Solaris in.telnetd TTYPROMPT Buffer Overflow
This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris in.telnetd TTYPROMPT...
Non-Alpha Encoder
Encodes payloads as non-alpha based bytes. This allows payloads to bypass both toupper and tolower calls, but will fail isalpha. Table based design from Russel Sanford. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Novell Messenger Server 2.0 Accept-Language Overflow
This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy operation that uses pointers we supply...
PeerCast URL Handling Buffer Overflow
This module exploits a stack buffer overflow in PeerCast 'PeerCast URL Handling Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in PeerCast 'MC' , 'License' = BSDLICENSE, 'References' = 'CVE', '2006-1148', 'OSVDB', '23777', 'BID', '17040' , 'Privileged' = false,...
PeerCast URL Handling Buffer Overflow
This module exploits a stack buffer overflow in PeerCast 'PeerCast URL Handling Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in PeerCast 'hdm' , 'License' = MSFLICENSE, 'References' = 'CVE', '2006-1148', 'OSVDB', '23777', 'BID', '17040' , 'Privileged' = false,...
Firefox location.QueryInterface() Code Execution
This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. This module require...
Irix LPD tagprinter Command Execution
This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Irix. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Irix LPD tagprinter Command...
Unix Command Shell, Reverse TCP (via Perl)
Creates an interactive shell via perl This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 234 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo...
Linux Command Shell, Reverse TCP Stager
Spawn a command shell staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 123 include Msf::Payload::Stager include Msf::Payload::Linux::ReverseTcpx...
Linux Mettle x86, Reverse TCP Stager
Inject the mettle server payload staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 123 include Msf::Payload::Stager include...
Novell ZENworks 6.5 Desktop/Server Management Overflow
This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Novell...
MS04-031 Microsoft NetDDE Service Overflow
This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit affects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authenticatio...
MS02-018 Microsoft IIS 4.0 .HTR Path Overflow
This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server wi...
MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow
This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 Server and Professional SP0-SP1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely...
DistCC Daemon Command Execution
This module uses a documented security weakness to execute arbitrary commands on any system running distccd. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DistCC Daemon Command Execution',...
Unix Command Shell, Bind TCP (via Perl)
Listen for a connection and spawn a command shell via perl This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 240 include Msf::Payload::Single include Msf::Sessions::CommandShellOptio...
Polymorphic XOR Additive Feedback Encoder
This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically. This module requires Metasploit: https://metasploit.com/download Current source:...
Alt-N WebAdmin USER Buffer Overflow
Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges. This module requires Metasploit: https://metasploit.com/download Current source:...
SPARC NOP Generator
SPARC NOP generator This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework SingleByte ---------- This class implements a NOP generator for the SPARC platform class MetasploitModule Msf::Nop Nop types InsSethi = 0 InsArithmetic...
HP-UX LPD Command Execution
This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target...
MS02-056 Microsoft SQL Server Hello Overflow
By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install 'MS02-056 Microsoft SQL Server Hello Overflow...
Oracle 9i XDB FTP UNLOCK Overflow (win32)
By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat...
Solaris LPD Command Execution
This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system. This...
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 68 include Msf::Payload::Single include Msf::Payload::Linux::X86::Prepends includ...
Veritas Backup Exec Windows Remote Agent Overflow
This module exploits a stack buffer overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack buffer overflow to smash a SEH...
Blue Coat WinProxy Host Header Overflow
This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in an HTTP request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModu...
Minishare 1.4.1 Buffer Overflow
This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested...
MS04-045 Microsoft WINS Service Memory Overwrite
This module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MS04-045 Microso...
freeFTPd 1.0 Username Overflow
This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default). This module requires Metasploit: https://metasploit.com/download Current source:...
Generic Shell Variable Substitution Command Encoder
This encoder uses standard Bourne shell variable substitution tricks to avoid commonly restricted characters. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Generic Shell Variable Substitution...
SPARC DWORD XOR Encoder
This encoder is optyx's 48-byte SPARC encoder with some tweaks. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SPARC DWORD XOR Encoder', 'Description' = %q This encoder is optyx's 48-byte SPAR...
Unix Command Shell, Bind TCP (inetd)
Listen for a connection and spawn a command shell persistent This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 487 include Msf::Payload::Single include...
Unix Command Shell, Double Reverse TCP (telnet)
Creates an interactive shell through two inbound connections This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 130 include Msf::Payload::Single include...
Unix Command Shell, Reverse TCP (/dev/tcp)
Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature. This module requires Metasploit: https://metasploit.com/download Current source:...
3Com 3CDaemon 2.0 FTP Username Overflow
This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow. This module requires Metasploit:...
SlimFTPd LIST Concatenation Overflow
This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo. This module requires Metasploit:...
War-FTPD 1.65 Username Overflow
This module exploits a buffer overflow found in the USER command of War-FTPD 1.65. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'War-FTPD 1.65 Username Overflow', 'Description' = %q This modu...
Alpha2 Alphanumeric Unicode Uppercase Encoder
Encodes payload as unicode-safe uppercase text. This encoder uses SkyLined's Alpha2 encoding suite. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/encoder/alpha2/unicodeupper' class MetasploitModule...
Alpha2 Alphanumeric Unicode Mixedcase Encoder
Encodes payload as unicode-safe mixedcase text. This encoder uses SkyLined's Alpha2 encoding suite. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/encoder/alpha2/unicodemixed' class MetasploitModule...
Alpha2 Alphanumeric Uppercase Encoder
Encodes payloads as alphanumeric uppercase text. This encoder uses SkyLined's Alpha2 encoding suite. A pure alpha encoder is impossible without having a register that points at or near the shellcode. In a default configuration the first few bytes at the beginning are an fnstenv getpc stub the sam...
Alpha2 Alphanumeric Mixedcase Encoder
Encodes payloads as alphanumeric mixedcase text. This encoder uses SkyLined's Alpha2 encoding suite. A pure alpha encoder is impossible without having a register that points at or near the shellcode. In a default configuration the first few bytes at the beginning are an fnstenv getpc stub the sam...
Samba trans2open Overflow (Solaris SPARC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module. Thi...
Simple
Simple NOP generator This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework SingleByte ---------- This class implements a simple NOP generator for PowerPC class MetasploitModule 'Simple', 'Alias' = 'ppcsimple', 'Description' =...
Solaris dtspcd Heap Overflow
This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 sparc. The original exploit code was published in the book Shellcoder's Handbook. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. Because this ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service. This module requires Metasploit:...
SentinelLM UDP Buffer Overflow
This module exploits a simple stack buffer overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart. This modul...
SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put. This module requires Metasploit...
Icecast Header Overwrite
This module exploits a buffer overflow in the header parsing of icecast versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux dependin...
Unreal Tournament 2004 "secure" Overflow (Win32)
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh scrip...
Unix Command, Generic Command Execution
Executes the supplied command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 8 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo =...