

 ///  File Name: realplayer_smil.rb.txt
Description:
This Metasploit module exploits a stack overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This Metasploit module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584.
Author:MC
Homepage:http://www.metasploit.com
File Size:2638
Related OSVDB(s):14305
Related CVE(s):CVE-2005-0455
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:2b5b268dbf2f48b35eb3c346ec3282d1

 ///  File Name: realtek_playlist.rb.txt
Description:
This Metasploit module exploits a stack overflow in Realtek Media Player (RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code.
Author:MC
Homepage:http://www.metasploit.com
File Size:1889
Related OSVDB(s):50715
Related CVE(s):CVE-2008-5664
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:32d9f6a14796516b4db88691988e1dcc

 ///  File Name: realvnc_client.rb.txt
Description:
This Metasploit module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
Author:MC
Homepage:http://www.metasploit.com
File Size:2119
Related OSVDB(s):6281
Related CVE(s):CVE-2001-0167
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:a2ab91c2999848db0a2107619477ce53

 ///  File Name: realwin.rb.txt
Description:
This Metasploit module exploits a stack overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.0.10.37). By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, an attacker may be able to execute arbitrary code.
Author:MC
Homepage:http://www.metasploit.com
File Size:1945
Related OSVDB(s):48606
Related CVE(s):CVE-2008-4322
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:7f59e4c978df5b696017cc5bc744f09e

 ///  File Name: roxio_cineplayer.rb.txt
Description:
This Metasploit module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to 'DiskType', an attacker can overrun a buffer and execute arbitrary code.
Author:Trancer
Homepage:http://www.metasploit.com
File Size:3510
Related OSVDB(s):34779
Related CVE(s):CVE-2007-1559
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:d702dd32e39d1ef28a59dd49e3fb415b

 ///  File Name: rsa_webagent_redirect.rb.txt
Description:
This Metasploit module exploits a stack overflow in the SecurID Web Agent for IIS. Because this ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.
Author:H D Moore
Homepage:http://www.metasploit.com
File Size:3030
Related OSVDB(s):20151
Related CVE(s):CVE-2005-4734
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:11717250820087d585d235ad373f2a29

 ///  File Name: safenet_ike_11.rb.txt
Description:
This Metasploit module exploits a stack overflow in the Safenet SoftRemote IKE IreIKE.exe service. When sending a specially crafted UDP packet to port 62514, an attacker may be able to execute arbitrary code. This Metasploit module has been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using windows/meterpreter/reverse_ord_tcp payloads.
Author:MC
Homepage:http://www.metasploit.com
File Size:4200
Related OSVDB(s):54831
Related CVE(s):CVE-2009-1943
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:693347c05eeaf84f2c8e0f1db86d4c61

 ///  File Name: sami_ftpd_user.rb.txt
Description:
This Metasploit module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system.
Author:patrick
Homepage:http://www.metasploit.com
File Size:2878
Related OSVDB(s):25670
Related CVE(s):CVE-2006-0441, CVE-2006-2212
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:cdd873f272de57650477e7e4afc1c838

 ///  File Name: sap_2005_license.rb.txt
Description:
This Metasploit module exploits a stack overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string the stack is overwritten enabling arbitrary code execution.
Author:Jacopo Cervini
Homepage:http://www.metasploit.com
File Size:2051
Related OSVDB(s):56837
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:72c7933317e0d71a135cbb16c84c33e7

 ///  File Name: sapdb_webtools.rb.txt
Description:
This Metasploit module exploits a stack overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. Using the PAYLOAD of windows/shell_bind_tcp or windows/shell_reverse_tcp allows for the most reliable results.
Author:MC
Homepage:http://www.metasploit.com
File Size:2126
Related OSVDB(s):37838
Related CVE(s):CVE-2007-3614
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:f7aad34dc11523f1e10b33fad8d02fe1

 ///  File Name: sapgui_saveviewtosessionfile.rb.txt
Description:
This Metasploit module exploits a stack overflow in the Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled with SAPgui. When an overly long string is passed to the SaveViewToSessionFile() method, arbitrary code may be executed.
Author:MC
Homepage:http://www.metasploit.com
File Size:3670
Related OSVDB(s):53066
Related CVE(s):CVE-2007-4475
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:540d7200ed86f4aaabfcac7cf9890aab

 ///  File Name: saplpd.rb.txt
Description:
This Metasploit module exploits a stack overflow in SAPlpd 6.28 (SAP Release 6.40). By sending an overly long argument, an attacker may be able to execute arbitrary code.
Author:MC
Homepage:http://www.metasploit.com
File Size:1778
Related OSVDB(s):41127
Related CVE(s):CVE-2008-0621
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:68b773c28b5671d16f23589113be97d7

