
6841 matches found

Metasploit • added 2007/07/06 1:22 a.m. • 34 views

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free to overwrite the size or free pointer in initial_malloc_zones structure. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • EPSS 0.77806
Exploits: 23

Metasploit • added 2007/07/01 4:4 p.m. • 23 views

Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow

This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060 EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 7.8 • EPSS 0.77194
Exploits: 18

Metasploit • added 2007/07/01 4:4 p.m. • 23 views

Logitech VideoCall ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX Control wcamxmp.dll 2.0.3470.448. By sending an overly long string to the "Start" method, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 6.8 • AI score 0.6 • EPSS 0.34059
Exploits: 3

Metasploit • added 2007/06/07 9:32 p.m. • 26 views

Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control ywcupl.dll provided by Yahoo! Messenger version 8.1.0.249. By sending an overly long string to the "Server" method, and then calling the "Send" method, an attacker may be able to execute arbitrary code. Using...

CVSS 9.3 • AI score 10 • EPSS 0.40374
Exploits: 4

Metasploit • added 2007/05/29 10:56 p.m. • 6 views

Apple QTJava toQTPointer() Arbitrary Memory Access

This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apple QTJava toQTPointer...

AI score 7.1
Exploits: 0

Metasploit • added 2007/05/22 9:15 p.m. • 22 views

TinyIdentD 2.2 Stack Buffer Overflow

This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 8 • EPSS 0.62715
Exploits: 4

Metasploit • added 2007/05/22 9:15 p.m. • 29 views

GAMSoft TelSrv 1.5 Username Buffer Overflow

This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5. Other versions may also be affected. The service terminates after exploitation, so you only get one chance! This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 5 • EPSS 0.50337
Exploits: 4

Metasploit • added 2007/05/22 9:8 p.m. • 22 views

Apache mod_jk 1.2.20 Buffer Overflow

This is a stack buffer overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache mod_jk 1.2.20 Buffer Overflow', 'Description' = %q...

CVSS 7.5 • AI score 7.5 • EPSS 0.81513
Exploits: 8

Metasploit • added 2007/05/21 8:54 p.m. • 25 views

Samba lsa_io_privilege_set Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba lsa_io_privilege_set Heap Overflow', 'Description' = %q This...

CVSS 10 • AI score 0.2 • EPSS 0.77806
Exploits: 23

Metasploit • added 2007/05/21 8:54 p.m. • 36 views

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba lsa_io_trans_names Heap Overflow', 'Description' = %q This...

CVSS 10 • AI score 7.6 • EPSS 0.77806
Exploits: 23

Metasploit • added 2007/05/18 4:19 a.m. • 20 views

Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX Control ISLAert.dll provided by Symantec Norton Internet Security 2004. By sending an overly long string to the "Get" method, an attacker may be able to execute arbitrary code. This module requires Metasploit:...

CVSS 10 • AI score 7.9 • EPSS 0.64441
Exploits: 3

Metasploit • added 2007/05/03 8:2 p.m. • 21 views

IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow

This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IBM TPM for OS Deployment 5.1.0.x...

CVSS 10 • AI score 7.3 • EPSS 0.59338
Exploits: 3

Metasploit • added 2007/05/03 1:4 p.m. • 15 views

CA BrightStor ArcServe Media Service Stack Buffer Overflow

This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 8.3 • EPSS 0.77996
Exploits: 8

Metasploit • added 2007/05/01 11:22 p.m. • 31 views

Trend Micro ServerProtect 5.58 Buffer Overflow

This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 1.1 • EPSS 0.73767
Exploits: 27

Metasploit • added 2007/05/01 1:31 p.m. • 25 views

MS06-019 Exchange MODPROP Heap Overflow

This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

CVSS 7.5 • AI score 7.6 • EPSS 0.78679
Exploits: 2

Metasploit • added 2007/04/28 7:0 p.m. • 20 views

OS X Command Shell, Reverse TCP Inline

Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 65 include Msf::Payload::Single include Msf::Payload::Osx include...

