Metasploit Penetration Testing Framework

AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow

This module exploits a buffer overflow vulnerability in opcode 21 handled by rpc.cmsd on AIX. By making a request with a long string passed to the first argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This leads to arbitrary code execution. NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where further attempts are not possible. CVE-2009-3699 OSVDB-58726 BID-36615 http://labs.idefense.com/inte... http://aix.software.ibm.com/a...

ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow

This module exploits a buffer overflow vulnerability in _tt_internal_realpath function of the ToolTalk database server (rpc.ttdbserverd). CVE-2009-2727 OSVDB-55151

Mercantec SoftCart CGI Overflow

This is an exploit for an undisclosed buffer overflow in the SoftCart.exe CGI as shipped with Mercantec's shopping cart software. It is possible to execute arbitrary code by passing a malformed CGI parameter in an HTTP GET request. This issue is known to affect SoftCart version 4.00b. CVE-2004-2221 OSVDB-9011 BID-10926

System V Derived /bin/login Extraneous Arguments Buffer Overflow

This exploit connects to a system's modem over dialup and exploits a buffer overlflow vulnerability in it's System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. CVE-2001-0797 OSVDB-690 OSVDB-691 BID-3681 http://archives.neohapsis.com... http://archives.neohapsis.com...

Samba trans2open Overflow (*BSD x86)

XTACACSD <= 4.1.2 report() Buffer Overflow

This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By sending a specially crafted XTACACS packet with an overly long username, an attacker may be able to execute arbitrary code. CVE-2008-7232 OSVDB-58140 http://aluigi.altervista.org/...

HP-UX LPD Command Execution

This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213. CVE-2002-1473 OSVDB-9638 http://archives.neohapsis.com...

Irix LPD tagprinter Command Execution

This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Irix. CVE-2001-0800 OSVDB-8573 http://www.lsd-pl.net/code/IR...

Unreal Tournament 2004 "secure" Overflow (Linux)

This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. CVE-2004-0608 OSVDB-7217 BID-10570

Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution

This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifing shell metacharaters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response. OSVDB-40521 BID-25694 CVE-2007-3010 http://www1.alcatel-lucent.co...

DD-WRT HTTP Daemon Arbitrary Command Execution

This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. CVE-2009-2765 OSVDB-55990 BID-35742 http://www.milw0rm.com/exploi...

Berlios GPSD Format String Vulnerability

This module exploits a format string vulnerability in the Berlios GPSD server. This vulnerability was discovered by Kevin Finisterre. CVE-2004-1388 OSVDB-13199 BID-12371 http://www.securiteam.com/uni...

Linksys apply.cgi buffer overflow

This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected. CVE-2005-2799 OSVDB-19389 http://labs.idefense.com/inte...

PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)

This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters. CVE-2006-1148 OSVDB-23777 BID-17040 http://www.infigo.hr/in_focus...

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution

This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild. CVE-2000-0248 OSVDB-289 BID-1148 CVE-2000-0322 OSVDB-1300 BID-1149

Snort Back Orifice Pre-Preprocessor Remote Exploit

This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges. CVE-2005-3252 OSVDB-20034 BID-15131 http://xforce.iss.net/xforce/...

UoW IMAP server LSUB Buffer Overflow

This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password. CVE-2000-0284 OSVDB-12037 BID-1110 http://www.milw0rm.com/exploi...

Madwifi SIOCGIWSCAN Buffer Overflow

The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by one of these properly crafted information element: WPA, RSN, WME and Atheros OUI Current madwifi driver (0.9.2) and and all madwifi-ng drivers since r1504 are vulnerable Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable, doesn\'t crash the Wifi stack and can exploit the same machine multiple time without the need to reboot it. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6332 OSVDB-31267 http://www.madwifi.org

GLD (Greylisting Daemon) Postfix Buffer Overflow

This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten. CVE-2005-1099 OSVDB-15492 BID-13129 http://www.milw0rm.com/exploi...

hplip hpssd.py From Address Arbitrary Command Execution

This module exploits a command execution vulnerable in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited. CVE-2007-5208 OSVDB-41693 BID-26054 https://bugzilla.redhat.com/s... https://bugzilla.redhat.com/a...

Borland InterBase INET_connect() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

Borland InterBase jrd8_create_database() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Borland InterBase open_marker_file() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5244 OSVDB-38610 BID-25917 http://www.risesecurity.org/a...

Borland InterBase PWD_db_aliased() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

LPRng use_syslog Remote Format String Vulnerability

This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". CVE-2000-0917 OSVDB-421 BID-1712 US-CERT-VU-382365 http://www.cert.org/advisorie... https://bugzilla.redhat.com/s... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

MySQL yaSSL CertDecoder::GetName Buffer Overflow

This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL. CVE-2009-4484 BID-37640 BID-37943 BID-37974 OSVDB-61956 http://secunia.com/advisories... http://intevydis.blogspot.com...

MySQL yaSSL SSL Hello Message Buffer Overflow

This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code. CVE-2008-0226 OSVDB-41195 BID-27140

Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow

This exploit takes advantage of a stack based overflow. Once the stack corruption has occured it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement CVE-2006-2502 OSVDB-25853 BID-18056 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://archives.neohapsis.com...

Poptop Negative Read Overflow

This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock. CVE-2003-0213 OSVDB-3293 http://securityfocus.com/arch... http://www.freewebs.com/bligh...

Squid NTLM Authenticate Overflow

This is an exploit for Squid\'s NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory. CVE-2004-0541 OSVDB-6791 http://www.idefense.com/appli... BID-10500

Samba chain_reply Memory Corruption (Linux x86)

This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" desctructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration. CVE-2010-2063 OSVDB-65518 http://labs.idefense.com/inte...

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Linux x86)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Firefox 3.5 escape() Return Value Memory Corruption

This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets. CVE-2009-2477 OSVDB-55846 BID-35660 https://bugzilla.mozilla.org/...

Firefox location.QueryInterface() Code Execution

This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. CVE-2006-0295 OSVDB-22893 BID-16476 http://www.mozilla.org/securi...

Apple OS X iTunes 8.1.1 ITMS Overflow

This modules exploits a stack-based buffer overflow in iTunes itms:// URL parsing. It is accessible from the browser and in Safari, itms urls will be opened in iTunes automatically. Because iTunes is multithreaded, only vfork-based payloads should be used. CVE-2009-0950 OSVDB-54833 http://support.apple.com/kb/H... http://redpig.dataspill.org/2...

Sun Java Calendar Deserialization Exploit

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected). CVE-2008-5353 OSVDB-50500 http://slightlyrandombrokenth... http://landonf.bikemonkey.org... http://blog.cr0.org/2009/05/w... http://sunsolve.sun.com/searc...

Sun Java JRE getSoundbank file:// URI Buffer Overflow

This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. CVE-2009-3867 OSVDB-59711 BID-36881 http://zerodayinitiative.com/...

Sun Java JRE AWT setDiffICM Buffer Overflow

This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. CVE-2009-3869 OSVDB-59710 BID-36881 http://sunsolve.sun.com/searc... http://www.zerodayinitiative....

Signed Applet Social Engineering Code Exec

This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it to a .jar file, then signs the .jar with a dynamically created certificate containing values of your choosing. This is presented to the end user via a web page with an applet tag, loading the signed applet. The user's JVM pops a dialog asking if they trust the signed applet and displays the values chosen. Once the user clicks 'accept', the applet executes with full user permissions. The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload created for the CVE-2008-5353 java deserialization exploit. This module requires the rjb rubygem, the JDK, and the $JAVA_HOME variable to be set. If these dependencies are not present, the exploit falls back to a static, signed JAR. http://www.defcon.org/images/...

Java Statement.invoke() Trusted Method Chain Exploit

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. CVE-2010-0840 OSVDB-63483 http://slightlyrandombrokenth...

Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC. CVE-2005-2265 OSVDB-17968 BID-14242 http://www.mozilla.org/securi...

Mozilla Suite/Firefox Navigator Object Code Execution

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed. CVE-2006-3677 OSVDB-27559 BID-19192 http://www.mozilla.org/securi... http://browserfun.blogspot.co...

Opera 9 Configuration Overwrite

Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code. OSVDB-66472

Opera historysearch XSS

Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61. CVE-2008-4696 OSVDB-49472 BID-31869 http://www.opera.com/support/...

Apple QTJava toQTPointer() Arbitrary Memory Access

This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7. CVE-2007-2175 OSVDB-34178 BID-23608 http://www.zerodayinitiative....

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted pdf that a contains malformed U3D data, an attacker may be able to execute arbitrary code. CVE-2009-2990 OSVDB-58920 BID-36665 http://sites.google.com/site/... http://www.adobe.com/support/...

Maple Maplet File Creation and Command Execution

This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security settings prevent code from running in a normal maple worksheet without user interaction, but those setting do not prevent code in a Maplet from running. In order for the payload to be executed, an attacker must convince someone to open a specially modified .maplet file with Maple. By doing so, an attacker can execute arbitrary code as the victim user. OSVDB-64541 http://www.maplesoft.com/prod...

PeaZip <= 2.6.1 Zip Processing Command Injection

This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip, and access the specially file via double-clicking it. By doing so, an attacker can execute arbitrary commands as the victim user. CVE-2009-2261 OSVDB-54966 http://peazip.sourceforge.net/ http://www.exploit-db.com/exp...

wu-ftpd SITE EXEC/INDEX Format String Vulnerability

This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code. CVE-2000-0573 OSVDB-11805 BID-1387

Generic Payload Handler

This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.

JBoss JMX Console Beanshell Deployer WAR upload and deployment

This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method. CVE-2010-0738 http://www.redteam-pentesting...

JBoss Java Class DeploymentFileRepository WAR deployment

This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file in a minimal WAR context. CVE-2010-0738 http://www.redteam-pentesting...

JBoss JMX Console Deployer Upload and Execute

This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us. CVE-2007-1036 CVE-2010-0738 OSVDB-33744 http://www.redteam-pentesting...

Sun Java System Web Server WebDAV OPTIONS Buffer Overflow

This module exploits a buffer overflow in Sun Java Web Server prior to version 7 Update 8. By sending an "OPTIONS" request with an overly long path, attackers can execute arbitrary code. In order to reach the vulnerable code, the attacker must also specify the path to a directory with WebDAV enabled. This exploit was tested and confirmed to work on Windows XP SP3 without DEP. Versions for other platforms are vulnerable as well. The vulnerability was originally discovered and disclosed by Evgeny Legerov of Intevydis. CVE-2010-0361 OSVDB-61851 http://intevydis.blogspot.com... http://sunsolve.sun.com/searc...

Apache Tomcat Manager Application Deployer Upload and Execute

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. CVE-2009-3843 OSVDB-60317 CVE-2009-4189 OSVDB-60670 CVE-2009-4188 CVE-2009-3548 OSVDB-60176 BID-36954 http://tomcat.apache.org/tomc...

HP OpenView OmniBack II Command Execution

This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the "unix/cmd/generic" payload and set CMD to your command. You can only pass a small amount of characters (4) to the command line on Windows. CVE-2001-0311 OSVDB-6018 BID-11032 http://www.securiteam.com/exp...

VERITAS NetBackup Remote Command Execution

This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address. CVE-2004-1389 OSVDB-11026 BID-11494 http://seer.support.veritas.c...

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow

The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. CVE-2010-0304 OSVDB-61987 BID-37985 http://www.wireshark.org/secu... http://anonsvn.wireshark.org/...

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)

The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. This version loops, sending the packet every X seconds until the job is killed. CVE-2010-0304 OSVDB-61987 BID-37985 http://www.wireshark.org/secu... http://anonsvn.wireshark.org/...

NTP daemon readvar Buffer Overflow

This module exploits a stack based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique. CVE-2001-0414 OSVDB-805 BID-2540 US-CERT-VU-970472

PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)

This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction is known. The EDI method is faster, but the bandwidth-intensive brute force used by this module is more reliable across a wider range of systems. CVE-2007-1286 OSVDB-32771 http://www.php-security.org/M...

RealServer Describe Buffer Overflow

This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers. CVE-2002-1643 OSVDB-4468 http://lists.immunitysec.com/...

Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers. CVE-2003-0085 OSVDB-6323 BID-7106 http://www.samba.org/samba/hi...

Samba "username map script" Command Execution

This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication! CVE-2007-2447 OSVDB-34700 BID-23972 http://labs.idefense.com/inte... http://samba.org/samba/securi...

Subversion Date Svnserve

This is an exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits. **WARNING** This exploit seems to (not very often, I've only seen it during testing) corrupt the subversion database, so be careful! CVE-2004-0397 OSVDB-6301 BID-10386 http://lists.netsys.com/piper... MIL-68

Wyse Rapport Hagent Fake Hserver Command Execution

This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service. CVE-2009-0695 OSVDB-55839 US-CERT-VU-654545 http://snosoft.blogspot.com/ http://www.theregister.co.uk/... http://www.wyse.com/servicean... http://www.wyse.com/servicean...

Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow

This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver. Since the driver runs in the kernel space, a failed exploit attempt can cause the OS to reboot. CVE-2005-2852 OSVDB-12790

AppleFileServer LoginExt PathName Overflow

This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions. CVE-2004-0430 OSVDB-5762 BID-10271

Arkeia Backup Client Type 77 Overflow (Mac OS X)

This module exploits a stack buffer overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5. CVE-2005-0491 OSVDB-14011 BID-12594 http://lists.netsys.com/piper...

iPhone MobileSafari LibTIFF Buffer Overflow

This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. CVE-2006-3459 OSVDB-27723 BID-19283

iPhone MobileSafari LibTIFF Buffer Overflow

Safari Archive Metadata Command Execution

This module exploits a vulnerability in Safari's "Safe file" feature, which will automatically open any file with one of the allowed extensions. This can be abused by supplying a zip file, containing a shell script, with a metafile indicating that the file should be opened by Terminal.app. This module depends on the 'zip' command-line utility. CVE-2006-0848 OSVDB-23510 BID-16736

Apple OS X Software Update Command Execution

This module exploits a feature in the Distribution Packages, which are used in the Apple Software Update mechanism. This feature allows for arbitrary command execution through JavaScript. This exploit provides the malicious update server. Requests must be redirected to this server by other means for this exploit to work. CVE-2007-5863 OSVDB-40722

Mail.app Image Attachment Command Execution

This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. CVE-2006-0395 CVE-2007-6165 OSVDB-40875 BID-26510 BID-16907

iPhone MobileMail LibTIFF Buffer Overflow

WebSTAR FTP Server USER Overflow

This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library. CVE-2004-0695 OSVDB-7794 BID-10720

MacOS X EvoCam HTTP GET Buffer Overflow

This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity. CVE-2010-2309 OSVDB-65043 http://www.exploit-db.com/exp...

