{ "auxiliary_admin/2wire/xslt_password_reset": { "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability", "full_name": "auxiliary/admin/2wire/xslt_password_reset", "rank": 300, "disclosure_date": "2007-08-15", "type": "auxiliary", "author": [ "hkm ", "Travis Phillips" ], "description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.", "references": [ "CVE-2007-4387", "OSVDB-37667", "BID-36075", "URL-http://seclists.org/bugtraq/2007/Aug/225" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb", "is_install_path": true, "ref_name": "admin/2wire/xslt_password_reset", "check": false }, "auxiliary_admin/android/google_play_store_uxss_xframe_rce": { "name": "Android Browser RCE Through Google Play Store XFO", "full_name": "auxiliary/admin/android/google_play_store_uxss_xframe_rce", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Rafay Baloch", "joev " ], "description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. Second, the Google Play store's web interface fails to enforce a\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. 
As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.", "references": [ "URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041", "URL-http://1337day.com/exploit/description/22581", "OSVDB-110664", "CVE-2014-6041" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb", "is_install_path": true, "ref_name": "admin/android/google_play_store_uxss_xframe_rce", "check": false }, "auxiliary_admin/appletv/appletv_display_image": { "name": "Apple TV Image Remote Control", "full_name": "auxiliary/admin/appletv/appletv_display_image", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "0a29406d9794e4f9b30b3c5d6702c708", "sinn3r " ], "description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. 
For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.", "references": [ "URL-http://nto.github.io/AirPlay.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 7000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/appletv/appletv_display_image.rb", "is_install_path": true, "ref_name": "admin/appletv/appletv_display_image", "check": false }, "auxiliary_admin/appletv/appletv_display_video": { "name": "Apple TV Video Remote Control", "full_name": "auxiliary/admin/appletv/appletv_display_video", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "0a29406d9794e4f9b30b3c5d6702c708", "sinn3r " ], "description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. 
For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.", "references": [ "URL-http://nto.github.io/AirPlay.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 7000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/appletv/appletv_display_video.rb", "is_install_path": true, "ref_name": "admin/appletv/appletv_display_video", "check": false }, "auxiliary_admin/atg/atg_client": { "name": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client", "full_name": "auxiliary/admin/atg/atg_client", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Jon Hart " ], "description": "This module acts as a simplistic administrative client for interfacing\n with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n the TLS-250 and TLS-350 protocols. This has been tested against\n GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n been tested against anything else, so use at your own risk.", "references": [ "URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges", "URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment", "URL-https://github.com/sjhilt/GasPot", "URL-https://github.com/mushorg/conpot", "URL-http://www.veeder.com/us/automatic-tank-gauge-atg-consoles", "URL-http://www.chipkin.com/files/liz/576013-635.pdf", "URL-http://www.veeder.com/gold/download.cfm?doc_id=6227" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 10001, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/atg/atg_client.rb", "is_install_path": true, "ref_name": "admin/atg/atg_client", "check": true }, "auxiliary_admin/aws/aws_launch_instances": { "name": "Launches Hosts in AWS", "full_name": "auxiliary/admin/aws/aws_launch_instances", "rank": 300, "disclosure_date": 
null, "type": "auxiliary", "author": [ "Javier Godinez " ], "description": "This module will attempt to launch AWS instances (hosts) in EC2.", "references": [ "URL-https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ", "URL-https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/aws/aws_launch_instances.rb", "is_install_path": true, "ref_name": "admin/aws/aws_launch_instances", "check": false }, "auxiliary_admin/backupexec/dump": { "name": "Veritas Backup Exec Windows Remote File Access", "full_name": "auxiliary/admin/backupexec/dump", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm ", "Unknown" ], "description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. 
To transfer an entire directory, specify a\n path that includes a trailing backslash.", "references": [ "CVE-2005-2611", "OSVDB-18695", "BID-14551", "URL-http://www.fpns.net/willy/msbksrc.lzh" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 10000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/backupexec/dump.rb", "is_install_path": true, "ref_name": "admin/backupexec/dump", "check": false }, "auxiliary_admin/backupexec/registry": { "name": "Veritas Backup Exec Server Registry Access", "full_name": "auxiliary/admin/backupexec/registry", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.", "references": [ "OSVDB-17627", "CVE-2005-0771", "URL-http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 6106, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/backupexec/registry.rb", "is_install_path": true, "ref_name": "admin/backupexec/registry", "check": false }, "auxiliary_admin/chromecast/chromecast_reset": { "name": "Chromecast Factory Reset DoS", "full_name": "auxiliary/admin/chromecast/chromecast_reset", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "wvu " ], "description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.", "references": [ "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8008, "targets": null, "mod_time": 
"2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/chromecast/chromecast_reset.rb", "is_install_path": true, "ref_name": "admin/chromecast/chromecast_reset", "check": false }, "auxiliary_admin/chromecast/chromecast_youtube": { "name": "Chromecast YouTube Remote Control", "full_name": "auxiliary/admin/chromecast/chromecast_youtube", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "wvu " ], "description": "This module acts as a simple remote control for Chromecast YouTube.", "references": [ "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8008, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb", "is_install_path": true, "ref_name": "admin/chromecast/chromecast_youtube", "check": false }, "auxiliary_admin/cisco/cisco_asa_extrabacon": { "name": "Cisco ASA Authentication Bypass (EXTRABACON)", "full_name": "auxiliary/admin/cisco/cisco_asa_extrabacon", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Sean Dillon ", "Zachary Harding ", "Nate Caroe ", "Dylan Davis ", "William Webb ", "Jeff Jarmoc ", "Equation Group", "Shadow Brokers" ], "description": "This module patches the authentication functions of a Cisco ASA\n to allow uncredentialed logins. 
Uses improved shellcode for payload.", "references": [ "CVE-2016-6366", "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp", "URL-https://github.com/RiskSense-Ops/CVE-2016-6366" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 161, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb", "is_install_path": true, "ref_name": "admin/cisco/cisco_asa_extrabacon", "check": true }, "auxiliary_admin/cisco/cisco_secure_acs_bypass": { "name": "Cisco Secure ACS Unauthorized Password Change", "full_name": "auxiliary/admin/cisco/cisco_secure_acs_bypass", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Jason Kratzer " ], "description": "This module exploits an authentication bypass issue which allows arbitrary\n password change requests to be issued for any user in the local store.\n Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n as version 5.2 with either no patches or patches 1 and 2 are vulnerable.", "references": [ "BID-47093", "CVE-2011-0951", "URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb", "is_install_path": true, "ref_name": "admin/cisco/cisco_secure_acs_bypass", "check": true }, "auxiliary_admin/cisco/vpn_3000_ftp_bypass": { "name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access", "full_name": "auxiliary/admin/cisco/vpn_3000_ftp_bypass", "rank": 300, "disclosure_date": "2006-08-23", "type": "auxiliary", "author": [ "aushack " ], "description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n 3000 series. 
It is possible to execute some FTP statements without authentication\n (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n when working with CWD commands. This module simply creates an arbitrary directory,\n verifies that the directory has been created, then deletes it and verifies deletion\n to confirm the bug.", "references": [ "BID-19680", "CVE-2006-4313", "OSVDB-28139", "OSVDB-28138" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb", "is_install_path": true, "ref_name": "admin/cisco/vpn_3000_ftp_bypass", "check": false }, "auxiliary_admin/db2/db2rcmd": { "name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability", "full_name": "auxiliary/admin/db2/db2rcmd", "rank": 300, "disclosure_date": "2004-03-04", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits a vulnerability in the Remote Command Server\n component in IBM's DB2 Universal Database 8.1. 
An authenticated\n attacker can send arbitrary commands to the DB2REMOTECMD named pipe\n which could lead to administrator privileges.", "references": [ "CVE-2004-0795", "OSVDB-4180", "BID-9821" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/db2/db2rcmd.rb", "is_install_path": true, "ref_name": "admin/db2/db2rcmd", "check": false }, "auxiliary_admin/dns/dyn_dns_update": { "name": "DNS Server Dynamic Update Record Injection", "full_name": "auxiliary/admin/dns/dyn_dns_update", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "King Sabri ", "Brent Cook " ], "description": "This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.", "references": [ "URL-http://www.tenable.com/plugins/index.php?view=single&id=35372", "URL-https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject", "URL-https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/", "URL-https://github.com/ChrisTruncer/PenTestScripts/blob/master/DNSInject.py" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb", "is_install_path": true, "ref_name": "admin/dns/dyn_dns_update", "check": false }, "auxiliary_admin/edirectory/edirectory_dhost_cookie": { "name": "Novell eDirectory DHOST Predictable Session Cookie", "full_name": "auxiliary/admin/edirectory/edirectory_dhost_cookie", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. 
An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.", "references": [ "CVE-2009-4655", "OSVDB-60035" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8030, "targets": null, "mod_time": "2018-07-08 19:00:11 +0000", "path": "/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb", "is_install_path": true, "ref_name": "admin/edirectory/edirectory_dhost_cookie", "check": false }, "auxiliary_admin/edirectory/edirectory_edirutil": { "name": "Novell eDirectory eMBox Unauthenticated File Access", "full_name": "auxiliary/admin/edirectory/edirectory_edirutil", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Nicob", "MC ", "sinn3r " ], "description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.", "references": [ "CVE-2008-0926", "BID-28441", "OSVDB-43690" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8028, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb", "is_install_path": true, "ref_name": "admin/edirectory/edirectory_edirutil", "check": false }, "auxiliary_admin/emc/alphastor_devicemanager_exec": { "name": "EMC AlphaStor Device Manager Arbitrary Command Execution", "full_name": "auxiliary/admin/emc/alphastor_devicemanager_exec", "rank": 300, "disclosure_date": "2008-05-27", "type": "auxiliary", "author": [ "MC " ], "description": "EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", "references": [ "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", "OSVDB-45715", "CVE-2008-2157", "BID-29398" ], "is_server": false, "is_client": 
false, "platform": "", "arch": "", "rport": 3000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb", "is_install_path": true, "ref_name": "admin/emc/alphastor_devicemanager_exec", "check": false }, "auxiliary_admin/emc/alphastor_librarymanager_exec": { "name": "EMC AlphaStor Library Manager Arbitrary Command Execution", "full_name": "auxiliary/admin/emc/alphastor_librarymanager_exec", "rank": 300, "disclosure_date": "2008-05-27", "type": "auxiliary", "author": [ "MC " ], "description": "EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", "references": [ "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", "CVE-2008-2157", "OSVDB-45715", "BID-29398" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3500, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb", "is_install_path": true, "ref_name": "admin/emc/alphastor_librarymanager_exec", "check": false }, "auxiliary_admin/firetv/firetv_youtube": { "name": "Amazon Fire TV YouTube Remote Control", "full_name": "auxiliary/admin/firetv/firetv_youtube", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "wvu " ], "description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.", "references": [ "URL-http://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1", "URL-http://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8008, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb", "is_install_path": true, "ref_name": "admin/firetv/firetv_youtube", "check": false }, 
"auxiliary_admin/hp/hp_data_protector_cmd": { "name": "HP Data Protector 6.1 EXEC_CMD Command Execution", "full_name": "auxiliary/admin/hp/hp_data_protector_cmd", "rank": 300, "disclosure_date": "2011-02-07", "type": "auxiliary", "author": [ "ch0ks", "c4an", "wireghoul", "sinn3r " ], "description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead and execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will fail\n with an error (0x03), and the process bails early without triggering CreateProcess().\n\n Because of this behavior, if you try to supply an argument, FindFirstFileW()\n will treat it as part of the filename, and the process will bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.", "references": [ "CVE-2011-0923", "OSVDB-72526", "ZDI-11-055", "URL-http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5555, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb", "is_install_path": true, "ref_name": "admin/hp/hp_data_protector_cmd", "check": false }, "auxiliary_admin/hp/hp_ilo_create_admin_account": { "name": "HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation", "full_name": "auxiliary/admin/hp/hp_ilo_create_admin_account", "rank": 300, "disclosure_date": "2017-08-24", "type": "auxiliary", "author": [ "Fabien Perigaud " ], "description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web server.\n Exploiting this vulnerability gives full access to the REST 
API, allowing arbitrary\n accounts creation.", "references": [ "CVE-2017-12542", "BID-100467", "URL-https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us", "URL-https://www.synacktiv.com/posts/exploit/hp-ilo-talk-at-recon-brx-2018.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2018-03-16 16:46:50 +0000", "path": "/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb", "is_install_path": true, "ref_name": "admin/hp/hp_ilo_create_admin_account", "check": true }, "auxiliary_admin/hp/hp_imc_som_create_account": { "name": "HP Intelligent Management SOM Account Creation", "full_name": "auxiliary/admin/hp/hp_imc_som_create_account", "rank": 300, "disclosure_date": "2013-10-08", "type": "auxiliary", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. 
This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.", "references": [ "CVE-2013-4824", "OSVDB-98249", "BID-62902", "ZDI-13-240", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb", "is_install_path": true, "ref_name": "admin/hp/hp_imc_som_create_account", "check": false }, "auxiliary_admin/http/allegro_rompager_auth_bypass": { "name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass", "full_name": "auxiliary/admin/http/allegro_rompager_auth_bypass", "rank": 300, "disclosure_date": "2014-12-17", "type": "auxiliary", "author": [ "Jon Hart ", "Jan Trencansky ", "Lior Oppenheim" ], "description": "This module exploits HTTP servers that appear to be vulnerable to the\n 'Misfortune Cookie' vulnerability which affects Allegro Software\n Rompager versions before 4.34 and can allow attackers to authenticate\n to the HTTP service as an administrator without providing valid\n credentials.", "references": [ "CVE-2014-9222", "URL-http://mis.fortunecook.ie", "URL-http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf", "URL-http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb", "is_install_path": true, "ref_name": "admin/http/allegro_rompager_auth_bypass", "check": false }, "auxiliary_admin/http/arris_motorola_surfboard_backdoor_xss": { "name": "Arris / Motorola Surfboard SBG6580 Web Interface Takeover", "full_name": 
"auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss", "rank": 300, "disclosure_date": "2015-04-08", "type": "auxiliary", "author": [ "joev " ], "description": "The web interface for the Arris / Motorola Surfboard SBG6580 has\n several vulnerabilities that, when combined, allow an arbitrary website to take\n control of the modem, even if the user is not currently logged in. The attacker\n must successfully know, or guess, the target's internal gateway IP address.\n This is usually a default value of 192.168.0.1.\n\n First, a hardcoded backdoor account was discovered in the source code\n of one device with the credentials \"technician/yZgO8Bvj\". Due to lack of CSRF\n in the device's login form, these credentials - along with the default\n \"admin/motorola\" - can be sent to the device by an arbitrary website, thus\n inadvertently logging the user into the router.\n\n Once successfully logged in, a persistent XSS vulnerability is\n exploited in the firewall configuration page. This allows injection of\n Javascript that can perform any available action in the router interface.\n\n The following firmware versions have been tested as vulnerable:\n\n SBG6580-6.5.2.0-GA-06-077-NOSH, and\n SBG6580-8.6.1.0-GA-04-098-NOSH", "references": [ "CVE-2015-0964", "CVE-2015-0965", "CVE-2015-0966", "URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb", "is_install_path": true, "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss", "check": false }, "auxiliary_admin/http/axigen_file_access": { "name": "Axigen Arbitrary File Read and Delete", "full_name": "auxiliary/admin/http/axigen_file_access", "rank": 300, "disclosure_date": "2012-10-31", "type": 
"auxiliary", "author": [ "Zhao Liang", "juan vazquez " ], "description": "This module exploits a directory traversal vulnerability in the WebAdmin\n interface of Axigen, which allows an authenticated user to read and delete\n arbitrary files with SYSTEM privileges. The vulnerability is known to work on\n Windows platforms. This module has been tested successfully on Axigen 8.10 over\n Windows 2003 SP2.", "references": [ "US-CERT-VU-586556", "CVE-2012-4940", "OSVDB-86802" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 9000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/axigen_file_access.rb", "is_install_path": true, "ref_name": "admin/http/axigen_file_access", "check": false }, "auxiliary_admin/http/cfme_manageiq_evm_pass_reset": { "name": "Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection", "full_name": "auxiliary/admin/http/cfme_manageiq_evm_pass_reset", "rank": 300, "disclosure_date": "2013-11-12", "type": "auxiliary", "author": [ "Ramon de C Valle " ], "description": "This module exploits a SQL injection vulnerability in the \"explorer\"\n action of \"miq_policy\" controller of the Red Hat CloudForms Management\n Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by\n changing the password of the target account to the specified password.", "references": [ "CVE-2013-2050", "CWE-89", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=959062" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb", "is_install_path": true, "ref_name": "admin/http/cfme_manageiq_evm_pass_reset", "check": false }, "auxiliary_admin/http/cnpilot_r_cmd_exec": { "name": "Cambium cnPilot r200/r201 Command Execution as 'root'", "full_name": "auxiliary/admin/http/cnpilot_r_cmd_exec", "rank": 300, 
"disclosure_date": null, "type": "auxiliary", "author": [ "Karn Ganeshen " ], "description": "Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to\n 4.3.3-R4 contain an undocumented backdoor 'root' shell. This shell is\n accessible via a specific URL to any authenticated user. The module uses this\n shell to execute arbitrary system commands as 'root'.", "references": [ "CVE-2017-5259", "URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-12-19 16:53:02 +0000", "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb", "is_install_path": true, "ref_name": "admin/http/cnpilot_r_cmd_exec", "check": true }, "auxiliary_admin/http/cnpilot_r_fpt": { "name": "Cambium cnPilot r200/r201 File Path Traversal", "full_name": "auxiliary/admin/http/cnpilot_r_fpt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Karn Ganeshen " ], "description": "This module exploits a File Path Traversal vulnerability in Cambium\n cnPilot r200/r201 to read arbitrary files off the file system. 
Affected\n versions - 4.3.3-R4 and prior.", "references": [ "CVE-2017-5261", "URL-https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-12-19 16:53:02 +0000", "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb", "is_install_path": true, "ref_name": "admin/http/cnpilot_r_fpt", "check": true }, "auxiliary_admin/http/contentkeeper_fileaccess": { "name": "ContentKeeper Web Appliance mimencode File Access", "full_name": "auxiliary/admin/http/contentkeeper_fileaccess", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "aushack " ], "description": "This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.", "references": [ "OSVDB-54551", "URL-http://www.aushack.com/200904-contentkeeper.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb", "is_install_path": true, "ref_name": "admin/http/contentkeeper_fileaccess", "check": true }, "auxiliary_admin/http/dlink_dir_300_600_exec_noauth": { "name": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution", "full_name": "auxiliary/admin/http/dlink_dir_300_600_exec_noauth", "rank": 300, "disclosure_date": "2013-02-04", "type": "auxiliary", "author": [ "Michael Messner " ], "description": "This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. 
This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.", "references": [ "OSVDB-89861", "EDB-24453", "URL-http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router", "URL-http://www.s3cur1ty.de/home-network-horror-days", "URL-http://www.s3cur1ty.de/m1adv2013-003" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb", "is_install_path": true, "ref_name": "admin/http/dlink_dir_300_600_exec_noauth", "check": false }, "auxiliary_admin/http/dlink_dir_645_password_extractor": { "name": "D-Link DIR 645 Password Extractor", "full_name": "auxiliary/admin/http/dlink_dir_645_password_extractor", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Roberto Paleari ", "Michael Messner " ], "description": "This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.\n With this vulnerability you are able to extract the password for the remote\n management.", "references": [ "OSVDB-90733", "BID-58231", "PACKETSTORM-120591" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-30 15:18:23 +0000", "path": "/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb", "is_install_path": true, "ref_name": "admin/http/dlink_dir_645_password_extractor", "check": false }, "auxiliary_admin/http/dlink_dsl320b_password_extractor": { "name": "D-Link DSL 320B Password Extractor", "full_name": "auxiliary/admin/http/dlink_dsl320b_password_extractor", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Michael Messner " ], "description": "This module exploits an authentication bypass vulnerability in D-Link DSL 320B\n <=v1.23. 
This vulnerability allows extracting the credentials for the remote\n management interface.", "references": [ "EDB-25252", "OSVDB-93013", "URL-http://www.s3cur1ty.de/m1adv2013-018" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-30 15:18:23 +0000", "path": "/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb", "is_install_path": true, "ref_name": "admin/http/dlink_dsl320b_password_extractor", "check": false }, "auxiliary_admin/http/foreman_openstack_satellite_priv_esc": { "name": "Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment", "full_name": "auxiliary/admin/http/foreman_openstack_satellite_priv_esc", "rank": 300, "disclosure_date": "2013-06-06", "type": "auxiliary", "author": [ "Ramon de C Valle " ], "description": "This module exploits a mass assignment vulnerability in the 'create'\n action of 'users' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator\n account. 
