This Metasploit module exploits a stack oveflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code.
6e374c5188f5608083cbab9fb2401659c976e19fb28d2bb839bd2373dbb1a54e
This Metasploit module exploits a stack overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code.
56b52c8f83d0a22f5e67d717396bd5fe41cbe970d924fc937c14e7521ff8ee80
This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This Metasploit module has only been tested against Windows 2000 SP1.
0e561c8f11c38a6ebd0de7aa176eab37b866399106f3bb7dd08428cdcb0ccc69
This Metasploit module exploits a stack overflow in the IDQ ISAPI handler for Microsoft Index Server.
922a4bb873edf400f55e85500ac54f53ec4e8fce7f1483297386eb14811fc309
This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This Metasploit module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to thread, the server will crash upon exit of the bind shell. The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters.
c0284698cfd346698336fc945b0632cf0c7ba907c5406d8c5e64e623fd0a639b
By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This Metasploit module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3).
bb060a2182b92a6585f642a8e1510b97fb8a2f530e651eeed2debcf906b0e3dc
This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against any service pack.
4caf806bf3d6f77c4656950f84e53b18fa51e99928ad15a38f88eb4cb5dc4dad
This Metasploit module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute.
762676e5b4cae135dd0de251981a7ff4fd73802648ec93cee17bd317804a31d0
This Metasploit module exploits a stack overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has bee widely exploited ever since. This Metasploit module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
6b1062b85247570ddb5362e034cb6be3d1be2f14dd236970e3ab1f279909588d
This Metasploit module exploits a stack overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP.
3a957a76c70de4e6ae21065e66dd7dbc255dc940f602d8dab44cb00038144a0a
This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encounted when using the equivalent bind payloads. Your mileage may vary.
8d9c928e6cd1a6002436a9b5bc1e9d94a868525515b51e06f0839ad3d7e7a68e
This Metasploit module exploits a stack overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter.
d1baeef5ba6b111771fa5d96efb4b64cd26d7afcd05bc41178efc9a7b7a52d22
This Metasploit module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote port of any SSL service, or the port and protocol of an application that uses SSL. The only application protocol supported at this time is SMTP. You only have one chance to select the correct target, if you are attacking IIS, you may want to try one of the other exploits first (WebDAV). If WebDAV does not work, this more than likely means that this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using the wrong target may not result in an immediate crash of the remote system.
ac057a3cda069d28dca0c494d2f34be73d1c4eeab49fc99c9b71b71226f4849e
This Metasploit module exploits a stack overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit effects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication.
c2bd4617c647ff19e1847b77cc3d7916505f16f526abbfabcf23ced43ab47f97
This Metasploit module exploits a arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only.
85c23ae114221016947e1a2b1f0f56ddc35e424cb22d9bdbcb13848d698e7ea0
This Metasploit module exploits a stack overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website.
9ce703ad5c9bd75fcfef87c8bac1ae3c1fd17fdecd81546f34e40245d7b2d7cd
This Metasploit module exploits a stack overflow in the news reader of Microsoft Outlook Express.
ced8028d9cca6bc9a59d95ef68f3dcde4dd0cf2c66f33c63c215121b9e1bd260
This Metasploit module exploits a stack overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot.
2d54b358ebb862c805c0f268e705e13f7bd6770f841069a133a28f5e460b2a4a
This Metasploit module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This Metasploit module generates a random WMF record stream for each request.
86db9cc6a7d38fd5ac3353ce911cfa4cb32c5b51f03725a5e001c941eb2b3e42
This Metasploit module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This Metasploit module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined.
cc7d3a0a5a7e5685948a23de177b0b8648ee1b05bb7f812884db09692b243c0f
This Metasploit module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\\\\.DEFAULT\\\\Software\\\\Microsoft\\\\RAS Phonebook
23ee569235c3874d89c2c84da0e57b5ca0d9fd9d118297399485cee1eebf336b
This Metasploit module exploits a stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000.
47054366204902bd94eaba8eae3d382f1284a1330486cc63fc5b83ed691498df
This Metasploit module exploits a stack overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
f304ff367f431dfac7b97723e8ececdc2561af58e238d7424a938dd58f43af92
This Metasploit module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). This Metasploit module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.
dc3cd815cea490d0b9d3e5420cb08f039d38532b17c625f368c3079ec2fe492d
This Metasploit module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18).
f98f4db55e2d7e78b00b3522857c561efa3fb21ad8fa12270f3490dbaee6aa88