Mac OS X mDNSResponder UPnP Location Overflow

TODO

UFO: Alien Invasion IRC Client Buffer Overflow Exploit

This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1. CVE-2010-2309 OSVDB-65689 http://www.exploit-db.com/exp...

MacOS X QuickTime RTSP Content-Type Overflow

No module description CVE-2007-6166 OSVDB-40876 BID-26549

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure. CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Mac OS X PPC)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Solaris dtspcd Heap Overflow

This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook. CVE-2001-0803 OSVDB-4503 BID-3517 http://www.cert.org/advisorie... http://media.wiley.com/produc...

Solaris LPD Command Execution

This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system. CVE-2001-1583 OSVDB-15131 BID-3274

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". CVE-2007-2446 OSVDB-34699

Samba trans2open Overflow (Solaris SPARC)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module. CVE-2003-0201 OSVDB-4469 BID-7294 http://seclists.org/bugtraq/2...

Sun Solaris sadmind adm_build_path() Buffer Overflow

This module exploits a buffer overflow vulnerability in adm_build_path() function of sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests. CVE-2008-4556 OSVDB-49111 http://risesecurity.org/advis...

Solaris sadmind Command Execution

This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include solaris 2.7, 8, and 9 CVE-2003-0722 OSVDB-4585 BID-8615 http://lists.insecure.org/lis...

Solaris ypupdated Command Execution

This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option. CVE-1999-0209 OSVDB-11517 BID-1749

Sun Solaris Telnet Remote Authentication Bypass Vulnerability

This module exploits the argument injection vulnerabilty in the telnet daemon (in.telnetd) of Solaris 10 and 11. CVE-2007-0882 OSVDB-31881 BID-22512

Solaris in.telnetd TTYPROMPT Buffer Overflow

This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. CVE-2001-0797 OSVDB-690 BID-5531

Internal Aggressive Test Exploit

This module tests the exploitation of a test service.

Command Stager Web Test

This module tests the command stager mixin against a shell.jsp application installed on an Apache Tomcat server.

Test Dialup Exploit

This exploit connects to a system's modem over dialup and provides the user with a readout of the login banner.

Internal Egghunter Test Exploit

This module tests the exploitation of a test service using the Egghunter.

MIPS Aggressive Test Exploit

This module tests the exploitation of a test service

Exec

Internal Kernel-mode Test Exploit

This module tests the exploitation of a kernel-mode test service.

ContentKeeper Web Remote Command Execution

This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool' to escalate to root. OSVDB-54551 OSVDB-54552 http://www.aushack.com/200904...

UnrealIRCD 3.2.8.1 Backdoor Command Execution

This module uses exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. CVE-2010-2075 OSVDB-65445 http://www.unrealircd.com/txt...

DistCC Daemon Command Execution

This module uses a documented security weakness to execute arbitrary commands on any system running distccd. CVE-2004-2687 OSVDB-13378 http://distcc.samba.org/secur...

SpamAssassin spamd Remote Command Execution

This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable CVE-2006-2447 OSVDB-26177 BID-18290 http://spamassassin.apache.or...

Zabbix Agent net.tcp.listen Command Injection

This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server (as defined in the configuration file). CVE-2009-4502 OSVDB-60956 https://support.zabbix.com/br...

ClamAV Milter Blackhole-Mode Remote Code Execution

This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable. When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call. CVE-2007-4560 OSVDB-36909 BID-25439 http://www.milw0rm.com/exploi...

AWStats configdir Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 are vulnerable. CVE-2005-0116 OSVDB-13002 BID-12298 http://www.idefense.com/appli...

AWStats migrate Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWstats configuration file (non-default). CVE-2006-2237 OSVDB-25284 BID-17844 http://awstats.sourceforge.ne... http://www.milw0rm.com/exploi...

Barracuda IMG.PL Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. CVE-2005-2847 OSVDB-19279 BID-14712 NSS-19556 http://www.securiweb.net/wiki...

BASE base_qry_common Remote File Include.

This module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier. CVE-2006-2685 OSVDB-49366 BID-18298

Cacti graph_view.php Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to 0.8.6-d are vulnerable. OSVDB-17539 BID-14042

Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution

This module exploits a vulnerability in the picEditor.php script of Coppermine Photo Gallery. When configured to use the ImageMagick library, the 'quality', 'angle', and 'clipval' parameters are not properly escaped before being passed to the PHP 'exec' command. In order to reach the vulnerable 'exec' call, the input must pass several validation steps. The vulnerabilities actually reside in the following functions: image_processor.php: rotate_image(...) include/imageObjectIM.class.php: imageObject::cropImage(...) include/imageObjectIM.class.php: imageObject::rotateImage(...) include/imageObjectIM.class.php: imageObject::resizeImage(...) include/picmgmt.inc.php: resize_image(...) NOTE: Use of the ImageMagick library is a non-default option. However, a user can specify its use at installation time. CVE-2008-0506 OSVDB-41676 http://www.exploit-db.com/exp... http://forum.coppermine-galle...

Dogfood CRM spell.php Remote Command Execution

This module exploits a previously unpublished vulnerability in the Dogfood CRM mail function which is vulnerable to command injection in the spell check feature. Because of character restrictions, this exploit works best with the double-reverse telnet payload. This vulnerability was discovered by LSO and affects v2.0.10. OSVDB-54707 http://downloads.sourceforge....

Google Appliance ProxyStyleSheet Command Execution

This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. CVE-2005-3757 OSVDB-20981 BID-15509

Matt Wright guestbook.pl Arbitrary Command Execution

The Matt Wright guestbook.pl <= v2.3.1 CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the '.html' file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully. CVE-1999-1053 OSVDB-84 BID-776

Joomla 1.5.12 TinyBrowser File Upload Code Execution

This module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 1.5.12 of joomla and allows the upload of files on the remote server. By renaming the uploaded file this vulnerability can be used to upload/execute code on the affected system. OSVDB-64578 http://milw0rm.com/exploits/9296 http://developer.joomla.org/s...

Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.

This module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier. CVE-2008-2905 OSVDB-46173 BID-29716

Nagios3 statuswml.cgi Ping Command Execution

This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands. CVE-2009-2288 OSVDB-55281

HP Openview connectedNodes.ovpl Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will be displayed to the screen. CVE-2005-2773 OSVDB-19057 BID-14662

OpenX banner-edit.php File Upload PHP Code Execution

This module exploits a vulnerability in the OpenX advertising software. In versions prior to version 2.8.2, authenticated users can upload files with arbitrary extensions to be used as banner creative content. By uploading a file with a PHP extension, an attacker can execute arbitrary PHP code. NOTE: The file must also return either "png", "gif", or "jpeg" as its image type as returned from the PHP getimagesize() function. CVE-2009-4098 OSVDB-60499 BID-37110 http://archives.neohapsis.com... https://developer.openx.org/j... http://www.openx.org/docs/2.8... http://php.net/manual/en/func... http://gynvael.coldwind.pl/?i... http://gynvael.coldwind.pl/?i... http://gynvael.coldwind.pl/?i... http://programming.arantius.c... http://stackoverflow.com/ques...

osCommerce 2.2 Arbitrary PHP Code Execution

osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver. OSVDB-60018 http://www.milw0rm.com/exploi...

PAJAX Remote Command Execution

RedTeam has identified two security flaws in PAJAX (<= 0.5.1). It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in ".class.php". CVE-2006-1551 OSVDB-24618 BID-17519 http://www.redteam-pentesting...

Generic PHP Code eval

Exploits things like <?php eval($_REQUEST['evalme']); ?> It is likely that HTTP evasion options will break this exploit.

PHP Remote File Include Generic Exploit

This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following: <?php include($_GET['path']); ?>

vBulletin misc.php Template Name Arbitrary Code Execution

This module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected. CVE-2005-0511 BID-12622 OSVDB-14047

WordPress cache_lastpostdate Arbitrary Code Execution

This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected. CVE-2005-2612 OSVDB-18672 BID-14533

PHP XML-RPC Arbitrary Code Execution

This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. CVE-2005-1921 OSVDB-17793 BID-14088

phpBB viewtopic.php Arbitrary Code Execution

This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive). CVE-2005-2086 CVE-2004-1315 OSVDB-11719 OSVDB-17613 BID-14086 BID-10701

PhpMyAdmin Config File Code Injection

This module exploits a vulnerability in PhpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation. CVE-2009-1151 OSVDB-53076 http://www.milw0rm.com/exploi... http://www.phpmyadmin.net/hom... http://labs.neohapsis.com/200...

QuickTime Streaming Server parse_xml.cgi Remote Execution

The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allow arbitrary commands to be executed as root. OSVDB-10562 BID-6954 CVE-2003-0050

Simple PHP Blog <= 0.4.0 Remote Command Execution

This module combines three separate issues within The Simple PHP Blog (<= 0.4.0) application to upload arbitrary data and thus execute a shell. The first vulnerability exposes the hash file (password.txt) to unauthenticated users. The second vulnerability lies within the image upload system provided to logged-in users; there is no image validation function in the blogger to prevent an authenticated user from uploading any file type. The third vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted. CVE-2005-2733 OSVDB-19012 BID-14667 http://www.milw0rm.com/exploi...

SquirrelMail PGP Plugin command execution (SMTP)

This module exploits a command execution vulnerability in the PGP plugin of SquirrelMail. This flaw was found while quickly grepping the code after release of some information at http://www.wslabi.com/. Later, iDefense published an advisory .... Reading an email in SquirrelMail with the PGP plugin activated is enough to compromise the underlying server. Only "cmd/unix/generic" payloads were tested. CVE-2003-0990 OSVDB-3178 http://lists.immunitysec.com/... http://labs.idefense.com/inte... http://www.wslabi.com/wabisab...

TikiWiki tiki-graph_formula Remote PHP Code Execution

TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input supplied to create_function(), which may allow a remote attacker to execute arbitrary PHP code resulting in a loss of integrity. CVE-2007-5423 OSVDB-40478 BID-26006

TikiWiki jhot Remote Command Execution

TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. The vulnerability was reported in Tikiwiki version 1.9.4. CVE-2006-4602 OSVDB-28456 BID-19819 http://secunia.com/advisories...

TWiki History TWikiUsers rev Parameter Command Execution

This module exploits a vulnerability in the history component of TWiki. By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands. CVE-2005-2877 OSVDB-19403 BID-14834 http://twiki.org/cgi-bin/view...

TWiki Search Function Arbitrary Command Execution

This module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands. CVE-2004-1037 OSVDB-11714 BID-11674 http://twiki.org/cgi-bin/view...

Symantec Alert Management System Intel Alert Originator Service Buffer Overflow

This module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe. When an attacker sends a specially crafted alert, arbitrary code may be executed. CVE-2009-1430 OSVDB-54159 BID-34674

Symantec Remote Management Buffer Overflow

This module exploits a stack buffer overflow in Symantec Client Security 3.0.x. This module has only been tested against Symantec Client Security 3.0.2 build 10.0.2.2000. CVE-2006-2630 OSVDB-25846 BID-18107 http://research.eeye.com/html...

Trend Micro ServerProtect 5.58 Buffer Overflow

This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-1070 OSVDB-33042 BID-22639

Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow

Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow

This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060 EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-2508 OSVDB-35789 BID-23866

Arkeia Backup Client Type 77 Overflow (Win32)

This module exploits a stack buffer overflow in the Arkeia backup client for the Windows platform. This vulnerability affects all versions up to and including 5.3.3. CVE-2005-0491 OSVDB-14011 BID-12594 http://lists.netsys.com/piper...

Energizer DUO Trojan Code Execution

This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger. CVE-2010-0103 OSVDB-62782 US-CERT-VU-154421

Veritas Backup Exec Name Service Overflow

This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6. CVE-2004-1172 OSVDB-12418 BID-11974 http://www.idefense.com/appli...

Veritas Backup Exec Windows Remote Agent Overflow

This module exploits a stack buffer overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack buffer overflow to smash a SEH pointer. CVE-2005-0773 OSVDB-17624 BID-14022 http://www.idefense.com/appli... http://seer.support.veritas.c...

Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow

This module exploits a buffer overflow in Computer Associates BrighStor ARCserve r11.5 (build 3884). By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need set the hostname argument (HNAME). BID-31684 OSVDB-49468 CVE-2008-4397 http://crackinglandia.blogspo...

CA BrightStor Discovery Service TCP Overflow

This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic[at]gmx.net and affects all known versions of the BrightStor product. This module is based on the 'cabrightstor_disco' exploit by Thor Doomen. CVE-2005-2535 OSVDB-13814 BID-12536 http://archives.neohapsis.com... http://milw0rm.com/exploits/1131

CA BrightStor Discovery Service Stack Buffer Overflow

This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack buffer overflow. CVE-2005-0260 OSVDB-13613 BID-12491 http://www.idefense.com/appli...

Computer Associates Alert Notification Buffer Overflow

This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1 By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need valid logon credentials to the target. CVE-2007-4620 OSVDB-44040 BID-28605

CA BrightStor HSM Buffer Overflow

This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-5082 OSVDB-41363 BID-25823

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-0449 OSVDB-31593 BID-22342

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code. CVE-2007-3216 OSVDB-35329 BID-24348

CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0. By sending a specially crafted request to the lic98rmtd.exe service, an attacker could overflow the buffer and execute arbitrary code. CVE-2005-0581 OSVDB-14389 BID-12705

CA BrightStor ArcServe Media Service Stack Buffer Overflow

This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code. CVE-2007-2139 OSVDB-35326 BID-23635 https://www.zerodayinitiative...