For this exploit to work, your account must have 'create_users'\n permission (e.g., Manager role).", "references": [ "BID-60835", "CVE-2013-2113", "CWE-915", "OSVDB-94655", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=966804", "URL-http://projects.theforeman.org/issues/2630" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb", "is_install_path": true, "ref_name": "admin/http/foreman_openstack_satellite_priv_esc", "check": false }, "auxiliary_admin/http/gitstack_rest": { "name": "GitStack Unauthenticated REST API Requests", "full_name": "auxiliary/admin/http/gitstack_rest", "rank": 300, "disclosure_date": "2018-01-15", "type": "auxiliary", "author": [ "Kacper Szurek", "Jacob Robles" ], "description": "This module exploits unauthenticated REST API requests in GitStack through v2.3.10.\n The module supports requests for listing users of the application and listing\n available repositories. Additionally, the module can create a user and add the user\n to the application's repositories. 
This module has been tested against GitStack v2.3.10.", "references": [ "CVE-2018-5955", "EDB-43777", "EDB-44044" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-03-09 07:43:12 +0000", "path": "/modules/auxiliary/admin/http/gitstack_rest.rb", "is_install_path": true, "ref_name": "admin/http/gitstack_rest", "check": false }, "auxiliary_admin/http/hp_web_jetadmin_exec": { "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution", "full_name": "auxiliary/admin/http/hp_web_jetadmin_exec", "rank": 300, "disclosure_date": "2004-04-27", "type": "auxiliary", "author": [ "aushack " ], "description": "This module abuses a command execution vulnerability within the\n web based management console of the Hewlett-Packard Web JetAdmin\n network printer tool v6.2 - v6.5. It is possible to execute commands\n as SYSTEM without authentication. The vulnerability also affects POSIX\n systems, however at this stage the module only works against Windows.\n This module does not apply to HP printers.", "references": [ "OSVDB-5798", "BID-10224", "EDB-294" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8000, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb", "is_install_path": true, "ref_name": "admin/http/hp_web_jetadmin_exec", "check": false }, "auxiliary_admin/http/iis_auth_bypass": { "name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass", "full_name": "auxiliary/admin/http/iis_auth_bypass", "rank": 300, "disclosure_date": "2010-07-02", "type": "auxiliary", "author": [ "Soroush Dalili", "sinn3r " ], "description": "This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.", "references": [ "CVE-2010-2731", "OSVDB-66160", "MSB-MS10-065", 
"URL-http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/iis_auth_bypass.rb", "is_install_path": true, "ref_name": "admin/http/iis_auth_bypass", "check": false }, "auxiliary_admin/http/intersil_pass_reset": { "name": "Intersil (Boa) HTTPd Basic Authentication Password Reset", "full_name": "auxiliary/admin/http/intersil_pass_reset", "rank": 300, "disclosure_date": "2007-09-10", "type": "auxiliary", "author": [ "Luca \"ikki\" Carettoni ", "Claudio \"paper\" Merloni ", "Max Dietz " ], "description": "The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11\n allows basic authentication bypass when the user string is greater\n than 127 bytes long. The long string causes the password to be\n overwritten in memory, which enables the attacker to reset the\n password. 
In addition, the malicious attempt also may cause a\n denial-of-service condition.\n\n Please note that you must set the request URI to the directory that\n requires basic authentication in order to work properly.", "references": [ "CVE-2007-4915", "BID-25676", "PACKETSTORM-59347" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-08 19:00:11 +0000", "path": "/modules/auxiliary/admin/http/intersil_pass_reset.rb", "is_install_path": true, "ref_name": "admin/http/intersil_pass_reset", "check": true }, "auxiliary_admin/http/iomega_storcenterpro_sessionid": { "name": "Iomega StorCenter Pro NAS Web Authentication Bypass", "full_name": "auxiliary/admin/http/iomega_storcenterpro_sessionid", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "aushack " ], "description": "The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,\n allowing for simple brute force attacks to bypass authentication and gain administrative\n access.", "references": [ "OSVDB-55586", "CVE-2009-2367" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb", "is_install_path": true, "ref_name": "admin/http/iomega_storcenterpro_sessionid", "check": false }, "auxiliary_admin/http/jboss_bshdeployer": { "name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment", "full_name": "auxiliary/admin/http/jboss_bshdeployer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "us3r777 " ], "description": "This module can be used to install a WAR file payload on JBoss servers that have\n an exposed \"jmx-console\" application. 
The payload is put on the server by\n using the jboss.system:BSHDeployer's createScriptDeployment() method.", "references": [ "CVE-2010-0738", "OSVDB-64171", "URL-http://www.redteam-pentesting.de/publications/jboss", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb", "is_install_path": true, "ref_name": "admin/http/jboss_bshdeployer", "check": false }, "auxiliary_admin/http/jboss_deploymentfilerepository": { "name": "JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment", "full_name": "auxiliary/admin/http/jboss_deploymentfilerepository", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "us3r777 " ], "description": "This module uses the DeploymentFileRepository class in the JBoss Application Server\n to deploy a JSP file which then deploys an arbitrary WAR file.", "references": [ "CVE-2010-0738", "OSVDB-64171", "URL-http://www.redteam-pentesting.de/publications/jboss", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb", "is_install_path": true, "ref_name": "admin/http/jboss_deploymentfilerepository", "check": false }, "auxiliary_admin/http/jboss_seam_exec": { "name": "JBoss Seam 2 Remote Command Execution", "full_name": "auxiliary/admin/http/jboss_seam_exec", "rank": 300, "disclosure_date": "2010-07-19", "type": "auxiliary", "author": [ "guerrino di massa", "Cristiano Maruti " ], "description": "JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform\n 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression\n Language (EL) expressions, which allows remote 
attackers to execute arbitrary code\n via a crafted URL. This module has also been tested successfully against IBM\n WebSphere 6.1 running on iSeries.\n\n NOTE: this is only a vulnerability when the Java Security Manager is not properly\n configured.", "references": [ "CVE-2010-1871", "OSVDB-66881" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/jboss_seam_exec.rb", "is_install_path": true, "ref_name": "admin/http/jboss_seam_exec", "check": false }, "auxiliary_admin/http/joomla_registration_privesc": { "name": "Joomla Account Creation and Privilege Escalation", "full_name": "auxiliary/admin/http/joomla_registration_privesc", "rank": 300, "disclosure_date": "2016-10-25", "type": "auxiliary", "author": [ "Fabio Pires ", "Filipe Reis ", "Vitor Oliveira " ], "description": "This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4\n through 3.6.3. 
If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).", "references": [ "CVE-2016-8869", "CVE-2016-8870", "URL-https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html", "URL-https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html", "URL-https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/joomla_registration_privesc.rb", "is_install_path": true, "ref_name": "admin/http/joomla_registration_privesc", "check": true }, "auxiliary_admin/http/kaseya_master_admin": { "name": "Kaseya VSA Master Administrator Account Creation", "full_name": "auxiliary/admin/http/kaseya_master_admin", "rank": 300, "disclosure_date": "2015-09-23", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new\n Master Administrator account. Normally this page is only accessible via the localhost\n interface, but the application does nothing to prevent this apart from attempting to\n force a redirect. 
This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and\n v9.0.0.3.", "references": [ "CVE-2015-6922", "ZDI-15-448", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt", "URL-http://seclists.org/bugtraq/2015/Sep/132" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/kaseya_master_admin.rb", "is_install_path": true, "ref_name": "admin/http/kaseya_master_admin", "check": false }, "auxiliary_admin/http/katello_satellite_priv_esc": { "name": "Katello (Red Hat Satellite) users/update_roles Missing Authorization", "full_name": "auxiliary/admin/http/katello_satellite_priv_esc", "rank": 300, "disclosure_date": "2014-03-24", "type": "auxiliary", "author": [ "Ramon de C Valle " ], "description": "This module exploits a missing authorization vulnerability in the\n \"update_roles\" action of \"users\" controller of Katello and Red Hat Satellite\n (Katello 1.5.0-14 and earlier) by changing the specified account to an\n administrator account.", "references": [ "CVE-2013-2143", "CWE-862", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=970849" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb", "is_install_path": true, "ref_name": "admin/http/katello_satellite_priv_esc", "check": false }, "auxiliary_admin/http/limesurvey_file_download": { "name": "Limesurvey Unauthenticated File Download", "full_name": "auxiliary/admin/http/limesurvey_file_download", "rank": 300, "disclosure_date": "2015-10-12", "type": "auxiliary", "author": [ "Pichaya Morimoto", "Christian Mehlmauer " ], "description": "This module exploits an unauthenticated file download vulnerability\n in limesurvey between 2.0+ and 2.06+ Build 151014. 
The file is downloaded\n as a ZIP and unzipped automatically, thus binary files can be downloaded.", "references": [ "URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20151022-0_Lime_Survey_multiple_critical_vulnerabilities_v10.txt", "URL-https://www.limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015", "URL-https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb", "is_install_path": true, "ref_name": "admin/http/limesurvey_file_download", "check": false }, "auxiliary_admin/http/linksys_e1500_e2500_exec": { "name": "Linksys E1500/E2500 Remote Command Execution", "full_name": "auxiliary/admin/http/linksys_e1500_e2500_exec", "rank": 300, "disclosure_date": "2013-02-05", "type": "auxiliary", "author": [ "Michael Messner " ], "description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind os command injection vulnerability, there is no output for the\n executed command. 
A ping command against a controlled system can be used for\n testing purposes.", "references": [ "OSVDB-89912", "BID-57760", "EDB-24475", "URL-http://www.s3cur1ty.de/m1adv2013-004" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb", "is_install_path": true, "ref_name": "admin/http/linksys_e1500_e2500_exec", "check": false }, "auxiliary_admin/http/linksys_tmunblock_admin_reset_bof": { "name": "Linksys WRT120N tmUnblock Stack Buffer Overflow", "full_name": "auxiliary/admin/http/linksys_tmunblock_admin_reset_bof", "rank": 300, "disclosure_date": "2014-02-19", "type": "auxiliary", "author": [ "Craig Heffner", "Michael Messner " ], "description": "This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router\n to reset the password of the management interface temporarily to an empty value.\n This module has been tested successfully on a WRT120N device with firmware version\n 1.0.07.", "references": [ "EDB-31758", "OSVDB-103521", "URL-http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb", "is_install_path": true, "ref_name": "admin/http/linksys_tmunblock_admin_reset_bof", "check": false }, "auxiliary_admin/http/linksys_wrt54gl_exec": { "name": "Linksys WRT54GL Remote Command Execution", "full_name": "auxiliary/admin/http/linksys_wrt54gl_exec", "rank": 300, "disclosure_date": "2013-01-18", "type": "auxiliary", "author": [ "Michael Messner " ], "description": "Some Linksys Routers are vulnerable to OS Command injection.\n You will need credentials to the web interface to access the vulnerable part\n of the application.\n Default credentials are always a 
good starting point. admin/admin or admin\n and blank password could be a first try.\n Note: This is a blind OS command injection vulnerability. This means that\n you will not see any output of your command. Try a ping command to your\n local system and observe the packets with tcpdump (or equivalent) for a first test.\n\n Hint: To get a remote shell you could upload a netcat binary and exec it.\n WARNING: this module will overwrite network and DHCP configuration.", "references": [ "URL-http://www.s3cur1ty.de/m1adv2013-01", "URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl", "EDB-24202", "BID-57459", "OSVDB-89421" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb", "is_install_path": true, "ref_name": "admin/http/linksys_wrt54gl_exec", "check": false }, "auxiliary_admin/http/manage_engine_dc_create_admin": { "name": "ManageEngine Desktop Central Administrator Account Creation", "full_name": "auxiliary/admin/http/manage_engine_dc_create_admin", "rank": 300, "disclosure_date": "2014-12-31", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. 
It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.", "references": [ "CVE-2014-7862", "OSVDB-116554", "URL-http://seclists.org/fulldisclosure/2015/Jan/2", "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8020, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb", "is_install_path": true, "ref_name": "admin/http/manage_engine_dc_create_admin", "check": false }, "auxiliary_admin/http/manageengine_dir_listing": { "name": "ManageEngine Multiple Products Arbitrary Directory Listing", "full_name": "auxiliary/admin/http/manageengine_dir_listing", "rank": 300, "disclosure_date": "2015-01-28", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits a directory listing information disclosure vulnerability in the\n FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It\n makes a recursive listing, so it will list the whole drive if you ask it to list / in\n Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and\n Applications Manager, but authenticated in IT360. This module will attempt to login\n using the default credentials for the administrator and guest accounts; alternatively\n you can provide a pre-authenticated cookie or a username / password combo. For IT360\n targets enter the RPORT of the OpManager instance (usually 8300). This module has been\n tested on both Windows and Linux with several different versions. Windows paths have to\n be escaped with 4 backslashes on the command line. There is a companion module that\n allows for arbitrary file download. 
This vulnerability has been fixed in Applications\n Manager v11.9 b11912 and OpManager 11.6.", "references": [ "CVE-2014-7863", "OSVDB-117696", "URL-http://seclists.org/fulldisclosure/2015/Jan/114", "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/manageengine_dir_listing.rb", "is_install_path": true, "ref_name": "admin/http/manageengine_dir_listing", "check": false }, "auxiliary_admin/http/manageengine_file_download": { "name": "ManageEngine Multiple Products Arbitrary File Download", "full_name": "auxiliary/admin/http/manageengine_file_download", "rank": 300, "disclosure_date": "2015-01-28", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet\n on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is\n unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This\n module will attempt to login using the default credentials for the administrator and\n guest accounts; alternatively you can provide a pre-authenticated cookie or a username\n and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually\n 8300). This module has been tested on both Windows and Linux with several different\n versions. Windows paths have to be escaped with 4 backslashes on the command line. There is\n a companion module that allows the recursive listing of any directory. 
This\n vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.", "references": [ "CVE-2014-7863", "OSVDB-117695", "URL-http://seclists.org/fulldisclosure/2015/Jan/114", "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/manageengine_file_download.rb", "is_install_path": true, "ref_name": "admin/http/manageengine_file_download", "check": false }, "auxiliary_admin/http/manageengine_pmp_privesc": { "name": "ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection", "full_name": "auxiliary/admin/http/manageengine_pmp_privesc", "rank": 300, "disclosure_date": "2014-11-08", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection\n vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate\n privileges and obtain Super Administrator access. A Super Administrator can then\n use his privileges to dump the whole password database in CSV format. PMP can use\n both MySQL and PostgreSQL databases but this module only exploits the latter as\n MySQL does not support stacked queries with Java. PostgreSQL is the default database\n in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,\n so a higher version does not guarantee exploitability. This module has been tested\n on v6.8 to v7.1 build 7104 on both Windows and Linux. 
The vulnerability is fixed in\n v7.1 build 7105 and above.", "references": [ "CVE-2014-8499", "OSVDB-114485", "URL-http://seclists.org/fulldisclosure/2014/Nov/18", "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 7272, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb", "is_install_path": true, "ref_name": "admin/http/manageengine_pmp_privesc", "check": true }, "auxiliary_admin/http/mantisbt_password_reset": { "name": "MantisBT password reset", "full_name": "auxiliary/admin/http/mantisbt_password_reset", "rank": 300, "disclosure_date": "2017-04-16", "type": "auxiliary", "author": [ "John (hyp3rlinx) Page", "Julien (jvoisin) Voisin" ], "description": "MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.", "references": [ "CVE-2017-7615", "EDB-41890", "URL-https://mantisbt.org/bugs/view.php?id=22690", "URL-http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt" ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/mantisbt_password_reset.rb", "is_install_path": true, "ref_name": "admin/http/mantisbt_password_reset", "check": true }, "auxiliary_admin/http/mutiny_frontend_read_delete": { "name": "Mutiny 5 Arbitrary File Read and Delete", "full_name": "auxiliary/admin/http/mutiny_frontend_read_delete", "rank": 300, "disclosure_date": "2013-05-15", "type": "auxiliary", "author": [ "juan vazquez " ], "description": "This module exploits the EditDocument servlet from the frontend on the Mutiny 5\n appliance. The EditDocument servlet provides file operations, such as copy and\n delete, which are affected by a directory traversal vulnerability. 
Because of this,\n any authenticated frontend user can read and delete arbitrary files from the system\n with root privileges. In order to exploit the vulnerability a valid user (any role)\n in the web frontend is required. The module has been tested successfully on the\n Mutiny 5.0-1.07 appliance.", "references": [ "CVE-2013-0136", "US-CERT-VU-701572", "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb", "is_install_path": true, "ref_name": "admin/http/mutiny_frontend_read_delete", "check": false }, "auxiliary_admin/http/netflow_file_download": { "name": "ManageEngine NetFlow Analyzer Arbitrary File Download", "full_name": "auxiliary/admin/http/netflow_file_download", "rank": 300, "disclosure_date": "2014-11-30", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. 
Note that when typing Windows paths, you\n must escape the backslash with a backslash.", "references": [ "CVE-2014-5445", "OSVDB-115340", "URL-http://seclists.org/fulldisclosure/2014/Dec/9", "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/netflow_file_download.rb", "is_install_path": true, "ref_name": "admin/http/netflow_file_download", "check": false }, "auxiliary_admin/http/netgear_auth_download": { "name": "NETGEAR ProSafe Network Management System 300 Authenticated File Download", "full_name": "auxiliary/admin/http/netgear_auth_download", "rank": 300, "disclosure_date": "2016-02-04", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file download vulnerability that can be exploited by an\n authenticated remote attacker to download any file in the system.\n This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.", "references": [ "CVE-2016-1524", "US-CERT-VU-777024", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", "URL-http://seclists.org/fulldisclosure/2016/Feb/30" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/http/netgear_auth_download.rb", "is_install_path": true, "ref_name": "admin/http/netgear_auth_download", "check": false }, "auxiliary_admin/http/netgear_soap_password_extractor": { "name": "Netgear Unauthenticated SOAP Password Extractor", "full_name": "auxiliary/admin/http/netgear_soap_password_extractor", "rank": 300, "disclosure_date": "2015-02-11", "type": "auxiliary", "author": [ "Peter Adkins ", 
"Michael Messner ", "h00die " ], "description": "This module exploits an authentication bypass vulnerability in different Netgear devices.\n It allows to extract the password for the remote management interface. This module has been\n tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:\n NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,\n NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),\n NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),\n NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),\n NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),\n NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),\n NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),\n NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),\n NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)", "references": [ "BID-72640", "OSVDB-118316", "URL-https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb", "is_install_path": true, "ref_name": "admin/http/netgear_soap_password_extractor", "check": false }, "auxiliary_admin/http/netgear_wnr2000_pass_recovery": { "name": "NETGEAR WNR2000v5 Administrator Password Recovery", "full_name": "auxiliary/admin/http/netgear_wnr2000_pass_recovery", "rank": 300, "disclosure_date": "2016-12-20", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.\n This vulnerability can be exploited by an unauthenticated attacker who is able to guess\n the value of a certain 
timestamp which is in the configuration of the router.\n Brute forcing the timestamp token might take a few minutes, a few hours, or days, but\n it is guaranteed that it can be bruteforced.\n This module works very reliably and it has been tested with the WNR2000v5, firmware versions\n 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this\n has not been tested.", "references": [ "CVE-2016-10175", "CVE-2016-10176", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt", "URL-http://seclists.org/fulldisclosure/2016/Dec/72", "URL-http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb", "is_install_path": true, "ref_name": "admin/http/netgear_wnr2000_pass_recovery", "check": false }, "auxiliary_admin/http/nexpose_xxe_file_read": { "name": "Nexpose XXE Arbitrary File Read", "full_name": "auxiliary/admin/http/nexpose_xxe_file_read", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Brandon Perry ", "Drazen Popovic ", "Bojan Zdrnja " ], "description": "Nexpose v5.7.2 and prior is vulnerable to an XML External Entity attack via a number\n of vectors. This vulnerability can allow an attacker to craft a special XML that\n could read arbitrary files from the filesystem. 
This module exploits the\n vulnerability via the XML API.", "references": [ "URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3780, "targets": null, "mod_time": "2017-08-30 15:18:23 +0000", "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb", "is_install_path": true, "ref_name": "admin/http/nexpose_xxe_file_read", "check": false }, "auxiliary_admin/http/novell_file_reporter_filedelete": { "name": "Novell File Reporter Agent Arbitrary File Delete", "full_name": "auxiliary/admin/http/novell_file_reporter_filedelete", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "NFRAgent.exe in Novell File Reporter allows remote attackers to delete\n arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and\n CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on\n Windows platforms.", "references": [ "CVE-2011-2750", "OSVDB-73729", "URL-http://aluigi.org/adv/nfr_2-adv.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3037, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb", "is_install_path": true, "ref_name": "admin/http/novell_file_reporter_filedelete", "check": false }, "auxiliary_admin/http/nuuo_nvrmini_reset": { "name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset", "full_name": "auxiliary/admin/http/nuuo_nvrmini_reset", "rank": 300, "disclosure_date": "2016-08-04", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable\n to an administrator password reset on 
the exposed web management interface.\n Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware\n (before v1.7.6), otherwise you need an administrative user password.\n This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n in those devices.", "references": [ "CVE-2016-5676", "US-CERT-VU-856152", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt", "URL-http://seclists.org/bugtraq/2016/Aug/45" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8081, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb", "is_install_path": true, "ref_name": "admin/http/nuuo_nvrmini_reset", "check": false }, "auxiliary_admin/http/openbravo_xxe": { "name": "Openbravo ERP XXE Arbitrary File Read", "full_name": "auxiliary/admin/http/openbravo_xxe", "rank": 300, "disclosure_date": "2013-10-30", "type": "auxiliary", "author": [ "Brandon Perry " ], "description": "The Openbravo ERP XML API expands external entities which can be defined as\n local files. 
This allows the user to read any files from the FS as the\n user Openbravo is running as (generally not root).\n\n This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6.", "references": [ "CVE-2013-3617", "OSVDB-99141", "BID-63431", "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb", "is_install_path": true, "ref_name": "admin/http/openbravo_xxe", "check": false }, "auxiliary_admin/http/pfadmin_set_protected_alias": { "name": "Postfixadmin Protected Alias Deletion Vulnerability", "full_name": "auxiliary/admin/http/pfadmin_set_protected_alias", "rank": 300, "disclosure_date": "2017-02-03", "type": "auxiliary", "author": [ "Jan-Frederik Rieckers" ], "description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to another mail address, e.g. 
rewrite\n the postmaster@domain alias", "references": [ "CVE-2017-5930", "URL-https://github.com/postfixadmin/postfixadmin/pull/23", "BID-96142" ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": 80, "targets": null, "mod_time": "2017-12-30 13:03:36 +0000", "path": "/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb", "is_install_path": true, "ref_name": "admin/http/pfadmin_set_protected_alias", "check": true }, "auxiliary_admin/http/rails_devise_pass_reset": { "name": "Ruby on Rails Devise Authentication Password Reset", "full_name": "auxiliary/admin/http/rails_devise_pass_reset", "rank": 300, "disclosure_date": "2013-01-28", "type": "auxiliary", "author": [ "joernchen", "jjarmoc" ], "description": "The Devise authentication gem for Ruby on Rails is vulnerable\n to a password reset exploit leveraging type confusion. By submitting XML\n to rails, we can influence the type used for the reset_password_token\n parameter. This allows for resetting passwords of arbitrary accounts,\n knowing only the associated email address.\n\n This module defaults to the most common devise URIs and response values,\n but these may require adjustment for implementations which customize them.\n\n Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database\n except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails\n 3.2.11. 
Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation\n of this vulnerability, by quoting numeric values when comparing them with\n non numeric values.", "references": [ "CVE-2013-0233", "OSVDB-89642", "BID-57577", "URL-http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/", "URL-http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html", "URL-https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8", "URL-https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb", "is_install_path": true, "ref_name": "admin/http/rails_devise_pass_reset", "check": false }, "auxiliary_admin/http/scadabr_credential_dump": { "name": "ScadaBR Credentials Dumper", "full_name": "auxiliary/admin/http/scadabr_credential_dump", "rank": 300, "disclosure_date": "2017-05-28", "type": "auxiliary", "author": [ "Brendan Coles " ], "description": "This module retrieves credentials from ScadaBR, including\n service credentials and unsalted SHA1 password hashes for\n all users, by invoking the 'EmportDwr.createExportData' DWR\n method of Mango M2M which is exposed to all authenticated\n users regardless of privilege level.\n\n This module has been tested successfully with ScadaBR\n versions 1.0 CE and 0.9 on Windows and Ubuntu systems.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/scadabr_credential_dump.rb", "is_install_path": true, "ref_name": "admin/http/scadabr_credential_dump", "check": false }, "auxiliary_admin/http/scrutinizer_add_user": { "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer 
HTTP Authentication Bypass", "full_name": "auxiliary/admin/http/scrutinizer_add_user", "rank": 300, "disclosure_date": "2012-07-27", "type": "auxiliary", "author": [ "MC ", "Jonathan Claudius", "Tanya Secker", "sinn3r " ], "description": "This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer\n without any authentication. Versions such as 9.0.1 or older are affected.", "references": [ "CVE-2012-2626", "OSVDB-84318", "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb", "is_install_path": true, "ref_name": "admin/http/scrutinizer_add_user", "check": false }, "auxiliary_admin/http/sophos_wpa_traversal": { "name": "Sophos Web Protection Appliance patience.cgi Directory Traversal", "full_name": "auxiliary/admin/http/sophos_wpa_traversal", "rank": 300, "disclosure_date": "2013-04-03", "type": "auxiliary", "author": [ "Wolfgang Ettlingers", "juan vazquez " ], "description": "This module abuses a directory traversal in Sophos Web Protection Appliance, specifically\n on the /cgi-bin/patience.cgi component. 
This module has been tested successfully on the\n Sophos Web Virtual Appliance v3.7.0.", "references": [ "CVE-2013-2641", "OSVDB-91953", "BID-58833", "EDB-24932", "URL-http://www.sophos.com/en-us/support/knowledgebase/118969.aspx", "URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/sophos_wpa_traversal.rb", "is_install_path": true, "ref_name": "admin/http/sophos_wpa_traversal", "check": false }, "auxiliary_admin/http/sysaid_admin_acct": { "name": "SysAid Help Desk Administrator Account Creation", "full_name": "auxiliary/admin/http/sysaid_admin_acct", "rank": 300, "disclosure_date": "2015-06-03", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to create an administrator account. Note that this exploit will only work once. Any\n subsequent attempts will fail. On the other hand, the credentials must be verified\n manually. 
This module has been tested on SysAid 14.4 in Windows and Linux.", "references": [ "CVE-2015-2993", "URL-http://seclists.org/fulldisclosure/2015/Jun/8", "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/sysaid_admin_acct.rb", "is_install_path": true, "ref_name": "admin/http/sysaid_admin_acct", "check": false }, "auxiliary_admin/http/sysaid_file_download": { "name": "SysAid Help Desk Arbitrary File Download", "full_name": "auxiliary/admin/http/sysaid_file_download", "rank": 300, "disclosure_date": "2015-06-03", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits two vulnerabilities in SysAid Help Desk that allows\n an unauthenticated user to download arbitrary files from the system. First, an\n information disclosure vulnerability (CVE-2015-2997) is used to obtain the file\n system path, and then we abuse a directory traversal (CVE-2015-2996) to download\n the file. 
Note that there are some limitations on Windows, in that the information\n disclosure vulnerability doesn't work on a Windows platform, and we can only\n traverse the current drive (if you enter C:\\afile.txt and the server is running\n on D:\\ the file will not be downloaded).\n\n This module has been tested with SysAid 14.4 on Windows and Linux.", "references": [ "CVE-2015-2996", "CVE-2015-2997", "URL-http://seclists.org/fulldisclosure/2015/Jun/8", "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/sysaid_file_download.rb", "is_install_path": true, "ref_name": "admin/http/sysaid_file_download", "check": false }, "auxiliary_admin/http/sysaid_sql_creds": { "name": "SysAid Help Desk Database Credentials Disclosure", "full_name": "auxiliary/admin/http/sysaid_sql_creds", "rank": 300, "disclosure_date": "2015-06-03", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to download arbitrary files from the system. This is used to download the server\n configuration file that contains the database username and password, which is encrypted\n with a fixed, known key. 
This module has been tested with SysAid 14.4 on Windows and Linux.", "references": [ "CVE-2015-2996", "CVE-2015-2998", "URL-http://seclists.org/fulldisclosure/2015/Jun/8", "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/sysaid_sql_creds.rb", "is_install_path": true, "ref_name": "admin/http/sysaid_sql_creds", "check": false }, "auxiliary_admin/http/telpho10_credential_dump": { "name": "Telpho10 Backup Credentials Dumper", "full_name": "auxiliary/admin/http/telpho10_credential_dump", "rank": 300, "disclosure_date": "2016-09-02", "type": "auxiliary", "author": [ "Jan Rude" ], "description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-05-23 09:32:41 +0000", "path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb", "is_install_path": true, "ref_name": "admin/http/telpho10_credential_dump", "check": false }, "auxiliary_admin/http/tomcat_administration": { "name": "Tomcat Administration Tool Default Access", "full_name": "auxiliary/admin/http/tomcat_administration", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Matteo Cantoni " ], "description": "Detect the Tomcat administration interface. 
The administration interface is included in versions 5.5 and lower.\n Port 8180 is the default for FreeBSD, 8080 for all others.", "references": [ "URL-http://tomcat.apache.org/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8180, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/tomcat_administration.rb", "is_install_path": true, "ref_name": "admin/http/tomcat_administration", "check": true }, "auxiliary_admin/http/tomcat_utf8_traversal": { "name": "Tomcat UTF-8 Directory Traversal Vulnerability", "full_name": "auxiliary/admin/http/tomcat_utf8_traversal", "rank": 300, "disclosure_date": "2009-01-09", "type": "auxiliary", "author": [ "aushack ", "guerrino di massa" ], "description": "This module tests whether a directory traversal vulnerability is present\n in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0\n - 6.0.16 under specific and non-default installations. The connector must have\n allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the\n vulnerability actually occurs within Java and not Tomcat; the server must\n use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java\n 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against\n RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. 
You may wish to change\n FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.", "references": [ "URL-http://tomcat.apache.org/", "OSVDB-47464", "CVE-2008-2938", "URL-http://www.securityfocus.com/archive/1/499926" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb", "is_install_path": true, "ref_name": "admin/http/tomcat_utf8_traversal", "check": true }, "auxiliary_admin/http/trendmicro_dlp_traversal": { "name": "TrendMicro Data Loss Prevention 5.5 Directory Traversal", "full_name": "auxiliary/admin/http/trendmicro_dlp_traversal", "rank": 300, "disclosure_date": "2009-01-09", "type": "auxiliary", "author": [ "aushack " ], "description": "This module tests whether a directory traversal vulnerability is present\n in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.\n The vulnerability appears to be actually caused by the Tomcat UTF-8\n bug which is implemented in module tomcat_utf8_traversal CVE-2008-2938.\n This module simply tests for the same bug with Trend Micro specific settings.\n Note that in the Trend Micro appliance, /etc/shadow is not used and therefore\n password hashes are stored and anonymously accessible in the passwd file.", "references": [ "URL-http://tomcat.apache.org/", "OSVDB-47464", "OSVDB-73447", "CVE-2008-2938", "URL-http://www.securityfocus.com/archive/1/499926", "EDB-17388", "BID-48225" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8443, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb", "is_install_path": true, "ref_name": "admin/http/trendmicro_dlp_traversal", "check": true }, "auxiliary_admin/http/typo3_news_module_sqli": { "name": "TYPO3 News Module SQL Injection", "full_name": "auxiliary/admin/http/typo3_news_module_sqli", "rank": 
300, "disclosure_date": "2017-04-06", "type": "auxiliary", "author": [ "Marco Rivoli", "Charles Fol" ], "description": "This module exploits a SQL Injection vulnerability in TYPO3 NewsController.php\n in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary\n SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection\n can be used to obtain password hashes for application user accounts. This module has been\n tested on TYPO3 3.16.0 running news extension 5.0.0.\n\n This module tries to extract the username and password hash of the administrator user.\n It injects SQL and checks every letter of a pattern. To see\n if a letter belongs to the username or password, it tries to alter the ordering of results. If\n the letter doesn't belong to the word being extracted then all results are inverted\n (News #2 appears before News #1, so Pattern2 before Pattern1), whereas if the letter belongs\n to the word being extracted then the results are in proper order (News #1 appears before News #2,\n so Pattern1 before Pattern2)", "references": [ "CVE-2017-7581", "URL-http://www.ambionics.io/blog/typo3-news-module-sqli" ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": 80, "targets": null, "mod_time": "2018-03-15 10:46:08 +0000", "path": "/modules/auxiliary/admin/http/typo3_news_module_sqli.rb", "is_install_path": true, "ref_name": "admin/http/typo3_news_module_sqli", "check": false }, "auxiliary_admin/http/typo3_sa_2009_001": { "name": "TYPO3 sa-2009-001 Weak Encryption Key File Disclosure", "full_name": "auxiliary/admin/http/typo3_sa_2009_001", "rank": 300, "disclosure_date": "2009-01-20", "type": "auxiliary", "author": [ "Chris John Riley" ], "description": "This module exploits a flaw in the TYPO3 encryption key creation process to allow for\n file disclosure in the jumpUrl mechanism. 
This flaw can be used to read any file\n that the web server user account has access to view.", "references": [ "CVE-2009-0255", "OSVDB-51536", "URL-http://blog.c22.cc/advisories/typo3-sa-2009-001", "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/admin/http/typo3_sa_2009_001.rb", "is_install_path": true, "ref_name": "admin/http/typo3_sa_2009_001", "check": false }, "auxiliary_admin/http/typo3_sa_2009_002": { "name": "Typo3 sa-2009-002 File Disclosure", "full_name": "auxiliary/admin/http/typo3_sa_2009_002", "rank": 300, "disclosure_date": "2009-02-10", "type": "auxiliary", "author": [ "spinbad " ], "description": "This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n Typo3. This flaw can be used to read any file that the web server user account has\n access to.", "references": [ "OSVDB-52048", "CVE-2009-0815", "URL-http://secunia.com/advisories/33829/", "EDB-8038", "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb", "is_install_path": true, "ref_name": "admin/http/typo3_sa_2009_002", "check": false }, "auxiliary_admin/http/typo3_sa_2010_020": { "name": "TYPO3 sa-2010-020 Remote File Disclosure", "full_name": "auxiliary/admin/http/typo3_sa_2010_020", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Chris John Riley", "Gregor Kopf" ], "description": "This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.\n Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.\n This flaw can be used to read any file that the web server user account has access to 
view.", "references": [ "CVE-2010-3714", "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020", "URL-http://gregorkopf.de/slides_berlinsides_2010.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb", "is_install_path": true, "ref_name": "admin/http/typo3_sa_2010_020", "check": false }, "auxiliary_admin/http/typo3_winstaller_default_enc_keys": { "name": "TYPO3 Winstaller Default Encryption Keys", "full_name": "auxiliary/admin/http/typo3_winstaller_default_enc_keys", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Chris John Riley" ], "description": "This module exploits known default encryption keys found in the TYPO3 Winstaller.\n This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be\n used to read any file that the web server user account has access to view.\n\n The method used to create the juhash (short MD5 hash) was altered in later versions\n of Typo3. 
Use the show actions command to display and select the version of TYPO3 in\n use (defaults to the older method of juhash creation).", "references": [ "URL-http://typo3winstaller.sourceforge.net/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8503, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb", "is_install_path": true, "ref_name": "admin/http/typo3_winstaller_default_enc_keys", "check": false }, "auxiliary_admin/http/ulterius_file_download": { "name": "Ulterius Server File Download Vulnerability", "full_name": "auxiliary/admin/http/ulterius_file_download", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Rick Osgood", "Jacob Robles" ], "description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. 
There is also an option to\n download a file using a provided path.", "references": [ "EDB-43141", "CVE-2017-16806" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22006, "targets": null, "mod_time": "2018-02-15 16:31:09 +0000", "path": "/modules/auxiliary/admin/http/ulterius_file_download.rb", "is_install_path": true, "ref_name": "admin/http/ulterius_file_download", "check": false }, "auxiliary_admin/http/vbulletin_upgrade_admin": { "name": "vBulletin Administrator Account Creation", "full_name": "auxiliary/admin/http/vbulletin_upgrade_admin", "rank": 300, "disclosure_date": "2013-10-09", "type": "auxiliary", "author": [ "Unknown", "juan vazquez " ], "description": "This module abuses the \"install/upgrade.php\" component on vBulletin 4.1+ and 4.5+ to\n create a new administrator account, as exploited in the wild on October 2013. This module\n has been tested successfully on vBulletin 4.1.5 and 4.1.0.", "references": [ "CVE-2013-6129", "URL-http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html", "OSVDB-98370", "URL-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb", "is_install_path": true, "ref_name": "admin/http/vbulletin_upgrade_admin", "check": false }, "auxiliary_admin/http/webnms_cred_disclosure": { "name": "WebNMS Framework Server Credential Disclosure", "full_name": "auxiliary/admin/http/webnms_cred_disclosure", "rank": 300, "disclosure_date": "2016-07-04", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract\nall user credentials. 
The first vulnerability is an unauthenticated file download\nin the FetchFile servlet, which is used to download the file containing the user\ncredentials. The second vulnerability is that the passwords in the file are\nobfuscated with a very weak algorithm which can be easily reversed.\nThis module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\nWindows and Linux.", "references": [ "CVE-2016-6601", "CVE-2016-6602", "URL-https://blogs.securiteam.com/index.php/archives/2712", "URL-http://seclists.org/fulldisclosure/2016/Aug/54" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 9090, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/http/webnms_cred_disclosure.rb", "is_install_path": true, "ref_name": "admin/http/webnms_cred_disclosure", "check": false }, "auxiliary_admin/http/webnms_file_download": { "name": "WebNMS Framework Server Arbitrary Text File Download", "full_name": "auxiliary/admin/http/webnms_file_download", "rank": 300, "disclosure_date": "2016-07-04", "type": "auxiliary", "author": [ "Pedro Ribeiro " ], "description": "This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an\nunauthenticated user to download files off the file system by using a directory\ntraversal attack on the FetchFile servlet.\nNote that only text files can be downloaded properly, as any binary file will get\nmangled by the servlet. 
Also note that for Windows targets you can only download\nfiles that are in the same drive as the WebNMS installation.\nThis module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\nWindows and Linux.", "references": [ "CVE-2016-6601", "URL-https://blogs.securiteam.com/index.php/archives/2712", "URL-http://seclists.org/fulldisclosure/2016/Aug/54" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 9090, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/webnms_file_download.rb", "is_install_path": true, "ref_name": "admin/http/webnms_file_download", "check": false }, "auxiliary_admin/http/wp_custom_contact_forms": { "name": "WordPress custom-contact-forms Plugin SQL Upload", "full_name": "auxiliary/admin/http/wp_custom_contact_forms", "rank": 300, "disclosure_date": "2014-08-07", "type": "auxiliary", "author": [ "Marc-Alexandre Montpas", "Christian Mehlmauer " ], "description": "The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download\n a SQL dump of the plugins database tables. It's also possible to upload files containing\n SQL statements which will be executed. 
The module first tries to extract the WordPress\n table prefix from the dump and then attempts to create a new admin user.", "references": [ "URL-http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html", "URL-https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=", "WPVDB-7542" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/wp_custom_contact_forms.rb", "is_install_path": true, "ref_name": "admin/http/wp_custom_contact_forms", "check": false }, "auxiliary_admin/http/wp_easycart_privilege_escalation": { "name": "WordPress WP EasyCart Plugin Privilege Escalation", "full_name": "auxiliary/admin/http/wp_easycart_privilege_escalation", "rank": 300, "disclosure_date": "2015-02-25", "type": "auxiliary", "author": [ "Rob Carr " ], "description": "The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated\n users of any user level to set any system option via a lack of validation in the\n ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in\n /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address\n to prevent any notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default role to\n be administrator. 
