AIM Triton 1.0.4 CSeq Buffer Overflow
This module exploits a buffer overflow in AOL's AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. This module requires Metasploit:...
SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
This module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. This module requires Metasploit:...
Ipswitch WhatsUp Gold 8.03 Buffer Overflow
This module exploits a buffer overflow in Ipswitch WhatsUp Gold 8.03. By posting a long string as the value of 'instancename' in the maincfgret.cgi script, an attacker can overflow a buffer and execute arbitrary code on the system. This module requires Metasploit: https://metasploit.com/download...
SIP Invite Spoof
This module will create a fake SIP INVITE request, making the targeted device ring and display fake caller ID information. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Novell eDirectory NDS Server Host Header Overflow
This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle 9i XDB HTTP PASS Overflow (win32)
This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the...
Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 builds 6.1.19.0 through 6.1.22.0. Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose...
Mercury/32 PH Server Module Buffer Overflow
This module exploits a stack-based buffer overflow in Mercury/32 ... References: CVE-2005-4411, OSVDB-22103, BID-16396, ...
SHTTPD URI-Encoded POST Request Overflow
This module exploits a stack buffer overflow in SHTTPD ... Authors: LMH, hdm, skOd. References: CVE-2006-5216, OSVDB-29565, URL ...
YPOPS 0.6 Buffer Overflow
This module exploits a stack buffer overflow in the YPOPS POP3 service. This is a classic stack buffer overflow for YPOPS version 0.6; versions 0.5, 0.4.5.1, and 0.4.5 are possibly affected. EIP points to a jmp ebx opcode in ws32.dll. This module requires Metasploit: https://metasploit.com/download Current...
Apache Win32 Chunked Encoding
This module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apach...
FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft SRV.SYS Pipe Transaction No Null
This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...
IA WebMail 3.x Buffer Overflow
This module exploits a stack buffer overflow in the IA WebMail server. This exploit has not been tested against a live system at this time. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Executable Download (http,https,ftp) and Execute
Download an EXE from an HTTPS/FTP URL and execute it. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution
This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code VGX.dll. This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2. This module requires Metasploit: https://metasploit.com/download...
MaxDB WebDBM Database Parameter Overflow
This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially crafted HTTP request that contains an overly long database name, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the wahttp process. This module h...
Ipswitch WS_FTP Server 5.05 XMD5 Overflow
This module exploits a buffer overflow in the XMD5 verb in Ipswitch WS_FTP Server 5.05. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Solaris LPD Arbitrary File Delete
This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10. Th...
Samba trans2open Overflow (Mac OS X PPC)
This module exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
AOL Instant Messenger goaway Overflow
This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. This module requires Metasploit:...
MS03-026 Microsoft RPC DCOM Interface Overflow
This module exploits a stack buffer overflow in the RPCSS service. This vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and...
McAfee Subscription Manager Stack Buffer Overflow
This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of...
Microsoft IIS ISAPI w3who.dll Query String Overflow
This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire, and this code has been successfully tested against Windows 2000 and Windows XP SP2. When exploiting Windows XP, the payload must call RevertToSelf before it will be...
Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
This module exploits a stack buffer overflow in Proxy-Pro Professional GateKeeper 4.7. By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...
Kerio Firewall 2.1.4 Authentication Packet Overflow
This module exploits a stack buffer overflow in Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 2.1.4. This module requires Metasploit: https://metasploit.com/download Current source:...
SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending a long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application. This module requires Metasploit:...
ShixxNOTE 6.net Font Field Overflow
This module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused by boundary errors in the handling of font fields. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
NIPrint LPD Request Overflow
This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Hummingbird Connectivity 10 SP5 LPD Buffer Overflow
This module exploits a stack buffer overflow in the Hummingbird Connectivity 10 LPD daemon. This module has only been tested against Hummingbird Exceed v10 with SP5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
FutureSoft TFTP Server 2000 Transfer-Mode Overflow
This module exploits a stack buffer overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via...
eIQNetworks ESA Topology DELETEDEVICE Overflow
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. This module requires...
eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. This module requires Metasploit:...
MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Symantec Remote Management Buffer Overflow
This module exploits a stack buffer overflow in Symantec Client Security 3.0.x. This module has only been tested against Symantec Client Security 3.0.2 build 10.0.2.2000. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewor...
Generic Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Generic Command Shell, Reverse TCP Inline
Connect back to the attacker and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Microsoft SRV.SYS Mailslot Write Corruption
This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow...
Avoid UTF8/tolower
UTF8 Safe, tolower Safe Encoder This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework NOTE: Read this if you plan on using this encoder: This encoder has some limitations that must be considered. First, this encoder cannot ...
MSSQL Ping Utility
This module simply queries the MSSQL Browser service for server information. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
This module exploits a stack buffer overflow in the LSASS service. This vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter. This module...
OS X Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Winamp Playlist UNC Path Computer Name Overflow
This module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested ...
MS06-025 Microsoft RRAS Service RASMAN Registry Overflow
This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on...
Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 using the SRVSVC pipe. This module requires Metasploit: https://metasploit.com/download Current source:...
MS06-025 Microsoft RRAS Service Overflow
This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000...
TFTPD32 Long Filename Buffer Overflow
This module exploits a stack buffer overflow in TFTPD32 version 2.21 and prior. By sending a request for an overly long file name to the tftpd32 server, a remote attacker could overflow a buffer and execute arbitrary code on the system. This module requires Metasploit:...
MS05-017 Microsoft Message Queueing Service Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's...
Non-Upper Encoder
Encodes payloads as non-alpha based bytes. This allows payloads to bypass tolower calls, but will fail isalpha. Table-based design from Russel Sanford. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...