AI score 0.3
Exploits: 0

Metasploit • added 2007/04/28 7:0 p.m. • 14 views

OS X Command Shell, Find Port Inline

Spawn a shell on an established connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 61 include Msf::Payload::Single include Msf::Payload::Osx include...

Exploits: 0

Metasploit • added 2007/04/16 1:41 a.m. • 54 views

Hidden DCERPC Service Discovery

This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint...

AI score 7.2
Exploits: 0

Metasploit • added 2007/04/15 12:46 a.m. • 30 views

LANDesk Management Suite 8.7 Alert Service Buffer Overflow

This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 0.6 • EPSS 0.72864
Exploits: 10

Metasploit • added 2007/04/14 5:22 a.m. • 13 views

Endpoint Mapper Service Discovery

This module can be used to obtain information from the Endpoint Mapper service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Endpoint Mapper Service Discovery', 'Description' = %q This modul...

AI score 6.7
Exploits: 0

Metasploit • added 2007/04/14 5:22 a.m. • 19 views

Remote Management Interface Discovery

This module can be used to obtain information from the Remote Management Interface DCERPC service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Remote Management Interface Discovery',...

AI score 6.8
Exploits: 0

Metasploit • added 2007/04/11 11:0 p.m. • 19 views

WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX control in InterVideo WinDVD 7. By sending an overly long string to the "ApplicationType" property, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 9.3 • AI score 7.9 • EPSS 0.35137
Exploits: 3

Metasploit • added 2007/04/06 8:37 p.m. • 21 views

HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow

This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control Spider90.ocx 9.1.0.4353 installed by TestDirector TD for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to 'ProgColor', an attacker ca...

CVSS 9.3 • AI score 7.9 • EPSS 0.39735
Exploits: 4

Metasploit • added 2007/03/31 5:29 a.m. • 33 views

Apple QuickTime 7.1.3 RTSP URI Buffer Overflow

This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin. This module requires Metasploit:...

CVSS 6.8 • AI score 7.3 • EPSS 0.48139
Exploits: 10

Metasploit • added 2007/03/26 9:20 p.m. • 23 views

Easy File Sharing FTP Server 2.0 PASS Overflow

This module exploits a stack buffer overflow in the Easy File Sharing 2.0 service. By sending an overly long password, an attacker can execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

CVSS 7.5 • AI score 8.3 • EPSS 0.66333
Exploits: 9

Metasploit • added 2007/03/26 9:18 p.m. • 25 views

Texas Imperial Software WFTPD 3.23 SIZE Overflow

This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Texas Imperial Software WFTPD 3.23 SIZE Overflow...

CVSS 6.5 • AI score 0.5 • EPSS 0.62319
Exploits: 5

Metasploit • added 2007/03/12 1:19 p.m. • 32 views

MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow

This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or...

CVSS 10 • AI score 7.3 • EPSS 0.84084
Exploits: 16

Metasploit • added 2007/03/09 6:5 a.m. • 73 views

MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow

This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against SP0 to SP3. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 7.5 • EPSS 0.86396
Exploits: 13

Metasploit • added 2007/03/01 12:44 p.m. • 17 views

Novell NetMail NMAP STOR Buffer Overflow

This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 9 • AI score 7.8 • EPSS 0.57909
Exploits: 7

Metasploit • added 2007/02/18 12:10 a.m. • 17 views

Windows Meterpreter (Reflective Injection), Reverse TCP Stager

Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...

AI score 1
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 16 views

Windows Meterpreter (skape/jt Injection), Reverse TCP Stager

Inject the meterpreter server DLL staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 7
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 13 views

Reflective DLL Injection, Reverse TCP Stager

Inject a DLL via a reflective loader. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 1.2
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 34 views

Veritas Backup Exec Windows Remote File Access

This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted b...