This will allow for the user to create a new account with admin\n privileges via the default registration page found at /wp-login.php?action=register.", "references": [ "CVE-2015-2673", "WPVDB-7808", "URL-http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb", "is_install_path": true, "ref_name": "admin/http/wp_easycart_privilege_escalation", "check": true }, "auxiliary_admin/http/wp_symposium_sql_injection": { "name": "WordPress Symposium Plugin SQL Injection", "full_name": "auxiliary/admin/http/wp_symposium_sql_injection", "rank": 300, "disclosure_date": "2015-08-18", "type": "auxiliary", "author": [ "PizzaHatHacker", "Matteo Cantoni " ], "description": "This module exploits a SQL injection vulnerability in the WP Symposium plugin\n before 15.8 for WordPress, which allows remote attackers to extract credentials\n via the size parameter to get_album_item.php.", "references": [ "CVE-2015-6522", "EDB-37824" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb", "is_install_path": true, "ref_name": "admin/http/wp_symposium_sql_injection", "check": true }, "auxiliary_admin/http/wp_wplms_privilege_escalation": { "name": "WordPress WPLMS Theme Privilege Escalation", "full_name": "auxiliary/admin/http/wp_wplms_privilege_escalation", "rank": 300, "disclosure_date": "2015-02-09", "type": "auxiliary", "author": [ "Evex", "Rob Carr " ], "description": "The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an\n authenticated user of any user level to set any system option due to a lack of\n validation in the import_data function of /includes/func.php.\n\n The module 
first changes the admin e-mail address to prevent any\n notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default\n role to be administrator. This will allow for the user to create a new account\n with admin privileges via the default registration page found at\n /wp-login.php?action=register.", "references": [ "WPVDB-7785" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb", "is_install_path": true, "ref_name": "admin/http/wp_wplms_privilege_escalation", "check": true }, "auxiliary_admin/http/zyxel_admin_password_extractor": { "name": "ZyXEL GS1510-16 Password Extractor", "full_name": "auxiliary/admin/http/zyxel_admin_password_extractor", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Daniel Manser", "Sven Vetsch" ], "description": "This module exploits a vulnerability in ZyXEL GS1510-16 routers\n to extract the admin password. Due to a lack of authentication on the\n webctrl.cgi script, unauthenticated attackers can recover the\n administrator password for these devices. 
The vulnerable device\n has reached end of life for support from the manufacturer, so it is\n unlikely this problem will be addressed.", "references": [ "URL-https://github.com/rapid7/metasploit-framework/pull/2709" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb", "is_install_path": true, "ref_name": "admin/http/zyxel_admin_password_extractor", "check": false }, "auxiliary_admin/kerberos/ms14_068_kerberos_checksum": { "name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability", "full_name": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum", "rank": 300, "disclosure_date": "2014-11-18", "type": "auxiliary", "author": [ "Tom Maddock", "Sylvain Monne", "juan vazquez " ], "description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the help of\n Mimikatz. 
It has been tested successfully on Windows 2008.", "references": [ "CVE-2014-6324", "MSB-MS14-068", "OSVDB-114751", "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx", "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/", "URL-https://github.com/bidord/pykek", "URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 88, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb", "is_install_path": true, "ref_name": "admin/kerberos/ms14_068_kerberos_checksum", "check": false }, "auxiliary_admin/maxdb/maxdb_cons_exec": { "name": "SAP MaxDB cons.exe Remote Command Injection", "full_name": "auxiliary/admin/maxdb/maxdb_cons_exec", "rank": 300, "disclosure_date": "2008-01-09", "type": "auxiliary", "author": [ "MC " ], "description": "SAP MaxDB is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", "references": [ "OSVDB-40210", "BID-27206", "CVE-2008-0244" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 7210, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb", "is_install_path": true, "ref_name": "admin/maxdb/maxdb_cons_exec", "check": false }, "auxiliary_admin/misc/sercomm_dump_config": { "name": "SerComm Device Configuration Dump", "full_name": "auxiliary/admin/misc/sercomm_dump_config", "rank": 300, "disclosure_date": "2013-12-31", "type": "auxiliary", "author": [ "Eloi Vanderbeken ", "Matt \"hostess\" Andreko " ], "description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. 
This module was tested\n successfully against the NetGear DG834 series ADSL modem router.", "references": [ "OSVDB-101653", "URL-https://github.com/elvanderb/TCP-32764" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 32764, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/misc/sercomm_dump_config.rb", "is_install_path": true, "ref_name": "admin/misc/sercomm_dump_config", "check": false }, "auxiliary_admin/misc/wol": { "name": "UDP Wake-On-Lan (WOL)", "full_name": "auxiliary/admin/misc/wol", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "sinn3r " ], "description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of what your input should look like.\n\n The password field is optional. If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/misc/wol.rb", "is_install_path": true, "ref_name": "admin/misc/wol", "check": false }, "auxiliary_admin/motorola/wr850g_cred": { "name": "Motorola WR850G v4.03 Credentials", "full_name": "auxiliary/admin/motorola/wr850g_cred", "rank": 300, "disclosure_date": "2004-09-24", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. 
A lot\n more information is available through this request, but\n you can get it all and more after logging in.", "references": [ "CVE-2004-1550", "OSVDB-10232", "URL-http://seclists.org/bugtraq/2004/Sep/0339.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/motorola/wr850g_cred.rb", "is_install_path": true, "ref_name": "admin/motorola/wr850g_cred", "check": false }, "auxiliary_admin/ms/ms08_059_his2006": { "name": "Microsoft Host Integration Server 2006 Command Execution Vulnerability", "full_name": "auxiliary/admin/ms/ms08_059_his2006", "rank": 300, "disclosure_date": "2008-10-14", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.", "references": [ "MSB-MS08-059", "CVE-2008-3466", "OSVDB-49068", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 0, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/ms/ms08_059_his2006.rb", "is_install_path": true, "ref_name": "admin/ms/ms08_059_his2006", "check": false }, "auxiliary_admin/mssql/mssql_enum": { "name": "Microsoft SQL Server Configuration Enumerator", "full_name": "auxiliary/admin/mssql/mssql_enum", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Carlos Perez " ], "description": "This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. 
For this\n module to work, valid administrative user credentials must be\n supplied.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-08-16 21:40:03 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_enum", "check": false }, "auxiliary_admin/mssql/mssql_enum_domain_accounts": { "name": "Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration", "full_name": "auxiliary/admin/mssql/mssql_enum_domain_accounts", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind ", "antti " ], "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated\n accounts can then be used in online dictionary attacks.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_enum_domain_accounts", "check": false }, "auxiliary_admin/mssql/mssql_enum_domain_accounts_sqli": { "name": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration", "full_name": "auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind ", "antti " ], "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. 
This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", "references": [ "URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_enum_domain_accounts_sqli", "check": false }, "auxiliary_admin/mssql/mssql_enum_sql_logins": { "name": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration", "full_name": "auxiliary/admin/mssql/mssql_enum_sql_logins", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/ms174427.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_enum_sql_logins", "check": false }, "auxiliary_admin/mssql/mssql_escalate_dbowner": { "name": "Microsoft SQL Server Escalate Db_Owner", "full_name": "auxiliary/admin/mssql/mssql_escalate_dbowner", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. Once\n the user has the sysadmin role, the mssql_payload module can be used to obtain\n a shell on the system.", "references": [ "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_escalate_dbowner", "check": false }, "auxiliary_admin/mssql/mssql_escalate_dbowner_sqli": { "name": "Microsoft SQL Server SQLi Escalate Db_Owner", "full_name": "auxiliary/admin/mssql/mssql_escalate_dbowner_sqli", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must have the db_owner role in\n a trustworthy database owned by a sysadmin user. 
Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", "references": [ "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_escalate_dbowner_sqli", "check": false }, "auxiliary_admin/mssql/mssql_escalate_execute_as": { "name": "Microsoft SQL Server Escalate EXECUTE AS", "full_name": "auxiliary/admin/mssql/mssql_escalate_execute_as", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_escalate_execute_as", "check": false }, "auxiliary_admin/mssql/mssql_escalate_execute_as_sqli": { "name": "Microsoft SQL Server SQLi Escalate Execute AS", "full_name": "auxiliary/admin/mssql/mssql_escalate_execute_as_sqli", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error-based SQL injection. 
In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", "references": [ "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_escalate_execute_as_sqli", "check": false }, "auxiliary_admin/mssql/mssql_exec": { "name": "Microsoft SQL Server xp_cmdshell Command Execution", "full_name": "auxiliary/admin/mssql/mssql_exec", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "tebo " ], "description": "This module will execute a Windows command on a MSSQL/MSDE instance\n via the xp_cmdshell procedure. A valid username and password is required\n to use this module", "references": [ "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_exec", "check": false }, "auxiliary_admin/mssql/mssql_findandsampledata": { "name": "Microsoft SQL Server Find and Sample Data", "full_name": "auxiliary/admin/mssql/mssql_findandsampledata", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Scott Sutherland ", "Robin Wood ", "humble-desser ", "Carlos Perez ", "hdm ", "todb " ], "description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. 
If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. The sample size is determined by the SAMPLE_SIZE option, and results\n output in a CSV format.", "references": [ "URL-http://www.netspi.com/blog/author/ssutherland/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_findandsampledata", "check": true }, "auxiliary_admin/mssql/mssql_idf": { "name": "Microsoft SQL Server Interesting Data Finder", "full_name": "auxiliary/admin/mssql/mssql_idf", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Robin Wood " ], "description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n The module has been tested against SQL Server 2005 but it should also work on\n SQL Server 2008. The module will not work against SQL Server 2000 at this time,\n if you are interested in supporting this platform, please contact the author.", "references": [ "URL-http://www.digininja.org/metasploit/mssql_idf.php" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_idf", "check": false }, "auxiliary_admin/mssql/mssql_ntlm_stealer": { "name": "Microsoft SQL Server NTLM Stealer", "full_name": "auxiliary/admin/mssql/mssql_ntlm_stealer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind " ], "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. 
The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.", "references": [ "URL-http://en.wikipedia.org/wiki/SMBRelay" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_ntlm_stealer", "check": true }, "auxiliary_admin/mssql/mssql_ntlm_stealer_sqli": { "name": "Microsoft SQL Server SQLi NTLM Stealer", "full_name": "auxiliary/admin/mssql/mssql_ntlm_stealer_sqli", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullbind ", "Antti " ], "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" stored procedure. 
The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.", "references": [ "URL-http://en.wikipedia.org/wiki/SMBRelay" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_ntlm_stealer_sqli", "check": false }, "auxiliary_admin/mssql/mssql_sql": { "name": "Microsoft SQL Server Generic Query", "full_name": "auxiliary/admin/mssql/mssql_sql", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "tebo " ], "description": "This module will allow for simple SQL statements to be executed against a\n MSSQL/MSDE instance given the appropriate credentials.", "references": [ "URL-http://www.attackresearch.com", "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_sql", "check": false }, "auxiliary_admin/mssql/mssql_sql_file": { "name": "Microsoft SQL Server Generic Query from File", "full_name": "auxiliary/admin/mssql/mssql_sql_file", 
"rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "j0hn__f : " ], "description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb", "is_install_path": true, "ref_name": "admin/mssql/mssql_sql_file", "check": false }, "auxiliary_admin/mysql/mysql_enum": { "name": "MySQL Enumeration Module", "full_name": "auxiliary/admin/mysql/mysql_enum", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Carlos Perez " ], "description": "This module allows for simple enumeration of MySQL Database Server\n provided proper credentials to connect remotely.", "references": [ "URL-https://cisecurity.org/benchmarks.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3306, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mysql/mysql_enum.rb", "is_install_path": true, "ref_name": "admin/mysql/mysql_enum", "check": false }, "auxiliary_admin/mysql/mysql_sql": { "name": "MySQL SQL Generic Query", "full_name": "auxiliary/admin/mysql/mysql_sql", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Bernardo Damele A. G. 
" ], "description": "This module allows for simple SQL statements to be executed\n against a MySQL instance given the appropriate credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3306, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/mysql/mysql_sql.rb", "is_install_path": true, "ref_name": "admin/mysql/mysql_sql", "check": false }, "auxiliary_admin/natpmp/natpmp_map": { "name": "NAT-PMP Port Mapper", "full_name": "auxiliary/admin/natpmp/natpmp_map", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Jon Hart " ], "description": "Map (forward) TCP and UDP ports on NAT devices using NAT-PMP", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5351, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb", "is_install_path": true, "ref_name": "admin/natpmp/natpmp_map", "check": true }, "auxiliary_admin/netbios/netbios_spoof": { "name": "NetBIOS Response Brute Force Spoof (Direct)", "full_name": "auxiliary/admin/netbios/netbios_spoof", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "vvalien", "hdm ", "tombkeeper" ], "description": "This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. 
Distant targets may require more time and lower\n rates for a successful attack.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 137, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/netbios/netbios_spoof.rb", "is_install_path": true, "ref_name": "admin/netbios/netbios_spoof", "check": false }, "auxiliary_admin/officescan/tmlisten_traversal": { "name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access", "full_name": "auxiliary/admin/officescan/tmlisten_traversal", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Anshul Pandey ", "aushack " ], "description": "This module tests for a directory traversal vulnerability in the UpdateAgent\n function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro\n OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM\n via dot dot sequences in an HTTP request.", "references": [ "OSVDB-48730", "CVE-2008-2439", "BID-31531", "URL-http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 26122, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb", "is_install_path": true, "ref_name": "admin/officescan/tmlisten_traversal", "check": true }, "auxiliary_admin/oracle/ora_ntlm_stealer": { "name": "Oracle SMB Relay Code Execution", "full_name": "auxiliary/admin/oracle/ora_ntlm_stealer", "rank": 300, "disclosure_date": "2009-04-07", "type": "auxiliary", "author": [ "Sh2kerr " ], "description": "This module will help you get Administrator access to the OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must first run the smb_sniffer or smb_relay module on your server.\n Then you must connect to the Oracle database and run this module 
Ora_NTLM_stealer.rb\n which will connect to your SMB server with the credentials of the Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to the server which\n runs Oracle. If not, then you can decrypt the HALFLM hash.", "references": [ "URL-http://dsecrg.com/pages/pub/show.php?id=17" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb", "is_install_path": true, "ref_name": "admin/oracle/ora_ntlm_stealer", "check": false }, "auxiliary_admin/oracle/oracle_login": { "name": "Oracle Account Discovery", "full_name": "auxiliary/admin/oracle/oracle_login", "rank": 300, "disclosure_date": "2008-11-20", "type": "auxiliary", "author": [ "MC " ], "description": "This module uses a list of well-known default authentication credentials\n to discover easily guessed accounts.", "references": [ "URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv", "URL-http://seclists.org/fulldisclosure/2009/Oct/261" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/oracle_login.rb", "is_install_path": true, "ref_name": "admin/oracle/oracle_login", "check": false }, "auxiliary_admin/oracle/oracle_sql": { "name": "Oracle SQL Generic Query", "full_name": "auxiliary/admin/oracle/oracle_sql", "rank": 300, "disclosure_date": "2007-12-07", "type": "auxiliary", "author": [ "MC " ], "description": "This module allows for simple SQL statements to be executed\n against an Oracle instance given the appropriate credentials\n and sid.", "references": [ "URL-https://www.metasploit.com/users/mc" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/oracle/oracle_sql.rb", 
"is_install_path": true, "ref_name": "admin/oracle/oracle_sql", "check": false }, "auxiliary_admin/oracle/oraenum": { "name": "Oracle Database Enumeration", "full_name": "auxiliary/admin/oracle/oraenum", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Carlos Perez " ], "description": "This module provides a simple way to scan an Oracle database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/oraenum.rb", "is_install_path": true, "ref_name": "admin/oracle/oraenum", "check": false }, "auxiliary_admin/oracle/osb_execqr": { "name": "Oracle Secure Backup exec_qr() Command Injection Vulnerability", "full_name": "auxiliary/admin/oracle/osb_execqr", "rank": 300, "disclosure_date": "2009-01-14", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.", "references": [ "CVE-2008-5448", "OSVDB-51342", "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html", "ZDI-09-003" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/oracle/osb_execqr.rb", "is_install_path": true, "ref_name": "admin/oracle/osb_execqr", "check": false }, "auxiliary_admin/oracle/osb_execqr2": { "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", "full_name": "auxiliary/admin/oracle/osb_execqr2", "rank": 300, "disclosure_date": "2009-08-18", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits an authentication bypass vulnerability\n in login.php in 
order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", "references": [ "CVE-2009-1977", "OSVDB-55903", "CVE-2009-1978", "OSVDB-55904", "ZDI-09-058", "ZDI-09-059" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/osb_execqr2.rb", "is_install_path": true, "ref_name": "admin/oracle/osb_execqr2", "check": false }, "auxiliary_admin/oracle/osb_execqr3": { "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", "full_name": "auxiliary/admin/oracle/osb_execqr3", "rank": 300, "disclosure_date": "2010-07-13", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. 
This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", "references": [ "CVE-2010-0904", "OSVDB-66338", "ZDI-10-118" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/osb_execqr3.rb", "is_install_path": true, "ref_name": "admin/oracle/osb_execqr3", "check": false }, "auxiliary_admin/oracle/post_exploitation/win32exec": { "name": "Oracle Java execCommand (Win32)", "full_name": "auxiliary/admin/oracle/post_exploitation/win32exec", "rank": 300, "disclosure_date": "2007-12-07", "type": "auxiliary", "author": [ "MC " ], "description": "This module will create a java class which enables the execution of OS commands.", "references": [ "URL-https://www.metasploit.com/users/mc" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb", "is_install_path": true, "ref_name": "admin/oracle/post_exploitation/win32exec", "check": false }, "auxiliary_admin/oracle/post_exploitation/win32upload": { "name": "Oracle URL Download", "full_name": "auxiliary/admin/oracle/post_exploitation/win32upload", "rank": 300, "disclosure_date": "2005-02-10", "type": "auxiliary", "author": [ "CG " ], "description": "This module will create a java class which enables the download\n of a binary from a webserver to the oracle filesystem.", "references": [ "URL-http://www.argeniss.com/research/oraclesqlinj.zip" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "1521", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb", "is_install_path": true, "ref_name": "admin/oracle/post_exploitation/win32upload", "check": false }, "auxiliary_admin/oracle/sid_brute": { "name": "Oracle TNS 
Listener SID Brute Forcer", "full_name": "auxiliary/admin/oracle/sid_brute", "rank": 300, "disclosure_date": "2009-01-07", "type": "auxiliary", "author": [ "MC " ], "description": "This module simply attempts to discover the protected SID.", "references": [ "URL-https://www.metasploit.com/users/mc", "URL-http://www.red-database-security.com/scripts/sid.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1521, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/sid_brute.rb", "is_install_path": true, "ref_name": "admin/oracle/sid_brute", "check": false }, "auxiliary_admin/oracle/tnscmd": { "name": "Oracle TNS Listener Command Issuer", "full_name": "auxiliary/admin/oracle/tnscmd", "rank": 300, "disclosure_date": "2009-02-01", "type": "auxiliary", "author": [ "MC " ], "description": "This module allows for the sending of arbitrary TNS commands in order\n to gather information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1521, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/oracle/tnscmd.rb", "is_install_path": true, "ref_name": "admin/oracle/tnscmd", "check": false }, "auxiliary_admin/pop2/uw_fileretrieval": { "name": "UoW pop2d Remote File Retrieval Vulnerability", "full_name": "auxiliary/admin/pop2/uw_fileretrieval", "rank": 300, "disclosure_date": "2000-07-14", "type": "auxiliary", "author": [ "aushack " ], "description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. 
The From address is\n the file owner.", "references": [ "OSVDB-368", "BID-1484" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 109, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb", "is_install_path": true, "ref_name": "admin/pop2/uw_fileretrieval", "check": false }, "auxiliary_admin/postgres/postgres_readfile": { "name": "PostgreSQL Server Generic Query", "full_name": "auxiliary/admin/postgres/postgres_readfile", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "todb " ], "description": "This module imports a file local on the PostgreSQL Server into a\n temporary table, reads it, and then drops the temporary table.\n It requires PostgreSQL credentials with table CREATE privileges\n as well as read privileges to the target file.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5432, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb", "is_install_path": true, "ref_name": "admin/postgres/postgres_readfile", "check": false }, "auxiliary_admin/postgres/postgres_sql": { "name": "PostgreSQL Server Generic Query", "full_name": "auxiliary/admin/postgres/postgres_sql", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "todb " ], "description": "This module will allow for simple SQL statements to be executed against a\n PostgreSQL instance given the appropriate credentials.", "references": [ "URL-www.postgresql.org" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5432, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/postgres/postgres_sql.rb", "is_install_path": true, "ref_name": "admin/postgres/postgres_sql", "check": false }, "auxiliary_admin/sap/sap_configservlet_exec_noauth": { "name": "SAP ConfigServlet OS Command Execution", 
"full_name": "auxiliary/admin/sap/sap_configservlet_exec_noauth", "rank": 300, "disclosure_date": "2012-11-01", "type": "auxiliary", "author": [ "Dmitry Chastuhin", "Andras Kabai" ], "description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.", "references": [ "OSVDB-92704", "EDB-24963", "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 50000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb", "is_install_path": true, "ref_name": "admin/sap/sap_configservlet_exec_noauth", "check": false }, "auxiliary_admin/sap/sap_mgmt_con_osexec": { "name": "SAP Management Console OSExecute", "full_name": "auxiliary/admin/sap/sap_mgmt_con_osexec", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Chris John Riley" ], "description": "This module allows execution of operating system commands through the SAP\n Management Console SOAP Interface. A valid username and password must be\n provided.", "references": [ "URL-http://blog.c22.cc" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 50013, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb", "is_install_path": true, "ref_name": "admin/sap/sap_mgmt_con_osexec", "check": true }, "auxiliary_admin/scada/advantech_webaccess_dbvisitor_sqli": { "name": "Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection", "full_name": "auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli", "rank": 300, "disclosure_date": "2014-04-08", "type": "auxiliary", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. 
