Browse Exploit & Auxiliary Modules

The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

Search for modules

Open Source Vulnerability DataBase ID
Bugtraq ID
Full Text Search
Common Vulnerabilities Exposures ID
Microsoft Security Bulletin ID
 
Search Modules

Module Browser

Solaris dtspcd Heap Overflow

This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook.

Solaris LPD Command Execution

This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system.

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

Samba trans2open Overflow (Solaris SPARC)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.

Sun Solaris sadmind adm_build_path() Buffer Overflow

This module exploits a buffer overflow vulnerability in adm_build_path() function of sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests.

Solaris sadmind Command Execution

This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include solaris 2.7, 8, and 9

Solaris ypupdated Command Execution

This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.

Sun Solaris Telnet Remote Authentication Bypass Vulnerability

This module exploits the argument injection vulnerabilty in the telnet daemon (in.telnetd) of Solaris 10 and 11.

Solaris in.telnetd TTYPROMPT Buffer Overflow

This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon.