This Metasploit module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to the TFTP server binary's path without any bounds checking, and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result in a denial-of-service.
97a2a64a4d7b26a5088cf3d73076bee782c41a2cccb84de4ec3d8a09cc34adad
This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically, this vulnerability is caused by a failure to properly handle user-supplied input within the HTTP request, including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode which was alphanumerically encoded by muts in the original exploit. If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably caused by some timeout handling code.
3dc7da1a36dedf13ddf7ea5539aaac3f51e4cbdb8ecfab2652405871dd1aca71
HP NNM version 7.53 ovalarm.exe CGI pre-authentication remote buffer overflow exploit.
c3254e5bce844de2beae7b43c17e8ca6a8e7cc2e902e7f875b73fd47ddbfe34d
This Metasploit module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account (or anonymous access) is required for this exploit to work.
f92b038b30321d1e394a2a78f7f7a4672a2b84c28b02a128fdaf5a46600f586c
Remake of the IIS 5.0 FTP server / remote SYSTEM exploit. Useful for Win2k/JP SP0 through SP3.
ed41a61ee6a96323a70d1473d264138fe153fd8d0c341f6b6c99253319cc1ba0
Microsoft IIS version 5.0 FTP server remote stack overflow exploit for Windows 2000 SP4. Binds a shell to port 4444.
ce40cb6da965a415dbfc5397a6839d38275511d3ed979f7ce1fdfec8d8278203
Microsoft Internet Explorer 7 XML parsing remote buffer overflow exploit that spawns calc.exe.
68f9fa88b21b8862740cac4d6058e5ea49f525f8a10b4724d1d4297a7a3e4da5
Trixbox version 2.6.1 remote root exploit written in Python that spawns a reverse shell.
3f6ae161657fee10bb1b94f8851f662ec45c6d00a9982ae5161a385caba2cc38
DivX Player version 6.6.0 .SRT file handling SEH buffer overflow exploit.
d0c776b167346cb7b3bbbba959c1a956ee1363a07541a2a131ddbbc93d0153b6
HP OpenView NNM version 7.5.1 pre-authentication SEH overflow exploit that takes advantage of OVAS.EXE and spawns a shell on port 4444.
2a87cd0d72e24941751c9b2458bcad6fef042e1ef4977ab83e8bcd7be9a4421c
Novell eDirectory HTTP denial of service exploit.
2c961b1cde60fd28279cf7e9b53458f1a01c1d0b1131d03732e76b4866e70814
McAfee EPO version 4.0 remote denial of service exploit that takes advantage of FrameworkService.exe.
cb56841f9c46eb5a51ac3a43af27a3dcf1131d28c3139972272f110b7ea86d68
Quick TFTP Pro version 2.1 SEH overflow zero day exploit that binds a shell to port 4444.
1bac570fc98c5f940e65509f6372e870bf2fe8387dd7abd28dbe29874b43bf7a
TFTP Server for Windows version 1.4 ST zero day buffer overflow exploit. Binds a shell to port 4444.
67086b8e331febb1aa873729f1bee0fc7975c00a401b0d11aa39d04f9b68c580
PacketTrap Networks pt360 version 2.0.39 TFTPD remote denial of service exploit.
1d5e31bb3ab9232256d0c7e623888840055c80f3d02ab0d300875e0a291d9905
HP OpenView Network Node Manager version 07.50 CGI remote buffer overflow exploit that spawns a shell on tcp/4444.
c1b6e6242b27a389d95d0a8c0c0d9590bc8a620c50eb280474996d727d7eb991
Apple QuickTime versions 7.2 and 7.3 RTSP response universal exploit that works with Internet Explorer 7, Firefox, and Opera.
f4fa5a6b0803d5abdd488b565446a702e500b49822e7ebe4be0f1cd8ed357563
IBM Tivoli Provisioning Manager PRE AUTH remote exploit that binds a shell to TCP port 4444.
274b58c71804e51a1b53bb25dfe6e426f2dad792e863c34a4944ce547967aa3a
Muts' Python fuzzer found several file format bugs in Microsoft Word 2007. file789-1.doc causes an unspecified overflow in Word 2007. file798-1.doc causes a CPU exhaustion denial of service in Word 2007. file614-1.doc causes a CPU exhaustion denial of service and ends with a ding in Word 2007. evil.hlp demonstrates a heap overflow in Windows HLP files.
0bf99d28ae1aa96a0bc1342073df4220be09213fe84ae13ec1e089bbb109bd1e
Metasploit exploit for a remote buffer overflow that exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.
32ff7a89101f26206751b513c937584a52058c2d9de29807a446083ec6427bd4
Python exploit for a remote buffer overflow that exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.
2aa22f6b90d94adeab514c49934be2084dd51651d81239a49cd2c99a68e85f55
A remote buffer overflow exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.
5d7e90c97562012dbbe25f0619abebad7142aa518eb5388cad9554f74af3d76c
A buffer overflow was discovered in GlobalScape Secure FTP Server 3.0.2 which allows remote code execution by sending a malformed FTP request. Various methods of exploitation provided.
38e3ab9713454d5f7622f50845d5d6a61dbec81b4affb2623e8faa92359188bd
Denial of service exploit that makes use of a format string vulnerability in MailEnable Standard Edition 1.8.
8a00478be0a8dc102229ae0af5901d3d9b81f6f9a086a712f08d589f8d2b366a
Savant Web Server version 3.1 remote buffer overflow exploit with French Windows support.
89050effe3dcbd193a8864b77cdcb028ed19a86e32efeeaa53483bd62f985f61