CA BrightStor ARCserve Message Engine Buffer Overflow

This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2007-0169 OSVDB-31318 BID-22005

CA BrightStor ARCserve Message Engine Heap Overflow

This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2006-5143 OSVDB-29533 BID-20365

CA BrightStor Agent for Microsoft SQL Overflow

This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net. CVE-2005-1272 OSVDB-18501 BID-14453 http://www.idefense.com/appli... http://www3.ca.com/securityad...

CA BrightStor ARCserve Tape Engine Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. CVE-2006-6076 OSVDB-30637 BID-21221 http://www.milw0rm.com/exploi... http://www.ca.com/us/security...

CA BrightStor Universal Agent Overflow

This module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address. CVE-2005-1018 OSVDB-15471 BID-13102 http://www.idefense.com/appli...

Adobe Flash Player "newfunction" Invalid Pointer Use

This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number. CVE-2010-1297 OSVDB-65141 BID-40586 http://www.adobe.com/support/... http://feliam.wordpress.com/2...

Adobe FlateDecode Stream Predictor 02 Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2. CVE-2009-3459 BID-36600 OSVDB-58729 http://blogs.adobe.com/psirt/... http://www.adobe.com/support/... http://www.fortiguard.com/ana...

Adobe Collab.getIcon() Buffer Overflow

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted pdf that a contains malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code. CVE-2009-0927 OSVDB-53647 http://www.zerodayinitiative....

Adobe JBIG2Decode Memory Corruption Exploit

This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon javascript for the heap spray. CVE-2009-0658 OSVDB-52073 http://bl4cksecurity.blogspot...

Adobe Doc.media.newPlayer Use After Free Vulnerability

This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. CVE-2009-4324 BID-37331 OSVDB-60980

Adobe util.printf() Buffer Overflow

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf() entry, an attacker may be able to execute arbitrary code. CVE-2008-2992 OSVDB-49520

AOL Instant Messenger goaway Overflow

This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying a overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. CVE-2004-0636 OSVDB-8398 BID-10889 http://www.idefense.com/appli...

Amaya Browser v11.0 bdo tag overflow

This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the "bdo" tag, an attacker may be able to execute arbitrary code. CVE-2009-0323 OSVDB-55721 BID-33046, 33047

AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow

This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. By setting an overly long value to 'ConvertFile()', an attacker can overrun a buffer and execute arbitrary code. OSVDB-54706 BID-35028 http://www.milw0rm.com/exploi...

America Online ICQ ActiveX Control Arbitrary File Download and Execute.

This module allows remote attackers to download and execute arbitrary files on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control. CVE-2006-5650 OSVDB-30220 BID-20930 http://www.zerodayinitiative....

Apple ITunes 4.7 Playlist Buffer Overflow

This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'. CVE-2005-0043 OSVDB-12833 BID-12238

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime. CVE-2010-1818 OSVDB-67705 http://reversemode.com/index....

Apple QuickTime 7.1.3 RTSP URI Buffer Overflow

This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin. CVE-2007-0015 OSVDB-31023 BID-21829 http://projects.info-pull.com...

Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow

This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message. CVE-2010-1799 OSVDB-66636 BID-41962 http://secunia.com/advisories... http://support.apple.com/kb/H...

Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. An attacker may be able to excute arbitrary code by sending an overly long string to the "ShortFormat()" method in askbar.dll. CVE-2007-5107 OSVDB-37735 http://wslabi.com/wabisabilab...

AtHocGov IWSAlerts ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll (6.1.4.36) an attacker may be able to execute arbitrary code. This vulnerability was silently patched by the vendor. http://www.athoc.com/products...

Autodesk IDrop ActiveX Control Heap Memory Corruption

This module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties. OSVDB-53265 BID-34352 http://www.milw0rm.com/exploi... http://marc.info/?l=full-disc...

SonicWALL Aventail epi.dll AuthCredential Format String Exploit

This module exploits a format string vulnerability within version 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control (epi.dll). By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory corruption and execute arbitrary code. Unfortunately, it does not appear to be possible to indirectly re-use existing stack data for more reliable exploitation. This is due to several particulars about this vulnerability. First, the format string must be a Unicode string, which uses two bytes per character. Second, the buffer is allocated on the stack using the 'alloca' function. As such, each additional format specifier (%x) will add four more bytes to the size allocated. This results in the inability to move the read pointer outside of the buffer. Further testing showed that using specifiers that pop more than four bytes does not help. Any number of format specifiers will result in accessing the same value within the buffer. NOTE: It may be possible to leverage the vulnerability to leak memory contents. However, that has not been fully investigated at this time. OSVDB-67286 http://sotiriu.de/adv/NSOADV-...

AwingSoft Winds3D Player SceneURL Buffer Overflow

This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code. CVE-2009-4588 OSVDB-60017 http://www.milw0rm.com/exploi... http://www.shinnai.net/exploi... http://www.rec-sec.com/2009/0...

AwingSoft Winds3D Player 3.5 SceneURL Download and Execute

This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL to an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3. CVE-2009-4850 OSVDB-60049

BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow

This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing an overly long string to the method "OnBeforeVideoDownload" an attacker can execute arbitrary code. CVE-2009-1612 OSVDB-54169 BID-34789 http://www.exploit-db.com/exp...

RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow

This module exploits a stack buffer overflow in RKD Software Barcode Application ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code. http://www.milw0rm.com/exploi... OSVDB-37482 BID-24596 CVE-2007-3435

CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow

The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVE-2008-1472 OSVDB-43214

Chilkat Crypt ActiveX WriteFile Unsafe Method

This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing with Administrator. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0. CVE-2008-5002 OSVDB-49510 BID-32073 http://www.exploit-db.com/exp...

CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow

This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll ActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly long string to the "AddAttachments()" method, an attacker may be able to execute arbitrary code. OSVDB-64839 http://www.exploit-db.com/exp...

Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code. CVE-2008-0955 OSVDB-45655

Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution

This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to local files! CVE-2009-2011 BID-35273 OSVDB-54969 http://www.exploit-db.com/exp... http://dxstudio.com/guide.aspx

Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code. CVE-2007-4466 OSVDB-37723

FlipViewer FViewerLoading ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0. The vulnerability is caused due to a boundary error in the FViewerLoading (FlipViewerX.dll) ActiveX control when handling the "LoadOpf()" method. CVE-2007-2919 OSVDB-37042 BID-24328

EnjoySAP SAP GUI ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending an overly long string to the "PrepareToPostHTML()" method, an attacker may be able to execute arbitrary code. CVE-2007-3605 OSVDB-37690 BID-24772

Facebook Photo Uploader 4 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the "ExtractIptc()" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code. CVE-2008-5711 OSVDB-41073 BID-27534 http://milw0rm.com/exploits/5049

GOM Player ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in GOM Player 2.1.6.3499. By sending an overly long string to the "OpenUrl()" method located in the GomWeb3.dll Control, an attacker may be able to execute arbitrary code. CVE-2007-5779 OSVDB-38282 http://secunia.com/advisories...

Green Dam URL Processing Buffer Overflow

This module exploits a stack-based buffer overflow in Green Dam Youth Escort version 3.17 in the way it handles overly long URLs. By setting an overly long URL, an attacker can overrun a buffer and execute arbitrary code. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR. OSVDB-55126 http://www.cse.umich.edu/~jha... http://www.milw0rm.com/exploi... http://taossa.com/archive/bh0...

Persits XUpload ActiveX AddFile Buffer Overflow

This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code. CVE-2008-0492 OSVDB-40762 BID-27456 http://www.milw0rm.com/exploi... http://lists.grok.org.uk/pipe...

HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow

This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code. CVE-2007-6530 OSVDB-39901 BID-27025 http://lists.grok.org.uk/pipe...

HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow

This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code. CVE-2007-1819 OSVDB-34317 BID-23239 http://labs.idefense.com/inte...

Hyleos ChemView ActiveX Control Stack Buffer Overflow

This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code. CVE-2010-0679 OSVDB-62276 http://www.security-assessmen... http://www.exploit-db.com/exp...

IBM Access Support ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in IBM Access Support. When sending an overly long string to the GetXMLValue() method of IbmEgath.dll (3.20.284.0) an attacker may be able to execute arbitrary code. CVE-2009-0215 OSVDB-52958 BID-34228

IBM Lotus Domino Web Access Upload Module Buffer Overflow

This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code. CVE-2007-4474 OSVDB-40954 BID-26972 http://milw0rm.com/exploits/4820

Internet Explorer COM CreateObject Code Execution

This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. MSB-MS06-014 CVE-2006-0003 OSVDB-24517 MSB-MS06-073 CVE-2006-4704 OSVDB-30155

Internet Explorer isComponentInstalled Overflow

This module exploits a stack buffer overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC. CVE-2006-1016 OSVDB-31647 BID-16870

Internet Explorer Unsafe Scripting Misconfiguration

This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows javascript to interact with the file system and run commands. This security flaw is not uncommon in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to save binary data to the file system, ADODB.Stream access is required, which in IE7 will trigger a cross domain access violation. As such, we write the code to a .vbs file and execute it from there, where no such restrictions exist. When set via domain policy, the most common registry entry to modify is HKLM\ Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not marked safe for scripting to be enabled for the Intranet zone. This module creates a javascript/html hybrid that will render correctly either via a direct GET http://msf-server/ or as a javascript include, such as in: http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js> </script>. http://support.microsoft.com/... http://blog.invisibledenizen....

Sun Java Web Start Plugin Command Line Argument Injection

This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. CVE-2010-0886 OSVDB-63648 BID-39346 http://archives.neohapsis.com... http://www.reversemode.com/in...

Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the JuniperSetupDLL.dll library which is called by the JuniperSetup.ocx ActiveX control, as part of the Juniper SSL-VPN (IVE) appliance. By specifying an overly long string to the ProductName object parameter, the stack is overwritten. CVE-2006-2086 OSVDB-25001 BID-17712 http://archives.neohapsis.com...

Kazaa Altnet Download Manager ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. By sending a overly long string to the "Install()" method, an attacker may be able to execute arbitrary code. CVE-2007-5217 OSVDB-37785 http://secunia.com/advisories...

Logitech VideoCall ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the "Start()" method, an attacker may be able to execute arbitrary code. CVE-2007-2918 OSVDB-36820 BID-24254

iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When sending an overly long string to the URL() property an attacker may be able to execute arbitrary code. CVE-2008-4384 OSVDB-48946 US-CERT-VU-848873 BID-31604

Macrovision InstallShield Update Service Buffer Overflow

This module exploits a stack buffer overflow in Macrovision InstallShield Update Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to the DownloadAndExecute method, an attacker may be able to execute arbitrary code. CVE-2007-5660 OSVDB-38347 http://lists.grok.org.uk/pipe...

Macrovision InstallShield Update Service ActiveX Unsafe Method

This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008. CVE-2007-5660 OSVDB-38347 BID-26280

McAfee Subscription Manager Stack Buffer Overflow

This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye. CVE-2006-3961 OSVDB-27698 BID-19265 http://lists.grok.org.uk/pipe...

McAfee Visual Trace ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the "TraceTarget()" method, an attacker may be able to execute arbitrary code. CVE-2006-6707 OSVDB-32399 http://secunia.com/advisories...

mIRC IRC URL Buffer Overflow

This module exploits a stack buffer overflow in mIRC 6.1. By submitting an overly long and specially crafted URL to the 'irc' protocol, an attacker can overwrite the buffer and control program execution. CVE-2003-1336 OSVDB-2665 BID-8819

MS03-020 Internet Explorer Object Type

This module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute. CVE-2003-0344 OSVDB-2967 BID-7806 MSB-MS03-020

Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution

This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request. CVE-2005-4560 OSVDB-21987 MSB-MS06-001 BID-16074 http://www.microsoft.com/tech... http://wvware.sourceforge.net... http://www.geocad.ru/new/site...

Internet Explorer createTextRange() Code Execution

This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined. CVE-2006-1359 OSVDB-24050 MSB-MS06-013 BID-17196 US-CERT-VU-876678 http://secunia.com/secunia_re... http://seclists.org/lists/bug... http://seclists.org/lists/ful... http://www.shog9.com/crashIE....

Internet Explorer VML Fill Method Code Execution

This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2. CVE-2006-4868 OSVDB-28946 MSB-MS06-055 BID-20096

Internet Explorer WebViewFolderIcon setSlice() Overflow

This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). CVE-2006-3730 OSVDB-27110 MSB-MS06-057 BID-19030 http://browserfun.blogspot.co...

Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability

This module exploits a heap overflow vulnerability in the KeyFrame method of the direct animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov. CVE-2006-4777 OSVDB-28842 BID-20047 MSB-MS06-067 https://www.blackhat.com/pres...

Internet Explorer XML Core Services HTTP Request Handling

This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modifed version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. CVE-2006-5745 OSVDB-29425 MSB-MS06-071 BID-20915

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. CVE-2007-0038 OSVDB-33629 BID-23194 MSB-MS07-017 http://www.microsoft.com/tech... http://www.determina.com/secu...

Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download

This module allows remote attackers to place arbitrary files on a users file system via the Microsoft Office Snapshot Viewer ActiveX Control. CVE-2008-2463 OSVDB-46749 MSB-MS08-041 BID-30114

Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow

This module exploits a stack buffer overflow in Windows Media Encoder 9. When sending an overly long string to the GetDetailsString() method of wmex.dll an attacker may be able to execute arbitrary code. CVE-2008-3008 OSVDB-47962 BID-31065 MSB-MS08-053

Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow.

This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code. CVE-2008-3704 OSVDB-47475 BID-30674 MSB-MS08-070

Internet Explorer Data Binding Memory Corruption

This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there. CVE-2008-4844 OSVDB-50622 BID-32721 MSB-MS08-078 http://www.microsoft.com/tech... http://taossa.com/archive/bh0...

Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption

This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim. CVE-2009-0075 OSVDB-51839 MSB-MS09-002

Microsoft OWC Spreadsheet HTMLURL Buffer Overflow

This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the "HTMLURL" parameter an attacker can execute arbitrary code. CVE-2009-1534 OSVDB-56916 BID-35992 MSB-MS09-043 http://labs.idefense.com/inte...

Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild. CVE-2009-1136 OSVDB-55806 MSB-MS09-043 http://ahmed.obied.net/softwa... http://www.exploit-db.com/exp... http://www.microsoft.com/tech...

Internet Explorer Style getElementsByTagName Memory Corruption

This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer. MSB-MS09-072 CVE-2009-3672 OSVDB-50622 BID-37085 http://www.microsoft.com/tech... http://taossa.com/archive/bh0...

Internet Explorer "Aurora" Memory Corruption

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that lead to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited. MSB-MS10-002 CVE-2010-0249 OSVDB-61697 http://www.microsoft.com/tech... http://wepawet.iseclab.org/vi...

Internet Explorer DHTML Behaviors Use After Free

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected. CVE-2010-0806 OSVDB-62810 BID-38615 http://www.microsoft.com/tech... http://www.avertlabs.com/rese... http://eticanicomana.blogspot... MSB-MS10-018

Internet Explorer Tabular Data Control ActiveX Memory Corruption

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code. CVE-2010-0805 OSVDB-63329 BID-39025 http://www.zerodayinitiative.... MSB-MS10-018

Internet Explorer Winhlp32.exe MsgBox Code Execution

This module exploits a code execution vulnerability that occurs when a user presses F1 on MessageBox originated from VBscript within a web page. When the user hits F1, the MessageBox help functionaility will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve HLP file as well as a payload EXE. During testing warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning. CVE-2010-0483 OSVDB-62632 MSB-MS10-023 http://www.microsoft.com/tech... http://blogs.technet.com/msrc... http://isec.pl/vulnerabilitie...

Microsoft Help Center XSS and Command Execution

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to "none" or "player". CVE-2010-1885 OSVDB-65264 http://lock.cmpxchg8b.com/b10... http://www.microsoft.com/tech... MSB-MS10-042

Microsoft Windows Shell LNK Code Execution

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path. CVE-2010-2568 OSVDB-66387 MSB-MS10-046 http://www.microsoft.com/tech...

Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption

This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid CVE-2008-0015 OSVDB-55651 BID-35558 MSB-MS09-032 MSB-MS09-037 http://www.microsoft.com/tech...

Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to CheckForUpdates() method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code. CVE-2007-2238 OSVDB-53933 http://technet.microsoft.com/...

NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow

This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending a overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code. CVE-2007-0018 OSVDB-32032 BID-22196 US-CERT-VU-292713 http://lists.grok.org.uk/pipe...

Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Norton AntiSpam 2004. When sending an overly long string to the LaunchCustomRuleWizard() method of symspam.dll (2004.1.0.147) an attacker may be able to execute arbitrary code. CVE-2004-0363 OSVDB-6249 BID-9916

Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004. By sending a overly long string to the "Get()" method, an attacker may be able to execute arbitrary code. CVE-2007-1689 OSVDB-36164 http://securityresponse.syman...

Novell iPrint Client ActiveX Control Date/Time Buffer Overflow

This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability. CVE-2009-1569 BID-37242 OSVDB-60804 http://secunia.com/advisories...

Novell iPrint Client ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Novell iPrint Client 4.26. When sending an overly long string to the ExecuteRequest() property of ienipp.ocx an attacker may be able to execute arbitrary code. CVE-2008-0935 OSVDB-42063 BID-27939

Novell iPrint Client ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When sending an overly long string to the GetDriverSettings() property of ienipp.ocx an attacker may be able to execute arbitrary code. CVE-2008-2908 OSVDB-46194 http://secunia.com/advisories...

Novell iPrint Client ActiveX Control target-frame Buffer Overflow

This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the "target-frame" parameter to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability. CVE-2009-1568 BID-37242 OSVDB-60803 http://secunia.com/advisories...

Oracle Document Capture 10g ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third party ActiveX control emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress" an attacker may be able to execute arbitrary code. CVE-2007-4607 OSVDB-38335 BID-25467 US-CERT-VU-281977

Orbit Downloader Connecting Log Creation Buffer Overflow

This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an attacker serves up a malicious web site, abritrary code may be executed. The PAYLOAD windows/shell_bind_tcp works best. CVE-2009-0187 OSVDB-52294 BID-33894

Persits XUpload ActiveX MakeHttpRequest Directory Traversal

This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing a string containing "..\" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler since a user would have to log for the payloda to execute. CVE-2009-3693 OSVDB-60001 http://retrogod.altervista.or...

RealPlayer rmoc3260.dll ActiveX Control Heap Corruption

This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code. CVE-2008-1309 OSVDB-42946 BID-28157 http://secunia.com/advisories...

RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow

This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()" method, an attacker may be able to execute arbitrary code. CVE-2007-5601 OSVDB-41430 BID-26130

RealNetworks RealPlayer SMIL Buffer Overflow

This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584. CVE-2005-0455 OSVDB-14305 BID-12698

Roxio CinePlayer ActiveX Control Buffer Overflow

This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to 'DiskType', an attacker can overrun a buffer and execute arbitrary code. CVE-2007-1559 OSVDB-34779 BID-23412

SAP AG SAPgui EAI WebViewer3D Buffer Overflow

This module exploits a stack buffer overflow in Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled with SAPgui. When passing an overly long string the SaveViewToSessionFile() method, arbitrary code may be executed. CVE-2007-4475 OSVDB-53066 US-CERT-VU-985449

SoftArtisans XFile FileManager ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method an attacker may be able to execute arbitrary code. CVE-2007-1682 OSVDB-47794 US-CERT-VU-914785 BID-30826

SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender. By sending an overly long string to the "AddRouteEntry()" method located in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute arbitrary code. CVE-2007-5603 OSVDB-39069 http://www.sec-consult.com/30...

Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute.

This module allows remote attackers to install and execute arbitrary files on a users file system via AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3. BID-36346 CVE-2009-3028 OSVDB-57893

Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution. When sending an overly long string to RunCmd() method of AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary code. CVE-2009-3033 BID-37092 OSVDB-60496

Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute.

This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the "installAppMgr()" method. The insecure method can be exploited to download and execute arbitrary files in the context of the currently logged-on user. CVE-2008-4388 OSVDB-51410

Symantec BackupExec Calendar Control Buffer Overflow

This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code. CVE-2007-6016 OSVDB-42358 BID-26904 http://secunia.com/advisories...

Symantec ConsoleUtilities ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Symantecs ConsoleUtilities. By sending an overly long string to the "BrowseAndSaveFile()" method located in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to execute arbitrary code CVE-2009-3031 OSVDB-59597 BID-36698 http://sotiriu.de/adv/NSOADV-... http://www.symantec.com/busin...

Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method

This module allows attackers to execute code via an unsafe method in Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0) CVE-2008-4385 OSVDB-50122 US-CERT-VU-166651

Trend Micro OfficeScan Client ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the "CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code. CVE-2007-0325 OSVDB-33040 BID-22585

Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed SecureTransport suite. By sending an overly long string to the TransferFile() 'remotefile' function, an attacker may be able to execute arbitrary code. CVE-2008-1724 OSVDB-44252 http://www.aushack.com/200708...

Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow

This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified. CVE-2008-3878 OSVDB-47866 BID-30861 http://www.exploit-db.com/exp...

VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow

The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. CVE-2008-5492 OSVDB-49871 BID-32313

WebDAV Application DLL Hijacker

This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type. http://blog.zoller.lu/2010/08... http://www.acrossecurity.com/...

WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow

This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers. To quote iDefense's advisory, "Before this issue was publicly reported, at least three independent security researchers had knowledge of this issue; thus, it is reasonable to believe that even more people were aware of this issue before disclosure." NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified. CVE-2008-3558 OSVDB-47344 BID-30578 http://www.exploit-db.com/exp... http://labs.idefense.com/inte... http://www.trapkit.de/advisor... http://tk-blog.blogspot.com/2... http://archives.neohapsis.com... http://www.cisco.com/en/US/pr...

Winamp Playlist UNC Path Computer Name Overflow

This module exploits a vulnerability in the Winamp media player. This flaw is triggered when a audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12. CVE-2006-0476 OSVDB-22789 BID-16410

Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow

This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be exploited from the browser or the winamp client itself. CVE-2008-0065 OSVDB-41707 BID-27344

WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX control in InterVideo WinDVD 7. By sending a overly long string to the "ApplicationType()" property, an attacker may be able to execute arbitrary code. CVE-2007-0348 OSVDB-34315 BID-23071

WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow

The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a remote attacker to execute arbitrary code on the system. The control contains several unsafe methods and is marked safe for scripting and safe for initialization. A remote attacker could exploit this vulnerability to execute arbitrary code on the victim system. WinZip 10.0 <= Build 6667 are vulnerable. CVE-2006-5198 OSVDB-30433 BID-21060

XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow

This module exploits a stack buffer overflow in XMPlay 3.3.0.4. The vulnerability is caused due to a boundary error within the parsing of playlists containing an overly long file name. This module uses the ASX file format. CVE-2006-6063 OSVDB-30537 BID-21206 http://secunia.com/advisories...

Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. CVE-2007-4515 OSVDB-37739 BID-25494 http://labs.idefense.com/inte...

Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending a overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yield for the best results. CVE-2007-3147 OSVDB-37082 http://lists.grok.org.uk/pipe...

Zenturi ProgramChecker ActiveX Control Arbitrary File Download.

This module allows remote attackers to place arbitrary files on a users file system via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control. CVE-2007-2987 OSVDB-36715 BID-24217

Microsoft RPC DCOM Interface Overflow

This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :) CVE-2003-0352 OSVDB-2100 MSB-MS03-026 BID-8205

Microsoft Message Queueing Service Path Overflow

This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website. CVE-2005-0059 OSVDB-15458 MSB-MS05-017 BID-13112

Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)

Microsoft Message Queueing Service DNS Name Path Overflow

This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS server, only configured on the target machine. CVE-2007-3039 OSVDB-39123 MSB-MS07-065

Broadcom Wireless Driver Probe Response SSID Overflow

This module exploits a stack buffer overflow in the Broadcom Wireless driver that allows remote code execution in kernel mode by sending a 802.11 probe response that contains a long SSID. The target MAC address must be provided to use this exploit. The two cards tested fell into the 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-5882 OSVDB-30294 http://projects.info-pull.com...

D-Link DWL-G132 Wireless Driver Beacon Rates Overflow

This module exploits a stack buffer overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then accessing the Windows wireless network browser and forcing it to refresh. D-Link was NOT contacted about this flaw. A search of the SecurityFocus database indicates that D-Link has not provided an official patch or solution for any of the seven flaws listed at the time of writing: (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the DWL-G132 driver (v1.21). This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-6055 OSVDB-30296 http://projects.info-pull.com... ftp://ftp.dlink.com/Wireless/...

NetGear WG111v2 Wireless Driver Long Beacon Overflow

This module exploits a stack buffer overflow in the NetGear WG111v2 wireless device driver. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains more than 1100 bytes worth of information elements. This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:18:4d:02:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then unplugging and reinserting the USB card. The exploit can take up to a minute to execute the payload, depending on system activity. NetGear was NOT contacted about this flaw. A search of the SecurityFocus database indicates that NetGear has not provided an official patch or solution for any of the thirty flaws listed at the time of writing. This list includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270, 7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837, 16835, 19468, and 19973. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. CVE-2006-5972 OSVDB-30473 http://projects.info-pull.com...

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. MSB-MS07-017 CVE-2007-0038 CVE-2007-1765 OSVDB-33629 BID-23194 http://www.microsoft.com/tech... http://www.determina.com/secu... http://www.determina.com/secu...

Outlook ATTACH_BY_REF_ONLY File Execution

It has been discovered that certain e-mail message cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also file stored remotely for example on a file share. Exploitation is limited by the fact that its is not possible for attackers to supply command line options. MSB-MS10-045 CVE-2010-0266 OSVDB-66296 BID-41446 http://www.akitasecurity.nl/a...

Outlook ATTACH_BY_REF_RESOLVE File Execution

EMC AlphaStor Agent Buffer Overflow

This module exploits a stack buffer overflow in EMC AlphaStor 3.1. By sending a specially crafted message, an attacker may be able to execute arbitrary code. CVE-2008-2158 OSVDB-45714 http://labs.idefense.com/inte...

A-PDF WAV to MP3 v1.0.0 Buffer Overflow

This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-67241 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

ACDSee XPM File Section Buffer Overflow

This module exploits a buffer overflow in ACDSee 9.0. When viewing a malicious XPM file with the ACDSee product, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2007-2193 OSVDB-35236 BID-23620

activePDF WebGrabber ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. OSVDB-64579 http://www.activepdf.com/prod...

Adobe Collab.collectEmailInfo() Buffer Overflow

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code. CVE-2007-5659 OSVDB-41495

Adobe Flash Player "newfunction" Invalid Pointer Use

Adobe FlateDecode Stream Predictor 02 Integer Overflow

Adobe Collab.getIcon() Buffer Overflow

Adobe Illustrator CS4 v14.0.0

Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) overlong DSC Comment Buffer Overflow Exploit CVE-2009-4195 BID-37192 OSVDB-60632 http://retrogod.altervista.or... http://www.exploit-db.com/exp...

Adobe JBIG2Decode Memory Corruption Exploit

Adobe Acrobat Bundled LibTIFF Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3. CVE-2010-0188 BID-38195 OSVDB-62526 http://www.adobe.com/support/... http://secunia.com/blog/76/ http://bugix-security.blogspo...

Adobe Doc.media.newPlayer Use After Free Vulnerability

This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. CVE-2009-4324 BID-37331 OSVDB-60980

Adobe PDF Embedded EXE Social Engineering

This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. CVE-2010-1240 OSVDB-63667 http://blog.didierstevens.com... http://blog.didierstevens.com... http://blog.didierstevens.com...

