6841 matches found
Windows Media Services ConnectFunnel Stack Buffer Overflow
This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000...
Sun Java Web Start Plugin Command Line Argument Injection
This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser-known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as...
Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Affecting Vista SP1/SP2 and possibly Server 2008 SP1/SP2, the flaw was resolved with MS09-050. This module...
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
This module exploits a buffer overflow vulnerability in the LoadAniIcon function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a...
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out-of-bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. This...
Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC...
MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
This module exploits a code execution vulnerability that occurs when a user presses F1 on a MessageBox originating from VBScript within a web page. When the user hits F1, the MessageBox help functionality will attempt to load and use a HLP file from an SMB or WebDAV if the WebDAV redirector is enabl...
Generic x86 Tight Loop
Generate a tight loop in the target process. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
HTTP Vuln Scanner
This module identifies common vulnerable files or CGIs.
SMB SID User Enumeration (LookupSid)
Determine what users exist via brute-force SID lookups. This module can enumerate both local and domain accounts by setting ACTION to either LOCAL or DOMAIN.
MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte...
Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Tunnels communication over HTTPS using the Windows wininet library.
Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Connects back to the attacker.
VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
Inject a VNC DLL via a reflective loader (staged). Connects back to the attacker.
Windows Inject DLL, Reverse TCP Stager (DNS)
Inject a custom DLL into the exploited process. Connects back to the attacker.
Windows Command Shell, Reverse TCP Stager (DNS)
Spawn a piped command shell (staged). Connects back to the attacker.
Windows Upload/Execute, Reverse TCP Stager (DNS)
Uploads an executable and runs it (staged). Connects back to the attacker.
Reflective DLL Injection, Reverse TCP Stager (DNS)
Inject a DLL via a reflective loader. Connects back to the attacker.
Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
Inject the Meterpreter server DLL (staged). Connects back to the attacker.
Steinberg MyMP3Player 3.0 Buffer Overflow
This module exploits a stack buffer overflow in Steinberg MyMP3Player 3.0. When the application is used to open a specially crafted .m3u file, a buffer overflow occurs, allowing arbitrary code execution.
HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute arbitrary code.
UltraISO CUE File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from the file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to...
Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: this module has been tested against 9i, 10gR1 and 10gR2.
PostgreSQL Version Probe
Enumerates the version of PostgreSQL servers.
UltraISO CCD File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from the file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to...
VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN. An attacker must send the file to the victim, and the victim must open it.
Adobe Acrobat Bundled LibTIFF Integer Overflow
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.
Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution
This module exploits a flaw (unpatched when the module was written) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java IO privileges. Identified by David Litchfield. Works on 11g R1 and R2, Windows only.
Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution
This module exploits a flaw (unpatched when the module was written) in the DBMS_JVM_EXP_PERMS package that allows any user with the CREATE SESSION privilege to grant themselves Java IO privileges. Identified by David Litchfield. Works on 10g R2, 11g R1 and R2, Windows only.
Oracle XML DB SID Discovery via Brute Force
This module attempts to retrieve the SID from the Oracle XML DB HTTP server, using Pete Finnigan's default Oracle password list.
MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that led to the compromise of a number of high-profile companies. The exploit code is a direct port of the public sample published to the...
Microsoft Internet Explorer Unsafe Scripting Misconfiguration
This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows JavaScript to interact with the file system and run commands...
Orbital Viewer ORB File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from the file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by...
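The Orbital Viewer entry above, and the UltraISO CUE and CCD entries earlier in the list, all describe the same defect: a scanf-family call copies a token from the file into a fixed-size stack buffer with no field width. The C below is an added example written for this page, not code from any of those products or from the Metasploit modules; the "name value" record format is hypothetical, and sscanf on an embedded string stands in for fscanf on a file (the overflow behaves identically). It shows the vulnerable shape next to a hardened parser whose width is derived from the buffer size and which rejects, rather than silently truncates, an over-long token.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example; not Orbital Viewer, UltraISO or Metasploit code.
 * Record format "name value" is a hypothetical stand-in for the real file. */

#define NAME_MAX 15                 /* longest name accepted */
#define NAME_LEN (NAME_MAX + 1)     /* plus the terminating NUL */
#define STR_(x) #x
#define STR(x) STR_(x)              /* turns NAME_MAX into the literal "15" */

/* Vulnerable shape: "%s" copies until whitespace, however long the token is,
 * so a name of NAME_LEN bytes or more overwrites whatever sits above 'name'
 * on the stack (saved registers, return address). Never call this on
 * untrusted input; it is here only to show the pattern. */
int parse_record_unsafe(const char *line, double *value_out) {
    char name[NAME_LEN];
    return sscanf(line, "%s %lf", name, value_out) == 2;   /* unbounded %s */
}

/* Hardened shape:
 *  - the field width is generated from NAME_MAX, so buffer and format cannot
 *    drift apart when someone resizes the buffer;
 *  - %n records where the token ended, and a token not followed by
 *    whitespace or end-of-string was longer than the buffer and is rejected
 *    (silent truncation would let the tail be parsed as the next field);
 *  - the caller's buffer is checked before the result is copied out.
 * Returns 1 on success, 0 on malformed or oversized input. */
int parse_record_safe(const char *line, char *name_out, size_t name_cap,
                      double *value_out) {
    char name[NAME_LEN];
    int end = 0;

    if (name_cap < NAME_LEN) return 0;
    if (sscanf(line, "%" STR(NAME_MAX) "s%n", name, &end) != 1) return 0;
    if (line[end] != '\0' && !isspace((unsigned char)line[end])) return 0;
    if (sscanf(line + end, "%lf", value_out) != 1) return 0;
    memcpy(name_out, name, strlen(name) + 1);
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    double v = 0.0;
    /* constructed inputs: a well-formed record and a 40-byte name */
    const char *good = "hydrogen 1.5";
    const char *bad  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2.0";

    if (parse_record_safe(good, name, sizeof name, &v))
        printf("parsed: %s = %g\n", name, v);
    printf("oversized token rejected: %s\n",
           parse_record_safe(bad, name, sizeof name, &v) ? "no" : "yes");
    return 0;
}
```

The width-from-macro trick is the part worth copying: a hand-typed "%15s" is correct only until the next person changes the array size. Rejecting the over-long token instead of truncating matters too, because a truncating parser keeps reading the leftover bytes as the following fields and produces confidently wrong output.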
Apache mod_isapi Dangling Pointer
This module triggers a use-after-free vulnerability in the Apache Software Foundation's mod_isapi module, versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally...
Energizer DUO USB Battery Charger Arucer.dll Trojan Code Execution
This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer DUO USB battery charger.
Energizer DUO Trojan Scanner
Detects instances of the Energizer DUO trojan horse software on port 7777.
WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability wa...
Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when...
Chilkat Crypt ActiveX WriteFile Unsafe Method
This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit, which uses an hcp:// URI to execute our payload immediately. However, this method requires that the victim user be...
Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the "HTMLURL" parameter, an attacker can execute arbitrary code.
Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.
BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow
This module exploits a buffer overflow in BaoFeng's Storm Media Player ActiveX control. mps.dll versions 3.9.4.27 and earlier are affected. When passing an overly long string to the "OnBeforeVideoDownload" method, an attacker can execute arbitrary code.
POP3 Banner Grabber
Connects to POP3 servers and records the banner they present.
IMAP4 Banner Grabber
Connects to IMAP4 servers and records the banner they present.
SMTP Banner Grabber
Connects to SMTP servers and records the banner they present. Reference: http://www.ietf.org/rfc/rfc2821.txt
MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out-of-bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. This...
Novell iPrint Client ActiveX Control target-frame Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the "target-frame" parameter to ienipp.ocx, an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability...
Avahi Source Port 0 DoS
Avahi-daemon versions prior to 0.6.24 can be crashed (denial of service) with an mDNS packet that has a source port of 0.
TWiki History TWikiUsers rev Parameter Command Execution
This module exploits a vulnerability in the history component of TWiki. By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.
TWiki Search Function Arbitrary Command Execution
This module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands.
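Both TWiki entries above are the same bug class: a request parameter ('rev' in one, 'search' in the other) is spliced into a command line that is handed to a shell, so metacharacters in the parameter become additional commands. The C below is an added example written for this page, not TWiki code (TWiki is Perl; the pattern and the fix are language-independent) and not part of the Metasploit modules. The 'rlog -r<rev>' command and the file path are hypothetical stand-ins, as is the assumed revision format (digits, optionally dotted). It contrasts the string-building shape with positive validation plus an argv built for execvp(), which never involves a shell.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example; not TWiki or Metasploit code. "rlog", the "-r" flag and the
 * RCS file path are hypothetical stand-ins for the real history command. */

/* Vulnerable shape: the parameter is interpolated into one string that a
 * caller would pass to system()/popen(), i.e. to /bin/sh. A rev of
 * "1.2;id" makes the shell run "id" as a second command. Returns 1 if the
 * string fit, and leaves the exact text the shell would see in 'out'. */
int build_cmd_unsafe(const char *rev, char *out, size_t cap) {
    int n = snprintf(out, cap, "rlog -r%s data/Main/TWikiUsers.txt,v", rev);
    return n > 0 && (size_t)n < cap;
}

/* Detection only: characters /bin/sh treats specially. Useful for spotting
 * hostile input in logs, but not a sufficient defence on its own, because the
 * list is hard to keep complete. */
int has_shell_metachar(const char *s) {
    static const char meta[] = ";|&`$<>()\n\r'\"\\*?{}[]~ \t";
    return strpbrk(s, meta) != NULL;
}

/* Positive validation (assumed format): one or more digits, optionally
 * separated by single dots, e.g. "12" or "1.4". Anything else is rejected,
 * so the question "which metacharacters did we forget?" never arises. */
int rev_is_valid(const char *rev) {
    size_t len = strlen(rev);
    if (len == 0 || len > 16) return 0;
    if (!isdigit((unsigned char)rev[0]) ||
        !isdigit((unsigned char)rev[len - 1])) return 0;
    for (size_t i = 1; i < len; i++) {
        if (rev[i] == '.') {
            if (rev[i - 1] == '.') return 0;          /* no ".." */
        } else if (!isdigit((unsigned char)rev[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened shape: validate, then build a NULL-terminated argv for execvp().
 * Each argument arrives in the child as one argv entry, so even a metachar
 * that slipped past validation would be an ordinary byte, not syntax.
 * Returns the number of argv entries, or 0 if the rev was rejected. */
int build_argv_safe(const char *rev, char *revarg, size_t revcap,
                    const char *argv[4]) {
    if (!rev_is_valid(rev)) return 0;
    if (snprintf(revarg, revcap, "-r%s", rev) >= (int)revcap) return 0;
    argv[0] = "rlog";
    argv[1] = revarg;
    argv[2] = "data/Main/TWikiUsers.txt,v";
    argv[3] = NULL;
    return 3;
}

int main(void) {
    char cmd[256], revarg[32];
    const char *argv[4];
    const char *evil = "1.2;id";          /* constructed hostile parameter */

    build_cmd_unsafe(evil, cmd, sizeof cmd);
    printf("shell would run : %s\n", cmd);
    printf("metachar=%d valid=%d\n", has_shell_metachar(evil), rev_is_valid(evil));
    if (build_argv_safe("1.2", revarg, sizeof revarg, argv))
        printf("execvp argv     : %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The example deliberately never executes anything; the point is the text that would reach the shell versus the argv that would reach execvp(). When the tool genuinely needs a shell (pipelines, globbing), validate against an allow-list first and quote the value with something like Ruby's Shellwords or Perl's String::ShellQuote rather than relying on a hand-maintained blacklist.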