The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. This module can be used to extract the site\n and project usernames and hashes.", "references": [ "CVE-2014-0763", "ZDI-14-077", "OSVDB-105572", "BID-66740", "URL-https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb", "is_install_path": true, "ref_name": "admin/scada/advantech_webaccess_dbvisitor_sqli", "check": true }, "auxiliary_admin/scada/ge_proficy_substitute_traversal": { "name": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal", "full_name": "auxiliary/admin/scada/ge_proficy_substitute_traversal", "rank": 300, "disclosure_date": "2013-01-22", "type": "auxiliary", "author": [ "Unknown", "juan vazquez " ], "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.", "references": [ "CVE-2013-0653", "OSVDB-89490", "BID-57505", "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb", "is_install_path": true, "ref_name": "admin/scada/ge_proficy_substitute_traversal", "check": false }, "auxiliary_admin/scada/modicon_command": { "name": "Schneider Modicon Remote START/STOP Command", "full_name": "auxiliary/admin/scada/modicon_command", "rank": 300, "disclosure_date": "2012-04-05", "type": "auxiliary", "author": [ "K. 
Reid Wightman ", "todb " ], "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.", "references": [ "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 502, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/modicon_command.rb", "is_install_path": true, "ref_name": "admin/scada/modicon_command", "check": false }, "auxiliary_admin/scada/modicon_password_recovery": { "name": "Schneider Modicon Quantum Password Recovery", "full_name": "auxiliary/admin/scada/modicon_password_recovery", "rank": 300, "disclosure_date": "2012-01-19", "type": "auxiliary", "author": [ "K. Reid Wightman ", "todb " ], "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.", "references": [ "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb", "is_install_path": true, "ref_name": "admin/scada/modicon_password_recovery", "check": true }, "auxiliary_admin/scada/modicon_stux_transfer": { "name": "Schneider Modicon Ladder Logic Upload/Download", "full_name": "auxiliary/admin/scada/modicon_stux_transfer", "rank": 300, "disclosure_date": "2012-04-05", "type": "auxiliary", "author": [ "K. 
Reid Wightman ", "todb " ], "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.", "references": [ "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 502, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/modicon_stux_transfer.rb", "is_install_path": true, "ref_name": "admin/scada/modicon_stux_transfer", "check": false }, "auxiliary_admin/scada/moxa_credentials_recovery": { "name": "Moxa Device Credential Retrieval", "full_name": "auxiliary/admin/scada/moxa_credentials_recovery", "rank": 300, "disclosure_date": "2015-07-28", "type": "auxiliary", "author": [ "Patrick DeSantis ", "K. Reid Wightman " ], "description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos K. 
Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.", "references": [ "CVE-2016-9361", "BID-85965", "URL-https://www.digitalbond.com/blog/2016/10/25/serial-killers/", "URL-https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py", "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 4800, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/moxa_credentials_recovery.rb", "is_install_path": true, "ref_name": "admin/scada/moxa_credentials_recovery", "check": true }, "auxiliary_admin/scada/multi_cip_command": { "name": "Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands", "full_name": "auxiliary/admin/scada/multi_cip_command", "rank": 300, "disclosure_date": "2012-01-19", "type": "auxiliary", "author": [ "Ruben Santamarta ", "K. Reid Wightman ", "todb " ], "description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. 
This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.", "references": [ "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 44818, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/scada/multi_cip_command.rb", "is_install_path": true, "ref_name": "admin/scada/multi_cip_command", "check": false }, "auxiliary_admin/scada/phoenix_command": { "name": "PhoenixContact PLC Remote START/STOP Command", "full_name": "auxiliary/admin/scada/phoenix_command", "rank": 300, "disclosure_date": "2015-05-20", "type": "auxiliary", "author": [ "Tijl Deneut " ], "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)", "references": [ "URL-https://github.com/tijldeneut/ICSSecurityScripts", "CVE-2014-9195" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/scada/phoenix_command.rb", "is_install_path": true, "ref_name": "admin/scada/phoenix_command", "check": false }, "auxiliary_admin/scada/yokogawa_bkbcopyd_client": { "name": "Yokogawa BKBCopyD.exe Client", "full_name": "auxiliary/admin/scada/yokogawa_bkbcopyd_client", "rank": 300, "disclosure_date": "2014-08-09", "type": "auxiliary", "author": [ "Unknown" ], "description": "This module allows an 
unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.", "references": [ "CVE-2014-5208", "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 20111, "targets": null, "mod_time": "2018-07-08 19:00:11 +0000", "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb", "is_install_path": true, "ref_name": "admin/scada/yokogawa_bkbcopyd_client", "check": false }, "auxiliary_admin/serverprotect/file": { "name": "TrendMicro ServerProtect File Access", "full_name": "auxiliary/admin/serverprotect/file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "toto" ], "description": "This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.", "references": [ "CVE-2007-6507", "OSVDB-44318", "ZDI-07-077" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5168, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/serverprotect/file.rb", "is_install_path": true, "ref_name": "admin/serverprotect/file", "check": false }, "auxiliary_admin/smb/check_dir_file": { "name": "SMB Scanner Check File/Directory Utility", "full_name": "auxiliary/admin/smb/check_dir_file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "aushack ", "j0hn__f" ], "description": "This module is useful when checking an entire network\n of SMB hosts for the presence of a known file or directory.\n An example would be to scan all systems for the presence of\n antivirus or known malware outbreak. 
Typically you must set\n RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/admin/smb/check_dir_file.rb", "is_install_path": true, "ref_name": "admin/smb/check_dir_file", "check": true }, "auxiliary_admin/smb/delete_file": { "name": "SMB File Delete Utility", "full_name": "auxiliary/admin/smb/delete_file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "mubix " ], "description": "This module deletes a file from a target share and path. The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/smb/delete_file.rb", "is_install_path": true, "ref_name": "admin/smb/delete_file", "check": true }, "auxiliary_admin/smb/download_file": { "name": "SMB File Download Utility", "full_name": "auxiliary/admin/smb/download_file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "mubix " ], "description": "This module downloads a file from a target share and path. 
The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-05-07 00:13:11 +0000", "path": "/modules/auxiliary/admin/smb/download_file.rb", "is_install_path": true, "ref_name": "admin/smb/download_file", "check": true }, "auxiliary_admin/smb/list_directory": { "name": "SMB Directory Listing Utility", "full_name": "auxiliary/admin/smb/list_directory", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "mubix ", "hdm " ], "description": "This module lists the directory of a target share and path. The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/smb/list_directory.rb", "is_install_path": true, "ref_name": "admin/smb/list_directory", "check": false }, "auxiliary_admin/smb/ms17_010_command": { "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "full_name": "auxiliary/admin/smb/ms17_010_command", "rank": 300, "disclosure_date": "2017-03-14", "type": "auxiliary", "author": [ "sleepya", "zerosum0x0", "Shadow Brokers", "Equation Group" ], "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. 
From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", "references": [ "AKA-ETERNALSYNERGY", "AKA-ETERNALROMANCE", "AKA-ETERNALCHAMPION", "AKA-ETERNALBLUE", "MSB-MS17-010", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "URL-https://github.com/worawit/MS17-010", "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-04-27 10:49:04 +0000", "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb", "is_install_path": true, "ref_name": "admin/smb/ms17_010_command", "check": true }, "auxiliary_admin/smb/psexec_command": { "name": "Microsoft Windows Authenticated Administration Utility", "full_name": "auxiliary/admin/smb/psexec_command", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Royce Davis @R3dy__ " ], "description": "This module uses a valid administrator username and password to execute an\n arbitrary command on one or more hosts, using a similar technique than the \"psexec\"\n utility provided by SysInternals. Daisy chaining commands with '&' does not work\n and users shouldn't try it. 
This module is useful because it doesn't need to upload\n any binaries to the target machine.", "references": [ "CVE-1999-0504", "OSVDB-3106", "URL-https://www.optiv.com/blog/owning-computers-without-shell-access", "URL-http://sourceforge.net/projects/smbexec/", "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-04-27 20:58:25 +0000", "path": "/modules/auxiliary/admin/smb/psexec_command.rb", "is_install_path": true, "ref_name": "admin/smb/psexec_command", "check": true }, "auxiliary_admin/smb/psexec_ntdsgrab": { "name": "PsExec NTDS.dit And SYSTEM Hive Download Utility", "full_name": "auxiliary/admin/smb/psexec_ntdsgrab", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Royce Davis " ], "description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. 
All of this is done without uploading a single binary to the\n target host.", "references": [ "URL-http://sourceforge.net/projects/smbexec", "URL-https://www.optiv.com/blog/owning-computers-without-shell-access" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-08-01 22:39:14 +0000", "path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb", "is_install_path": true, "ref_name": "admin/smb/psexec_ntdsgrab", "check": false }, "auxiliary_admin/smb/samba_symlink_traversal": { "name": "Samba Symlink Directory Traversal", "full_name": "auxiliary/admin/smb/samba_symlink_traversal", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "kcope", "hdm " ], "description": "This module exploits a directory traversal flaw in the Samba\n CIFS server. To exploit this flaw, a writeable share must be specified.\n The newly created directory will link to the root filesystem.", "references": [ "CVE-2010-0926", "OSVDB-62145", "URL-http://www.samba.org/samba/news/symlink_attack.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb", "is_install_path": true, "ref_name": "admin/smb/samba_symlink_traversal", "check": false }, "auxiliary_admin/smb/upload_file": { "name": "SMB File Upload Utility", "full_name": "auxiliary/admin/smb/upload_file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module uploads a file to a target share and path. 
The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-05-07 00:13:11 +0000", "path": "/modules/auxiliary/admin/smb/upload_file.rb", "is_install_path": true, "ref_name": "admin/smb/upload_file", "check": true }, "auxiliary_admin/sunrpc/solaris_kcms_readfile": { "name": "Solaris KCMS + TTDB Arbitrary File Read", "full_name": "auxiliary/admin/sunrpc/solaris_kcms_readfile", "rank": 300, "disclosure_date": "2003-01-22", "type": "auxiliary", "author": [ "vlad902 ", "jduck " ], "description": "This module targets a directory traversal vulnerability in the\n kcms_server component from the Kodak Color Management System. By\n utilizing the ToolTalk Database Server\\'s TT_ISBUILD procedure, an\n attacker can bypass existing directory traversal validation and\n read arbitrary files.\n\n Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. 
Both\n kcms_server and rpc.ttdbserverd must be running on the target\n host.", "references": [ "CVE-2003-0027", "OSVDB-8201", "BID-6665", "URL-http://marc.info/?l=bugtraq&m=104326556329850&w=2" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 111, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb", "is_install_path": true, "ref_name": "admin/sunrpc/solaris_kcms_readfile", "check": false }, "auxiliary_admin/teradata/teradata_odbc_sql": { "name": "Teradata ODBC SQL Query Module", "full_name": "auxiliary/admin/teradata/teradata_odbc_sql", "rank": 300, "disclosure_date": "2018-03-29", "type": "auxiliary", "author": [ "Ted Raffle (actuated)" ], "description": "SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.", "references": [ "URL-https://developer.teradata.com/tools/reference/teradata-python-module", "URL-https://downloads.teradata.com/download/connectivity/odbc-driver/linux", "AKA-Teradata ODBC Authentication Scanner" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1025, "targets": null, "mod_time": "2018-06-27 15:34:29 +0000", "path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py", "is_install_path": true, "ref_name": "admin/teradata/teradata_odbc_sql", "check": true }, "auxiliary_admin/tftp/tftp_transfer_util": { "name": "TFTP File Transfer Utility", "full_name": "auxiliary/admin/tftp/tftp_transfer_util", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "todb " ], "description": "This module will transfer a file to or from a remote TFTP server.\n Note that the target must be able to connect back to the Metasploit system,\n and NAT traversal for TFTP is often unsupported.\n\n Two actions are supported: \"Upload\" and \"Download,\" which behave as 
one might\n expect -- use 'set action Actionname' to use either mode of operation.\n\n If \"Download\" is selected, at least one of FILENAME or REMOTE_FILENAME\n must be set. If \"Upload\" is selected, either FILENAME must be set to a valid path to\n a source file, or FILEDATA must be populated. FILENAME may be a fully qualified path,\n or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.", "references": [ "URL-http://www.faqs.org/rfcs/rfc1350.html", "URL-http://www.networksorcery.com/enp/protocol/tftp.htm" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 69, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb", "is_install_path": true, "ref_name": "admin/tftp/tftp_transfer_util", "check": false }, "auxiliary_admin/tikiwiki/tikidblib": { "name": "TikiWiki Information Disclosure", "full_name": "auxiliary/admin/tikiwiki/tikidblib", "rank": 300, "disclosure_date": "2006-11-01", "type": "auxiliary", "author": [ "Matteo Cantoni " ], "description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.", "references": [ "OSVDB-30172", "BID-20858", "CVE-2006-5702", "URL-http://secunia.com/advisories/22678/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb", "is_install_path": true, "ref_name": "admin/tikiwiki/tikidblib", "check": false }, "auxiliary_admin/upnp/soap_portmapping": { "name": "UPnP IGD SOAP Port Mapping Utility", "full_name": "auxiliary/admin/upnp/soap_portmapping", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "St0rn ", "Jon Hart " ], "description": "Manage port 
mappings on UPnP IGD-capable device using the AddPortMapping and\n DeletePortMapping SOAP requests", "references": [ "URL-http://www.upnp-hacks.org/igd.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/upnp/soap_portmapping.rb", "is_install_path": true, "ref_name": "admin/upnp/soap_portmapping", "check": false }, "auxiliary_admin/vmware/poweroff_vm": { "name": "VMWare Power Off Virtual Machine", "full_name": "auxiliary/admin/vmware/poweroff_vm", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine " ], "description": "This module will log into the Web API of VMWare and try to power off\n a specified Virtual Machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vmware/poweroff_vm.rb", "is_install_path": true, "ref_name": "admin/vmware/poweroff_vm", "check": false }, "auxiliary_admin/vmware/poweron_vm": { "name": "VMWare Power On Virtual Machine", "full_name": "auxiliary/admin/vmware/poweron_vm", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine " ], "description": "This module will log into the Web API of VMWare and try to power on\n a specified Virtual Machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vmware/poweron_vm.rb", "is_install_path": true, "ref_name": "admin/vmware/poweron_vm", "check": false }, "auxiliary_admin/vmware/tag_vm": { "name": "VMWare Tag Virtual Machine", "full_name": "auxiliary/admin/vmware/tag_vm", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine " ], "description": "This module will log into the Web API of 
VMWare and\n 'tag' a specified Virtual Machine. It does this by\n logging a user event with user supplied text", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vmware/tag_vm.rb", "is_install_path": true, "ref_name": "admin/vmware/tag_vm", "check": false }, "auxiliary_admin/vmware/terminate_esx_sessions": { "name": "VMWare Terminate ESX Login Sessions", "full_name": "auxiliary/admin/vmware/terminate_esx_sessions", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine " ], "description": "This module will log into the Web API of VMWare and try to terminate\n user login sessions as specified by the session keys.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb", "is_install_path": true, "ref_name": "admin/vmware/terminate_esx_sessions", "check": false }, "auxiliary_admin/vnc/realvnc_41_bypass": { "name": "RealVNC NULL Authentication Mode Bypass", "full_name": "auxiliary/admin/vnc/realvnc_41_bypass", "rank": 300, "disclosure_date": "2006-05-15", "type": "auxiliary", "author": [ "hdm ", "theLightCosine " ], "description": "This module exploits an Authentication bypass Vulnerability\n in RealVNC Server version 4.1.0 and 4.1.1. 
It sets up a proxy\n listener on LPORT and proxies to the target server\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.", "references": [ "BID-17978", "OSVDB-25479", "URL-http://secunia.com/advisories/20107/", "CVE-2006-2369" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5900, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb", "is_install_path": true, "ref_name": "admin/vnc/realvnc_41_bypass", "check": false }, "auxiliary_admin/vxworks/apple_airport_extreme_password": { "name": "Apple Airport Extreme Password Extraction (WDBRPC)", "full_name": "auxiliary/admin/vxworks/apple_airport_extreme_password", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. 
Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.", "references": [ "OSVDB-66842", "URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html", "US-CERT-VU-362332" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 17185, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb", "is_install_path": true, "ref_name": "admin/vxworks/apple_airport_extreme_password", "check": false }, "auxiliary_admin/vxworks/dlink_i2eye_autoanswer": { "name": "D-Link i2eye Video Conference AutoAnswer (WDBRPC)", "full_name": "auxiliary/admin/vxworks/dlink_i2eye_autoanswer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. 
The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).", "references": [ "OSVDB-66842", "URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html", "US-CERT-VU-362332" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 17185, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb", "is_install_path": true, "ref_name": "admin/vxworks/dlink_i2eye_autoanswer", "check": false }, "auxiliary_admin/vxworks/wdbrpc_memory_dump": { "name": "VxWorks WDB Agent Remote Memory Dump", "full_name": "auxiliary/admin/vxworks/wdbrpc_memory_dump", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC", "references": [ "OSVDB-66842", "URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html", "US-CERT-VU-362332" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 17185, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb", "is_install_path": true, "ref_name": "admin/vxworks/wdbrpc_memory_dump", "check": false }, "auxiliary_admin/vxworks/wdbrpc_reboot": { "name": "VxWorks WDB Agent Remote Reboot", "full_name": "auxiliary/admin/vxworks/wdbrpc_reboot", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module provides the ability to reboot a VxWorks target through WDBRPC", "references": [ "OSVDB-66842", "URL-http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html", "US-CERT-VU-362332" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 17185, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb", "is_install_path": true, "ref_name": 
"admin/vxworks/wdbrpc_reboot", "check": true }, "auxiliary_admin/webmin/edit_html_fileaccess": { "name": "Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access", "full_name": "auxiliary/admin/webmin/edit_html_fileaccess", "rank": 300, "disclosure_date": "2012-09-06", "type": "auxiliary", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.", "references": [ "OSVDB-85247", "BID-55446", "CVE-2012-2983", "URL-http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf", "URL-https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 10000, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb", "is_install_path": true, "ref_name": "admin/webmin/edit_html_fileaccess", "check": false }, "auxiliary_admin/webmin/file_disclosure": { "name": "Webmin File Disclosure", "full_name": "auxiliary/admin/webmin/file_disclosure", "rank": 300, "disclosure_date": "2006-06-30", "type": "auxiliary", "author": [ "Matteo Cantoni " ], "description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. 
This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).", "references": [ "OSVDB-26772", "BID-18744", "CVE-2006-3392", "US-CERT-VU-999601", "URL-http://secunia.com/advisories/20892/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 10000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/webmin/file_disclosure.rb", "is_install_path": true, "ref_name": "admin/webmin/file_disclosure", "check": false }, "auxiliary_admin/zend/java_bridge": { "name": "Zend Server Java Bridge Design Flaw Remote Code Execution", "full_name": "auxiliary/admin/zend/java_bridge", "rank": 300, "disclosure_date": "2011-03-28", "type": "auxiliary", "author": [ "ikki", "MC " ], "description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. 
By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.", "references": [ "OSVDB-71420", "ZDI-11-113", "EDB-17078" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 10001, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/admin/zend/java_bridge.rb", "is_install_path": true, "ref_name": "admin/zend/java_bridge", "check": false }, "auxiliary_analyze/jtr_aix": { "name": "John the Ripper AIX Password Cracker", "full_name": "auxiliary/analyze/jtr_aix", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine ", "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from passwd files on AIX systems.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_aix.rb", "is_install_path": true, "ref_name": "analyze/jtr_aix", "check": false }, "auxiliary_analyze/jtr_crack_fast": { "name": "John the Ripper Password Cracker (Fast Mode)", "full_name": "auxiliary/analyze/jtr_crack_fast", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n of this module is to find trivial passwords in a short amount of time. To\n crack complex passwords or use large wordlists, John the Ripper should be\n used outside of Metasploit. 
