This Metasploit module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This Metasploit module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1.
2547432fd02f1ba4aff29ae93a0c14c41a56c95f4cec7e25e1165d0846aa03ec
This Metasploit module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from an "Launch" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user.
009165bbb7f39c130705ca1779b5bf21f2c3fd6f324d13329ecce60c590e0dcc
This Metasploit module exploits a stack based buffer overflow in the Citrix Gateway ActiveX control. Exploitation of this vulnerability requires user interaction. The victim must click a button in a dialog to begin a scan. This is typical interaction that users should be accustom to. Exploitation results in code execution with the privileges of the user who browsed to the exploit page.
09d9e8b876ca54fa2ea6081f2db151f089cbcc1f38aaa0b3ae3a8349a4c63825
This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.
f3dc9c6ae8fc8270cc4ef71f82c223ad04ea9e8725f94ee4894465c9a0bfbc4b
This Metasploit module exploits an information disclosure vulnerability in the CA Arcserve D2D r15 web server. The information disclosure can be triggered by sending a specially crafted RPC request to the homepage servlet. This causes CA Arcserve to disclosure the username and password in cleartext used for authentication. This username and password pair are Windows credentials with Administrator access.
7c8e30e3bf5a9fd18f843efebdc225b819266ca4ca82d428c51238a4afa9d1c6
This Metasploit module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization is required. This exploit makes use of a second vulnerability, a hardcoded account (tivoli/boss) is used to bypass the authorization restriction.
e26c45a50f92baafd2fb68a99ebdaa1c0b4d55454982b873642bcb3d0f2a41d7
This Metasploit module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.
ef1996fa8324f29a9b671331d440a114bd14ca14534139ba1cdb0b9541a1ba33
This Metasploit module exploits a vulnerability in the Golden FTP service. This Metasploit module uses the PASS command to trigger the overflow.
6ba50b9d749a73eb361bcea253eb0bf927451c37d0d2ba653f58227c262ae8db
This Metasploit module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then handles the java code and creates the objects within the Java Virtual Machine. This interaction however, does not require any sort of authentication. This leaves the JVM wide open to remote attackers. Sending specially crafted data to the Java Bridge results in the execution of arbitrary java code.
0b7ab4865dc9886b7d46ce4b5433ed01d7157a9568397fc5d7d07dd4d712244f
This Metasploit module exploits a vulnerability in AVM2 action script virtual machine used in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify bytecode streams prior to executing it. This can cause uninitialized memory to be executed. Utilizing heap spraying techniques to control the uninitialized memory region it is possible to execute arbitrary code. Typically Flash Player is not used as a standalone application. Often, SWF files are embedded in other file formats or specifically loaded via a web browser. Malcode was discovered in the wild which embedded a malformed SWF file within an Excel spreadsheet. This exploit is based off the byte stream found within that malcode sample.
42f45f3260ab9c5b8cc16ebc8f87909c47dfc836d8362769726a745db24e2709
This Metasploit module exploits a initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory executed.
62839465e28e0ea9cf0ef9d9a77ebcf656fe7aa1aca009b4ad424e57e87ca3f2
This Metasploit module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject() Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit uses the All Users directory currently, which required administrator privileges to write to. This means an administrative user has to open the file to be successful. Kind of lame but thats how it goes sometimes in the world of file write bugs.
d026ecdeb70b4e79e1a300231786aff558d631a15efcc80798eb6c642d176d5e
This Metasploit module tests the command stager mixin against a shell.jsp application installed on an Apache Tomcat server.
d8dd64919cdfb10de8c7a3cdcde49d5fbf78ea5803b2d4d65ba04543e2ee4058
This exploit takes advantage of a stack based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability.
eb9a55064f6e381a97138b188135a0635600efe4ead2bdf62f7751369e16a37e
This Metasploit module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. TODO: hdm suggested using meterpreter's migration capability and restarting the process for multishot exploitation.
1a3eb49398ce9b0ab57cd1e8f8fcef3eb6dad5ad3499db7694e64b4fa58552a2
This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this.
3dc7da1a36dedf13ddf7ea5539aaac3f51e4cbdb8ecfab2652405871dd1aca71
Send ICMP nasty garbage append file logrotate exploit that makes use of sing.
66b2e94faa752f7db45c993144f3a91713c980d4d184f0f642fbc06f37962d07
BitchX version 1.1 Final remote heap overflow exploit that binds a TCP shell to port 4444.
3199f543fb31d066f849b9da09c089cd39b2ca2d158a738330f4a690bbcad49e
Functioning cyrus-imapd pop3d exploit that will bypass VA Randomization. Written in Ruby.
cacdc5be8bfaa3e014d1b725ab854c63f95de8e238d93ae9918354c38df1be94