Files from H D Moore

Email address: hdm at metasploit.com
First Active: 1999-08-17
Last Active: 2018-05-07
Novell Messenger Server 2.0 Accept-Language Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable.

tags | exploit, web, overflow
advisories | CVE-2006-0992
SHA-256 | a1d697bfa45ada6da52e8ea308f0c3606ce2221638b31aed1bbc0ddd602c35ab
Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This Metasploit module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.

tags | exploit, overflow
systems | windows
advisories | CVE-2003-0349
SHA-256 | ad9fc69b5ae085e1d66b6f4c2bbed65ebe800fac2ccd87a76b223cabe1751d22
Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a memory corruption vulnerability within the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

tags | exploit, web, activex
advisories | CVE-2009-1136
SHA-256 | 63e393d818d0e11fefc366662c76d81a1d1c79713209420ea516ad8d7619f717
Microsoft Windows Authenticated User Code Execution
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This Metasploit module is similar to the "psexec" utility provided by SysInternals. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation.

tags | exploit, arbitrary
SHA-256 | 7e69916186a567766bd4bf1a328c2c2ee90aea8e4025bd91ba79d72ee98b6cdb
Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, so any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.

tags | exploit, web, overflow
advisories | CVE-2005-4734
SHA-256 | 6731f7cfffb48eb6475deb03f06c7c06f7e5aac97f496506a547b8a2bc12cc70
SentinelLM UDP Buffer Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a simple stack overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart.

tags | exploit, overflow
advisories | CVE-2005-0353
SHA-256 | b3b8d34caeb45783a1f8700003e5230699257061da772dbefa84b92498e39349
SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)
Posted Nov 26, 2009
Authored by H D Moore, skOd, LMH | Site metasploit.com

This Metasploit module exploits a stack overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. Based on an original exploit by skOd but using a different method found by hdm.

tags | exploit, overflow
advisories | CVE-2006-5216
SHA-256 | bbf79a73aac5ea469215c707ea33d3bd1c106a494632ed021e897dc2cd38886f
Microsoft Windows SMB Relay Code Execution
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.

tags | exploit, web, arbitrary
advisories | CVE-2008-4037
SHA-256 | be0175ccf32e6255a62bc1a5aee3fb663de0b84e1aaa94c1802858f10132da2c
CA BrightStor Agent for Microsoft SQL Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic@gmx.net.

tags | exploit
advisories | CVE-2005-1272
SHA-256 | 6f3148ca8e6cb75aae2d712af549181db84899e56e0083e09541baaa2a3caca6
TrackerCam PHP Argument Buffer Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This Metasploit module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.

tags | exploit, web, overflow, arbitrary, php
advisories | CVE-2005-0478
SHA-256 | ae55a6fee4cafa96c99ebd106e4931f2e8fc92f8db8a69e077e7d9353559240d
CA BrightStor Universal Agent Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. A triple userland exception results in heap growth and execution of a dereferenced function pointer at a specified address.

tags | exploit, overflow
advisories | CVE-2005-1018
SHA-256 | 950f8b93d5b18b2b02707e28fab4cd089bd1f4fd430e235855691518bfbd89f2
Microsoft IIS ISAPI w3who.dll Query String Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire, and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell.

tags | exploit, overflow, shell
systems | windows
advisories | CVE-2004-1134
SHA-256 | 20dab4e4e251ffcc0767b137171a85e4e58282441f0fc58daff570c8f12e47f8
War-FTPD 1.65 Password Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely.

tags | exploit, overflow
systems | windows
advisories | CVE-1999-0256
SHA-256 | 3eaff6b9ba8c0e78ff3fe3fd0e216a7c7c28d1e306176078e34609db67f6677c
Winamp Playlist UNC Path Computer Name Overflow
Posted Nov 26, 2009
Authored by H D Moore, Faithless | Site metasploit.com