 ///  File Name: sascam_get.rb.txt
Description:
The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user. This control is not marked safe for scripting; please choose your attack vector carefully.
Author:dean
Homepage:http://www.metasploit.com
File Size:3429
Related OSVDB(s):55945
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:520a186c72bdfda7485ac2d0b0ec7c01

 ///  File Name: sasser_ftpd_port.rb.txt
Description:
This Metasploit module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten.
Author:Val Smith,chamuco,patrick
Homepage:http://www.metasploit.com
File Size:1797
Related OSVDB(s):6197
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:d43c04ad521b75f49917fecff05e6333

 ///  File Name: savant_31_overflow.rb.txt
Description:
This Metasploit module exploits a stack overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore you only have 10 chances (unless non-default).
Author:patrick
Homepage:http://www.metasploit.com
File Size:3351
Related OSVDB(s):9829
Related CVE(s):CVE-2002-1120
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:14110dcd7eb8eac8e82254d45c0f87fe

 ///  File Name: seattlelab_pass.rb.txt
Description:
There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a "jmp esp" call from the application library SLMFC.DLL found in %SYSTEM%\system32\. This return address works against all versions of Windows and service packs. The last modification date on the library is dated 06/02/99. Assuming that the code where the overflow occurs has not changed in some time, prior versions of SLMail may also be vulnerable to this exploit. The author has not been able to acquire older versions of SLMail for testing purposes. Please let us know if you were able to get this exploit working against other SLMail versions.
Author:stinko
Homepage:http://www.metasploit.com
File Size:3607
Related OSVDB(s):12002
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:31727f3f716d9e66cb4a7a16fce801c3

 ///  File Name: securecrt_ssh1.rb.txt
Description:
This Metasploit module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. This Metasploit module has only been tested on SecureCRT 3.4.4.
Author:MC
Homepage:http://www.metasploit.com
File Size:1946
Related OSVDB(s):4991
Related CVE(s):CVE-2002-1059
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:75a7ffeea7fe910cfa88ec1979cbec61

 ///  File Name: sentinel_lm7_udp.rb.txt
Description:
This Metasploit module exploits a simple stack overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart.
Author:H D Moore
Homepage:http://www.metasploit.com
File Size:2621
Related OSVDB(s):14605
Related CVE(s):CVE-2005-0353
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:0bfef000329c917fbe457948c9038027

 ///  File Name: servu_mdtm.rb.txt
Description:
This is an exploit for Serv-U's MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit; the service dies after the shellcode finishes execution.
Author:spoonm
Homepage:http://www.metasploit.com
File Size:5677
Related OSVDB(s):4073
Related CVE(s):CVE-2004-0330
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:3c3e798367f555e4fb0346813c33a307

 ///  File Name: shixxnote_font.rb.txt
Description:
This Metasploit module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields.
Author:MC
Homepage:http://www.metasploit.com
File Size:1907
Related OSVDB(s):10721
Related CVE(s):CVE-2004-1595
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:892334061ff66af3ed77a6a6cb4620b5

 ///  File Name: shoutcast_format.rb.txt
Description:
This Metasploit module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.
Author:MC
Homepage:http://www.metasploit.com
File Size:2864
Related OSVDB(s):12585
Related CVE(s):CVE-2004-1373
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:701edb6431e0df222813fa3a50ede484

 ///  File Name: shttpd_post.rb.txt
Description:
This Metasploit module exploits a stack overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. Based on an original exploit by skOd but using a different method found by hdm.
Author:H D Moore,LMH,skOd
Homepage:http://www.metasploit.com
File Size:2486
Related OSVDB(s):29565
Related CVE(s):CVE-2006-5216
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:b21fb21fbf2bc5aea9b40ebb37bd6696

 ///  File Name: sipxezphone_cseq.rb.txt
Description:
This Metasploit module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending a long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.
Author:MC
Homepage:http://www.metasploit.com
File Size:2318
Related OSVDB(s):27122
Related CVE(s):CVE-2006-3524
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:e6ef398d8cc4914b72f93725e4bd8069

 ///  File Name: slimftpd_list_concat.rb.txt
Description:
This Metasploit module exploits a stack overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo.
Author:Fairuzan Roslan
Homepage:http://www.metasploit.com
File Size:1830
Related OSVDB(s):18172
Related CVE(s):CVE-2005-2373
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:6da2313875c54279748142df3eb0ffa8

 ///  File Name: smb_relay.rb.txt
Description:
This Metasploit module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.
Author:H D Moore
Homepage:http://www.metasploit.com
File Size:14556
Related OSVDB(s):49736
Related CVE(s):CVE-2008-4037
Last Modified:Nov 25 19:34:53 2009
MD5 Checksum:d205c4ca89f0c3ebef2501ee6f238df5