CVSS 10 • AI score 7.2 • EPSS 0.87026
Exploits: 3

Metasploit • added 2007/02/18 12:10 a.m. • 15 views

Windows Inject DLL, Reverse TCP Stager

Inject a custom DLL into the exploited process. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 0.7
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 15 views

Windows Upload/Execute, Reverse TCP Stager

Uploads an executable and runs it staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 1
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 18 views

Mozilla Suite/Firefox Navigator Object Code Execution

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 0.3
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 45 views

MS05-039 Microsoft Plug and Play Service Overflow

This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically...

CVSS 10 • AI score 7.3 • EPSS 0.93405
Exploits: 9

Metasploit • added 2007/02/18 12:10 a.m. • 115 views

PHP XML-RPC Arbitrary Code Execution

This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. This module requires Metasploit:...

CVSS 7.5 • AI score 0.2 • EPSS 0.79071
Exploits: 5

Metasploit • added 2007/02/18 12:10 a.m. • 18 views

Sybase EAServer 5.2 Remote Stack Buffer Overflow

This module exploits a stack buffer overflow in the Sybase EAServer Web Console. The offset to the SEH frame appears to change depending on what version of Java is in use by the remote server, making this exploit somewhat unreliable. This module requires Metasploit: https://metasploit.com/downloa...

CVSS 4.6 • AI score 0.6 • EPSS 0.74202
Exploits: 6

Metasploit • added 2007/02/18 12:10 a.m. • 12 views

VNC Server (Reflective Injection), Reverse TCP Stager

Inject a VNC Dll via a reflective loader staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 1
Exploits: 0

Metasploit • added 2007/02/18 12:10 a.m. • 9 views

Windows Command Shell, Reverse TCP Stager

Spawn a piped command shell staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 296 include Msf::Payload::Stager include...

AI score 0.4
Exploits: 0

Metasploit • added 2007/02/17 1:52 p.m. • 53 views

Sun Solaris Telnet Remote Authentication Bypass Vulnerability

This module exploits the argument injection vulnerability in the telnet daemon in.telnetd of Solaris 10 and 11. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sun Solaris Telnet Remote...

CVSS 10 • AI score 7.4 • EPSS 0.97892
Exploits: 13

Metasploit • added 2007/02/15 7:13 p.m. • 34 views

CA BrightStor ARCserve Message Engine Buffer Overflow

This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.5 • AI score 7.8 • EPSS 0.68809
Exploits: 16

Metasploit • added 2007/02/15 7:8 p.m. • 26 views

CA BrightStor ARCserve Message Engine Heap Overflow

This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.5 • AI score 7.8 • EPSS 0.78384
Exploits: 12

Metasploit • added 2007/02/04 1:58 a.m. • 33 views

CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download...

CVSS 10 • AI score 8.3 • EPSS 0.7924
Exploits: 7

Metasploit • added 2007/02/03 1:11 p.m. • 12 views

Novell NetMail IMAP AUTHENTICATE Buffer Overflow

This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE GSSAPI command. By sending an overly long string, an attacker can overwrite the buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp or windows/shell_reverse_tcp allows for the most...

AI score 7.5
Exploits: 0

Metasploit • added 2007/02/03 1:10 p.m. • 21 views

RealNetworks RealPlayer SMIL Buffer Overflow

This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has...

CVSS 5.1 • AI score 7.9 • EPSS 0.5399
Exploits: 3

Metasploit • added 2007/02/03 1:9 p.m. • 21 views

Apple ITunes 4.7 Playlist Buffer Overflow

This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'. This module requir...

CVSS 7.5 • AI score 7.8 • EPSS 0.69005
Exploits: 4

Metasploit • added 2007/02/03 4:59 a.m. • 10 views

Windows Disable Windows ICF, Command Shell, Bind TCP Inline

Disable the Windows ICF, then listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 529 include Msf::Payload::Windows include...

Exploits: 0

Metasploit • added 2007/01/28 7:2 p.m. • 24 views

Poptop Negative Read Overflow

This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes what we run our code in, so you...

CVSS 7.5 • AI score 6.9 • EPSS 0.71026
Exploits: 7

Total number of security vulnerabilities: 6841