Adobe PDF Escape EXE Social Engineering (No JavaScript)

This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack. CVE-2010-1240 OSVDB-63667 http://blog.didierstevens.com... http://blog.didierstevens.com... http://blog.didierstevens.com...

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.2, and < 9.3. By creating a specially crafted pdf that a contains malformed U3D data, an attacker may be able to execute arbitrary code. CVE-2009-3953 OSVDB-61690 http://www.adobe.com/support/...

Adobe util.printf() Buffer Overflow

Altap Salamander 2.5 PE Viewer Buffer Overflow

This module exploits a buffer overflow in Altap Salamander <= v2.5. By creating a malicious file and convincing a user to view the file with the Portable Executable Viewer plugin within a vulnerable version of Salamander, the PDB file string is copied onto the stack and the SEH can be overwritten. CVE-2007-3314 BID-24557 OSVDB-37579 http://vuln.sg/salamander25-e...

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to 'Import()', an attacker can overrun a buffer and execute arbitrary code. NOTE: This ActiveX control is NOT marked safe for scripting or initialization. OSVDB-61964 http://www.exploit-db.com/exp... http://www.rec-sec.com/2010/0...

Audio Workstation 6.4.2.4.3 pls Buffer Overflow

This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2009-0476 OSVDB-55424 http://www.exploit-db.com/exp...

Audiotran 1.4.1 (PLS File) Stack Buffer Overflow

This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extention is registered to Audiotran. This functionality has not been tested in this module. CVE-2009-0476 OSVDB-55424 http://www.exploit-db.com/exp...

BlazeDVD 5.1 PLF Buffer Overflow

This module exploits a stack over flow in BlazeDVD 5.1. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code. CVE-2006-6199 OSVDB-30770 BID-35918

CA Antivirus Engine CAB Buffer Overflow

This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. By creating a specially crafted CAB file, an an attacker may be able to execute arbitrary code. CVE-2007-2864 OSVDB-35245 BID-24330 http://www.zerodayinitiative....

Cain & Abel <= v4.9.24 RDP Buffer Overflow.

This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24 and below. An attacker must send the file to victim, and the victim must open the specially crafted RDP file under Tools -> Remote Desktop Password Decoder. CVE-2008-5405 OSVDB-50342 http://www.milw0rm.com/exploi... BID-32543

AstonSoft DeepBurner (DBR File) Path Buffer Overflow

This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc). An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded DBR file within a browser, since the DBR extention is registered to DeepBurner. BID-21657 OSVDB-32356 CVE-2006-6665 http://milw0rm.com/exploits/2950 http://milw0rm.com/exploits/8335 http://www.exploit-db.com/exp...

Destiny Media Player 1.61 PLS M3U Buffer Overflow

This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61. An attacker must send the file to victim and the victim must open the file. File-->Open Playlist CVE-2009-3429 OSVDB-53249 http://www.milw0rm.com/exploi... BID-33091

DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow

This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. CVE-2008-4922 OSVDB-49592 BID-31987

EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control (KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's Documentation ApplicationXtender 5.4. OSVDB-58423 BID-36546

CA eTrust PestPatrol ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. CVE-2009-4225 OSVDB-60862 http://www.my-etrust.com/Exte...

Free Download Manager Torrent Parsing Buffer Overflow

This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file. CVE-2009-0184 OSVDB-54033 BID-33555 http://freedownload.svn.sourc... http://freedownload.svn.sourc... http://secunia.com/secunia_re... http://downloads.securityfocu...

FeedDemon <= 3.1.0.12 Stack Buffer Overflow

This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application is used to import a specially crafted opml file, a buffer overflow occurs allowing arbitrary code execution. All versions are suspected to be vulnerable. This vulnerability was originally reported against version 2.7 in February of 2009. CVE-2009-0546 OSVDB-51753 BID-33630 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

gAlan 0.2.1 Buffer Overflow Exploit

This module exploits a stack buffer overflow in gAlan 0.2.1 By creating a specially crafted galan file, an an attacker may be able to execute arbitrary code. OSVDB-60897 http://www.exploit-db.com/exp...

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit

This module exploits a stack buffer overflow in HTML Help Workshop 4.74 By creating a specially crafted hhp file, an an attacker may be able to execute arbitrary code. CVE-2006-0564 OSVDB-22941 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit

This module exploits a stack buffer overflow in HTML Help Workshop 4.74 By creating a specially crafted hhp file, an an attacker may be able to execute arbitrary code. CVE-2009-0133 BID-33189 OSVDB-22941 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow

This module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file. CVE-2009-2485 OSVDB-55449 http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

PointDev IDEAL Migration Buffer Overflow

This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH CVE-2009-4265 OSVDB-60681 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

McAfee Remediation Client ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When sending an overly long string to the DeleteSnapshot() method of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. http://www.metasploit.com

Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)

This module exploits a stack buffer overflow in Media Jukebox 8.0.400 By creating a specially crafted m3u or pls file, an an attacker may be able to execute arbitrary code. OSVDB-55924 CVE-2009-2650

Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow

This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio. This functionality has not been tested in this module. OSVDB-56574 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

Mini-Stream 3.0.1.1 Buffer Overflow Exploit

This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1 By creating a specially crafted pls file, an an attacker may be able to execute arbitrary code. OSVDB-61341 http://www.exploit-db.com/exp...

Microsoft Excel Malformed FEATHEADER Record Vulnerability

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code exection. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing. CVE-2009-3129 OSVDB-59860 MSB-MS09-067 BID-36945 http://www.zerodayinitiative.... http://labs.idefense.com/inte...

Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow

This module exploits a stack buffer overflow vulnerability in the handling of the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft, the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as Office 2004 for Mac, are vulnerable. NOTE: The vulnerable code path is not reachable on versions of Windows prior to Windows Vista. CVE-2010-0033 OSVDB-62241 MSB-MS10-004 http://www.zerodayinitiative.... http://www.snoop-security.com...

Microsoft Visual Basic VBP Buffer Overflow

This module exploits a stack oveflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code. CVE-2007-4776 OSVDB-36936 BID-25629

Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit

The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker to execute arbitrary code on a system. By passing a negative integer to the WksPictureInterface method, an attacker could execute arbitrary code on the system with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6. This control is not marked safe for scripting, please choose your attack vector carefully. CVE-2008-1898 OSVDB-44458

Steinberg MyMP3Player 3.0 Buffer Overflow

This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When the application is used to open a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-64580 http://www.exploit-db.com/exp...

Orbital Viewer ORB File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file. BID-38436 OSVDB-62580 CVE-2010-0688 http://www.corelan.be:8800/in... http://www.exploit-db.com/exp...

ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow

This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to victim and the victim must open the file. CVE-2009-3214 OSVDB-57226 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

SafeNet SoftRemote GROUPNAME Buffer Overflow

This module exploits a stack buffer overflow in SafeNet SoftRemote Security Policy Editor <= 10.8.5. When an attacker creates a specially formatted security policy with an overly long GROUPNAME argument, it is possible to execute arbitrary code. CVE-2009-3861 OSVDB-59660 http://www.senseofsecurity.co...

SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow

The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user. This control is not marked safe for scripting, please choose your attack vector carefully. CVE-2008-6898 OSVDB-55945 BID-33053

S.O.M.P.L 1.0 Player Buffer Overflow

This module exploits a buffer overflow in Simple Open Music Player v1.0. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-64368 http://www.exploit-db.com/exp...

UltraISO CCD File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CCD file. NOTE: A file with the same base name, but the extension of "img" must also exist. Opening either file will trigger the vulnerability, but the files must both exist. CVE-2009-1260 OSVDB-53275 BID-34363 BID-38613 http://www.exploit-db.com/exp...

UltraISO CUE File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of "bin" must also exist. Opening either file will trigger the vulnerability, but the files must both exist. CVE-2007-2888 OSVDB-36570 BID-24140 http://www.exploit-db.com/exp...

URSoft W32Dasm Disassembler Function Buffer Overflow

This module exploits a buffer overflow in W32Dasm <= v8.93. By creating a malicious file and convincing a user to disassemble the file with a vulnerable version of W32Dasm, the Imports/Exports function is copied to the stack and arbitrary code may be executed locally as the user. CVE-2005-0308 OSVDB-13169 BID-12352 http://aluigi.altervista.org/...

VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow

This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN. An attacker must send the file to victim and the victim must open the file. OSVDB-63067 BID-38815 http://www.exploit-db.com/exp...

VideoLAN VLC TiVo Buffer Overflow

This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By creating a malicious TY file, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2008-4654 OSVDB-49181 BID-31813

VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow

This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This payload was found to work with the windows/exec and windows/meterpreter/reverse_tcp payloads. However, the windows/meterpreter/reverse_ord_tcp was found not to work. BID-35500 OSVDB-55509 CVE-2009-2484 http://git.videolan.org/?p=vl... http://milw0rm.com/exploits/9209 http://www.exploit-db.com/exp...

VUPlayer CUE Buffer Overflow

This module exploits a stack over flow in VUPlayer <= 2.49. When the application is used to open a specially crafted cue file, an buffer is overwritten allowing for the execution of arbitrary code. OSVDB-64581 BID-33960

VUPlayer M3U Buffer Overflow

This module exploits a stack over flow in VUPlayer <= 2.49. When the application is used to open a specially crafted m3u file, an buffer is overwritten allowing for the execution of arbitrary code. CVE-2006-6251 OSVDB-31710

WM Downloader 3.1.2.2 Buffer Overflow

This module exploits a buffer overflow in WM Downloader v3.1.2.2. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. OSVDB-66911 http://www.exploit-db.com/exp...

Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)

This module exploits a stack buffer overflow in Xenorate 2.50 By creating a specially crafted xpl file, an an attacker may be able to execute arbitrary code. OSVDB-57162 http://www.exploit-db.com/exp...

Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow.

This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extention is registered to Zinf. This functionality has not been tested in this module. CVE-2004-0964 OSVDB-10416 http://www.milw0rm.com/exploi... BID-11248

ISS PAM.dll ICQ Parser Buffer Overflow

This module exploits a stack buffer overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times. CVE-2004-0362 OSVDB-4355 http://www.eeye.com/html/Rese... http://xforce.iss.net/xforce/...

Kerio Firewall 2.1.4 Authentication Packet Overflow

This module exploits a stack buffer overflow in Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4). CVE-2003-0220 OSVDB-6294 BID-7180 http://www1.corest.com/common...

3Com 3CDaemon 2.0 FTP Username Overflow

This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow. CVE-2005-0277 OSVDB-12810 OSVDB-12811 BID-12155 ftp://ftp.3com.com/pub/utilbi...

Cesar FTP 0.99g MKD Command Buffer Overflow

This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g. You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully. CVE-2006-2961 OSVDB-26364 BID-18586 http://secunia.com/advisories...

BolinTech Dream FTP Server 1.02 Format String

This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined. CVE-2004-2074 OSVDB-4986 BID-9800 http://www.milw0rm.com/exploi...

Easy File Sharing FTP Server 2.0 PASS Overflow

This module exploits a stack buffer overflow in the Easy File Sharing 2.0 service. By sending an overly long password, an attacker can execute arbitrary code. CVE-2006-3952 OSVDB-27646 BID-19243

EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. OSVDB-62134 http://paulmakowski.wordpress... http://paulmakowski.wordpress... http://seclists.org/bugtraq/2... http://code.google.com/p/easy... https://tegosecurity.com/etc/... http://www.securityfocus.com/...

EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. credit goes to Karn Ganeshan. NOTE: Although, this is likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit, it uses a slightly different vector. OSVDB-62134 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. OSVDB-62134 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

FileCopa FTP Server pre 18 Jul Version

This module exploits the buffer overflow found in the LIST command in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch CVE-2006-3726 OSVDB-27389 BID-19065

freeFTPd 1.0 Username Overflow

This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default). CVE-2005-3683 OSVDB-20909 BID-15457 http://lists.grok.org.uk/pipe...

GlobalSCAPE Secure FTP Server Input Overflow

This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account ( or anonymous access) is required for this exploit to work. CVE-2005-1415 OSVDB-16049 BID-13454 http://archives.neohapsis.com...

HTTPDX tolog() Function Format String Vulnerability

This module exploits a format string vulnerability in HTTPDX FTP server. By sending an specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP. CVE-2009-4769 OSVDB-60181

LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow

This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements. CVE-2003-0558 OSVDB-4587 BID-7860 http://www.milw0rm.com/exploi...

Microsoft IIS FTP Server NLST Response Overflow

This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) http://milw0rm.com/exploits/9541 CVE-2009-3023 OSVDB-57589 BID-36189

NetTerm NetFTPD USER Buffer Overflow

This module exploits a vulnerability in the NetTerm NetFTPD application. This package is part of the NetTerm package. This module uses the USER command to trigger the overflow. CVE-2005-1323 OSVDB-15865 http://seclists.org/lists/ful... BID-13396

Oracle 9i XDB FTP PASS Overflow (win32)

By passing an overly long string to the PASS command, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

Oracle 9i XDB FTP UNLOCK Overflow (win32)

By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsmp, scott:tiger, system:manager, and sys:change_on_install. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

ProFTP 2.9 Banner Remote Buffer Overflow Exploit

This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message. CVE-2009-3976 OSVDB-57394 http://www.labtam-inc.com/ind...

KarjaSoft Sami FTP Server v2.02 USER Overflow

This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system. CVE-2006-0441 CVE-2006-2212 OSVDB-25670 BID-16370 BID-22045 BID-17835 http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

Sasser Worm avserve FTP PORT Buffer Overflow

This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten. OSVDB-6197

Serv-U FTPD MDTM Overflow

This is an exploit for the Serv-U\'s MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit, the service dies after the shellcode finishes execution. CVE-2004-0330 OSVDB-4073 http://archives.neohapsis.com... http://www.cnhonker.com/advis... http://www.cnhonker.com/index... BID-9751

SlimFTPd LIST Concatenation Overflow

This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo. CVE-2005-2373 OSVDB-18172 BID-14339

Trellian FTP Client 3.01 PASV Remote Buffer Overflow

This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message. CVE-2010-1465 OSVDB-63812 http://www.exploit-db.com/exp...