This initial version just handles LM/NTLM credentials\n from hashdump and uses the standard wordlist and rules.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_crack_fast.rb", "is_install_path": true, "ref_name": "analyze/jtr_crack_fast", "check": false }, "auxiliary_analyze/jtr_linux": { "name": "John the Ripper Linux Password Cracker", "full_name": "auxiliary/analyze/jtr_linux", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine ", "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix systems. The module will only crack\n MD5 and DES implementations by default. Set Crypt to true to also try to crack\n Blowfish and SHA implementations. Warning: This is much slower.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_linux.rb", "is_install_path": true, "ref_name": "analyze/jtr_linux", "check": false }, "auxiliary_analyze/jtr_mssql_fast": { "name": "John the Ripper MS SQL Password Cracker (Fast Mode)", "full_name": "auxiliary/analyze/jtr_mssql_fast", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine ", "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the mssql_hashdump module. 
Passwords that have been successfully\n cracked are then saved as proper credentials", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb", "is_install_path": true, "ref_name": "analyze/jtr_mssql_fast", "check": false }, "auxiliary_analyze/jtr_mysql_fast": { "name": "John the Ripper MySQL Password Cracker (Fast Mode)", "full_name": "auxiliary/analyze/jtr_mysql_fast", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine ", "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the mysql_hashdump module. Passwords that have been successfully\n cracked are then saved as proper credentials", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb", "is_install_path": true, "ref_name": "analyze/jtr_mysql_fast", "check": false }, "auxiliary_analyze/jtr_oracle_fast": { "name": "John the Ripper Oracle Password Cracker (Fast Mode)", "full_name": "auxiliary/analyze/jtr_oracle_fast", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine ", "hdm " ], "description": "This module uses John the Ripper to identify weak passwords that have been\n acquired from the oracle_hashdump module. 
Passwords that have been successfully\n cracked are then saved as proper credentials", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb", "is_install_path": true, "ref_name": "analyze/jtr_oracle_fast", "check": false }, "auxiliary_analyze/jtr_postgres_fast": { "name": "John the Ripper Postgres SQL Password Cracker", "full_name": "auxiliary/analyze/jtr_postgres_fast", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "theLightCosine " ], "description": "This module uses John the Ripper to attempt to crack Postgres password\n hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n format.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-13 12:09:58 +0000", "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb", "is_install_path": true, "ref_name": "analyze/jtr_postgres_fast", "check": false }, "auxiliary_bnat/bnat_router": { "name": "BNAT Router", "full_name": "auxiliary/bnat/bnat_router", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "bannedit ", "Jonathan Claudius" ], "description": "This module will properly route BNAT traffic and allow for connections to be\n established to machines on ports which might not otherwise be accessible.", "references": [ "URL-https://github.com/claudijd/bnat", "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/bnat/bnat_router.rb", "is_install_path": true, "ref_name": "bnat/bnat_router", 
"check": false }, "auxiliary_bnat/bnat_scan": { "name": "BNAT Scanner", "full_name": "auxiliary/bnat/bnat_scan", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "bannedit ", "Jonathan Claudius " ], "description": "This module is a scanner which can detect Broken NAT (network address translation)\n implementations, which could result in an inability to reach ports on remote\n machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.", "references": [ "URL-https://github.com/claudijd/bnat", "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/bnat/bnat_scan.rb", "is_install_path": true, "ref_name": "bnat/bnat_scan", "check": true }, "auxiliary_client/hwbridge/connect": { "name": "Hardware Bridge Session Connector", "full_name": "auxiliary/client/hwbridge/connect", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Craig Smith" ], "description": "The Hardware Bridge (HWBridge) is a standardized method for\n Metasploit to interact with Hardware Devices. This extends\n the normal exploit capabilities to the non-ethernet realm and\n enables direct hardware and alternative bus manipulations. You\n must have compatible bridging hardware attached to this machine or\n reachable on your network to use any HWBridge exploits.\n\n Use this exploit module to connect the physical HWBridge which\n will start an interactive hwbridge session. You can launch a hwbridge\n server locally by using compliant hardware and executing the local_hwbridge\n module. 
After that module has started, pass the HWBRIDGE_BASE_URL\n options to this connector module.", "references": [ "URL-http://opengarages.org/hwbridge" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-09-11 18:30:34 +0000", "path": "/modules/auxiliary/client/hwbridge/connect.rb", "is_install_path": true, "ref_name": "client/hwbridge/connect", "check": false }, "auxiliary_client/iec104/iec104": { "name": "IEC104 Client Utility", "full_name": "auxiliary/client/iec104/iec104", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Michael John " ], "description": "This module allows sending IEC 60870-5-104 (IEC 104) commands to a remote device.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 2404, "targets": null, "mod_time": "2018-08-03 20:13:48 +0000", "path": "/modules/auxiliary/client/iec104/iec104.rb", "is_install_path": true, "ref_name": "client/iec104/iec104", "check": false }, "auxiliary_client/mms/send_mms": { "name": "MMS Client", "full_name": "auxiliary/client/mms/send_mms", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "sinn3r " ], "description": "This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/client/mms/send_mms.rb", "is_install_path": true, "ref_name": "client/mms/send_mms", "check": false }, "auxiliary_client/sms/send_text": { "name": "SMS Client", "full_name": "auxiliary/client/sms/send_text", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "sinn3r " ], "description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that you do not use this module 
to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/client/sms/send_text.rb", "is_install_path": true, "ref_name": "client/sms/send_text", "check": false }, "auxiliary_client/smtp/emailer": { "name": "Generic Emailer (SMTP)", "full_name": "auxiliary/client/smtp/emailer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "et " ], "description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.", "references": [ "URL-http://spl0it.org/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": "25", "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/client/smtp/emailer.rb", "is_install_path": true, "ref_name": "client/smtp/emailer", "check": false }, "auxiliary_crawler/msfcrawler": { "name": "Metasploit Web Crawler", "full_name": "auxiliary/crawler/msfcrawler", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "et " ], "description": "This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/crawler/msfcrawler.rb", "is_install_path": true, "ref_name": "crawler/msfcrawler", "check": true }, "auxiliary_docx/word_unc_injector": { "name": "Microsoft Word UNC Path Injector", "full_name": "auxiliary/docx/word_unc_injector", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "SphaZ " ], "description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM 
credentials to a remote host. It can also create an empty docx file. If\n emailed the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", "references": [ "URL-http://jedicorp.com/?p=534" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/docx/word_unc_injector.rb", "is_install_path": true, "ref_name": "docx/word_unc_injector", "check": false }, "auxiliary_dos/android/android_stock_browser_iframe": { "name": "Android Stock Browser Iframe DOS", "full_name": "auxiliary/dos/android/android_stock_browser_iframe", "rank": 300, "disclosure_date": "2012-12-01", "type": "auxiliary", "author": [ "Jean Pascal Pereira", "Jonathan Waggoner" ], "description": "This module exploits a vulnerability in the native browser that comes with Android 4.0.3.\n If successful, the browser will crash after viewing the webpage.", "references": [ "PACKETSTORM-118539", "CVE-2012-6301" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb", "is_install_path": true, "ref_name": "dos/android/android_stock_browser_iframe", "check": false }, "auxiliary_dos/cisco/ios_http_percentpercent": { "name": "Cisco IOS HTTP GET /%% Request Denial of Service", "full_name": "auxiliary/dos/cisco/ios_http_percentpercent", "rank": 300, "disclosure_date": "2000-04-26", "type": "auxiliary", "author": [ "aushack " ], "description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. 
IOS 11.1 -> 12.1 are reportedly vulnerable. This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.", "references": [ "BID-1154", "CVE-2000-0380", "OSVDB-1302" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb", "is_install_path": true, "ref_name": "dos/cisco/ios_http_percentpercent", "check": false }, "auxiliary_dos/cisco/ios_telnet_rocem": { "name": "Cisco IOS Telnet Denial of Service", "full_name": "auxiliary/dos/cisco/ios_telnet_rocem", "rank": 300, "disclosure_date": "2017-03-17", "type": "auxiliary", "author": [ "Artem Kondratenko" ], "description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. Tested against Cisco\n Catalyst 2960 and 3750.", "references": [ "BID-96960", "CVE-2017-3881", "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp", "URL-https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 23, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb", "is_install_path": true, "ref_name": "dos/cisco/ios_telnet_rocem", "check": false }, "auxiliary_dos/dhcp/isc_dhcpd_clientid": { "name": "ISC DHCP Zero Length ClientID Denial of Service Module", "full_name": "auxiliary/dos/dhcp/isc_dhcpd_clientid", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "sid", "theLightCosine " ], "description": "This module performs a Denial of Service Attack against the ISC DHCP server,\n versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request\n message with a 0-length client_id option for an IP address on the appropriate range\n for the dhcp server. 
When ISC DHCP Server tries to hash this value it exits\n abnormally.", "references": [ "CVE-2010-2156", "OSVDB-65246", "EDB-14185" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb", "is_install_path": true, "ref_name": "dos/dhcp/isc_dhcpd_clientid", "check": false }, "auxiliary_dos/dns/bind_tkey": { "name": "BIND TKEY Query Denial of Service", "full_name": "auxiliary/dos/dns/bind_tkey", "rank": 300, "disclosure_date": "2015-07-28", "type": "auxiliary", "author": [ "Jonathan Foote", "throwawayokejxqbbif", "wvu " ], "description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.", "references": [ "CVE-2015-5477", "URL-https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/", "URL-https://kb.isc.org/article/AA-01272" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 53, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/dns/bind_tkey.rb", "is_install_path": true, "ref_name": "dos/dns/bind_tkey", "check": true }, "auxiliary_dos/dns/bind_tsig": { "name": "BIND TSIG Query Denial of Service", "full_name": "auxiliary/dos/dns/bind_tsig", "rank": 300, "disclosure_date": "2016-09-27", "type": "auxiliary", "author": [ "Martin Rocha", "Ezequiel Tavella", "Alejandro Parodi", "Infobyte Research Team" ], "description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that 
meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.", "references": [ "CVE-2016-2776", "URL-http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 53, "targets": null, "mod_time": "2017-08-26 10:41:10 +0000", "path": "/modules/auxiliary/dos/dns/bind_tsig.rb", "is_install_path": true, "ref_name": "dos/dns/bind_tsig", "check": true }, "auxiliary_dos/freebsd/nfsd/nfsd_mount": { "name": "FreeBSD Remote NFS RPC Request Denial of Service", "full_name": "auxiliary/dos/freebsd/nfsd/nfsd_mount", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "MC " ], "description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.", "references": [ "BID-16838", "OSVDB-23511", "CVE-2006-0900" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 2049, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb", "is_install_path": true, "ref_name": "dos/freebsd/nfsd/nfsd_mount", "check": false }, "auxiliary_dos/hp/data_protector_rds": { "name": "HP Data Protector Manager RDS DOS", "full_name": "auxiliary/dos/hp/data_protector_rds", "rank": 300, "disclosure_date": "2011-01-08", "type": "auxiliary", "author": [ "Roi Mallo ", "sinn3r " ], "description": "This module causes a remote DOS on HP Data Protector's RDS service. 
By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().", "references": [ "CVE-2011-0514", "OSVDB-70617", "EDB-15940" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1530, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/hp/data_protector_rds.rb", "is_install_path": true, "ref_name": "dos/hp/data_protector_rds", "check": false }, "auxiliary_dos/http/3com_superstack_switch": { "name": "3Com SuperStack Switch Denial of Service", "full_name": "auxiliary/dos/http/3com_superstack_switch", "rank": 300, "disclosure_date": "2004-06-24", "type": "auxiliary", "author": [ "aushack " ], "description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. 
Reported to affect versions\n prior to v2.72.", "references": [ "OSVDB-7246", "CVE-2004-2691", "URL-http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/http/3com_superstack_switch.rb", "is_install_path": true, "ref_name": "dos/http/3com_superstack_switch", "check": false }, "auxiliary_dos/http/apache_commons_fileupload_dos": { "name": "Apache Commons FileUpload and Apache Tomcat DoS", "full_name": "auxiliary/dos/http/apache_commons_fileupload_dos", "rank": 300, "disclosure_date": "2014-02-06", "type": "auxiliary", "author": [ "Unknown", "ribeirux" ], "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. 
Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.", "references": [ "CVE-2014-0050", "URL-http://tomcat.apache.org/security-8.html", "URL-http://tomcat.apache.org/security-7.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8080, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb", "is_install_path": true, "ref_name": "dos/http/apache_commons_fileupload_dos", "check": false }, "auxiliary_dos/http/apache_mod_isapi": { "name": "Apache mod_isapi Dangling Pointer", "full_name": "auxiliary/dos/http/apache_mod_isapi", "rank": 300, "disclosure_date": "2010-03-05", "type": "auxiliary", "author": [ "Brett Gervasoni", "jduck " ], "description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. 
In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.", "references": [ "CVE-2010-0425", "OSVDB-62674", "BID-38494", "URL-https://issues.apache.org/bugzilla/show_bug.cgi?id=48509", "URL-http://www.gossamer-threads.com/lists/apache/cvs/381537", "URL-http://www.senseofsecurity.com.au/advisories/SOS-10-002", "EDB-11650" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/apache_mod_isapi.rb", "is_install_path": true, "ref_name": "dos/http/apache_mod_isapi", "check": false }, "auxiliary_dos/http/apache_range_dos": { "name": "Apache Range Header DoS (Apache Killer)", "full_name": "auxiliary/dos/http/apache_range_dos", "rank": 300, "disclosure_date": "2011-08-19", "type": "auxiliary", "author": [ "Kingcope", "Masashi Fujiwara", "Markus Neis " ], "description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\"", "references": [ "BID-49303", "CVE-2011-3192", "EDB-17696", "OSVDB-74721" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/apache_range_dos.rb", "is_install_path": true, "ref_name": "dos/http/apache_range_dos", "check": true }, "auxiliary_dos/http/apache_tomcat_transfer_encoding": { "name": "Apache Tomcat Transfer-Encoding Information Disclosure and DoS", "full_name": "auxiliary/dos/http/apache_tomcat_transfer_encoding", "rank": 300, "disclosure_date": "2010-07-09", "type": "auxiliary", "author": [ "Steve Jones", "Hoagie ", "Paulino Calderon " ], "description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 
7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"", "references": [ "CVE-2010-2227", "OSVDB-66319", "BID-41544" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb", "is_install_path": true, "ref_name": "dos/http/apache_tomcat_transfer_encoding", "check": false }, "auxiliary_dos/http/brother_debut_dos": { "name": "Brother Debut http Denial Of Service", "full_name": "auxiliary/dos/http/brother_debut_dos", "rank": 300, "disclosure_date": "2017-11-02", "type": "auxiliary", "author": [ "z00n <0xz00n@gmail.com>", "h00die" ], "description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. 
After which, the\n printer will start responding again.", "references": [ "CVE-2017-16249", "URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-017/?fid=10211" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-01-24 20:54:21 +0000", "path": "/modules/auxiliary/dos/http/brother_debut_dos.rb", "is_install_path": true, "ref_name": "dos/http/brother_debut_dos", "check": false }, "auxiliary_dos/http/canon_wireless_printer": { "name": "Canon Wireless Printer Denial Of Service", "full_name": "auxiliary/dos/http/canon_wireless_printer", "rank": 300, "disclosure_date": "2013-06-18", "type": "auxiliary", "author": [ "Matt \"hostess\" Andreko " ], "description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.", "references": [ "CVE-2013-4615", "URL-http://www.mattandreko.com/2013/06/canon-y-u-no-security.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/canon_wireless_printer.rb", "is_install_path": true, "ref_name": "dos/http/canon_wireless_printer", "check": false }, "auxiliary_dos/http/dell_openmanage_post": { "name": "Dell OpenManage POST Request Heap Overflow (win32)", "full_name": "auxiliary/dos/http/dell_openmanage_post", "rank": 300, "disclosure_date": "2004-02-26", "type": "auxiliary", "author": [ "aushack " ], "description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. 
The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.", "references": [ "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html", "BID-9750", "OSVDB-4077", "CVE-2004-0331" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1311, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/http/dell_openmanage_post.rb", "is_install_path": true, "ref_name": "dos/http/dell_openmanage_post", "check": false }, "auxiliary_dos/http/f5_bigip_apm_max_sessions": { "name": "F5 BigIP Access Policy Manager Session Exhaustion Denial of Service", "full_name": "auxiliary/dos/http/f5_bigip_apm_max_sessions", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Denis Kolegov ", "Oleg Broslavsky ", "Nikita Oleksov " ], "description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. 
Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.", "references": [ "URL-https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb", "is_install_path": true, "ref_name": "dos/http/f5_bigip_apm_max_sessions", "check": false }, "auxiliary_dos/http/flexense_http_server_dos": { "name": "Flexense HTTP Server Denial Of Service", "full_name": "auxiliary/dos/http/flexense_http_server_dos", "rank": 300, "disclosure_date": "2018-03-09", "type": "auxiliary", "author": [ "Ege Balci " ], "description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n The vulnerability is caused by a user-mode write access memory violation and can be triggered by\n rapidly sending a variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that use Flexense HTTP server 10.6.24 and below are reportedly vulnerable.", "references": [ "CVE-2018-8065", "URL-https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-05-29 16:09:27 +0000", "path": "/modules/auxiliary/dos/http/flexense_http_server_dos.rb", "is_install_path": true, "ref_name": "dos/http/flexense_http_server_dos", "check": true }, "auxiliary_dos/http/gzip_bomb_dos": { "name": "Gzip Memory Bomb Denial Of Service", "full_name": "auxiliary/dos/http/gzip_bomb_dos", "rank": 300, "disclosure_date": "2004-01-01", "type": "auxiliary", "author": [ "info ", "joev " ], "description": 
"This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.", "references": [ "URL-http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb", "is_install_path": true, "ref_name": "dos/http/gzip_bomb_dos", "check": false }, "auxiliary_dos/http/hashcollision_dos": { "name": "Hashtable Collisions", "full_name": "auxiliary/dos/http/hashcollision_dos", "rank": 300, "disclosure_date": "2011-12-28", "type": "auxiliary", "author": [ "Alexander Klink", "Julian Waelde", "Scott A. Crosby", "Dan S. Wallach", "Krzysztof Kotowicz", "Christian Mehlmauer " ], "description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. 
This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.", "references": [ "URL-http://www.ocert.org/advisories/ocert-2011-003.html", "URL-http://www.nruns.com/_downloads/advisory28122011.pdf", "URL-http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html", "URL-http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf", "URL-http://www.youtube.com/watch?v=R2Cq3CLI6H8", "CVE-2011-5034", "CVE-2011-5035", "CVE-2011-4885", "CVE-2011-4858" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/hashcollision_dos.rb", "is_install_path": true, "ref_name": "dos/http/hashcollision_dos", "check": false }, "auxiliary_dos/http/ibm_lotus_notes": { "name": "IBM Notes encodeURI DOS", "full_name": "auxiliary/dos/http/ibm_lotus_notes", "rank": 300, "disclosure_date": "2017-08-31", "type": "auxiliary", "author": [ "Dhiraj Mishra" ], "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, it could cause the Notes client to hang and have to be restarted.", "references": [ "EXPLOIT-DB-42602", "CVE-2017-1129", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21999385" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-10-09 17:02:24 +0000", "path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb", "is_install_path": true, "ref_name": "dos/http/ibm_lotus_notes", "check": false }, "auxiliary_dos/http/ibm_lotus_notes2": { "name": "IBM Notes Denial Of Service", 
"full_name": "auxiliary/dos/http/ibm_lotus_notes2", "rank": 300, "disclosure_date": "2017-08-31", "type": "auxiliary", "author": [ "Dhiraj Mishra" ], "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, the browser will crash after viewing the webpage.", "references": [ "EDB-42604", "CVE-2017-1130" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-11-06 20:45:50 +0000", "path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb", "is_install_path": true, "ref_name": "dos/http/ibm_lotus_notes2", "check": false }, "auxiliary_dos/http/monkey_headers": { "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)", "full_name": "auxiliary/dos/http/monkey_headers", "rank": 300, "disclosure_date": "2013-05-30", "type": "auxiliary", "author": [ "Doug Prostko " ], "description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. Affects version <= 1.2.0.", "references": [ "CVE-2013-3843", "OSVDB-93853", "BID-60333" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 2001, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/monkey_headers.rb", "is_install_path": true, "ref_name": "dos/http/monkey_headers", "check": false }, "auxiliary_dos/http/ms15_034_ulonglongadd": { "name": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service", "full_name": "auxiliary/dos/http/ms15_034_ulonglongadd", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Bill Finlayson", "sinn3r " ], "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. 
This module will try to cause a denial-of-service.", "references": [ "CVE-2015-1635", "MSB-MS15-034", "URL-http://pastebin.com/ypURDPc4", "URL-https://github.com/rapid7/metasploit-framework/pull/5150", "URL-https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection", "URL-http://www.securitysift.com/an-analysis-of-ms15-034/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb", "is_install_path": true, "ref_name": "dos/http/ms15_034_ulonglongadd", "check": true }, "auxiliary_dos/http/nodejs_pipelining": { "name": "Node.js HTTP Pipelining Denial of Service", "full_name": "auxiliary/dos/http/nodejs_pipelining", "rank": 300, "disclosure_date": "2013-10-18", "type": "auxiliary", "author": [ "Marek Majkowski", "titanous", "joev " ], "description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. 
The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.", "references": [ "CVE-2013-4450", "OSVDB-98724", "BID-63229", "URL-http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/nodejs_pipelining.rb", "is_install_path": true, "ref_name": "dos/http/nodejs_pipelining", "check": true }, "auxiliary_dos/http/novell_file_reporter_heap_bof": { "name": "NFR Agent Heap Overflow Vulnerability", "full_name": "auxiliary/dos/http/novell_file_reporter_heap_bof", "rank": 300, "disclosure_date": "2012-11-16", "type": "auxiliary", "author": [ "juan vazquez " ], "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).", "references": [ "CVE-2012-4956", "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3037, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb", "is_install_path": true, "ref_name": "dos/http/novell_file_reporter_heap_bof", "check": false }, "auxiliary_dos/http/rails_action_view": { "name": "Ruby on Rails Action View MIME Memory Exhaustion", "full_name": "auxiliary/dos/http/rails_action_view", "rank": 300, "disclosure_date": "2013-12-04", "type": "auxiliary", "author": [ "Toby Hsieh", 
"joev ", "sinn3r " ], "description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.", "references": [ "CVE-2013-6414", "OSVDB-100525", "BID-64074", "URL-http://seclists.org/oss-sec/2013/q4/400", "URL-https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/rails_action_view.rb", "is_install_path": true, "ref_name": "dos/http/rails_action_view", "check": false }, "auxiliary_dos/http/rails_json_float_dos": { "name": "Ruby on Rails JSON Processor Floating Point Heap Overflow DoS", "full_name": "auxiliary/dos/http/rails_json_float_dos", "rank": 300, "disclosure_date": "2013-11-22", "type": "auxiliary", "author": [ "Charlie Somerville", "joev ", "todb " ], "description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. 
Other versions of Ruby are reported to be affected.", "references": [ "CVE-2013-4164", "OSVDB-100113", "URL-https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/rails_json_float_dos.rb", "is_install_path": true, "ref_name": "dos/http/rails_json_float_dos", "check": false }, "auxiliary_dos/http/slowloris": { "name": "Slowloris Denial of Service Attack", "full_name": "auxiliary/dos/http/slowloris", "rank": 300, "disclosure_date": "2009-06-17", "type": "auxiliary", "author": [ "RSnake", "Gokberk Yaltirakli", "Daniel Teixeira", "Matthew Kienow " ], "description": "Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.\n It accomplishes this by opening connections to the target web server and sending a partial request.\n Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request.\n Affected servers will keep these connections open, filling their maximum concurrent connection pool,\n eventually denying additional connection attempts from clients.", "references": [ "CVE-2007-6750", "CVE-2010-2227", "URL-https://www.exploit-db.com/exploits/8976/", "URL-https://github.com/gkbrk/slowloris" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-03-07 17:06:04 +0000", "path": "/modules/auxiliary/dos/http/slowloris.py", "is_install_path": true, "ref_name": "dos/http/slowloris", "check": false }, "auxiliary_dos/http/sonicwall_ssl_format": { "name": "SonicWALL SSL-VPN Format String Vulnerability", "full_name": "auxiliary/dos/http/sonicwall_ssl_format", "rank": 300, "disclosure_date": "2009-05-29", "type": "auxiliary", "author": [ "aushack " ], "description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN 
Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.", "references": [ "BID-35145", "OSVDB-54881", "URL-http://www.aushack.com/200905-sonicwall.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/http/sonicwall_ssl_format.rb", "is_install_path": true, "ref_name": "dos/http/sonicwall_ssl_format", "check": false }, "auxiliary_dos/http/ua_parser_js_redos": { "name": "ua-parser-js npm module ReDoS", "full_name": "auxiliary/dos/http/ua_parser_js_redos", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Ryan Knell, Sonatype Security Research", "Nick Starke, Sonatype Security Research" ], "description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"ua-parser-js\". Server-side applications that use\n \"ua-parser-js\" for parsing the browser user-agent string will be vulnerable\n if they call the \"getOS\" or \"getResult\" functions. 
This vulnerability was\n fixed as of version 0.7.16.", "references": [ "CVE-2017-16086", "URL-https://github.com/faisalman/ua-parser-js/commit/25e143ee7caba78c6405a57d1d06b19c1e8e2f79", "CWE-400" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/dos/http/ua_parser_js_redos.rb", "is_install_path": true, "ref_name": "dos/http/ua_parser_js_redos", "check": false }, "auxiliary_dos/http/webkitplus": { "name": "WebKitGTK+ WebKitFaviconDatabase DoS", "full_name": "auxiliary/dos/http/webkitplus", "rank": 300, "disclosure_date": "2018-06-03", "type": "auxiliary", "author": [ "Dhiraj Mishra", "Hardik Mehta", "Zubin Devnani", "Manuel Caballero" ], "description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.", "references": [ "EDB-44842", "CVE-2018-11646", "URL-https://bugs.webkit.org/show_bug.cgi?id=186164", "URL-https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-14 11:25:00 +0000", "path": "/modules/auxiliary/dos/http/webkitplus.rb", "is_install_path": true, "ref_name": "dos/http/webkitplus", "check": false }, "auxiliary_dos/http/webrick_regex": { "name": "Ruby WEBrick::HTTP::DefaultFileHandler DoS", "full_name": "auxiliary/dos/http/webrick_regex", "rank": 300, "disclosure_date": "2008-08-08", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.", "references": [ "BID-30644", "CVE-2008-3656", "OSVDB-47471", 
"URL-http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/webrick_regex.rb", "is_install_path": true, "ref_name": "dos/http/webrick_regex", "check": false }, "auxiliary_dos/http/wordpress_directory_traversal_dos": { "name": "WordPress Traversal Directory DoS", "full_name": "auxiliary/dos/http/wordpress_directory_traversal_dos", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Yorick Koster", "CryptisStudents" ], "description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.", "references": [ "CVE-2016-6897", "EDB-40288", "OVEID-OVE-20160712-0036" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.rb", "is_install_path": true, "ref_name": "dos/http/wordpress_directory_traversal_dos", "check": false }, "auxiliary_dos/http/wordpress_long_password_dos": { "name": "WordPress Long Password DoS", "full_name": "auxiliary/dos/http/wordpress_long_password_dos", "rank": 300, "disclosure_date": "2014-11-20", "type": "auxiliary", "author": [ "Javier Nieto Arevalo", "Andres Rojas Guerrero", "Rob Carr " ], "description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.", "references": [ "CVE-2014-9016", 
"URL-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034", "OSVDB-114857", "WPVDB-7681" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/dos/http/wordpress_long_password_dos.rb", "is_install_path": true, "ref_name": "dos/http/wordpress_long_password_dos", "check": false }, "auxiliary_dos/http/wordpress_xmlrpc_dos": { "name": "Wordpress XMLRPC DoS", "full_name": "auxiliary/dos/http/wordpress_xmlrpc_dos", "rank": 300, "disclosure_date": "2014-08-06", "type": "auxiliary", "author": [ "Nir Goldshlager", "Christian Mehlmauer " ], "description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).", "references": [ "CVE-2014-5266", "URL-http://wordpress.org/news/2014/08/wordpress-3-9-2/", "URL-http://www.breaksec.com/?p=6362", "URL-http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/", "URL-https://core.trac.wordpress.org/changeset/29404", "WPVDB-7526" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb", "is_install_path": true, "ref_name": "dos/http/wordpress_xmlrpc_dos", "check": false }, "auxiliary_dos/http/ws_dos": { "name": "ws - Denial of Service", "full_name": "auxiliary/dos/http/ws_dos", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Ryan Knell, Sonatype Security Research", "Nick Starke, Sonatype Security Research" ], "description": "This module exploits a Denial of Service vulnerability in npm module \"ws\".\n By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.", "references": [ "URL-https://nodesecurity.io/advisories/550", "CWE-400" ], "is_server": 
false, "is_client": false, "platform": "", "arch": "", "rport": 3000, "targets": null, "mod_time": "2017-12-11 11:49:31 +0000", "path": "/modules/auxiliary/dos/http/ws_dos.rb", "is_install_path": true, "ref_name": "dos/http/ws_dos", "check": false }, "auxiliary_dos/mdns/avahi_portzero": { "name": "Avahi Source Port 0 DoS", "full_name": "auxiliary/dos/mdns/avahi_portzero", "rank": 300, "disclosure_date": "2008-11-14", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "Avahi-daemon versions prior to 0.6.24 can be DoS'd\n with an mDNS packet with a source port of 0.", "references": [ "CVE-2008-5081", "OSVDB-50929" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5353, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/mdns/avahi_portzero.rb", "is_install_path": true, "ref_name": "dos/mdns/avahi_portzero", "check": false }, "auxiliary_dos/misc/dopewars": { "name": "Dopewars Denial of Service", "full_name": "auxiliary/dos/misc/dopewars", "rank": 300, "disclosure_date": "2009-10-05", "type": "auxiliary", "author": [ "Doug Prostko " ], "description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.", "references": [ "CVE-2009-3591", "OSVDB-58884", "BID-36606" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 7902, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/dos/misc/dopewars.rb", "is_install_path": true, "ref_name": "dos/misc/dopewars", "check": false }, "auxiliary_dos/misc/ibm_sametime_webplayer_dos": { "name": "IBM Lotus Sametime WebPlayer DoS", "full_name": "auxiliary/dos/misc/ibm_sametime_webplayer_dos", "rank": 300, "disclosure_date": "2013-11-07", "type": "auxiliary", "author": [ "Chris John Riley", "kicks4kittens" ], "description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a 
denial of service condition\n against specific users. For this module to function, the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting) for this DoS to work correctly.", "references": [ "CVE-2013-3986", "OSVDB-99552", "BID-63611", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21654041", "URL-http://xforce.iss.net/xforce/xfdb/84969" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5060, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb", "is_install_path": true, "ref_name": "dos/misc/ibm_sametime_webplayer_dos", "check": false }, "auxiliary_dos/misc/ibm_tsm_dos": { "name": "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", "full_name": "auxiliary/dos/misc/ibm_tsm_dos", "rank": 300, "disclosure_date": "2015-12-15", "type": "auxiliary", "author": [ "Gianni Gnesa", "William Webb " ], "description": "This module exploits a denial of service condition present in IBM Tivoli Storage Manager\n FastBack Server when dealing with packets triggering the opcode 0x534 handler.", "references": [ "EDB-38979", "OSVDB-132307" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 11460, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb", "is_install_path": true, "ref_name": "dos/misc/ibm_tsm_dos", "check": false }, "auxiliary_dos/misc/memcached": { "name": "Memcached Remote Denial of Service", "full_name": "auxiliary/dos/misc/memcached", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Gregory Man " ], "description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier 
versions.", "references": [ "URL-https://code.google.com/p/memcached/issues/detail?id=192", "CVE-2011-4971", "OSVDB-92867" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 11211, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/misc/memcached.rb", "is_install_path": true, "ref_name": "dos/misc/memcached", "check": false }, "auxiliary_dos/ntp/ntpd_reserved_dos": { "name": "NTP.org ntpd Reserved Mode Denial of Service", "full_name": "auxiliary/dos/ntp/ntpd_reserved_dos", "rank": 300, "disclosure_date": "2009-10-04", "type": "auxiliary", "author": [ "todb " ], "description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) demon. By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!", "references": [ "BID-37255", "CVE-2009-3563", "OSVDB-60847", "URL-https://support.ntp.org/bugs/show_bug.cgi?id=1331" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb", "is_install_path": true, "ref_name": "dos/ntp/ntpd_reserved_dos", "check": true }, "auxiliary_dos/pptp/ms02_063_pptp_dos": { "name": "MS02-063 PPTP Malformed Control Data Kernel Denial of Service", "full_name": "auxiliary/dos/pptp/ms02_063_pptp_dos", "rank": 300, "disclosure_date": "2002-09-26", "type": "auxiliary", "author": [ "aushack " ], "description": "This module exploits a kernel based overflow when sending abnormal PPTP Control Data\n packets\tto Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). 
Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.", "references": [ "BID-5807", "CVE-2002-1214", "OSVDB-13422", "MSB-MS02-063" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1723, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb", "is_install_path": true, "ref_name": "dos/pptp/ms02_063_pptp_dos", "check": false }, "auxiliary_dos/rpc/rpcbomb": { "name": "RPC DoS targeting *nix rpcbind/libtirpc", "full_name": "auxiliary/dos/rpc/rpcbomb", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "guidovranken", "Pearce Barry " ], "description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.", "references": [ "CVE-2017-8779", "BID-98325", "URL-http://openwall.com/lists/oss-security/2017/05/03/12" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 111, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb", "is_install_path": true, "ref_name": "dos/rpc/rpcbomb", "check": true }, "auxiliary_dos/samba/lsa_addprivs_heap": { "name": "Samba lsa_io_privilege_set Heap Overflow", "full_name": "auxiliary/dos/samba/lsa_addprivs_heap", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", "references": [ "CVE-2007-2446", "OSVDB-34699" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb", "is_install_path": true, "ref_name": "dos/samba/lsa_addprivs_heap", "check": false }, 
"auxiliary_dos/samba/lsa_transnames_heap": { "name": "Samba lsa_io_trans_names Heap Overflow", "full_name": "auxiliary/dos/samba/lsa_transnames_heap", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", "references": [ "CVE-2007-2446", "OSVDB-34699" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/samba/lsa_transnames_heap.rb", "is_install_path": true, "ref_name": "dos/samba/lsa_transnames_heap", "check": false }, "auxiliary_dos/samba/read_nttrans_ea_list": { "name": "Samba read_nttrans_ea_list Integer Overflow", "full_name": "auxiliary/dos/samba/read_nttrans_ea_list", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Jeremy Allison", "dz_lnly" ], "description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. 
Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.", "references": [ "OSVDB-95969", "BID-61597", "EDB-27778", "CVE-2013-4124" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb", "is_install_path": true, "ref_name": "dos/samba/read_nttrans_ea_list", "check": false }, "auxiliary_dos/sap/sap_soap_rfc_eps_delete_file": { "name": "SAP SOAP EPS_DELETE_FILE File Deletion", "full_name": "auxiliary/dos/sap/sap_soap_rfc_eps_delete_file", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Alexey Sintsov", "nmonkee" ], "description": "This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP\n RFC Service, to delete arbitrary files on the remote file system. The module can\n also be used to capture SMB hashes by using a fake SMB share as DIRNAME.", "references": [ "OSVDB-74780", "URL-http://dsecrg.com/pages/vul/show.php?id=331", "URL-https://service.sap.com/sap/support/notes/1554030" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 8000, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb", "is_install_path": true, "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file", "check": true }, "auxiliary_dos/scada/beckhoff_twincat": { "name": "Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS", "full_name": "auxiliary/dos/scada/beckhoff_twincat", "rank": 300, "disclosure_date": "2011-09-13", "type": "auxiliary", "author": [ "Luigi Auriemma", "jfa" ], "description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).", "references": [ "CVE-2011-3486", "OSVDB-75495", "URL-http://aluigi.altervista.org/adv/twincat_1-adv.txt" ], "is_server": false, "is_client": false, 
"platform": "", "arch": "", "rport": 48899, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/scada/beckhoff_twincat.rb", "is_install_path": true, "ref_name": "dos/scada/beckhoff_twincat", "check": false }, "auxiliary_dos/scada/d20_tftp_overflow": { "name": "General Electric D20ME TFTP Server Buffer Overflow DoS", "full_name": "auxiliary/dos/scada/d20_tftp_overflow", "rank": 300, "disclosure_date": "2012-01-19", "type": "auxiliary", "author": [ "K. Reid Wightman ", "todb " ], "description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.", "references": [ "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 69, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/scada/d20_tftp_overflow.rb", "is_install_path": true, "ref_name": "dos/scada/d20_tftp_overflow", "check": false }, "auxiliary_dos/scada/igss9_dataserver": { "name": "7-Technologies IGSS 9 IGSSdataServer.exe DoS", "full_name": "auxiliary/dos/scada/igss9_dataserver", "rank": 300, "disclosure_date": "2011-12-20", "type": "auxiliary", "author": [ "jfa" ], "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. 
This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.", "references": [ "CVE-2011-4050", "OSVDB-77976", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-335-01.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 12401, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/scada/igss9_dataserver.rb", "is_install_path": true, "ref_name": "dos/scada/igss9_dataserver", "check": false }, "auxiliary_dos/scada/siemens_siprotec4": { "name": "Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service", "full_name": "auxiliary/dos/scada/siemens_siprotec4", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "M. Can Kurnaz" ], "description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.", "references": [ "URL-https://www.exploit-db.com/exploits/44103/", "URL-https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 50000, "targets": null, "mod_time": "2018-03-13 09:30:48 +0000", "path": "/modules/auxiliary/dos/scada/siemens_siprotec4.rb", "is_install_path": true, "ref_name": "dos/scada/siemens_siprotec4", "check": false }, "auxiliary_dos/scada/yokogawa_logsvr": { "name": "Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow", "full_name": "auxiliary/dos/scada/yokogawa_logsvr", "rank": 300, "disclosure_date": "2014-03-10", "type": "auxiliary", "author": [ "juan vazquez ", "Redsadic " ], "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogawa CENTUM CS 3000 product. 
The vulnerability\n exists in the handling of malformed log packets, with an unexpectedly long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.", "references": [ "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", "CVE-2014-0781" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 52302, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb", "is_install_path": true, "ref_name": "dos/scada/yokogawa_logsvr", "check": false }, "auxiliary_dos/smb/smb_loris": { "name": "SMBLoris NBSS Denial of Service", "full_name": "auxiliary/dos/smb/smb_loris", "rank": 300, "disclosure_date": "2017-06-29", "type": "auxiliary", "author": [ "thelightcosine", "Adam Cammack " ], "description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCLAIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. 
This module will also run\n continuously until stopped.", "references": [ "URL-http://smbloris.com/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2018-03-23 14:55:18 +0000", "path": "/modules/auxiliary/dos/smb/smb_loris.rb", "is_install_path": true, "ref_name": "dos/smb/smb_loris", "check": false }, "auxiliary_dos/smtp/sendmail_prescan": { "name": "Sendmail SMTP Address prescan Memory Corruption", "full_name": "auxiliary/dos/smtp/sendmail_prescan", "rank": 300, "disclosure_date": "2003-09-17", "type": "auxiliary", "author": [ "aushack " ], "description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.", "references": [ "OSVDB-2577", "CVE-2003-0694", "BID-8641", "EDB-24" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 25, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb", "is_install_path": true, "ref_name": "dos/smtp/sendmail_prescan", "check": false }, "auxiliary_dos/solaris/lpd/cascade_delete": { "name": "Solaris LPD Arbitrary File Delete", "full_name": "auxiliary/dos/solaris/lpd/cascade_delete", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm ", "Optyx " ], "description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. 
