This Metasploit module exploits a stack overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable.
a1d697bfa45ada6da52e8ea308f0c3606ce2221638b31aed1bbc0ddd602c35ab
This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This Metasploit module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.
ad9fc69b5ae085e1d66b6f4c2bbed65ebe800fac2ccd87a76b223cabe1751d22
This Metasploit module exploits a memory corruption vulnerability within the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.
63e393d818d0e11fefc366662c76d81a1d1c79713209420ea516ad8d7619f717
This Metasploit module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This Metasploit module is similar to the "psexec" utility provided by SysInternals. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation.
7e69916186a567766bd4bf1a328c2c2ee90aea8e4025bd91ba79d72ee98b6cdb
This Metasploit module exploits a stack overflow in the SecurID Web Agent for IIS. Because this ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.
6731f7cfffb48eb6475deb03f06c7c06f7e5aac97f496506a547b8a2bc12cc70
This Metasploit module exploits a simple stack overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart.
b3b8d34caeb45783a1f8700003e5230699257061da772dbefa84b92498e39349
This Metasploit module exploits a stack overflow in SHTTPD <= 1.34. The vulnerability is caused by a boundary error within the handling of POST requests. Based on an original exploit by skOd but using a different method found by hdm.
bbf79a73aac5ea469215c707ea33d3bd1c106a494632ed021e897dc2cd38886f
This Metasploit module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.
be0175ccf32e6255a62bc1a5aee3fb663de0b84e1aaa94c1802858f10132da2c
This Metasploit module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic@gmx.net.
6f3148ca8e6cb75aae2d712af549181db84899e56e0083e09541baaa2a3caca6
This Metasploit module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This Metasploit module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.
ae55a6fee4cafa96c99ebd106e4931f2e8fc92f8db8a69e077e7d9353559240d
This Metasploit module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. A triple userland exception results in heap growth and execution of a dereferenced function pointer at a specified address.
950f8b93d5b18b2b02707e28fab4cd089bd1f4fd430e235855691518bfbd89f2
This Metasploit module exploits a stack overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell.
20dab4e4e251ffcc0767b137171a85e4e58282441f0fc58daff570c8f12e47f8
This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely.
3eaff6b9ba8c0e78ff3fe3fd0e216a7c7c28d1e306176078e34609db67f6677c
This Metasploit module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This Metasploit module delivers the playlist via the browser. This Metasploit module has only been successfully tested on Winamp 5.11 and 5.12.
2889b99fb672981aaf32d6d03175e887ca97949831928a04b0e3fda08d3056d2
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
226f724ffb5915c8522fcf87ca2f9e787d31c1855dadf80953485f661ea314df
This Metasploit module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
ff7cac37f0fc0381971b0be66dfede47d6023d4693a45fab58f977f64831e3b8
This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a UDP packet to port 1434 which starts with 0x04 and is followed by a long string terminating with a colon and a number. This Metasploit module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).
7711b3551f65de8b3c1a470acec58e0e4ae8a9851dc880cfc289ef0ef106db00
This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This Metasploit module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.
b89bdeebebc852766ecaacbc91a18e2b0ea9f977b2ecef4ca5770e85c2e682c9
This Metasploit module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.
cba235a2b01d01d109d7db9a4cf764f010d842bdcec957fac50efd8f2b5c47d6
This Metasploit module exploits a stack overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack overflow to smash a SEH pointer.
ba61f8839cb62683a0ecb79152b2af142df471dba3d77bf8cfeb996178ca8a7d
This Metasploit module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.
74661987981d6b9dcef06ec55c6a9cc16d40945f635c122f6a84bdf7a7d57158
This Metasploit module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands.
c2d2c8751ff58fad537e0c6238ae35be30735fc182787d224c39c6889d509e97
This Metasploit module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary Java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work.
bf415a1e9059ceeb4db8cc79d59e0eb830bd3d5f48ed7a59110d0560f2a5540e
This Metasploit module uses a documented security weakness to execute arbitrary commands on any system running distccd.
0a769db2554d6e63eed260b8856d24d30fee9b9bc7f06f56160f29c66e421927
This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9.
14557b273499a2ea3ee86d39d208d2b582a750cf286e96ff62c3dd367eac0d64