Vermillion FTP Daemon PORT Command Memory Corruption

This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending an specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker controlled input while writing into a 4 byte stack buffer. Unfortunately, the writing that occurs is not a simple byte copy. Processing is done using a source ptr (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments the the destination pointer. If an ascii digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); All other input characters are ignored in this loop. As a consequence, an attacker must craft input such that modifications to the current values on the stack result in usable values. In this exploit, the low two bytes of the return address are adjusted to point at the location of a 'call edi' instruction within the binary. This was chosen since 'edi' points at the source buffer when the function returns. NOTE: This server can be installed as a service using "vftpd.exe install". If so, the service does not restart automatically, giving an attacker only one attempt. OSVDB-62163 http://www.exploit-db.com/exp... http://www.global-evolution.i...

War-FTPD 1.65 Password Overflow

This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely. CVE-1999-0256 OSVDB-875 BID-10078 http://lists.insecure.org/lis...

War-FTPD 1.65 Username Overflow

This module exploits a buffer overflow found in the USER command of War-FTPD 1.65. CVE-1999-0256 OSVDB-875 BID-10078 http://lists.insecure.org/lis...

Texas Imperial Software WFTPD 3.23 SIZE Overflow

This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23. CVE-2006-4318 OSVDB-28134 BID-19617

WS-FTP Server 5.03 MKD Overflow

This module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin. CVE-2004-1135 OSVDB-12509 BID-11772

Ipswitch WS_FTP Server 5.05 XMD5 Overflow

This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05. CVE-2006-4847 OSVDB-28939 BID-20076

Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit

This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered through an excessively long PWD message. OSVDB-63968 http://www.exploit-db.com/exp...

Xlink FTP Client Buffer Overflow

This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. When a overly long FTP server response is recieved by a client, arbitrary code may be executed. CVE-2006-5792 OSVDB-33969 http://www.metasploit.com/ http://www.xlink.com

Xlink FTP Server Buffer Overflow

This module exploits a stack buffer overflow in Xlink FTP Server that comes bundled with Omni-NFS Enterprise 5.2. When a overly long FTP request is sent to the server, arbitrary code may be executed. CVE-2006-5792 OSVDB-58646 http://www.metasploit.com/ http://www.xlink.com

Medal Of Honor Allied Assault getinfo Stack Buffer Overflow

This module exploits a stack based buffer overflow in the getinfo command of Medal Of Honor Allied Assault. CVE-2004-0735 OSVDB-8061 http://www.milw0rm.com/exploi... BID-10743

Racer v0.5.3 beta 5 Buffer Overflow

This module explots the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely. CVE-2007-4370 OSVDB-39601 http://www.milw0rm.com/exploi... BID-25297

Unreal Tournament 2004 "secure" Overflow (Win32)

Adobe RoboHelp Server 8 Arbitrary File Upload and Execute.

This module exploits a authentication bypass vulnerability which allows remote attackers to upload and execute arbitrary code. CVE-2009-3068 OSVDB-57896 http://www.intevydis.com/blog... http://www.zerodayinitiative....

Alt-N SecurityGateway username Buffer Overflow

Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart, you'll only get one shot. However, it often survives a successful exploitation attempt. CVE-2008-4193 OSVDB-45854 BID-29457

Alt-N WebAdmin USER Buffer Overflow

Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges. CVE-2003-0471 OSVDB-2207 BID-8024 NSS-11771

Amlibweb NetOpacs webquery.dll Stack Overflow

This module exploits a stack overflow in Amlib's Amlibweb Library Management System (NetOpacs). The webquery.dll API is available through IIS requests. By specifying an overly long string to the 'app' parameter, SeH can be reliably overwritten allowing for arbitrary remote code execution. In addition, it is possible to overwrite EIP by specifying an arbitrary parameter name with an '=' terminator. OSVDB-66814 http://www.aushack.com/adviso...

Apache Win32 Chunked Encoding

This module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apache (Oracle 8i, 9i, IBM HTTPD, etc). You will need to use the Check() functionality to determine the exact target version prior to launching the exploit. The version of Apache bundled with Oracle 8.1.7 will not automatically restart, so if you use the wrong target value, the server will crash. CVE-2002-0392 OSVDB-838 BID-5033 http://lists.insecure.org/lis...

Apache module mod_rewrite LDAP protocol Buffer Overflow

This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations. CVE-2006-3747 OSVDB-27588 BID-19204 http://archives.neohapsis.com... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi... http://www.milw0rm.com/exploi...

Apache mod_jk 1.2.20 Buffer Overflow

This is a stack buffer overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS. CVE-2007-0774 OSVDB-33855 BID-22791 http://www.zerodayinitiative....

BadBlue 2.5 EXT.dll Buffer Overflow

This is a stack buffer overflow exploit for BadBlue version 2.5. CVE-2005-0595 OSVDB-14238 BID-7387

BadBlue 2.72b PassThru Buffer Overflow

This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier. CVE-2007-6377 OSVDB-42416 BID-26803

BEA WebLogic JSESSIONID Cookie Value Overflow

This module exploits a buffer overflow in BEA\'s WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSION cookie value can lead to arbirtary code execution. CVE-2008-5457 OSVDB-51311

BEA Weblogic Transfer-Encoding Buffer Overflow

This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers. CVE-2008-4008 OSVDB-49283 http://support.bea.com/applic...

Belkin Bulldog Plus Web Service Buffer Overflow

This module exploits a stack buffer overflow in Belkin Bulldog Plus 4.0.2 build 1219. When sending a specially crafted http request, an attacker may be able to execute arbitrary code. OSVDB-54395 BID-34033

CA iTechnology iGateway Debug Mode Buffer Overflow

This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When <Debug>True</Debug> is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads. CVE-2005-3190 OSVDB-19920 http://www.ca.com/us/security... http://www.milw0rm.com/exploi... BID-15025

EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed "UplusFtp". Due to limited space, as well as difficulties using an egghunter, the use of staged, ORD, and/or shell payloads is recommended. OSVDB-66614 http://www.exploit-db.com/exp...

Novell eDirectory NDS Server Host Header Overflow

This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. CVE-2006-5478 OSVDB-29993 BID-20655

eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow

This module exploits a stack buffer overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. NOTE: repeated exploitation attempts may cause eDirectory to crash. It does not restart automatically in a default installation. CVE-2005-2551 OSVDB-18703 BID-14548

EFS Easy Chat Server Authentication Request Handling Buffer Overflow

This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By sending a overly long authentication request, an attacker may be able to execute arbitrary code. NOTE: The offset to SEH is influenced by the installation path of the program. The path, which defaults to "C:\Program Files\Easy Chat Server", is concatentated with "\users\" and the string passed as the username HTTP paramter. CVE-2004-2466 OSVDB-7416 BID-25328

Free Download Manager Remote Control Server Buffer Overflow

This module exploits a stack buffer overflow in Free Download Manager Remote Control 2.5 Build 758. When sending a specially crafted Authorization header, an attacker may be able to execute arbitrary code. CVE-2009-0183 OSVDB-51745

HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code. CVE-2007-6204 OSVDB-39530 BID-26741

HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute arbitrary code. This specific vulnerability is due to a call to "sprintf_new" in the "isWide" function within "ovalarm.exe". A stack buffer overflow occurs when processing an HTTP request that contains the following. 1. An "Accept-Language" header longer than 100 bytes 2. An "OVABverbose" URI variable set to "on", "true" or "1" The vulnerability is related to "_WebSession::GetWebLocale()" .. NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload. CVE-2009-4179 OSVDB-60930 BID-37347 http://dvlabs.tippingpoint.co... http://h20000.www2.hp.com/biz...

HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this. CVE-2008-1697 OSVDB-43992 BID-28569

HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute arbitrary code. CVE-2009-4178 OSVDB-60929 BID-37340

HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code. CVE-2009-3849 OSVDB-60933

HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute arbitrary code. CVE-2008-0067 OSVDB-53222 BID-33147

Hewlett-Packard Power Manager Administration Buffer Overflow.

This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. Sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code. CVE-2009-2685 OSVDB-59684

HTTPDX h_handlepeer() Function Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the "h_handlepeer()" function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code. OSVDB-58714 CVE-2009-3711 http://www.pank4j.com/exploit... http://www.rec-sec.com/2009/1...

HTTPDX tolog() Function Format String Vulnerability

This module exploits a format string vulnerability in HTTPDX HTTP server. By sending an specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP. CVE-2009-4769 OSVDB-60182

IA WebMail 3.x Buffer Overflow

This exploits a stack buffer overflow in the IA WebMail server. This exploit has not been tested against a live system at this time. CVE-2003-1192 OSVDB-2757 BID-8965 http://www.k-otik.net/exploit...

IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow

This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X. CVE-2007-1868 OSVDB-34678 BID-23264 http://dvlabs.tippingpoint.co...

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow

This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. CVE-2007-4880 OSVDB-38161 BID-25743

Icecast (<= 2.0.1) Header Overwrite (win32)

This module exploits a buffer overflow in the header parsing of icecast, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux (depending on compiler, etc) this seems to generally overwrite nothing crucial (read not exploitable). !! This exploit uses ExitThread(), this will leave icecast thinking the thread is still in use, and the thread counter won't be decremented. This means for each time your payload exits, the counter will be left incremented, and eventually the threadpool limit will be maxed. So you can multihit, but only till you fill the threadpool. CVE-2004-1561 OSVDB-10406 BID-11271 http://archives.neohapsis.com...

InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow

This module exploits a stack buffer overflow in InterSystems Cache 2009.1. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code. OSVDB-60549 BID-37177

Ipswitch WhatsUp Gold 8.03 Buffer Overflow

This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system. CVE-2004-0798 OSVDB-9177 BID-11043

MailEnable Authorization Header Buffer Overflow

This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected. CVE-2005-1348 OSVDB-15913 OSVDB-15737 BID-13350 NSS-18123

MaxDB WebDBM Database Parameter Overflow

This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially-crafted HTTP request that contains an overly long database name. A remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the wahttp process. This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27. CVE-2006-4305 OSVDB-28300 BID-19660

MaxDB WebDBM GET Buffer Overflow

This module exploits a stack buffer overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed, this module assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents CVE-2005-0684 OSVDB-15816 http://www.idefense.com/appli... BID-13368

McAfee ePolicy Orchestrator / ProtectionPilot Overflow

This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large 'Source' header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. Due to size constraints, this module uses the Egghunter technique. CVE-2006-5156 OSVDB-29421 http://www.milw0rm.com/exploi... http://www.remote-exploit.org... BID-20288

MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow

This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw. CVE-2003-1200 OSVDB-3255 BID-9317

Minishare 1.4.1 Buffer Overflow

This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable. CVE-2004-2271 OSVDB-11530 BID-11620 http://archives.neohapsis.com...

NaviCOPA 2.0.1 URL Handling Buffer Overflow

This module exploits a stack buffer overflow in NaviCOPA 2.0.1. The vulnerability is caused due to a boundary error within the handling of URL parameters. CVE-2006-5112 OSVDB-29257 BID-20250

Novell Messenger Server 2.0 Accept-Language Overflow

This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable. CVE-2006-0992 OSVDB-24617 BID-17503

Now SMS/MMS Gateway Buffer Overflow

This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code. CVE-2008-0871 OSVDB-42953 BID-27896

Oracle 9i XDB HTTP PASS Overflow (win32)

This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. CVE-2003-0727 OSVDB-2449 BID-8375 http://www.blackhat.com/prese...

PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)

Private Wire Gateway Buffer Overflow

This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility. CVE-2006-3252 OSVDB-26861 BID-18647

PSO Proxy v0.91 Stack Buffer Overflow

This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten. CVE-2004-0313 OSVDB-4028 http://www.milw0rm.com/exploi... BID-9706

Sambar 6 Search Results Buffer Overflow

This module exploits a buffer overflow found in the /search/results.stm application that comes with Sambar 6. This code is a direct port of Andrew Griffiths's SMUDGE exploit, the only changes made were to the nops and payload. This exploit causes the service to die, whether you provided the correct target or not. CVE-2004-2086 OSVDB-5786 BID-9607

SAP DB 7.4 WebTools Buffer Overflow

This module exploits a stack buffer overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. CVE-2007-3614 OSVDB-37838 BID-24773

Savant 3.1 Web Server Overflow

This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether sucessful or not. Therefore, in a default configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the "ord" payloads is recommended. CVE-2002-1120 OSVDB-9829 BID-5686 http://www.milw0rm.com/exploi...

Rhinosoft Serv-U Session Cookie Buffer Overflow

This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. Sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code. CVE-2009-4006 OSVDB-59772 http://rangos.de/ServU-ADV.txt http://lists.grok.org.uk/pipe...

SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow

This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put. CVE-2004-1373 OSVDB-12585 BID-12096

SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)

This module exploits a stack buffer overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. Based on an original exploit by skOd but using a different method found by hdm. CVE-2006-5216 OSVDB-29565 http://shttpd.sourceforge.net BID-20393

Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow

This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending an overly long User-Agent in an HTTP GET request, an attacker may be able to execute arbitrary code. CVE-2008-0550 OSVDB-42670 http://aluigi.altervista.org/...

Sybase EAServer 5.2 Remote Stack Buffer Overflow

This module exploits a stack buffer overflow in the Sybase EAServer Web Console. The offset to the SEH frame appears to change depending on what version of Java is in use by the remote server, making this exploit somewhat unreliable. CVE-2005-2297 OSVDB-17996 BID-14287

TrackerCam PHP Argument Buffer Overflow

This module exploits a simple stack buffer overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code. CVE-2005-0478 OSVDB-13953 OSVDB-13955 BID-12592 http://aluigi.altervista.org/...

