This Metasploit module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By making sending multiple XCRC command, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP servers root directory.
ed7575b07995a5b8577846eccae5dd4535f4645203b1365a49593336a9c3e5ff
Detect VNC servers that support the "None" authentication method.
0bec066f46dede6a815b8a3bda8d747ffc60b5d7fdc9246f913be16b7512cbad
This Metasploit module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server\s TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.
9e0f8280924d59afd0ff56e393c2314caf4fc4c6a0742e7f28548c862092b10e
This Metasploit module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.
dd13356635f2999608328974a708d0fa3528aed773ff26396b6cd072f639afbd
This Metasploit module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be exploitable for remote code execution.
abed1f5c04a53ec53d5c8c7b407c490b68fdb3bae004065e4060e14c0df5f32a
This Metasploit module exploits a buffer underrun vulnerability in Microsofts DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading . character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a . may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash.
a71d06bc0af2c8808bc4c87e5235724259e8ba12ad801bcf119206a92f885688
This Metasploit module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a system has a guest accessible share, you can trigger it without any authentication.
d21a5048f75da86ab532ba9d4cc90e95331aa5e10825891e1c4b7d9f069c2020
This Metasploit module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.
83963f7202852444f496b9b32c24f1f420890784a7bc742ab76e1e65e71e2d4b
This Metasploit module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.
65f6cf47ec80739aebde264685f63dfdec8a0624d51f0c15702c7607a260ba99
This Metasploit module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension for versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.
e04d3b9c9de28cf065800495f9d457177003f542be9c1a8e7109f19ae6fb7ca1
This Metasploit module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This Metasploit module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shell. This Metasploit module was tested successfully on an ASUS RT-N12E with firmware version 2.0.0.35. Numerous ASUS models are reportedly affected, but untested.
0fd9b3969b4bf0e960fb66268aea32b78e442d90a8d93e78895e7611291a8f43
This Metasploit module exploits a integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
1a90f98f06bcb60d18f94ddf7062901f68d339cc68bbdab75711aaafaeffc5d2
Android Stagefright remote code execution exploit that leverages an integer overflow in the libstagefright MP4 'stsc' atom handling.
f67b80af5b935bc038028c58afef32987821b769236699aed6fdf96d9c690c1d
This Metasploit module exploits a privilege escalation issue in Android versions prior 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).
dbb32d05e01054ebc7b29568cea429ebb06111292c8c20ba817f8d844646e5ff
This Metasploit module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. The vulnerability seems to be related to the use of the newly introduced ClassFinder#resolveClass in Java 7, which allows the sun.awt.SunToolkit class to be loaded and modified. Please note this flaw is also being exploited in the wild, and there is no patch from Oracle at this point. Our module has been successfully tested on multiple setups, including: IE, Firefox, Chrome and Safari on Windows, Linux and OS X, etc.
5ad9244a813015246c4b0e8bd5e77b71df43a8026083619c5950c1be4875177c
This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
d58b245a3284a4c3a0c953e6cd974d43047680186d9ff32f042bd97e492059fb
This Metasploit module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
81161207244c8e7484b4277932284c0018d20eb38ceb3a2c62bd1e994ede6a05
This Metasploit module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
5817e62d4533bab2dbd047fa5bee1b0835f288d738632129acd4ba22eaf51ee4
This Metasploit module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.
958220f3112687e60ccfaeeb8830223cf29aa4ac4c24d29d128ae6cc845d5953
This Metasploit module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.
e72918bb99176c250a3e97631e70871f2208d1f45b7278b1b4936f047fb968a6
This Metasploit module exploits a stack-based buffer overflow vulnerability in version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with eZip Wizard, and access the specially file via double-clicking it. By doing so, an attacker can execute arbitrary code as the victim user.
f7cf6b8da01815b33b60d03bf75a15fdc34e7db6f1efa9610628e431ece1a389
This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.
776b4fe0d9851d0c1cbfd43336360be9b50d1f85d6ab691a9d9e621ecb22aa34
This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.
5582013e7dde303149edfe7da48c08313b51ded046619d9bfba33ef02981baa8
This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the "main" function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.
6b4d95471d68cca9d3ef11a5eae191b4a98a078054233598f568e7012765400b
This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within the a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold.
941d626b048888e533b6035864853431c8dc16bff0ae357bda104698ffecbf13