Metasploit Penetration Testing Framework
Veritas Backup Exec Windows Remote File Access
This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
OSVDB-18695
BID-14551
http://www.fpns.net/willy/msb...
Veritas Backup Exec Server Registry Access
This module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes.
OSVDB-17627
CVE-2005-0771
http://www.idefense.com/appli...
Cisco IOS HTTP Unauthorized Administrative Access
This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d).
BID-2936
CVE-2001-0537
http://www.cisco.com/warp/pub...
OSVDB-578
Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
This module tests for a logic vulnerability in the Cisco VPN Concentrator 3000 series. It is possible to execute some FTP statements without authentication (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs when working with CWD commands. This module simply creates an arbitrary directory, verifies that the directory has been created, then deletes it and verifies deletion to confirm the bug.
BID-19680
CVE-2006-4313
http://www.cisco.com/warp/pub...
OSVDB-28139
OSVDB-28138
IBM DB2 db2rcmd.exe Command Execution Vulnerability.
This module exploits a vulnerability in the Remote Command Server component in IBM's DB2 Universal Database 8.1. An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe which could lead to administrator privileges.
CVE-2004-0795
BID-9821
Novell eDirectory DHOST Predictable Session Cookie
This module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.
OSVDB-60035
EMC AlphaStor Device Manager Arbitrary Command Execution
EMC AlphaStor Library Manager Arbitrary Command Execution
HP Web JetAdmin 6.5 Server Arbitrary Command Execution
This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this stage the module only works against Windows. This module does not apply to HP printers.
OSVDB-5798
BID-10224
http://www.milw0rm.com/exploi...
Iomega StorCenter Pro NAS Web Authentication Bypass
The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access.
Tomcat Administration Tool default access
Typo3 sa-2009-002 File Disclosure
SAP MaxDB cons.exe Remote Command Injection
SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.
BID-27206
CVE-2008-0244
Motorola WR850G v4.03 Credentials
Login credentials to the Motorola WR850G router with firmware v4.03 can be obtained via a simple GET request if issued while the administrator is logged in. A lot more information is available through this request, but you can get it all and more after logging in.
http://seclists.org/bugtraq/2...
Microsoft Host Integration Server 2006 Command Execution Vulnerability.
Microsoft SQL Server Configuration Enumerator
This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.
Microsoft SQL Server xp_cmdshell Command Execution
This module will execute a Windows command on an MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password are required to use this module.
http://msdn.microsoft.com/en-...
Microsoft SQL Server Generic Query
MySQL Enumeration Module
MySQL SQL Generic Query
This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.
TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
This module tests for directory traversal vulnerability in the UpdateAgent function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot dot sequences in a HTTP request.
OSVDB-48730
CVE-2008-2439
BID-31531
http://www.trendmicro.com/ftp...
SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger.
Oracle SMB Relay Code Execution
This module will help you to get Administrator access to the OS using an unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges). To do this you must first run the smb_sniffer or smb_relay module on your server. Then you must connect to the Oracle database and run this module, Ora_NTLM_stealer.rb, which will connect to your SMB server with the credentials of the Oracle RDBMS. So if smb_relay is working, you will get Administrator access to the server which runs Oracle. If not, then you can decrypt the HALFLM hash.
http://dsecrg.com/pages/pub/s...
Oracle Account Discovery.
Oracle SQL Generic Query
This module allows for simple SQL statements to be executed against an Oracle instance given the appropriate credentials and SID.
https://www.metasploit.com/us...
Oracle Database Enumeration
This module provides a simple way to scan an Oracle database server for configuration parameters that may be useful during a penetration test. Valid database credentials must be provided for this module to run.
Oracle Secure Backup exec_qr() Command Injection Vulnerability
Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
Oracle Java execCommand (Win32)
Oracle URL Download
ORACLE SID Brute Forcer.
TNSLsnr Command Issuer
This module allows for the sending of arbitrary TNS commands in order to gather information. Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd
UoW pop2d Remote File Retrieval Vulnerability
This module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name it is possible to retrieve any file which is world or group readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner.
OSVDB-368
BID-1484
PostgreSQL Server Generic Query
This module imports a file local on the PostgreSQL Server into a temporary table, reads it, and then drops the temporary table. It requires PostgreSQL credentials with table CREATE privileges as well as read privileges to the target file.
http://michaeldaw.org/sql-inj...
PostgreSQL Server Generic Query
This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials.
www.postgresql.org
TrendMicro ServerProtect File Access
Samba Symlink Directory Traversal
This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
OSVDB-62145
http://www.samba.org/samba/ne...
Symantec System Center Alert Management System Arbitrary Command Execution
TikiWiki information disclosure
Webmin file disclosure
A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error within the handling of a URL. This can be exploited to read the contents of any file on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).
OSVDB-26772
BID-18744
CVE-2006-3392
http://www.kb.cert.org/vuls/i...
http://secunia.com/advisories...
Generic Emailer (SMTP)
This module can be used to automate email delivery. This code is based on Joshua Abraham's email script for social engineering.
http://spl0it.org/
Cisco IOS HTTP GET /%% request Denial of Service
This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for "/%%", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P.
BID-1154
CVE-2000-0380
http://www.cisco.com/warp/pub...
OSVDB-1302
FreeBSD Remote NFS RPC Request Denial of Service
3Com SuperStack Switch Denial of Service
This module causes a temporary denial of service condition against 3Com SuperStack switches. By sending excessive data to the HTTP Management interface, the switch stops responding temporarily. The device does not reset. Tested successfully against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72.
OSVDB-7246
CVE-2004-2691
http://support.3com.com/infod...
Dell OpenManage POST Request Heap Overflow (win32)
This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. This module will crash the web server, however it is likely exploitable under certain conditions.
http://archives.neohapsis.com...
BID-9750
OSVDB-4077
CVE-2004-0331
Ruby WEBrick::HTTP::DefaultFileHandler DoS
Avahi < 0.6.24 Source Port 0 DoS
Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0.
CVE-2008-5081
NTP.org ntpd Reserved Mode Denial of Service
This module exploits a denial of service vulnerability within the NTP (network time protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!
BID-37255
CVE-2009-3563
https://support.ntp.org/bugs/...
MS02-063 PPTP Malformed Control Data Kernel Denial of Service
This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS.
BID-5807
CVE-2002-1214
OSVDB-13422
MSB-MS02-063
Samba lsa_io_privilege_set Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
CVE-2007-2446
Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
CVE-2007-2446
Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.
OSVDB-2577
CVE-2003-0694
BID-8641
http://www.milw0rm.com/exploi...
Solaris LPD Arbitrary File Delete
This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
CVE-2005-4797
BID-14510
OSVDB-18650
http://sunsolve.sun.com/searc...
Juniper JunOS Malformed TCP Option
This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.
BID-37670
OSVDB-61538
http://praetorianprefect.com/...
TCP SYN Flooder
A simple TCP SYN flooder
Wireless CTS/RTS Flooder
This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address,
Apple Airport 802.11 Probe Response Kernel Memory Corruption
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.
Wireless DEAUTH Flooder
This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.
Wireless Fake Access Point Beacon Flood
This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool.
Wireless Frame (File) Injector
Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module *does* take into account the ToDS and FromDS flags in the frame when replacing any specified addresses.
NetGear MA521 Wireless Driver Long Rates Overflow
This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
http://projects.info-pull.com...
ftp://downloads.netgear.com/f...
NetGear WG311v1 Wireless Driver Long SSID Overflow
This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when a malformed probe response frame is received that contains a long SSID field. This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
http://projects.info-pull.com...
ftp://downloads.netgear.com/f...
Multiple Wireless Vendor NULL SSID Probe Response
This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. This flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards).
http://802.11ninja.net/papers...
WVE-2006-0064
Wireless Test Module
This module is a test of the wireless packet injection system. Please see external/ruby-lorcon/README for more information.
Appian Enterprise Business Suite 5.6 SP1 DoS
Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
CVE-2009-2514
MSB-MS09-065
OSVDB-59869
FileZilla FTP Server Admin Interface Denial of Service
This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. By sending a succession of excessively long USER commands to the FTP Server, the Administration Interface (FileZilla Server Interface.exe), when running, will overwrite the stack with our string and generate an exception. The FileZilla FTP Server itself will continue functioning.
BID-15346
CVE-2005-3589
http://www.milw0rm.com/exploi...
OSVDB-20817
FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service
Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST.
http://milw0rm.com/exploits/6738
Titan FTP Server 6.26.630 SITE WHO DoS
Victory FTP Server 5.0 LIST DoS
WinFTP 2.3.0 NLST Denial of Service
This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST.
http://milw0rm.com/exploits/6581
XM Easy Personal FTP Server 5.6.0 NLST DoS
This module is a port of shinnai's script. You need a valid login, but even anonymous can do it as long as it has permission to call NLST.
http://milw0rm.com/exploits/6741
XM Easy Personal FTP Server 5.7.0 NLST DoS
Pi3Web <=2.0.13 ISAPI DoS
The Pi3Web HTTP server crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLLs in this directory after installation are users.txt, install.daf and readme.daf.
http://milw0rm.com/exploits/7109
Microsoft Windows NAT Helper Denial of Service
This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP.
BID-20804
CVE-2006-5614
Microsoft Plug and Play Service Registry Overflow
This module triggers a stack overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.
CVE-2005-2120
MSB-MS05-047
BID-15065
OSVDB-18830
Microsoft SRV.SYS Mailslot Write Corruption
This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1).
BID-19215
CVE-2006-3942
http://www.coresecurity.com/c...
MSB-MS06-035
Microsoft SRV.SYS Pipe Transaction No Null
This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS.
MSB-MS06-063
CVE-2006-3942
BID-19215
Microsoft SRV.SYS WriteAndX Invalid DataOffset
Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 (using the SRVSVC pipe).
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
http://g-laurent.blogspot.com...
Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.
MSB-MS09-050
Microsoft Vista SP0 SMB Negotiate Protocol DoS
This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. This vulnerability was silently fixed in Microsoft Vista Service Pack 1.
MS06-019 Exchange MODPROP Heap Overflow
This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request.
BID-17908
CVE-2006-0027
MSB-MS06-019
PacketTrap TFTP Server 2.2.5459.0 DoS
Wireshark chunked_encoding_dissector function DOS
Wireshark LDAP dissector DOS
The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.
CVE-2008-1562
HTTP GET Request URI Fuzzer (Incrementing Lengths)
This module sends a series of HTTP GET requests with incrementing URL lengths.
HTTP GET Request URI Fuzzer (Fuzzer Strings)
This module sends a series of HTTP GET requests with malicious URIs.
SMB Negotiate SMB2 Dialect Corruption
This module sends a series of SMB negotiate requests that advertise an SMB2 dialect with corrupted bytes.
SMB Create Pipe Request Fuzzer
This module sends a series of SMB create pipe requests using malicious strings.
SMB Create Pipe Request Corruption
This module sends a series of SMB create pipe requests with corrupted bytes.
SMB Negotiate Dialect Corruption
This module sends a series of SMB negotiate requests with corrupted bytes.
SMB NTLMv1 Login Request Corruption
This module sends a series of SMB login requests using the NTLMv1 protocol with corrupted bytes.
SMB Tree Connect Request Fuzzer
This module sends a series of SMB tree connect requests using malicious strings.
SMB Tree Connect Request Corruption
This module sends a series of SMB tree connect requests with corrupted bytes.
SSH Key Exchange Init Corruption
This module sends a series of SSH requests with a corrupted initial key exchange payload.
SSH 1.5 Version Fuzzer
This module sends a series of SSH requests with malicious version strings.
SSH 2.0 Version Fuzzer
This module sends a series of SSH requests with malicious version strings.
SSH Version Corruption
This module sends a series of SSH requests with a corrupted version string.
TDS Protocol Login Request Corruption Fuzzer
This module sends a series of malformed TDS login requests.
TDS Protocol Login Request Username Fuzzer
This module sends a series of malformed TDS login requests.
Wireless Beacon Frame Fuzzer
This module sends out corrupted beacon frames.
Wireless Probe Response Frame Fuzzer
This module sends out corrupted probe response frames.
Citrix MetaFrame ICA Published Applications Scanner
Citrix MetaFrame ICA Published Applications Bruteforcer
DNS Enumeration Module
This module can be used to enumerate various types of information about a domain from a specific DNS server.
CVE-1999-0532
Search Engine Domain Email Address Collector
This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain.
Foxit Reader Authorization Bypass
This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. When an attacker creates a specially crafted PDF file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim.
CVE-2009-0836
BID-34035
DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
DB2 Probe Utility
This module queries a DB2 instance for information.
DB2 Discovery Service Detection.
This module simply queries the DB2 discovery service for information.
Endpoint Mapper Service Discovery
This module can be used to obtain information from the Endpoint Mapper service.
Hidden DCERPC Service Discovery
This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted.
Remote Management Interface Discovery
This module can be used to obtain information from the Remote Management Interface DCERPC service.
DCERPC TCP Service Auditor
Determine what DCERPC services are accessible over a TCP port
DECT Call Scanner
DECT Base Station Scanner
ARP Sweep Local Network Discovery
Enumerate alive Hosts in local network using ARP requests.
UDP Service Sweeper
Detect common UDP services
EMC AlphaStor Device Manager Service.
This module queries the remote host for the EMC AlphaStor Device Management Service.
EMC AlphaStor Library Manager Service.
This module queries the remote host for the EMC AlphaStor Library Management Service.
Finger Service User Enumerator
Identify valid users through the finger service using a variety of tricks
Anonymous FTP Access Detection
FTP Version Scanner
Detect FTP Version.
HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP Blind SQL Injection GET QUERY Scanner
This module identifies the existence of Blind SQL injection issues in GET Query parameters values.
HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.
HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired.
HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.
HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.
MSB-MS09-020
CVE-2009-1535
CVE-2009-1122
OSVDB-54555
BID-34993
Pull Del.icio.us Links (URLs) for a domain
This module pulls and parses the URLs stored by Del.icio.us users for the purpose of replaying during a web assessment, finding unlinked and old pages.
Pull Archive.org stored URLs for a domain
This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment, finding unlinked and old pages.
HTTP Error Based SQL Injection Scanner
This module identifies the existence of error-based SQL injection issues. Still requires a lot of work.
HTTP File Same Name Directory Scanner
This module identifies the existence of files in a given directory path that have the same name as the directory. Only works if PATH is different from '/'.
HTTP Interesting File Scanner
This module identifies the existence of interesting files in a given directory path.
FrontPage Server Extensions Login Utility
HTTP Version Detection
Display version information about each system
HTTP Microsoft SQL Injection Table XSS Infection
This module implements the mass SQL injection attack in use lately: concatenation of an HTML string that forces a persistent XSS attack to redirect the user's browser to an attacker-controlled website.
MS09-020 IIS6 WebDAV Unicode Auth Bypass
Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.
MSB-MS09-020
CVE-2009-1535
CVE-2009-1122
OSVDB-54555
BID-34993
HTTP Options Detection
Display available HTTP options for each system
HTTP Previous Directory File Scanner
This module identifies files in the first parent directory with the same name as the given directory path. Example: testing /backup/files/ will look for files such as /backup/files.ext.
HTTP File Extension Scanner
This module identifies the existence of additional files by modifying the extension of an existing file.
HTTP Robots.txt Content Scanner
Detect robots.txt files and analyze their content.
HTTP SOAP Verb/Noun Brute Force Scanner
This module attempts to brute force SOAP/XML requests to uncover hidden methods.
SQLMAP SQL Injection External Module
This module launches a sqlmap session. sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.
http://sqlmap.sourceforge.net
HTTP SSL Certificate tester
Display the vhost associated with the server using its SSL certificate and check the signature algorithm.
HTTP Subversion Scanner
Detect Subversion directories and files and analyze their content. Only SVN version > 7 is supported.
Tomcat Application Manager Login Utility
HTTP trace.axd Content Scanner
Detect trace.axd files and analyze their content.
HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs.
HTTP Virtual Host Brute Force Scanner
This module tries to identify unique virtual hosts hosted by the target web server.
HTTP Vuln scanner
This module identifies common vulnerable files or CGIs.
HTTP WebDAV Internal IP Scanner
Detect web servers' internal IPs through WebDAV.
HTTP WebDAV Scanner
Detect web servers with WebDAV enabled.
HTTP WebDAV Website Content Scanner
Detect web servers disclosing their content through WebDAV.
HTTP Writable Path PUT/DELETE File Access
This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests.
HTTP Blind XPATH 1.0 Injector
This module exploits blind XPATH 1.0 injections over HTTP GET requests.
IPID Sequence Scanner
This module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). Nmap's probes are SYN/ACKs while this module's are SYNs. While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
Borland InterBase Services Manager Information
This module retrieves the Services Manager version and the InterBase server version and implementation from the InterBase Services Manager.
SunRPC Portmap Program Enumerator
Motorola Timbuktu Service Detection.
This module simply sends a packet to the Motorola Timbuktu service for detection.
MSSQL Login Utility
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).
MSSQL Ping Utility
This module simply queries the MSSQL instance for information.
MySQL Login Utility
This module simply queries the MySQL instance for a specific user/pass (default is root with blank).
MySQL Server Version Enumeration
Enumerates the version of MySQL servers
NetBIOS Information Discovery
Discover host information through NetBIOS
NFS Mount Scanner
NTP Monitor List Scanner
Obtain the list of recent clients from an NTP server
Oracle Enterprise Manager Control SID Discovery
SID Enumeration.
This module simply queries the TNS listener for the Oracle SID. From Oracle 9.2.0.8 onward the listener is protected and the SID has to be brute-forced or guessed.
Oracle Application Server Spy Servlet SID Enumeration.
Oracle tnslsnr Service Version Query.
This module simply queries the tnslsnr service for the Oracle build.
Oracle XML DB SID Discovery
TCP ACK Firewall Scanner
Map out firewall rulesets with a raw ACK scan. Any port reported as unfiltered has no stateful firewall in front of it.
FTP Bounce Port Scanner
Enumerate TCP services via the FTP bounce PORT/LIST method, which can still come in handy every once in a while (I know of a server that still allows this just fine...).
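The PORT/LIST exchange the module relies on, as an added example that is not part of the Metasploit module: the scanner builds a PORT argument naming the target host and port, then issues LIST and reads the server's verdict on whether it could open the data connection. The reply wording and the "timed out" match used to tell closed from filtered are assumptions, since servers phrase these replies differently; the transcripts are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// PortCommand builds the PORT argument that asks the FTP server to open its
// data connection to target:port instead of back to the client. The six
// decimal fields are the four address octets and the port as p1*256+p2.
func PortCommand(target string, port int) (string, error) {
	v4 := net.ParseIP(target).To4()
	if v4 == nil {
		return "", fmt.Errorf("PORT needs an IPv4 address, got %q", target)
	}
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("port %d out of range", port)
	}
	return fmt.Sprintf("PORT %d,%d,%d,%d,%d,%d",
		v4[0], v4[1], v4[2], v4[3], port/256, port%256), nil
}

// replyCode extracts the three-digit code from an FTP reply line.
func replyCode(line string) string {
	if len(line) < 3 {
		return ""
	}
	return line[:3]
}

// ClassifyBounce turns the server's replies to PORT and LIST into a port
// state. The server, not the scanner, attempts the data connection, so the
// outcome comes back in the LIST reply: 150/125/226 means it connected
// (open), 425 means it could not (closed, or filtered on a timeout).
func ClassifyBounce(portReply string, listReplies []string) string {
	if !strings.HasPrefix(replyCode(portReply), "2") {
		return "bounce refused" // server rejects third-party PORT targets
	}
	for _, r := range listReplies {
		switch replyCode(r) {
		case "150", "125", "226":
			return "open"
		case "425":
			if strings.Contains(strings.ToLower(r), "timed out") {
				return "filtered" // assumed wording; varies by server
			}
			return "closed"
		}
	}
	return "unknown"
}

func main() {
	cmd, _ := PortCommand("10.0.0.5", 22)
	fmt.Println(cmd)

	// Constructed server transcripts, not captures.
	fmt.Println(ClassifyBounce("200 PORT command successful.",
		[]string{"150 Opening ASCII mode data connection for file list.", "226 Transfer complete."}))
	fmt.Println(ClassifyBounce("200 PORT command successful.",
		[]string{"425 Can't build data connection: Connection refused."}))
	fmt.Println(ClassifyBounce("500 Illegal PORT command.", nil))
}
```

A server that answers PORT with a 5xx for addresses other than the control connection's peer is not bounce-capable, which is the usual result today and the reason the page calls the technique an occasional one.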
TCP SYN Port Scanner
Enumerate open TCP services using a raw SYN scan.
TCP Port Scanner
Enumerate open TCP services
TCP "XMas" Port Scanner
Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.
PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
www.postgresql.org
PostgreSQL Login Utility
Rogue Gateway Detection: Receiver
This module listens for replies to the requests sent by the rogue_send module. The RPORT, CPORT, and ECHOID values must match the rogue_send parameters used exactly.
http://www.metasploit.com/res...
Rogue Gateway Detection: Sender
This module sends a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the rogue_recv module. This allows the system running the rogue_recv module to determine which external IP a given internal system is using as its default route.
http://www.metasploit.com/res...
SIP username enumerator
Scan for numeric usernames/extensions using OPTIONS/REGISTER requests
SIP Endpoint Scanner
Scan for SIP devices using OPTIONS requests
SMB Session Pipe Auditor
Determine what named pipes are accessible over SMB
SMB Session Pipe DCERPC Auditor
Determine what DCERPC services are accessible over an SMB pipe
SMB 2.0 Protocol Detection
Detect systems that support the SMB 2.0 protocol
SMB User Enumeration (SAM EnumUsers)
Determine what local users exist via the SAM RPC service
SMB Login Check Scanner
This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
SMB Local User Enumeration (LookupSid)
Determine what local users exist via brute force SID lookups
SMB Version Detection
Display version information about each system
SMTP Banner Grabber
AIX SNMP Scanner Auxiliary Module
AIX SNMP Scanner Auxiliary Module
SNMP Community Scanner
Scan for SNMP devices using common community names
SSH Version Scanner
Wardialer
Scan for dial-up systems that are connected to modems and answer telephony indials.
Telnet Login Check Scanner
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Telnet Service Banner Detection
Detect telnet services
TFTP Brute Forcer
This module uses a dictionary to brute force valid TFTP image names from a TFTP server.
VNC Authentication None Detection
X11 No-Auth Scanner
This module scans for X11 servers that allow anyone to connect without authentication.
OSVDB-309
CVE-1999-0526
HTTP Client Automatic Exploiter
This module uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them.
Authentication Capture: FTP
This module provides a fake FTP service that is designed to capture authentication credentials.
Authentication Capture: HTTP
This module provides a fake HTTP service that is designed to capture authentication credentials.
HTTP Client MS Credential Catcher
This module attempts to quietly catch NTLM/LM Challenge hashes.
Authentication Capture: IMAP
This module provides a fake IMAP service that is designed to capture authentication credentials.
Authentication Capture: POP3
This module provides a fake POP3 service that is designed to capture authentication credentials.
Authentication Capture: SMB
This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.
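Why the hardcoded challenge matters, as an added example that is not part of the Metasploit module: the legacy LM response is three DES encryptions of the server challenge under keys cut from the LM hash, so when the challenge never changes, a wordlist can be turned into a table of expected 24-byte responses once and every captured response becomes a lookup. NTLMv1 has the same 3xDES structure over the NT (MD4) hash; only the LM variant is shown because Go's standard library has DES but not MD4. The wordlist and the "captured" response are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// FixedChallenge is the constant the capture service sends to every client.
var FixedChallenge = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}

// desKey expands a 7-byte key to the 8-byte form DES expects: each output
// byte carries 7 key bits followed by a parity bit the cipher ignores.
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0]
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	k[7] = k7[6] << 1
	return k
}

func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash: uppercase the password, pad or truncate to 14 bytes, and
// DES-encrypt the constant "KGS!@#$%" under each 7-byte half.
func LMHash(password string) []byte {
	pw := make([]byte, 14)
	copy(pw, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(pw[:7], magic), desEncrypt(pw[7:], magic)...)
}

func LMHashHex(password string) string { return hex.EncodeToString(LMHash(password)) }

// LMResponse: pad the 16-byte hash to 21 bytes, DES-encrypt the challenge
// under each of the three 7-byte keys and concatenate to 24 bytes.
func LMResponse(password string, challenge []byte) []byte {
	h := make([]byte, 21)
	copy(h, LMHash(password))
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(h[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// BuildTable precomputes the response every wordlist entry produces for one
// challenge. With a random per-session challenge this would have to be redone
// per capture; with the fixed challenge it is done once for all captures.
func BuildTable(words []string, challenge []byte) map[string]string {
	t := make(map[string]string, len(words))
	for _, w := range words {
		t[hex.EncodeToString(LMResponse(w, challenge))] = w
	}
	return t
}

// Crack recovers the password for a captured response by table lookup.
func Crack(table map[string]string, captured []byte) (string, bool) {
	pw, ok := table[hex.EncodeToString(captured)]
	return pw, ok
}

func main() {
	words := []string{"letmein", "password", "summer2009", "admin"} // constructed wordlist
	table := BuildTable(words, FixedChallenge)
	captured := LMResponse("summer2009", FixedChallenge) // stands in for a sniffed response
	pw, ok := Crack(table, captured)
	fmt.Printf("LM(password)=%s cracked=%q found=%v\n", LMHashHex("password"), pw, ok)
}
```

The two halves of the LM hash are independent, and the third DES key of the response is only two real bytes of hash plus zero padding; both are why LM/NTLMv1 responses fall quickly even without the fixed challenge, and the fixed challenge removes the last per-session variation.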
Authentication Capture: SMTP
This module provides a fake SMTP service that is designed to capture authentication credentials.
Authentication Capture: Telnet
This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism.
DNS Spoofing Helper Service
This module provides a DNS service that returns TXT records indicating information about the querying service. Based on Dino Dai Zovi's DNS code from Karma.
Fake DNS Service
This module provides a DNS service that redirects all queries to a particular address.
FTP File Server
This module provides an FTP service
SOCKS Proxy UNC Path Redirection
This module provides a SOCKS proxy service that redirects all HTTP requests to a web page that loads a UNC path.
pSnuffle Packet Sniffer
This module sniffs passwords like dsniff did in the past
DNS BailiWicked Domain Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domain's nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.
CVE-2008-1447
US-CERT-VU-800113
http://www.caughq.org/exploit...
DNS BailiWicked Host Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry in the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and because the additional hostname entry is within the bailiwick constraints of the original request, the malicious host entry will get cached.
CVE-2008-1447
US-CERT-VU-800113
http://www.caughq.org/exploit...
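The two mechanisms both BailiWicked modules depend on, as an added example that is not part of either Metasploit module: a toy resolver cache that accepts a reply only when its transaction ID and destination port match an outstanding query, and that caches additional records only when they fall inside the bailiwick of the name it asked for. The simulation then plays the host attack against it: fresh random hostnames under the target zone, each answered by a burst of spoofed replies carrying an in-bailiwick additional A record, until a guessed ID matches. The record values, zone names and the 200-replies-per-query burst size are constructed assumptions.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

type RR struct{ Name, Type, Data string }

type Query struct {
	ID   uint16
	Port uint16 // resolver's source port for this query
	Name string
}

type Response struct {
	ID         uint16
	Port       uint16 // destination port the reply was sent to
	Name       string // question it claims to answer
	Answers    []RR
	Additional []RR
}

// inBailiwick reports whether rrName lies at or below the zone the resolver
// asked about, taken here as the parent of the queried label.
func inBailiwick(queried, rrName string) bool {
	zone := queried[strings.Index(queried, ".")+1:]
	return rrName == zone || strings.HasSuffix(rrName, "."+zone)
}

type Cache map[string]RR

// Accept applies the resolver's checks before caching: the reply must carry
// the ID, port and question of an outstanding query, and records in the
// additional section are cached only when in bailiwick. An out-of-bailiwick
// record (www.victim.net in a reply about example.com) is silently dropped.
func (c Cache) Accept(q Query, r Response) bool {
	if r.ID != q.ID || r.Port != q.Port || r.Name != q.Name {
		return false
	}
	for _, rr := range r.Answers {
		c[rr.Name+"/"+rr.Type] = rr
	}
	for _, rr := range r.Additional {
		if inBailiwick(q.Name, rr.Name) {
			c[rr.Name+"/"+rr.Type] = rr
		}
	}
	return true
}

// Simulate runs the host attack: each query uses a never-before-seen name so
// no cached answer short-circuits it, and the attacker answers with
// repliesPerQuery spoofs guessing the ID. Returns the number of queries it
// took to plant www.example.com, and whether it succeeded within maxQueries.
func Simulate(rng *rand.Rand, randomPorts bool, repliesPerQuery, maxQueries int) (int, bool) {
	cache := Cache{}
	for n := 1; n <= maxQueries; n++ {
		q := Query{ID: uint16(rng.Intn(65536)), Port: 53, Name: fmt.Sprintf("r%d.example.com", n)}
		if randomPorts {
			q.Port = uint16(1024 + rng.Intn(64512))
		}
		for i := 0; i < repliesPerQuery; i++ {
			spoof := Response{
				ID: uint16(rng.Intn(65536)), Port: 53, Name: q.Name, // attacker assumes port 53
				Answers:    []RR{{q.Name, "A", "203.0.113.9"}},
				Additional: []RR{{"www.example.com", "A", "203.0.113.9"}},
			}
			if cache.Accept(q, spoof) {
				return n, true
			}
		}
	}
	return maxQueries, false
}

func main() {
	rng := rand.New(rand.NewSource(1))
	n, ok := Simulate(rng, false, 200, 20000)
	fmt.Printf("fixed source port:  poisoned=%v after %d queries\n", ok, n)
	n, ok = Simulate(rng, true, 200, 20000)
	fmt.Printf("random source port: poisoned=%v after %d queries\n", ok, n)
}
```

With only the 16-bit ID to guess, a burst of 200 spoofs per query succeeds after a few hundred queries on average; randomizing the source port multiplies the search space by the port range, which is the mitigation the CVE-2008-1447 advisories describe. The domain attack differs only in what the spoof carries: NS records for the zone in the authority section, with glue in the additional section, instead of a single A record.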
DNS Lookup Result Comparison
This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks, but can also be used to detect geo-location loadbalancing.
Airpwn TCP hijack
TCP streams are 'protected' only in so much as the sequence number is not guessable. Wifi is shared media. Got your nose. Responses which do not begin with a Header: Value line are assumed to be bare HTML and will have Header: Value data prepended. Responses which do not include a Content-Length header will have one generated.
DNSpwn DNS hijack
Race DNS responses and replace DNS queries
SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
The module exploits a SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU.
CVE-2008-3996
http://www.appsecinc.com/reso...
SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
The module exploits a SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU.
CVE-2008-3995
http://www.appsecinc.com/reso...
SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML.
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
http://www.metasploit.com
SQL Injection via SYS.DBMS_METADATA.GET_XML.
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
http://www.metasploit.com
SQL Injection via SYS.DBMS_METADATA.OPEN.
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function.
http://www.metasploit.com
SQL Injection via SYS.LT.COMPRESSWORKSPACE.
SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
SQL Injection via SYS.LT.MERGEWORKSPACE.
SQL Injection via SYS.LT.REMOVEWORKSPACE.
This module exploits a SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
CVE-2008-3984
http://www.appsecinc.com/reso...
SQL Injection via SYS.LT.ROLLBACKWORKSPACE.
This module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
CVE-2009-0978
http://www.oracle.com/technol...
Simple Network Capture Tester
This module sniffs HTTP GET requests from the network
Simple Ethernet Frame Spoofer
This module sends spoofed ethernet frames
Simple IP Spoofing Tester
Simple IP Spoofing Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
Simple Recon Module Tester
SIP Invite Spoof
This module will create a fake SIP INVITE request, making the targeted device ring and display fake caller ID information.