Trend Micro OfficeScan Remote Stack Buffer Overflow

This module exploits a stack buffer overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe (running with SYSTEM privileges). CVE-2008-1365 OSVDB-42499

Xitami 2.5c2 Web Server If-Modified-Since Overflow

This module exploits a stack buffer overflow in the iMatix Corporation Xitami Web Server. If a malicious user sends an If-Modified-Since header containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique. CVE-2007-5067 OSVDB-40594 OSVDB-40595 BID-25772 http://www.milw0rm.com/exploi...

Novell ZENworks Configuration Management Remote Execution

This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0. By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory and then make a secondary request that allows for arbitrary code execution. OSVDB-63412 BID-39114 http://www.zerodayinitiative.... http://tucanalamigo.blogspot....

Microsoft IIS WebDAV Write Access Code Execution

This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script using a WebDAV PUT request. OSVDB-397 BID-12141

Microsoft IIS 5.0 Printer Host Header Overflow

This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process. CVE-2001-0241 OSVDB-3323 BID-2674 MSB-MS01-023 http://seclists.org/lists/bug...

Microsoft IIS/PWS CGI Filename Double Decode Command Execution

This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This module will leave a metasploit payload in the IIS scripts directory. CVE-2001-0333 OSVDB-556 BID-2708 MSB-MS01-026 http://marc.info/?l=bugtraq&m...

Microsoft IIS 5.0 IDQ Path Overflow

This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. CVE-2001-0500 OSVDB-568 MSB-MS01-033 BID-2880

Microsoft IIS 4.0 .HTR Path Overflow

This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to thread, the server will crash upon exit of the bind shell. The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters. CVE-1999-0874 OSVDB-3325 BID-307 http://www.eeye.com/html/rese... MSB-MS02-018

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow

This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against any service pack. CVE-2003-0109 OSVDB-4467 BID-7116 MSB-MS03-007

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow

This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely! CVE-2005-4267 OSVDB-22097 BID-15980

IMail IMAP4D Delete Overflow

This module exploits a buffer overflow in the 'DELETE' command of the the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. CVE-2004-1520 OSVDB-11838 BID-11675

Ipswitch IMail IMAP SEARCH Buffer Overflow

This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. In order for this module to be successful, the IMAP user must have at least one message. CVE-2007-3925 OSVDB-36219 BID-24962

MailEnable IMAPD (2.35) Login Request Buffer Overflow

MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command. CVE-2006-6423 OSVDB-32125 BID-21492 http://lists.grok.org.uk/pipe...

MailEnable IMAPD (1.54) STATUS Request Buffer Overflow

MailEnable's IMAP server contains a buffer overflow vulnerability in the STATUS command. With proper credentials, this could allow for the execution of arbitrary code. CVE-2005-2278 OSVDB-17844 BID-14243 NSS-19193

MailEnable IMAPD W3C Logging Buffer Overflow

This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected. CVE-2005-3155 OSVDB-19842 BID-15006

Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow

This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts. CVE-2004-1520 OSVDB-11838 BID-11675

MDaemon 9.6.4 IMAPD FETCH Buffer Overflow

This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli CVE-2008-1358 OSVDB-43111 BID-28245 http://www.milw0rm.com/exploi...

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow

Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discover the vulnerability. CVE-2006-1255 OSVDB-23950 BID-17138

Mercur Messaging 2005 IMAP Login Buffer Overflow

This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results. CVE-2006-1255 OSVDB-23950 BID-17138 http://archives.neohapsis.com...

Mercury/32 <= 4.01b LOGIN Buffer Overflow

This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org). CVE-2007-1373 OSVDB-33883

Mercury/32 v4.01a IMAP RENAME Buffer Overflow

This module exploits a stack buffer overflow vulnerability in the Mercury/32 v.4.01a IMAP service. CVE-2004-1211 OSVDB-12508 BID-11775 NSS-15867

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6425 OSVDB-31362 BID-21723 http://www.zerodayinitiative....

Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow

This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE GSSAPI command. By sending an overly long string, an attacker can overwrite the buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp or windows/shell_reverse_tcp allows for the most reliable results. OSVDB-55175 http://www.w00t-shell.net/#

Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow

This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2005-3314 OSVDB-20956 BID-15491

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6761 OSVDB-31360 BID-21728 http://labs.idefense.com/inte...

Microsoft IIS Phone Book Service Overflow

This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1. CVE-2000-1089 OSVDB-463 BID-2048 MSB-MS00-094

Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow

This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. CVE-2003-0349 OSVDB-4535 BID-8035 MSB-MS03-022 http://archives.neohapsis.com...

Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow

This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. CVE-2003-0822 OSVDB-2952 BID-9007 MSB-MS03-051

Microsoft IIS ISAPI RSA WebAgent Redirect Overflow

This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service. CVE-2005-4734 OSVDB-20151

Microsoft IIS ISAPI w3who.dll Query String Overflow

This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered Nicolas Gregoire and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell. CVE-2004-1134 OSVDB-12258 http://www.exaprobe.com/labs/... BID-11820

IMail LDAP Service Buffer Overflow

This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000. CVE-2004-0297 OSVDB-3984 BID-9682 http://secunia.com/advisories...

Computer Associates License Client GETCONFIG Overflow

This module exploits an vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug. CVE-2005-0581 OSVDB-14389 BID-12705 http://labs.idefense.com/inte...

Computer Associates License Server GETCONFIG Overflow

This module exploits an vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten. CVE-2005-0581 OSVDB-14389 BID-12705 http://labs.idefense.com/inte...

SentinelLM UDP Buffer Overflow

This module exploits a simple stack buffer overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particular popular with academic products. If the wrong target value is selected, the service will crash and not restart. CVE-2005-0353 OSVDB-14605 BID-12742

IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow

This module exploits a stack buffer overflow in IBM Lotus Domino Web Server prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP request with an Accept-Language header greater than 114 bytes. CVE-2008-2240 OSVDB-45415 BID-29310 http://www-01.ibm.com/support...

IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow

This module exploits a stack buffer overflow in Lotus Domino\'s Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez. CVE-2008-2499 OSVDB-45610 BID-29328 http://www.zerodayinitiative....

Hummingbird Connectivity 10 SP5 LPD Buffer Overflow

This module exploits a stack buffer overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5. CVE-2005-1815 OSVDB-16957 BID-13788

NIPrint LPD Request Overflow

This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :-) CVE-2003-1141 OSVDB-2774 BID-8968 http://www.immunitysec.com/do...

SAP SAPLPD 6.28 Buffer Overflow

This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) . By sending an overly long argument, an attacker may be able to execute arbitrary code. CVE-2008-0621 OSVDB-41127 BID-27613

WinComLPD <= 3.0.2 Buffer Overflow

This module exploits a stack buffer overflow in WinComLPD <= 3.0.2. By sending an overly long authentication packet to the remote adminstration service, an attacker may be able to execute arbitrary code. CVE-2008-5159 OSVDB-42861 BID-27614

AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow

This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network\'s Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This module does not work with NX/XD enabled but could be modified easily to do so. The address CVE-2010-1318 OSVDB-63919 http://labs.idefense.com/inte...

Apple QuickTime 7.3 RTSP Response Header Buffer Overflow

This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long RTSP response to a client, an attacker may be able to execute arbitrary code. CVE-2007-6166 OSVDB-40876 BID-26549 http://milw0rm.com/exploits/4648

Asus Dpcproxy Buffer Overflow

This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19. It should be vulnerable until version 2.0.0.24. Credit to Luigi Auriemma CVE-2008-1491 OSVDB-43638 BID-28394

BakBone NetVault Remote Heap Overflow

This module exploits a heap overflow in the BakBone NetVault Process Manager service. This code is a direct port of the netvault.c code written by nolimit and BuzzDee. CVE-2005-1009 OSVDB-15234 BID-12967

BigAnt Server 2.2 Buffer Overflow

This module exploits a stack buffer overflow in BigAnt Server 2.2. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. CVE-2008-1914 OSVDB-44454 BID-28795

BigAnt Server 2.50 SP1 Buffer Overflow

This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.50 SP1. CVE-2008-1914 OSVDB-44454 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

BigAnt Server 2.52 USV Buffer Overflow

This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. NOTE: The AntServer service does not restart, you only get one shot. OSVDB-61386 http://www.exploit-db.com/exp... http://www.exploit-db.com/exp...

Bomberclone 0.11.6 Buffer Overflow

This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. The return address is overwritten with lstrcpyA memory address, the second and third value are the destination buffer, the fourth value is the source address of our buffer in the stack. This exploit is like a return in libc. ATTENTION The shellcode is exec ONLY when someone try to close bomberclone. CVE-2006-0460 OSVDB-23263 BID-16697 http://www.frsirt.com/english...

Bopup Communications Server Buffer Overflow

This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. CVE-2009-2227 OSVDB-55275 http://www.blabsoft.com/produ... http://milw0rm.com/exploits/9002

Borland Interbase Create-Request Buffer Overflow

This module exploits a stack buffer overflow in Borland Interbase 2007. By sending a specially crafted create-request packet, a remote attacker may be able to execute arbitrary code. CVE-2007-3566 OSVDB-38602 http://dvlabs.tippingpoint.co...

Borland CaliberRM StarTeam Multicast Service Buffer Overflow

This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending a specially crafted GET request to the STMulticastService, an attacker may be able to execute arbitrary code. CVE-2008-0311 OSVDB-44039 BID-28602

DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow

This module exploits a stack buffer overflow in the authentication mechanism of NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability was found by Titon of Bastard Labs. CVE-2008-1661 OSVDB-45924

eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow

This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. CVE-2006-3838 OSVDB-27526 BID-19163 http://www.zerodayinitiative....

eIQNetworks ESA Topology DELETEDEVICE Overflow

This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. CVE-2006-3838 OSVDB-27528 BID-19164

Eureka Email 2.2q ERR Remote Buffer Overflow Exploit

This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here. CVE-2009-3837 OSVDB-59262 http://www.exploit-db.com/exp...

Firebird Relational Database isc_attach_database() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

Firebird Relational Database isc_create_database() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Firebird Relational Database SVC_attach() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

HP OmniInet.exe MSG_PROTOCOL Buffer Overflow

This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the first one. CVE-2007-2280 BID-37396 OSVDB-61206 http://www.zerodayinitiative....

HP OmniInet.exe MSG_PROTOCOL Buffer Overflow

This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the second one. CVE-2009-3844 BID-37250 OSVDB-60852 http://www.zerodayinitiative....

HP OpenView Operations OVTrace Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50. By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code. CVE-2007-3872 OSVDB-39527 BID-25255

Borland InterBase isc_attach_database() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. CVE-2007-5243 OSVDB-38607 BID-25917 http://www.risesecurity.org/a...

Borland InterBase isc_create_database() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request. CVE-2007-5243 OSVDB-38606 BID-25917 http://www.risesecurity.org/a...

Borland InterBase SVC_attach() Buffer Overflow

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request. CVE-2007-5243 OSVDB-38605 BID-25917 http://www.risesecurity.org/a...

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow

This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart. CVE-2009-3853 OSVDB-59632

IBM Tivoli Storage Manager Express RCA Service Buffer Overflow

This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote Client Agent service. By sending a "dicuGetIdentify" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. This service does not restart. CVE-2008-4828 OSVDB-54232 BID-34803

LANDesk Management Suite 8.7 Alert Service Buffer Overflow

This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed. CVE-2007-1674 OSVDB-34964 http://www.tippingpoint.com/s...

Mercury/32 <= v4.01b PH Server Module Buffer Overflow

This module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. CVE-2005-4411 OSVDB-22103 BID-16396

mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow

This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This module is based on the code by SkD. CVE-2008-4449 OSVDB-48752 BID-31552 http://www.milw0rm.com/exploi...

Microsoft DirectX DirectShow SAMI Buffer Overflow

This module exploits a stack buffer overflow in the DirectShow Synchronized Accessible Media Interchanged (SAMI) parser in quartz.dll. This module has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0. CVE-2007-3901 OSVDB-39126 MSB-MS07-064 BID-26787

Netcat v1.10 NT Stack Buffer Overflow

This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using "c:\>nc -L -p 31337 -e ftp". CVE-2004-1317 OSVDB-12612 BID-12106 http://www.milw0rm.com/exploi...

NetTransport Download Manager 2.90.510 Buffer Overflow

This exploits a stack buffer overflow in NetTransport Download Manager, part of the NetXfer suite. This module was tested successfully against version 2.90.510. OSVDB-61435 http://www.exploit-db.com/exp...

POP Peeper v3.4 DATE Buffer Overflow

This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted DATE string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code. CVE-2009-1029 OSVDB-53560 BID-34093 http://www.krakowlabs.com/res...

POP Peeper v3.4 UIDL Buffer Overflow

This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted UIDL string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code. OSVDB-53559 BID-33926 http://www.krakowlabs.com/res...

Realtek Media Player Playlist Buffer Overflow.

This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code. CVE-2008-5664 OSVDB-50715 BID-32860

SAP Business One License Manager 2005 Buffer Overflow

This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string the stack is overwritten enabling arbitrary code execution. OSVDB-56837 BID-35933 http://www.milw0rm.com/exploi...

ShixxNOTE 6.net Font Field Overflow

This module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields. CVE-2004-1595 OSVDB-10721 BID-11409

Talkative IRC v0.4.4.16 Response Buffer Overflow

This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16. When a specially crafted response string is sent to a client, an attacker may be able to execute arbitrary code. OSVDB-64582 BID-34141 http://milw0rm.com/exploits/8227

TinyIdentD 2.2 Stack Buffer Overflow

This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone. CVE-2007-2711 OSVDB-36053 BID-23981

UFO: Alien Invasion IRC Client Buffer Overflow Exploit

This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1. OSVDB-65689 http://www.exploit-db.com/exp...

VideoLAN VLC TiVo Buffer Overflow

Windows RSH daemon Buffer Overflow

This module exploits a vulnerabliltiy in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful. CVE-2007-4006 OSVDB-38572 BID-25044

Windows Media Services ConnectFunnel Stack Buffer Overflow

This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts. CVE-2010-0478 OSVDB-63726 MSB-MS10-025 https://www.lexsi.com/abonnes...

