Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of the ProFTPD server. The vulnerability is within the "sreplace" function in the "src/support.c" file. The off-by-one heap overflow bug in the ProFTPD sreplace function was discovered about two years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via the MKD command, but failed. We did not work on this bug since then. Actually, there exist at least two bugs in the sreplace function: one is the mentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow via 'sstrncpy(dst, src, negative argument)'. We were unable to reach the "sreplace" stack bug on the ProFTPD 1.2.10 stable version, but version 1.3.0rc3 introduced some interesting changes, among them:
1. another (integer) overflow in sreplace!
2. now it is possible to reach the sreplace stack-based buffer overflow bug via the "pr_display_file" function!
3. a stupid '.message' file display bug
So we decided to choose ProFTPD 1.3.0 as the target for our exploit. To reach the bug, you need to upload a specially created .message file to a writeable directory, then do "CWD <writeable directory>" to trigger the invocation of the sreplace function. Note that ProFTPD 1.3.0rc3 introduced a stupid bug: to display the '.message' file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug. The exploit has been a part of VulnDisco Pack since Dec 2005.
ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
This module exploits a stack-based buffer overflow in versions of the ProFTPD server between 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24 bits of entropy. This reduces the effectiveness of the protection and could allow exploitation in a semi-reasonable amount of time.
Unreal Tournament 2004 "secure" Overflow (Linux)
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.
Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifying shell metacharacters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response.
DD-WRT HTTP Daemon Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account.
Berlios GPSD Format String Vulnerability
This module exploits a format string vulnerability in the Berlios GPSD server. This vulnerability was discovered by Kevin Finisterre.
Linksys WRT54 Access Point apply.cgi Buffer Overflow
This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense, who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected.
PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)
This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters.
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild.
Snort Back Orifice Pre-Preprocessor Remote Exploit
This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges.
UoW IMAP server LSUB Buffer Overflow
This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password.
Madwifi SIOCGIWSCAN Buffer Overflow
The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by one of these properly crafted information elements: WPA, RSN, WME and Atheros OUI. The current madwifi driver (0.9.2) and all madwifi-ng drivers since r1504 are vulnerable; the Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable, doesn't crash the Wifi stack and can exploit the same machine multiple times without the need to reboot it. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
Accellion File Transfer Appliance MPIPE2 Command Execution
This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy to guess default authentication keys. This module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. These two flaws are fixed in update version FTA_8_0_562.
Distributed Ruby Send instance_eval/syscall Code Execution
This module exploits remote code execution vulnerabilities in dRuby.
GLD (Greylisting Daemon) Postfix Buffer Overflow
This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.
hplip hpssd.py From Address Arbitrary Command Execution
This module exploits a command execution vulnerability in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited.
Borland InterBase INET_connect() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.
Borland InterBase jrd8_create_database() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.
Borland InterBase open_marker_file() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.
Borland InterBase PWD_db_aliased() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.
LPRng use_syslog Remote Format String Vulnerability
This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin".
NetSupport Manager Agent Remote Buffer Overflow
This module exploits a buffer overflow in NetSupport Manager Agent. It uses a ROP chain similar to the one in the proftpd_iac exploit in order to bypass the non-executable stack.
MySQL yaSSL CertDecoder::GetName Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.
MySQL yaSSL SSL Hello Message Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.
Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
This exploit takes advantage of a stack-based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write-anything-anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement.
Poptop Negative Read Overflow
This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock.
Squid NTLM Authenticate Overflow
This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory.
Samba chain_reply Memory Corruption (Linux x86)
This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.
Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".
Samba trans2open Overflow (Linux x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd.
