This exploit takes advantage of a stack-based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write-anything-anywhere condition similar to a format string vulnerability.
eb9a55064f6e381a97138b188135a0635600efe4ead2bdf62f7751369e16a37e
This Metasploit module exploits a stack overflow in the IBM Tivoli Storage Manager Express Remote Client Agent service. By sending a "dicuGetIdentify" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. This service does not restart.
3d12be67beff922e63d2ba3c7af87796dc724d566da3472bbc068cb1c51b523b
This Metasploit module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here.
03aa5d1fb353fd0b0a186d111853941e220644c617f4997fc853286c33067088
This Metasploit module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart.
8a10ef51f9a242610ead82abda18b323770c190feb98597aba24f56a8407f14a
This Metasploit module exploits a stack overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom DNS and LDAP setup; however, that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable.
ea9293c701b97bcc0c680f787edd7ae46789120c6798479e817b203688e6abb8
This Metasploit module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing a string containing "..\\\\" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler since a user would have to log in for the payload to execute.
a22d6a5d6ae13466a6759a4b609ca02715e96a081fa217cf96cb8a72607502d3
This Metasploit module exploits a data segment buffer overflow within the Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX control is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.
cc5464c5502efeb363604ff7cff786f441a5c42581c6aaf148a0991375add770
This Metasploit module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer.
d11edd52626b5a17b7f199e8ad2f6694a46ee39e57f58766dc6ad4feb982d0fc
This Metasploit module exploits a stack overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code.
572cd45f169e8ae99680a260fbe93c3ec15696fd145b671b14f7ce7d7656216b
This Metasploit module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL to an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3.
5d1244d3102a6a8bc52f45d6e2d5c1543508b64b6756ff4a6bbce3e854708833
This Metasploit module exploits a stack overflow in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code.
089d6eb19898145a2a56800a1257447d897fce5f0c907c70b9222faf98dfc7db
Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart; you'll only get one shot. However, it often survives a successful exploitation attempt.
ff81f757d0ee734b80216662fed47c56e6a92afa7502822354ef61533ab501d3
This Metasploit module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. By sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code.
69483ee7992ff6f4b2b2ef96e0c967c2db4973dbbf9ad4391f544ad1b0cd3449
This Metasploit module exploits a format string vulnerability in the HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
931d50dd9d1e55c8f607f4660c7aa3557cc6af19452ebf2580cf70d48421a3ee
This Metasploit module exploits a format string vulnerability in the HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
5e82425ca633c611eb005775846af3b61ea0104b3a119879e7ff8046db79d936
This Metasploit module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file.
93c3719a58f1c3f72ff27596e136d037fd1436d92c5834b6f8a0c7ed3b2353b0
This Metasploit module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to the victim and the victim must open the file.
cbe13148a58c488ccf7971b10d00768ebab0881172175b2ca34f1eebc44f7a4a
This Metasploit module exploits a stack overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.
d8999e37ae0660f6d0ccb78297cd00f678139931f395ba7c381dff454cfdddd2
This Metasploit module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. An attacker must send the file to the victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to Millenium MP3 Studio. This functionality has not been tested in this module.
06d85f2491d1615ca33ae611b3a98c687a542e8e52b5e87ca2f1e88fad8e5e4d
This Metasploit module exploits a stack overflow in Xenorate 2.50. By creating a specially crafted xpl file, an attacker may be able to execute arbitrary code.
55d0fc5c30e52b4fa3196de380c9ba074f6b1b00caae59fe14a607e2123f1414
This Metasploit module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted PDF that contains malformed U3D data, an attacker may be able to execute arbitrary code.
7d4d1c9d8fe1d36f17d6776c8b9cbcf05cf5f1144bc437fe3eb1909f688d2b15
This Metasploit module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.
db8a3aadb83130b870e5a70ed5ba3a3aafb3ba7ade242ba5744bcd8251b74f40
This Metasploit module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.
b1f8cfeb14bd0899045d104a6e8573a0f4d05407352329432a77e25d99ebb260
This Metasploit module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.
328118791df64b5b6d6ab27dc8882d52301e5fc9ac482a046dc54015346ec0ee
This Metasploit module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.
52cfb9936f28bcd82db14be3f1433d97ac01c53395207cf875242f47e7ad9043