Timbuktu Pro Directory Traversal/File Upload.

This module exploits a directory traversal vulnerablity in Motorola's Timbuktu Pro for Windows 8.6.5. CVE-2008-1117 OSVDB-43544

Lyris ListManager MSDE Weak sa Password

This module exploits a weak password vulnerability in the Lyris ListManager MSDE install. During installation, the 'sa' account password is set to 'lminstall'. Once the install completes, it is set to 'lyris' followed by the process ID of the installer. This module brute forces all possible process IDs that would be used by the installer. CVE-2005-4145 OSVDB-21559

Microsoft SQL Server Resolution Overflow

This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3). CVE-2002-0649 OSVDB-4578 BID-5310 MSB-MS02-039

Microsoft SQL Server Hello Overflow

By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3). CVE-2002-1123 OSVDB-10132 BID-5411 MSB-MS02-056

Microsoft SQL Server sp_replwritetovarbin Memory Corruption

A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influcenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a "jmp esp". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner. OSVDB-50589 CVE-2008-5416 BID-32710 MSB-MS09-004 http://www.milw0rm.com/exploi...

Microsoft SQL Server Payload Execution

This module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed. CVE-2000-0402 OSVDB-557 BID-1281 CVE-2000-1209 OSVDB-15757 BID-4797 http://www.thepentest.com/pre...

MySQL yaSSL SSL Hello Message Buffer Overflow

Omni-NFS Server Buffer Overflow

This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2 When sending a specially crafted nfs packet, an attacker may be able to execute arbitrary code. CVE-2006-5780 OSVDB-30224 BID-20941 http://www.securityfocus.com/...

Microsoft Outlook Express NNTP Response Parsing Buffer Overflow

This module exploits a stack buffer overflow in the news reader of Microsoft Outlook Express. CVE-2005-1213 OSVDB-17306 BID-13951 MSB-MS05-030

Novell GroupWise Messenger Client Buffer Overflow

This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client. By sending a specially crafted HTTP response, an attacker may be able to execute arbitrary code. CVE-2008-2703 OSVDB-46041 BID-29602 http://www.infobyte.com.ar/ad...

Novell NetMail <= 3.52d NMAP STOR Buffer Overflow

This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2006-6424 OSVDB-31363 BID-21725

Novell ZENworks 6.5 Desktop/Server Management Overflow

This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. CVE-2005-1543 OSVDB-16698 BID-13678

Oracle 8i TNS Listener Buffer Overflow.

This module exploits a stack overflow in Oracle 8i. When sending a specially crafted packet to the TNS service, an attacker may be able to execute arbitrary code. CVE-2001-0499 BID-2941

Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow

The module exploits a stack buffer overflow in Oracle Secure Backup. When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet, an attacker may be able to execute arbitrary code. CVE-2008-5444 OSVDB-51340 http://www.oracle.com/technol...

Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow.

This module exploits a stack buffer overflow in Oracle 8i. When sending a specially crafted packet containing a overly long ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code. CVE-2001-0499 OSVDB-9427 BID-2941

Oracle TNS Listener AUTH_SESSKEY Buffer Overflow.

This module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long AUTH_SESSKEY value to the TNS service, an attacker may be able to execute arbitrary code. CVE-2009-1979 OSVDB-59110 BID-36747 http://blogs.conus.info/node/28 http://blogs.conus.info/node/35 http://www.oracle.com/technol...

Oracle TNS Listener SERVICE_NAME Buffer Overflow.

This module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long SERVICE_NAME to the TNS service, an attacker may be able to execute arbitrary code. CVE-2002-0965 OSVDB-5041 BID-4845 http://www.appsecinc.com/reso... http://www.oracle.com/technol...

Seattle Lab Mail 5.5 POP3 Buffer Overflow

There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a "jmp esp" call from the application library SLMFC.DLL found in %SYSTEM%\system32\. This return address works against all version of Windows and service packs. The last modification date on the library is dated 06/02/99. Assuming that the code where the overflow occurs has not changed in some time, prior version of SLMail may also be vulnerable with this exploit. The author has not been able to acquire older versions of SLMail for testing purposes. Please let us know if you were able to get this exploit working against other SLMail versions. CVE-2003-0264 OSVDB-11975 BID-7519

Blue Coat WinProxy Host Header Overflow

This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in a HTTP request. CVE-2005-4085 OSVDB-22238 BID-16147 http://www.bluecoat.com/suppo...

CCProxy <= v6.2 Telnet Proxy Ping Overflow

This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command. CVE-2004-2416 OSVDB-11593 BID-11666 http://milw0rm.com/exploits/621

Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow

This module exploits a stack buffer overflow in Proxy-Pro Professional GateKeeper 4.7. By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2004-0326 OSVDB-4027 BID-9716

Qbik WinGate WWW Proxy Server URL Processing Overflow

This module exploits a stack buffer overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code. CVE-2006-2926 OSVDB-26214 BID-18312

DATAC RealWin SCADA Server Buffer Overflow

This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.0.10.37). By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, an attacker may be able to execute arbitrary code. CVE-2008-4322 OSVDB-48606 BID-31418

AIM Triton 1.0.4 CSeq Buffer Overflow

This module exploits a buffer overflow in AOL\'s AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. CVE-2006-3524 OSVDB-27122 BID-18906

SIPfoundry sipXezPhone 0.35a CSeq Field Overflow

This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending an long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. CVE-2006-3524 OSVDB-27122 BID-18906

SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow

This module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. CVE-2006-3524 OSVDB-27122 BID-18906

Microsoft Workstation Service NetAddAlternateComputerName Overflow

This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. CVE-2003-0812 OSVDB-11461 BID-9011 MSB-MS03-049

Microsoft ASN.1 Library Bitstring Heap Overflow

This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encounted when using the equivalent bind payloads. Your mileage may vary. CVE-2003-0818 OSVDB-3902 BID-9633 http://www.phreedom.org/solar... MSB-MS04-007

Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow

This module exploits a stack buffer overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. CVE-2003-0533 OSVDB-5248 BID-10108 MSB-MS04-011

Microsoft NetDDE Service Overflow

This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit effects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication. CVE-2004-0206 OSVDB-10689 BID-11372 MSB-MS04-031

Microsoft Plug and Play Service Overflow

This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot. CVE-2005-1983 OSVDB-18605 BID-14513 MSB-MS05-039 http://www.hsc.fr/ressources/...

Microsoft RRAS Service RASMAN Registry Overflow

This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook CVE-2006-2370 OSVDB-26437 BID-18325 MSB-MS06-025

Microsoft RRAS Service Overflow

This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. CVE-2006-2370 OSVDB-26437 BID-18325 MSB-MS06-025

Microsoft Server Service NetpwPathCanonicalize Overflow

This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0. CVE-2006-3439 OSVDB-27845 BID-19409 MSB-MS06-040

Microsoft Services MS06-066 nwapi32.dll

This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module. CVE-2006-4688 OSVDB-30260 BID-21023 MSB-MS06-066

Microsoft Services MS06-066 nwwks.dll

Microsoft Workstation Service NetpManageIPCConnect Overflow

This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify a the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom dns and ldap setup, however that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable. CVE-2006-4691 OSVDB-30263 BID-20985 MSB-MS06-070

Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)

This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified. CVE-2007-1748 OSVDB-34100 MSB-MS07-029 http://www.microsoft.com/tech...

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development. CVE-2008-4250 OSVDB-49243 MSB-MS08-067 NEXPOSE-dcerpc-ms-netapi-netp...

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. MSB-MS09-050 CVE-2009-3103 BID-36299 OSVDB-57799 http://seclists.org/fulldiscl... http://www.microsoft.com/tech...

Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.

This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted. CVE-2009-1350 OSVDB-53351 BID-34400 http://www.reversemode.com/in...

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. CVE-1999-0504 OSVDB-3106 http://www.microsoft.com/tech...

Microsoft Windows SMB Relay Code Execution

This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken. CVE-2008-4037 OSVDB-49736 MSB-MS08-068 http://blogs.technet.com/swi/... http://en.wikipedia.org/wiki/... http://www.microsoft.com/tech... http://www.xfocus.net/article...

Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow

This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. TODO: hdm suggested using meterpreter's migration capability and restarting the process for multishot exploitation. CVE-2009-1394 OSVDB-55436 BID-35496 http://labs.idefense.com/inte...

TABS MailCarrier v2.51 SMTP EHLO Overflow

This module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command. CVE-2004-1638 OSVDB-11174 BID-11535 http://milw0rm.com/exploits/598

Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow

This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code. CVE-2007-4440 OSVDB-39669 BID-25357

MS03-046 Exchange 2000 XEXCH50 Heap Overflow

This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable. CVE-2003-0714 BID-8838 OSVDB-2674 MSB-MS03-046 http://www.milw0rm.com/exploi...

SoftiaCom WMailserver 1.0 Buffer Overflow

This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite. CVE-2005-2287 OSVDB-17883 BID-14213

YPOPS 0.6 Buffer Overflow

This module exploits a stack buffer overflow in the YPOPS POP3 service. This is a classic stack buffer overflow for YPOPS version 0.6. Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to jmp ebx opcode in ws_32.dll CVE-2004-1558 OSVDB-10367 BID-11256 http://www.securiteam.com/win...

FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow

This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10 This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module is based on MC's freesshd_key_exchange exploit. CVE-2006-2407 OSVDB-25569 BID-17958

FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow

This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. CVE-2006-2407 OSVDB-25463 BID-17958

PuTTy.exe <= v0.53 Buffer Overflow

This module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c. CVE-2002-1359 OSVDB-8044 http://www.rapid7.com/advisor... BID-6407

SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow

This module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. This module has only been tested on SecureCRT 3.4.4. CVE-2002-1059 OSVDB-4991 BID-5287

Microsoft Private Communications Transport Overflow

This module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote port of any SSL service, or the port and protocol of an application that uses SSL. The only application protocol supported at this time is SMTP. You only have one chance to select the correct target, if you are attacking IIS, you may want to try one of the other exploits first (WebDAV). If WebDAV does not work, this more than likely means that this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using the wrong target may not result in an immediate crash of the remote system. CVE-2003-0719 OSVDB-5250 BID-10116 MSB-MS04-011

GAMSoft TelSrv 1.5 Username Buffer Overflow

This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5. Other versions may also be affected. The service terminates after exploitation, so you only get one chance! CVE-2000-0665 OSVDB-373 BID-1478 http://cdn.simtel.net/pub/sim...

GoodTech Telnet Server <= 5.0.6 Buffer Overflow

This module exploits a stack buffer overflow in GoodTech Systems Telnet Server versions prior to 5.0.7. By sending an overly long string, an attacker can overwrite the buffer and control program execution. CVE-2005-0768 OSVDB-14806 BID-12815

Allied Telesyn TFTP Server 1.9 Long Filename Overflow

This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a request (get/write) for an overly long file name. CVE-2006-6184 OSVDB-11350 BID-21320 http://milw0rm.com/exploits/2887 ftp://guest:guest@ftp.alliedt...

D-Link TFTP 1.0 Long Filename Buffer Overflow

This module exploits a stack buffer overflow in D-Link TFTP 1.0. By sending a request for an overly long file name, an attacker could overflow a buffer and execute arbitrary code. For best results, use bind payloads with nonx (No NX). CVE-2007-1435 OSVDB-33977 BID-22923

FutureSoft TFTP Server 2000 Transfer-Mode Overflow

This module exploits a stack buffer overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This module has been tested against Windows 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all). CVE-2005-1812 OSVDB-16954 BID-13821 http://www.security.org.sg/vu...

Quick FTP Pro 2.1 Transfer-Mode Overflow

This module exploits a stack buffer overflow in the Quick TFTP Pro server product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting in a DoS. This is a port of a sploit by Mati "muts" Aharoni. CVE-2008-1610 OSVDB-43784 BID-28459 http://secunia.com/advisories...

TFTPD32 <= 2.21 Long Filename Buffer Overflow

This module exploits a stack buffer overflow in TFTPD32 version 2.21 and prior. By sending a request for an overly long file name to the tftpd32 server, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVE-2002-2226 OSVDB-45903 BID-6199

TFTPDWIN v0.4.2 Long Filename Buffer Overflow

This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten. CVE-2006-4948 OSVDB-29032 BID-20131 http://www.milw0rm.com/exploi...

3CTftpSvc TFTP Long Mode Buffer Overflow

This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVE-2006-6183 OSVDB-30758 BID-21301 http://secunia.com/advisories...

CA CAM log_security() Stack Buffer Overflow (Win32)

This module exploits a vulnerability in the CA CAM service by passing a long parameter to the log_security() function. The CAM service is part of TNG Unicenter. This module has been tested on Unicenter v3.1. CVE-2005-2668 OSVDB-18916 BID-14622

RealVNC 3.3.7 Client Buffer Overflow

This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe). CVE-2001-0167 OSVDB-6281 BID-2305

UltraVNC 1.0.1 Client Buffer Overflow

This module exploits a buffer overflow in UltraVNC Win32 Viewer 1.0.1 Release. CVE-2006-1652 OSVDB-24456 BID-17378

WinVNC Web Server <= v3.3.3r7 GET Overflow

This module exploits a buffer overflow in the AT&T WinVNC version <= v3.3.3r7 web server. When debugging mode with logging is enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads! BID-2306 OSVDB-6280 CVE-2001-0168

SafeNet SoftRemote IKE Service Buffer Overflow

This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe service. When sending a specially crafted udp packet to port 62514 an attacker may be able to execute arbitrary code. This module has been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using windows/meterpreter/reverse_ord_tcp payloads. CVE-2009-1943 OSVDB-54831 BID-35154 http://reversemode.com/index....

Microsoft WINS Service Memory Overwrite

This module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only. CVE-2004-1080 OSVDB-12378 BID-11763 MSB-MS04-045

OSVDB:	CVE:
BID:	MSB:
TEXT: