Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Search for modules
Module Browser
Cisco IOS HTTP GET /%% request Denial of Service
This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for "/%%", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P.
ISC DHCP Zero Length ClientID Denial of Service Module
This module performs a Denial of Service Attack against the ISC DHCP server, versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request message with a 0-length client_id option for an IP address on the appropriate range for the dhcp server. When ISC DHCP Server tries to hash this value it exits abnormally.
FreeBSD Remote NFS RPC Request Denial of Service
This module sends a specially-crafted NFS Mount request causing a kernel panic on host running FreeBSD 6.0.
HP Data Protector Manager RDS DOS
This module causes a remote DOS on HP Data Protector's RDS service. By sending a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous size for malloc().
3Com SuperStack Switch Denial of Service
This module causes a temporary denial of service condition against 3Com SuperStack switches. By sending excessive data to the HTTP Management interface, the switch stops responding temporarily. The device does not reset. Tested successfully against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72.
Apache mod_isapi <= 2.2.14 Dangling Pointer
This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.
Apache Range header DoS (Apache Killer)
The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, exploit called "Apache Killer"
Apache Tomcat Transfer-Encoding Information Disclosure and DoS
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."
Dell OpenManage POST Request Heap Overflow (win32)
This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. This module will crash the web server, however it is likely exploitable under certain conditions.
SonicWALL SSL-VPN Format String Vulnerability
There is a format string vulnerability within the SonicWALL SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory can be read or written to, depending on the format string used. There appears to be a length limit of 127 characters of format string data. With physical access to the device and debugging, this module may be able to be used to execute arbitrary code remotely.
Ruby WEBrick::HTTP::DefaultFileHandler DoS
The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423 allows for a DoS (CPU consumption) via a crafted HTTP request.
Avahi < 0.6.24 Source Port 0 DoS
Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0
NTP.org ntpd Reserved Mode Denial of Service
This module exploits a denial of service vulnerability within the NTP (network time protocol) demon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!
MS02-063 PPTP Malformed Control Data Kernel Denial of Service
This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS.
Samba lsa_io_privilege_set Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS
The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending a crafted UDP packet to port 48899 (TCATSysSrv.exe).
7-Technologies IGSS 9 IGSSdataServer.exe DoS
The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be brought down by sending a crafted TCP packet to port 12401. This should also work for version <= 9.0.0.1120, but that version hasn't been tested.
Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.
Solaris LPD Arbitrary File Delete
This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit
This module performs a Denial of Service Attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it recieves a ChangeCipherspec Datagram before a ClientHello.
rsyslog Long Tag Off-By-Two DoS
This module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).
Juniper JunOS Malformed TCP Option
This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.
Apple Airport 802.11 Probe Response Kernel Memory Corruption
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.
Wireless CTS/RTS Flooder
This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address,
Wireless DEAUTH Flooder
This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.
Wireless Fake Access Point Beacon Flood
This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool.
Wireless Frame (File) Injector
Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module *does* take into account the ToDS and FromDS flags in the frame when replacing any specified addresses.
NetGear MA521 Wireless Driver Long Rates Overflow
This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
NetGear WG311v1 Wireless Driver Long SSID Overflow
This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when malformed probe response frame is received that contains a long SSID field This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
Multiple Wireless Vendor NULL SSID Probe Response
This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. This flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards).
Wireless Beacon SSID Emulator
This module sends out beacon frames using SSID's identified in a specified file and randomly selected BSSID's. This is useful when combined with a Karmetasploit attack to get clients configured to not probe for networks in their PNL to start probing when they see a matching SSID in from this script. For a list of common SSID's to use with this script, check http://www.wigle.net/gps/gps/main/ssidstats. If a file of SSID's is not specified, a default list of 20 SSID's will be used. This script will run indefinitely until interrupted.
Wireless Test Module
This module is a test of the wireless packet injection system. Please see external/ruby-lorcon/README for more information.
Appian Enterprise Business Suite 5.6 SP1 DoS
This module exploits a denial of service flaw in the Appian Enterprise Business Suite service.
Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
FileZilla FTP Server Admin Interface Denial of Service
This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. By sending a procession of excessively long USER commands to the FTP Server, the Administration Interface (FileZilla Server Interface.exe) when running, will overwrite the stack with our string and generate an exception. The FileZilla FTP Server itself will continue functioning.
FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service
This module triggers a Denial of Service condition in the FileZilla FTP Server versions 0.9.21 and earlier. By sending a malformed PORT command then LIST command, the server attempts to write to a NULL pointer.
Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST.
Microsoft IIS FTP Server Encoded Response Overflow Trigger
This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be explotiable for remote code execution.
Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion
This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the "FTP Publishing" must be configured as "manual" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.
Solar FTP Server <= 2.1.1 Malformed (User) Denial of Service
This module will send a format string as USER to Solar FTP, causing a READ violation in function "__output_1()" found in "sfsservice.exe" while trying to calculate the length of the string.
Titan FTP Server 6.26.630 SITE WHO DoS
The Titan FTP server v6.26 build 630 can be DoS'd by issuing "SITE WHO". You need a valid login so you can send this command.
Victory FTP Server 5.0 LIST DoS
The Victory FTP Server v5.0 can be brought down by sending a very simple LIST command
WinFTP 2.3.0 NLST Denial of Service
This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST.
XM Easy Personal FTP Server 5.6.0 NLST DoS
This module is a port of shinnai's script. You need a valid login, but even anonymous can do it as long as it has permission to call NLST.
XM Easy Personal FTP Server 5.7.0 NLST DoS
You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call NLST.
Kaillera 0.86 Server Denial of Service
The Kaillera 0.86 server can be shut down by sending any malformed packet after the intial "hello" packet.
Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. Required is that Active Server Pages are hosted by the IIS and that an ASP script reads out a Post Form value.
Pi3Web <=2.0.13 ISAPI DoS
The Pi3Web HTTP server crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLLs in this directory after installation are users.txt, install.daf and readme.daf.
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash.
Microsoft Windows NAT Helper Denial of Service
This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP.
Microsoft Plug and Play Service Registry Overflow
This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.
Microsoft SRV.SYS Mailslot Write Corruption
This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1).
Microsoft SRV.SYS Pipe Transaction No Null
This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS.
Microsoft SRV.SYS WriteAndX Invalid DataOffset
This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista.
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.
Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerabile client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a system has a guest accessible share, you can trigger it without any authentication.
Microsoft Windows Browser Pool DoS
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.
Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 (using the SRVSVC pipe).
Microsoft Vista SP0 SMB Negotiate Protocol DoS
This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. This vulnerability was silently fixed in Microsoft Vista Service Pack 1.
MS06-019 Exchange MODPROP Heap Overflow
This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request.
PacketTrap TFTP Server 2.2.5459.0 DoS
The PacketTrap TFTP server version 2.2.5459.0 can be brought down by sending a special write request.
SolarWinds TFTP Server 10.4.0.10 Denial of Service
The SolarWinds TFTP server can be shut down by sending a 'netascii' read request with a specially crafted file name.
Wireshark chunked_encoding_dissector function DOS
Wireshark crash when dissecting an HTTP chunked response. Versions affected: 0.99.5 (Bug 1394)
Wireshark CLDAP Dissector DOS
This module causes infinite recursion to occur within the CLDAP dissector by sending a specially crafted UDP packet.
Wireshark LDAP dissector DOS
The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.