Sun Java JRE getSoundbank file:// URI Buffer Overflow
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 a...
Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution. When sending an overly long string to the RunCmd method of AeXNSConsoleUtilities.dll 6.0.0.1426, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download...
Xenorate 2.50 (.xpl) Universal Local Buffer Overflow (SEH)
This module exploits a stack buffer overflow in Xenorate 2.50 by creating a specially crafted xpl file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Audio Workstation 6.4.2.4.3 pls Buffer Overflow
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.
gAlan 0.2.1 Buffer Overflow
This module exploits a stack buffer overflow in gAlan 0.2.1 by creating a specially crafted galan file.
Eureka Email 2.2q ERR Remote Buffer Overflow
This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately, reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not...
Timbuktu PlughNTCommand Named Pipe Buffer Overflow
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The...
MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption
This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer.
QuickTime Streaming Server parse_xml.cgi Remote Execution
The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allowing arbitrary commands to be executed as root.
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.
Persits XUpload ActiveX MakeHttpRequest Directory Traversal
This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control version 3.0.0.3 that is included in HP LoadRunner 9.5. By passing a string containing ".." sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on...
Adobe Illustrator CS4 v14.0.0
Adobe Illustrator CS4 v14.0.0 Encapsulated PostScript (.eps) overlong DSC comment buffer overflow exploit.
WU-FTPD SITE EXEC/INDEX Format String Vulnerability
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.
Oracle SQL Generic Query
This module allows simple SQL statements to be executed against an Oracle instance, given the appropriate credentials and SID.
Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 build 3884. By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need to set...
FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10. The flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module is based on MC's freesshd key exchange exploit.
InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow
This module exploits a stack buffer overflow in InterSystems Cache 2009.1. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.
Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include...
MS03-046 Exchange 2000 XEXCH50 Heap Overflow
This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This module has been tested against Exchange 2000 SP0 and SP3 running on a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts...
Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include...
Citrix MetaFrame ICA Published Applications Bruteforcer
This module attempts to brute force program names within the Citrix MetaFrame ICA server.
Citrix MetaFrame ICA Published Applications Scanner
This module attempts to query a Citrix MetaFrame ICA server to obtain its published list of applications.
HTTPDX tolog() Function Format String Vulnerability
This module exploits a format string vulnerability in the HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default, logging is off for HTTP but enabled for the 'moderator' user via FTP. This...
HTTPDX tolog() Function Format String Vulnerability
This module exploits a format string vulnerability in the HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default, logging is off for HTTP but enabled for the 'moderator' user via FTP. This modul...
HTTPDX h_handlepeer() Function Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused by a boundary error within the h_handlepeer function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code. This...
Bourne ${IFS} Substitution Command Encoder
This encoder uses Bourne ${IFS} substitution to avoid whitespace without being overly fancy.
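The substitution the encoder performs, written out as an added example; this is not the Metasploit encoder module's own source. It assumes a POSIX sh at /bin/sh for the round-trip check, and the command strings fed to it are constructed for illustration.

```ruby
# Added example (not the Metasploit encoder's own source): a minimal
# Bourne ${IFS} substitution encoder plus a round-trip check through sh.
#
# Assumptions: a POSIX shell exists at /bin/sh for run_encoded, and the
# input command keeps all of its whitespace outside quoted regions.

# Replace every run of whitespace with the literal text ${IFS}. Unquoted,
# ${IFS} expands to the shell's field separators (space, tab, newline by
# default) and the expansion result is field-split, so echo${IFS}hi is
# parsed as two words. The braces matter: $IFShi would name a variable
# called IFShi and expand to nothing.
def ifs_encode(cmd)
  cmd.gsub(/\s+/, '${IFS}')
end

# True when the encoded command contains no whitespace byte at all, which
# is the property a whitespace-filtering input check would look for.
def whitespace_free?(encoded)
  encoded !~ /\s/
end

# The trick is only safe for whitespace the shell would treat as a word
# separator. Inside double quotes ${IFS} still expands, but to the raw
# separator characters with no field splitting, so "a b" would become
# a<space><tab><newline>b. Refuse such inputs rather than mangling them.
def safe_to_encode?(cmd)
  quoted = cmd.scan(/"(?:\\.|[^"\\])*"|'[^']*'/)
  quoted.none? { |q| q =~ /\s/ }
end

# Encode the command, run it through sh, and return its stdout so the
# reader can confirm the shell re-splits the words as intended.
def run_encoded(cmd)
  raise ArgumentError, 'whitespace inside quotes is not ${IFS}-safe' unless safe_to_encode?(cmd)
  IO.popen(['/bin/sh', '-c', ifs_encode(cmd)], &:read).chomp
end

if __FILE__ == $PROGRAM_NAME
  cmd = 'echo hello world'
  puts ifs_encode(cmd)
  puts run_encoded(cmd)
end
```

The check in safe_to_encode? is the caveat worth remembering when using this encoder against a real whitespace filter: an argument such as "a b" survives the substitution syntactically but no longer means what it did.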
Simple PHP Blog Remote Command Execution
This module combines three separate issues within The Simple PHP Blog <= 0.4.0 application to upload arbitrary data and thus execute a shell. The first vulnerability...
PhpMyAdmin Config File Code Injection
This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x...
Oracle Document Capture 10g ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Oracle Document Capture 10g 10.1.3.5.0. Oracle Document Capture 10g comes bundled with a third-party ActiveX control, emsmtp.dll 6.0.1.0. When passing an overly long string to the method "SubmitToExpress", an attacker may be able to execute arbitrary...
AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin (IE ActiveX, Opera DLL and Firefox XPI). By setting the 'SceneURL' parameter to the URL of an executable, an attacker can execute arbitrary code...
AwingSoft Winds3D Player SceneURL Buffer Overflow
This module exploits a data segment buffer overflow within the Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX control is a plugin of the AwingSoft Web3D Player. By setting an overly long value on the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code...
HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow
This module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: the player installation does not register the file type to be handled, so a user must take extra steps to load this file. This module...
osCommerce 2.2 Arbitrary PHP Code Execution
osCommerce is a popular open source e-commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver...
Novell eDirectory DHOST Predictable Session Cookie
This module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.
Persits XUpload ActiveX AddFile Buffer Overflow
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control version 3.0.0.3 that is included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code.
HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control version 2.1.0.1 that is included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.
Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
Free Download Manager Torrent Parsing Buffer Overflow
This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file.
Rhinosoft Serv-U Session Cookie Buffer Overflow
This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. By sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code.
Hewlett-Packard Power Manager Administration Buffer Overflow
This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. By sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code.
SafeNet SoftRemote GROUPNAME Buffer Overflow
This module exploits a stack buffer overflow in SafeNet SoftRemote Security Policy Editor...
Symantec ConsoleUtilities ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Symantec's ConsoleUtilities. By sending an overly long string to the "BrowseAndSaveFile" method located in the AeXNSConsoleUtilities.dll 6.0.0.1846 control, an attacker may be able to execute arbitrary code.
Rogue Gateway Detection: Receiver
This module listens for replies to the requests sent by the roguesend module. The RPORT, CPORT, and ECHOID values must match the roguesend parameters used exactly.
Rogue Gateway Detection: Sender
This module sends a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the roguerecv module. This allows the system running the roguerecv module to determine what external IP a given internal system is using as its defau...
HTTP GET Request URI Fuzzer (Incrementing Lengths)
This module sends a series of HTTP GET requests with incrementing URL lengths.
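What an incrementing-length fuzzer is for, as an added example that is not the Metasploit module's code: it walks URI lengths upward, and once a request goes unanswered it bisects to the exact length at which the target breaks. The network send is replaced by a caller-supplied probe so the example runs offline; the simulated target and the host name target.example are constructed placeholders.

```ruby
# Added example (not the Metasploit fuzzer module): build HTTP GET requests
# with growing request-URI lengths and locate the smallest length at which
# a target stops answering. `probe` stands in for the socket round trip and
# the simulated target below is constructed for illustration only.

# Raw HTTP/1.1 GET whose request-URI is exactly `len` bytes long.
def build_get(host, len)
  raise ArgumentError, 'URI needs at least one byte for the leading slash' if len < 1
  uri = '/' + ('A' * (len - 1))
  "GET #{uri} HTTP/1.1\r\nHost: #{host}\r\nConnection: close\r\n\r\n"
end

# Walk lengths start, start+step, ... up to stop until `probe` reports a
# failure, then bisect between the last good and first bad length.
# `probe` receives the full request string and returns true if the target
# still responded normally. Returns the smallest failing length, or nil
# when nothing up to `stop` fails.
def find_length_boundary(host, start:, stop:, step:, &probe)
  good = nil
  bad = nil
  len = start
  while len <= stop
    if probe.call(build_get(host, len))
      good = len
    else
      bad = len
      break
    end
    len += step
  end
  return nil if bad.nil?
  return bad if good.nil? # already failing at the first length tried

  while bad - good > 1
    mid = (good + bad) / 2
    if probe.call(build_get(host, mid))
      good = mid
    else
      bad = mid
    end
  end
  bad
end

# Constructed stand-in for a vulnerable server: it copies the request-URI
# into a fixed-size buffer and "crashes" once the URI exceeds that buffer.
def simulated_target(buffer_size)
  lambda do |request|
    uri = request.split(' ', 3)[1]
    uri.bytesize <= buffer_size
  end
end

if __FILE__ == $PROGRAM_NAME
  probe = simulated_target(1024)
  p find_length_boundary('target.example', start: 16, stop: 8192, step: 256, &probe)
end
```

Against a live service the probe would send the request and treat a refused or timed-out connection as a failure; the step size trades fewer requests for a wider bracket, and the bisection then narrows that bracket to the precise crashing length, which is the number you need when sizing the overflow.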
HTTP GET Request URI Fuzzer (Fuzzer Strings)
This module sends a series of HTTP GET requests with malicious URIs.
Joomla 1.5.12 TinyBrowser File Upload Code Execution
This module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 1.5.12 of Joomla and allows the upload of files to the remote server. By renaming the uploaded file, this vulnerability can be used to upload and execute code on the affected system. This modu...
SMB Tree Connect Request Corruption
This module sends a series of SMB tree connect requests with corrupted bytes.