PHP apache_request_headers Function Buffer Overflow
This module exploits a stack-based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the HTTP headers. This module has been tested against the thread-safe version of PHP 5.4.2, from "windows.php.net", running with Apache 2.2.22 from...
Avoid underscore/tolower
Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check the documentation of the skape encoder before using it. Like the original, this encoder expects ECX to point to the start of the encoded payload. Also...
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. When a .pac file supplies a long string of data in the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code executi...
MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild Java msvcrt71.dll...
ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the cod...
Setuid Nmap Exploit
Nmap's man page mentions that "Nmap should never be installed with special privileges e.g. suid root for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuse...
Windows Escalate Task Scheduler XML Privilege Escalation
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that...
TFM MMPlayer (m3u/ppl File) Buffer Overflow
This module exploits a buffer overflow in MMPlayer 2.2. The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user. This module requires...
Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
This module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service due to the insecure usage of the exec function. This module abuses the spywall/ipchange.php file to execute arbitrary OS commands without authentication. This module requires Metasploit:...
MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into...
Linux Read File
Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
This module exploits a file upload vulnerability found in Symantec Web Gateway's HTTP service. Due to the incorrect use of file extensions in the uploadfile function, attackers may abuse the spywall/blockedfile.php file in order to upload a malicious PHP file without any authentication, which...
Apache Struts Remote Command Execution
This module exploits a remote command execution vulnerability in Apache Struts versions ... Authors: Johannes Dahse (vulnerability discovery and PoC), Andreas...
Tom Sawyer Software GET Extension Factory Remote Code Execution
This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware...
Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16
This module exploits a buffer overflow in Sielco Sistemi Winlog versions 2.07.14 to 2.07.16. Author: Michael Messner. References: BID 53811, CVE-2012-3815...
MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
This module can be used to execute arbitrary code on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service. The service is exploitable even when RDS is configured to deny remote connections (handsafe.reg). The service is...
Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow
This module exploits a vulnerability in the CNCCtrl.dll ActiveX control installed with the Samsung NET-i viewer 1.37. Specifically, when supplying a long string for the fname parameter to the BackupToAvi method, an integer overflow occurs, which leads to a subsequent buffer overflow due to the use...
MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
This module can be used to execute arbitrary commands on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service, using VbBusObj or AdvancedDataFactory to inject shell commands into Microsoft Access databases (MDBs), MSSQL...
Multi Gather Skype User Data Enumeration
This module will enumerate Skype account settings, contact list, call history, chat logs, file transfer history, and voicemail logs, saving all the data to CSV files for analysis. This module requires Metasploit: https://metasploit.com/download Current source:...
Modbus Version Scanner
This module detects the Modbus service, tested on a SAIA PCD1.M2 system. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line RS232 async protocol, and later transformed to IP, which is called ModbusTCP. This module requires Metasploit:...
MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. A Visio document with a specially crafted Summary Information Stream embedded allows remote code execution through Internet...
Snort 2 DCE/RPC Preprocessor Buffer Overflow
This module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result in a stack-based buffer overflow with a...
Log1 CMS writeInfo() PHP Code Injection
This module exploits the "Ajax File and Image Manager" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter of writeInfo lets any malicious user directly control the data written to the file data.php, which results in arbitrary remote code...
GIMP script-fu Server Buffer Overflow
This module exploits a buffer overflow in the script-fu server component on GIMP ... Authors: Joseph Sheridan (vulnerability discovery and PoC), juan vazquez (Metasploi...
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow
This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 without Hotfix CPVS56SP1E043 by sending a malformed packet with the opcode 0x40020002 GetFooterRequest to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been...
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow
This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 without Hotfix CPVS56SP1E043 by sending a malformed packet with the opcode 0x40020004 GetBootRecordRequest to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been...
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow
This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 without Hotfix CPVS56SP1E043 by sending a malformed packet with the opcode 0x40020006 GetObjetsRequest to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been...