This Metasploit module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path, specified inside a playlist, consists of a UNC path with a long computer name. This Metasploit module delivers the playlist via the browser. This Metasploit module has only been successfully tested on Winamp 5.11 and 5.12.

tags | exploit
advisories | CVE-2006-0476
SHA-256 | 2889b99fb672981aaf32d6d03175e887ca97949831928a04b0e3fda08d3056d2
Metasploit Framework 3.3
Posted Nov 18, 2009
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers worldwide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. In addition, the Windows payloads now support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs were fixed.
tags | tool, ruby
systems | unix
SHA-256 | 226f724ffb5915c8522fcf87ca2f9e787d31c1855dadf80953485f661ea314df
Microsoft Windows EOT Font Table Directory Integer Overflow
Posted Nov 18, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.

tags | exploit, web, overflow, kernel
systems | windows
advisories | CVE-2009-2514
SHA-256 | ff7cac37f0fc0381971b0be66dfede47d6023d4693a45fab58f977f64831e3b8
Microsoft SQL Server Resolution Overflow
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a UDP packet to port 1434 which starts with 0x04 and is followed by a long string terminating with a colon and a number. This Metasploit module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).

tags | exploit, overflow, udp
advisories | CVE-2002-0649
SHA-256 | 7711b3551f65de8b3c1a470acec58e0e4ae8a9851dc880cfc289ef0ef106db00
Microsoft IIS 5.0 Printer Host Header Overflow
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This Metasploit module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.

tags | exploit, overflow, protocol
systems | windows
advisories | CVE-2001-0241
SHA-256 | b89bdeebebc852766ecaacbc91a18e2b0ea9f977b2ecef4ca5770e85c2e682c9
Internet Explorer COM CreateObject Code Execution
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.

tags | exploit, code execution, activex
SHA-256 | cba235a2b01d01d109d7db9a4cf764f010d842bdcec957fac50efd8f2b5c47d6
Veritas Backup Exec Windows Remote Agent Overflow
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack overflow to smash a SEH pointer.

tags | exploit, overflow
systems | windows
advisories | CVE-2005-0773
SHA-256 | ba61f8839cb62683a0ecb79152b2af142df471dba3d77bf8cfeb996178ca8a7d
PHP XML-RPC Arbitrary Code Execution
Posted Oct 30, 2009
Authored by H D Moore, cazz | Site metasploit.com

This Metasploit module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.

tags | exploit, web, arbitrary, php, code execution
advisories | CVE-2005-1921
SHA-256 | 74661987981d6b9dcef06ec55c6a9cc16d40945f635c122f6a84bdf7a7d57158
Nagios3 statuswml.cgi Ping Command Execution
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands.

tags | exploit, shell, cgi
advisories | CVE-2009-2288
SHA-256 | c2d2c8751ff58fad537e0c6238ae35be30735fc182787d224c39c6889d509e97
Google Appliance ProxyStyleSheet Command Execution
Posted Oct 30, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows arbitrary Java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work.

tags | exploit, java, arbitrary
advisories | CVE-2005-3757
SHA-256 | bf415a1e9059ceeb4db8cc79d59e0eb830bd3d5f48ed7a59110d0560f2a5540e
DistCC Daemon Command Execution
Posted Oct 28, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module uses a documented security weakness to execute arbitrary commands on any system running distccd.

tags | exploit, arbitrary
advisories | CVE-2004-2687
SHA-256 | 0a769db2554d6e63eed260b8856d24d30fee9b9bc7f06f56160f29c66e421927
Solaris sadmind Command Execution
Posted Oct 28, 2009
Authored by H D Moore, cazz, vlad902 | Site metasploit.com

This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9.

tags | exploit
systems | solaris
advisories | CVE-2003-0722
SHA-256 | 14557b273499a2ea3ee86d39d208d2b582a750cf286e96ff62c3dd367eac0d64
© 2022 Packet Storm. All rights reserved.