PcAnywhere Login Scanner
This module will test pcAnywhere logins on a range of machines and report successful logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
S40 0.4.2 CMS Directory Traversal Vulnerability
This module exploits a directory traversal vulnerability found in S40 CMS. The flaw is due to the 'page' function not properly handling the $pid parameter, which allows a malicious user to load an arbitrary file path. This module requires Metasploit: https://metasploit.com/download Current source...
PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability
This module exploits a vulnerability found in PHP Volunteer Management System, version v1.0.2 or prior. This application has an upload feature that allows an authenticated user to upload anything to the 'uploads' directory, which is actually reachable by anyone without a credential. An attacker c...
MPlayer SAMI Subtitle File Buffer Overflow
This module exploits a stack-based buffer overflow found in the handling of SAMI subtitle files in MPlayer SVN versions before 33471. It currently targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer. The overflow is triggered when an unsuspecting victim opens a movi...
Lattice Semiconductor ispVM System XCF File Handling Overflow
This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially crafted file, when a long value is supplied for the version attribute of the ispXCF tag. It results in arbitrary code execution...
Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
This module exploits a vulnerability found in Symantec Web Gateway's HTTP service. By injecting PHP code in the access log, it is possible to load it with a directory traversal flaw, which allows remote code execution under the context of 'apache'. Please note that it may take up to several minut...
QuickShare File Server 1.2.1 Directory Traversal Vulnerability
This module exploits a vulnerability found in QuickShare File Server's FTP service. By supplying "../" in the file path, it is possible to trigger a directory traversal flaw, allowing the attacker to read a file outside the virtual directory. By default, the "Writable" option is enabled during...
WeBid converter.php Remote PHP Code Injection
This module exploits a vulnerability found in WeBid version 1.0.2. By abusing the converter.php file, a malicious user can inject PHP code in the includes/currencies.php script without any authentication, which results in arbitrary code execution. This module requires Metasploit:...
RabidHamster R4 Log Entry sprintf() Buffer Overflow
This module exploits a vulnerability found in RabidHamster R4's web server. By supplying a malformed HTTP request, it is possible to trigger a stack-based buffer overflow when generating a log, which may result in arbitrary code execution under the context of the user. This module requires...
appRain CMF Arbitrary PHP File Upload Vulnerability
This module exploits a vulnerability found in appRain's Content Management Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a malicious user can upload a file to the uploads/ directory without any authentication, which results in arbitrary code execution. This module...
OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution under the context of the user. Thi...
OS X Text to Speech Utility
This module will speak whatever is in the 'TEXT' option on the victim machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
FlexNet License Server Manager lmgrd Buffer Overflow
This module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of...
Windows Manage PowerShell Download and/or Execute
This module will download and execute a PowerShell script over a meterpreter session. The user may also enter text substitutions to be made in memory before execution. Setting VERBOSE to true will output both the script prior to execution and the results. This module requires Metasploit:...
HP StorageWorks P4000 Virtual SAN Appliance Command Execution
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838. This module requires Metasploit: https://metasploit.com/download Current...
Active Collab "chat module" Remote PHP Code Injection Exploit
This module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab versions 2.3.8 and earlier by abusing a preg_replace call using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in...
Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow
This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from a "Launch" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user. Th...
Squiggle 1.7 SVG Browser Java Code Execution
This module abuses the SVG support to execute Java code in the Squiggle browser included in the Batik framework 1.7 through a crafted SVG file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version...
Oracle Weblogic Apache Connector POST Request Buffer Overflow
This module exploits a stack-based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting in a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and h...
CCTV DVR Login Scanning Utility
This module tests for standalone CCTV DVR video surveillance deployments specifically by MicroDigital, HIVISION, CTRing, and numerous other rebranded devices that are utilizing default vendor passwords. Additionally, this module has the ability to brute force user accounts. Such CCTV DVR video...
Windows Gather Local User Account Password Hashes (Registry)
This module will dump the local user accounts from the SAM database using the registry. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Cisco Secure ACS Unauthorized Password Change
This module exploits an authentication bypass issue which allows arbitrary password change requests to be issued for any user in the local store. Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well as version 5.2 with either no patches or patches 1 and 2 are vulnerable...
Hashtable Collisions
This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a...