Tested on Solaris 2.6, 7, 8, 9, and 10.", "references": [ "CVE-2005-4797", "BID-14510", "OSVDB-18650" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 515, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb", "is_install_path": true, "ref_name": "dos/solaris/lpd/cascade_delete", "check": false }, "auxiliary_dos/ssl/dtls_changecipherspec": { "name": "OpenSSL DTLS ChangeCipherSpec Remote DoS", "full_name": "auxiliary/dos/ssl/dtls_changecipherspec", "rank": 300, "disclosure_date": "2000-04-26", "type": "auxiliary", "author": [ "Jon Oberheide ", "theLightCosine " ], "description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a\n ChangeCipherspec Datagram before a ClientHello.", "references": [ "CVE-2009-1386", "OSVDB-55073" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb", "is_install_path": true, "ref_name": "dos/ssl/dtls_changecipherspec", "check": false }, "auxiliary_dos/ssl/dtls_fragment_overflow": { "name": "OpenSSL DTLS Fragment Buffer Overflow DoS", "full_name": "auxiliary/dos/ssl/dtls_fragment_overflow", "rank": 300, "disclosure_date": "2014-06-05", "type": "auxiliary", "author": [ "Juri Aedla ", "Jon Hart " ], "description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n This occurs when a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.", "references": [ "CVE-2014-0195", "ZDI-14-173", "BID-67900", 
"URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002", "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 4433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb", "is_install_path": true, "ref_name": "dos/ssl/dtls_fragment_overflow", "check": false }, "auxiliary_dos/ssl/openssl_aesni": { "name": "OpenSSL TLS 1.1 and 1.2 AES-NI DoS", "full_name": "auxiliary/dos/ssl/openssl_aesni", "rank": 300, "disclosure_date": "2013-02-05", "type": "auxiliary", "author": [ "Wolfgang Ettlinger " ], "description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.", "references": [ "CVE-2012-2686", "URL-https://www.openssl.org/news/secadv/20130205.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/ssl/openssl_aesni.rb", "is_install_path": true, "ref_name": "dos/ssl/openssl_aesni", "check": false }, "auxiliary_dos/syslog/rsyslog_long_tag": { "name": "rsyslog Long Tag Off-By-Two DoS", "full_name": "auxiliary/dos/syslog/rsyslog_long_tag", "rank": 300, "disclosure_date": "2011-09-01", "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers an off-by-two overflow in the\n rsyslog daemon. 
This flaw is unlikely to yield code execution\n but is effective at shutting down a remote log daemon. This bug\n was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.\n Compiler differences may prevent this bug from causing any\n noticeable result on many systems (RHEL6 is affected).", "references": [ "CVE-2011-3200", "URL-http://www.rsyslog.com/potential-dos-with-malformed-tag/", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=727644" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 514, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb", "is_install_path": true, "ref_name": "dos/syslog/rsyslog_long_tag", "check": false }, "auxiliary_dos/tcp/claymore_dos": { "name": "Claymore Dual GPU Miner Format String dos attack", "full_name": "auxiliary/dos/tcp/claymore_dos", "rank": 300, "disclosure_date": "2018-02-06", "type": "auxiliary", "author": [ "res1n", "bluebird" ], "description": "Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.", "references": [ "CVE-CVE-2018-6317", "URL-https://www.exploit-db.com/exploits/43972/", "URL-https://github.com/nanopool/Claymore-Dual-Miner" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3333, "targets": null, "mod_time": "2018-02-16 16:17:52 +0000", "path": "/modules/auxiliary/dos/tcp/claymore_dos.py", "is_install_path": true, "ref_name": "dos/tcp/claymore_dos", "check": false }, "auxiliary_dos/tcp/junos_tcp_opt": { "name": "Juniper JunOS Malformed TCP Option", "full_name": "auxiliary/dos/tcp/junos_tcp_opt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "todb " ], "description": "This module exploits a denial of service vulnerability\n in Juniper Network's JunOS router operating system. 
By sending a TCP\n packet with TCP option 101 set, an attacker can cause an affected\n router to reboot.", "references": [ "BID-37670", "OSVDB-61538", "URL-http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/tcp/junos_tcp_opt.rb", "is_install_path": true, "ref_name": "dos/tcp/junos_tcp_opt", "check": false }, "auxiliary_dos/tcp/synflood": { "name": "TCP SYN Flooder", "full_name": "auxiliary/dos/tcp/synflood", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "A simple TCP SYN flooder", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/tcp/synflood.rb", "is_install_path": true, "ref_name": "dos/tcp/synflood", "check": false }, "auxiliary_dos/upnp/miniupnpd_dos": { "name": "MiniUPnPd 1.4 Denial of Service (DoS) Exploit", "full_name": "auxiliary/dos/upnp/miniupnpd_dos", "rank": 300, "disclosure_date": "2013-03-27", "type": "auxiliary", "author": [ "hdm ", "Dejan Lukan" ], "description": "This module allows remote attackers to cause a denial of service (DoS)\n in MiniUPnP 1.0 server via a specifically crafted UDP request.", "references": [ "CVE-2013-0229", "OSVDB-89625", "BID-57607", "URL-https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1900, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb", "is_install_path": true, "ref_name": "dos/upnp/miniupnpd_dos", "check": false }, "auxiliary_dos/windows/appian/appian_bpm": { "name": "Appian Enterprise Business Suite 5.6 SP1 
DoS", "full_name": "auxiliary/dos/windows/appian/appian_bpm", "rank": 300, "disclosure_date": "2007-12-17", "type": "auxiliary", "author": [ "guiness.stout " ], "description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.", "references": [ "CVE-2007-6509", "OSVDB-39500", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0440.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5400, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/appian/appian_bpm.rb", "is_install_path": true, "ref_name": "dos/windows/appian/appian_bpm", "check": false }, "auxiliary_dos/windows/browser/ms09_065_eot_integer": { "name": "Microsoft Windows EOT Font Table Directory Integer Overflow", "full_name": "auxiliary/dos/windows/browser/ms09_065_eot_integer", "rank": 300, "disclosure_date": "2009-11-10", "type": "auxiliary", "author": [ "hdm " ], "description": "This module exploits an integer overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. 
Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.", "references": [ "CVE-2009-2514", "MSB-MS09-065", "OSVDB-59869" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb", "is_install_path": true, "ref_name": "dos/windows/browser/ms09_065_eot_integer", "check": false }, "auxiliary_dos/windows/ftp/filezilla_admin_user": { "name": "FileZilla FTP Server Admin Interface Denial of Service", "full_name": "auxiliary/dos/windows/ftp/filezilla_admin_user", "rank": 300, "disclosure_date": "2005-11-07", "type": "auxiliary", "author": [ "aushack " ], "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a procession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe)\n when running, will overwrite the stack with our string and generate an\n exception. 
The FileZilla FTP Server itself will continue functioning.", "references": [ "BID-15346", "CVE-2005-3589", "EDB-1336", "OSVDB-20817" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/filezilla_admin_user", "check": false }, "auxiliary_dos/windows/ftp/filezilla_server_port": { "name": "FileZilla FTP Server Malformed PORT Denial of Service", "full_name": "auxiliary/dos/windows/ftp/filezilla_server_port", "rank": 300, "disclosure_date": "2006-12-11", "type": "auxiliary", "author": [ "aushack " ], "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.", "references": [ "BID-21542", "BID-21549", "CVE-2006-6565", "EDB-2914", "OSVDB-34435" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/filezilla_server_port", "check": false }, "auxiliary_dos/windows/ftp/guildftp_cwdlist": { "name": "Guild FTPd 0.999.8.11/0.999.14 Heap Corruption", "full_name": "auxiliary/dos/windows/ftp/guildftp_cwdlist", "rank": 300, "disclosure_date": "2008-10-12", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. 
You need to have a valid login\n so you can run CWD and LIST.", "references": [ "CVE-2008-4572", "OSVDB-49045", "EDB-6738" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/guildftp_cwdlist", "check": false }, "auxiliary_dos/windows/ftp/iis75_ftpd_iac_bof": { "name": "Microsoft IIS FTP Server Encoded Response Overflow Trigger", "full_name": "auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof", "rank": 300, "disclosure_date": "2010-12-21", "type": "auxiliary", "author": [ "Matthew Bergin", "jduck " ], "description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.", "references": [ "CVE-2010-3972", "OSVDB-70167", "BID-45542", "MSB-MS11-004", "EDB-15803", "URL-http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof", "check": false }, "auxiliary_dos/windows/ftp/iis_list_exhaustion": { "name": "Microsoft IIS FTP Server LIST Stack Exhaustion", "full_name": "auxiliary/dos/windows/ftp/iis_list_exhaustion", "rank": 300, "disclosure_date": "2009-09-03", "type": "auxiliary", "author": [ "Kingcope", "Myo Soe" ], "description": "This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 
through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If the FTP account you provided has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.", "references": [ "CVE-2009-2521", "BID-36273", "OSVDB-57753", "MSB-MS09-053", "URL-https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/iis_list_exhaustion", "check": false }, "auxiliary_dos/windows/ftp/solarftp_user": { "name": "Solar FTP Server Malformed USER Denial of Service", "full_name": "auxiliary/dos/windows/ftp/solarftp_user", "rank": 300, "disclosure_date": "2011-02-22", "type": "auxiliary", "author": [ "x000 <3d3n@hotmail.com.br>", "C4SS!0 G0M3S ", "sinn3r " ], "description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. 
This vulnerability\n affects versions 2.1.1 and earlier.", "references": [ "EDB-16204" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/solarftp_user", "check": false }, "auxiliary_dos/windows/ftp/titan626_site": { "name": "Titan FTP Server 6.26.630 SITE WHO DoS", "full_name": "auxiliary/dos/windows/ftp/titan626_site", "rank": 300, "disclosure_date": "2008-10-14", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.", "references": [ "CVE-2008-6082", "OSVDB-49177", "EDB-6753" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/titan626_site", "check": false }, "auxiliary_dos/windows/ftp/vicftps50_list": { "name": "Victory FTP Server 5.0 LIST DoS", "full_name": "auxiliary/dos/windows/ftp/vicftps50_list", "rank": 300, "disclosure_date": "2008-10-24", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command", "references": [ "CVE-2008-2031", "CVE-2008-6829", "OSVDB-44608", "EDB-6834" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/vicftps50_list", "check": false }, "auxiliary_dos/windows/ftp/winftp230_nlst": { "name": "WinFTP 2.3.0 NLST Denial of Service", "full_name": 
"auxiliary/dos/windows/ftp/winftp230_nlst", "rank": 300, "disclosure_date": "2008-09-26", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.", "references": [ "CVE-2008-5666", "OSVDB-49043", "EDB-6581" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/winftp230_nlst", "check": false }, "auxiliary_dos/windows/ftp/xmeasy560_nlst": { "name": "XM Easy Personal FTP Server 5.6.0 NLST DoS", "full_name": "auxiliary/dos/windows/ftp/xmeasy560_nlst", "rank": 300, "disclosure_date": "2008-10-13", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "This module is a port of shinnai's script. You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.", "references": [ "CVE-2008-5626", "OSVDB-50837", "EDB-6741" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/xmeasy560_nlst", "check": false }, "auxiliary_dos/windows/ftp/xmeasy570_nlst": { "name": "XM Easy Personal FTP Server 5.7.0 NLST DoS", "full_name": "auxiliary/dos/windows/ftp/xmeasy570_nlst", "rank": 300, "disclosure_date": "2009-03-27", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.", "references": [ "CVE-2008-5626", "OSVDB-50837", "EDB-8294" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, 
"mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb", "is_install_path": true, "ref_name": "dos/windows/ftp/xmeasy570_nlst", "check": false }, "auxiliary_dos/windows/games/kaillera": { "name": "Kaillera 0.86 Server Denial of Service", "full_name": "auxiliary/dos/windows/games/kaillera", "rank": 300, "disclosure_date": "2011-07-02", "type": "auxiliary", "author": [ "Sil3nt_Dre4m" ], "description": "The Kaillera 0.86 server can be shut down by sending any malformed packet\n after the initial \"hello\" packet.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 27888, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/dos/windows/games/kaillera.rb", "is_install_path": true, "ref_name": "dos/windows/games/kaillera", "check": false }, "auxiliary_dos/windows/http/ms10_065_ii6_asp_dos": { "name": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service", "full_name": "auxiliary/dos/windows/http/ms10_065_ii6_asp_dos", "rank": 300, "disclosure_date": "2010-09-14", "type": "auxiliary", "author": [ "Heyder Andrade ", "Leandro Oliveira " ], "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.", "references": [ "CVE-2010-1899", "OSVDB-67978", "MSB-MS10-065", "EDB-15167" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb", "is_install_path": true, "ref_name": "dos/windows/http/ms10_065_ii6_asp_dos", "check": false }, "auxiliary_dos/windows/http/pi3web_isapi": { "name": "Pi3Web ISAPI DoS", "full_name": "auxiliary/dos/windows/http/pi3web_isapi", 
"rank": 300, "disclosure_date": "2008-11-13", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.", "references": [ "CVE-2008-6938", "OSVDB-49998", "EDB-7109" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/http/pi3web_isapi.rb", "is_install_path": true, "ref_name": "dos/windows/http/pi3web_isapi", "check": false }, "auxiliary_dos/windows/llmnr/ms11_030_dnsapi": { "name": "Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS", "full_name": "auxiliary/dos/windows/llmnr/ms11_030_dnsapi", "rank": 300, "disclosure_date": "2011-04-12", "type": "auxiliary", "author": [ "jduck " ], "description": "This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll\n as distributed with Windows Vista and later without KB2509553. By sending a\n specially crafted LLMNR query, containing a leading '.' character, an attacker\n can trigger stack exhaustion or potentially cause stack memory corruption.\n\n Although this vulnerability may lead to code execution, it has not been proven\n to be possible at the time of this writing.\n\n NOTE: In some circumstances, a '.' may be found before the top of the stack is\n reached. 
In these cases, this module may not be able to cause a crash.", "references": [ "CVE-2011-0657", "OSVDB-71780", "MSB-MS11-030" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5355, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb", "is_install_path": true, "ref_name": "dos/windows/llmnr/ms11_030_dnsapi", "check": false }, "auxiliary_dos/windows/nat/nat_helper": { "name": "Microsoft Windows NAT Helper Denial of Service", "full_name": "auxiliary/dos/windows/nat/nat_helper", "rank": 300, "disclosure_date": "2006-10-26", "type": "auxiliary", "author": [ "MC " ], "description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.", "references": [ "OSVDB-30096", "BID-20804", "CVE-2006-5614" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 53, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/nat/nat_helper.rb", "is_install_path": true, "ref_name": "dos/windows/nat/nat_helper", "check": false }, "auxiliary_dos/windows/rdp/ms12_020_maxchannelids": { "name": "MS12-020 Microsoft Remote Desktop Use-After-Free DoS", "full_name": "auxiliary/dos/windows/rdp/ms12_020_maxchannelids", "rank": 300, "disclosure_date": "2012-03-16", "type": "auxiliary", "author": [ "Luigi Auriemma", "Daniel Godas-Lopez", "Alex Ionescu", "jduck ", "#ms12-020" ], "description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. 
The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n an invalid pointer being used, therefore causing a denial-of-service condition.", "references": [ "CVE-2012-0002", "MSB-MS12-020", "URL-http://www.privatepaste.com/ffe875e04a", "URL-http://pastie.org/private/4egcqt9nucxnsiksudy5dw", "URL-http://pastie.org/private/feg8du0e9kfagng4rrg", "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html", "EDB-18606", "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 3389, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb", "is_install_path": true, "ref_name": "dos/windows/rdp/ms12_020_maxchannelids", "check": false }, "auxiliary_dos/windows/smb/ms05_047_pnp": { "name": "Microsoft Plug and Play Service Registry Overflow", "full_name": "auxiliary/dos/windows/smb/ms05_047_pnp", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. 
Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.", "references": [ "CVE-2005-2120", "MSB-MS05-047", "BID-15065", "OSVDB-18830" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms05_047_pnp", "check": false }, "auxiliary_dos/windows/smb/ms06_035_mailslot": { "name": "Microsoft SRV.SYS Mailslot Write Corruption", "full_name": "auxiliary/dos/windows/smb/ms06_035_mailslot", "rank": 300, "disclosure_date": "2006-07-11", "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", "references": [ "BID-19215", "OSVDB-27644", "CVE-2006-3942", "URL-http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10", "MSB-MS06-035" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms06_035_mailslot", "check": false }, "auxiliary_dos/windows/smb/ms06_063_trans": { "name": "Microsoft SRV.SYS Pipe Transaction No Null", "full_name": "auxiliary/dos/windows/smb/ms06_063_trans", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. This bug was\n independently discovered by CORE Security and ISS.", "references": [ "OSVDB-27644", "MSB-MS06-063", "CVE-2006-3942", "BID-19215" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms06_063_trans", "check": false }, "auxiliary_dos/windows/smb/ms09_001_write": { "name": "Microsoft SRV.SYS WriteAndX Invalid DataOffset", "full_name": "auxiliary/dos/windows/smb/ms09_001_write", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "j.v.vallejo " ], "description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.", "references": [ "MSB-MS09-001", "OSVDB-48153", "CVE-2008-4114", "BID-31179" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": 
"2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms09_001_write", "check": false }, "auxiliary_dos/windows/smb/ms09_050_smb2_negotiate_pidhigh": { "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "full_name": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Laurent Gaffie ", "hdm " ], "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", "references": [ "CVE-2009-3103", "BID-36299", "OSVDB-57799", "MSB-MS09-050", "URL-http://seclists.org/fulldisclosure/2009/Sep/0039.html", "URL-http://www.microsoft.com/technet/security/advisory/975497.mspx" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", "check": false }, "auxiliary_dos/windows/smb/ms09_050_smb2_session_logoff": { "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", "full_name": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "sf " ], "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", "references": [ "CVE-2009-3103", "OSVDB-57799", 
"MSB-MS09-050" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms09_050_smb2_session_logoff", "check": false }, "auxiliary_dos/windows/smb/ms10_006_negotiate_response_loop": { "name": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop", "full_name": "auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Laurent Gaffie ", "hdm " ], "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.", "references": [ "CVE-2010-0017", "OSVDB-62244", "MSB-MS10-006", "URL-http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms10_006_negotiate_response_loop", "check": false }, "auxiliary_dos/windows/smb/ms10_054_queryfs_pool_overflow": { "name": "Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS", "full_name": "auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Laurent Gaffie ", "jduck " ], "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service 
on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.", "references": [ "CVE-2010-2550", "OSVDB-66974", "MSB-MS10-054", "URL-http://seclists.org/fulldisclosure/2010/Aug/122" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow", "check": false }, "auxiliary_dos/windows/smb/ms11_019_electbowser": { "name": "Microsoft Windows Browser Pool DoS", "full_name": "auxiliary/dos/windows/smb/ms11_019_electbowser", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Cupidon-3005", "jduck " ], "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. 
While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.", "references": [ "CVE-2011-0654", "BID-46360", "OSVDB-70881", "MSB-MS11-019", "EDB-16166", "URL-http://seclists.org/fulldisclosure/2011/Feb/285" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 138, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb", "is_install_path": true, "ref_name": "dos/windows/smb/ms11_019_electbowser", "check": false }, "auxiliary_dos/windows/smb/rras_vls_null_deref": { "name": "Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference", "full_name": "auxiliary/dos/windows/smb/rras_vls_null_deref", "rank": 300, "disclosure_date": "2006-06-14", "type": "auxiliary", "author": [ "hdm " ], "description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).", "references": [ "OSVDB-64340" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb", "is_install_path": true, "ref_name": "dos/windows/smb/rras_vls_null_deref", "check": false }, "auxiliary_dos/windows/smb/vista_negotiate_stop": { "name": "Microsoft Vista SP0 SMB Negotiate Protocol DoS", "full_name": "auxiliary/dos/windows/smb/vista_negotiate_stop", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. 
This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.", "references": [ "OSVDB-64341" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb", "is_install_path": true, "ref_name": "dos/windows/smb/vista_negotiate_stop", "check": false }, "auxiliary_dos/windows/smtp/ms06_019_exchange": { "name": "MS06-019 Exchange MODPROP Heap Overflow", "full_name": "auxiliary/dos/windows/smtp/ms06_019_exchange", "rank": 300, "disclosure_date": "2004-11-12", "type": "auxiliary", "author": [ "pusscat " ], "description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.", "references": [ "BID-17908", "CVE-2006-0027", "MSB-MS06-019" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 25, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb", "is_install_path": true, "ref_name": "dos/windows/smtp/ms06_019_exchange", "check": false }, "auxiliary_dos/windows/ssh/sysax_sshd_kexchange": { "name": "Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service", "full_name": "auxiliary/dos/windows/ssh/sysax_sshd_kexchange", "rank": 300, "disclosure_date": "2013-03-17", "type": "auxiliary", "author": [ "Matt \"hostess\" Andreko " ], "description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.", "references": [ "OSVDB-92081", "URL-http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb", "is_install_path": true, "ref_name": "dos/windows/ssh/sysax_sshd_kexchange", 
"check": false }, "auxiliary_dos/windows/tftp/pt360_write": { "name": "PacketTrap TFTP Server 2.2.5459.0 DoS", "full_name": "auxiliary/dos/windows/tftp/pt360_write", "rank": 300, "disclosure_date": "2008-10-29", "type": "auxiliary", "author": [ "kris katterjohn " ], "description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.", "references": [ "CVE-2008-1311", "OSVDB-42932", "EDB-6863" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 69, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/tftp/pt360_write.rb", "is_install_path": true, "ref_name": "dos/windows/tftp/pt360_write", "check": false }, "auxiliary_dos/windows/tftp/solarwinds": { "name": "SolarWinds TFTP Server 10.4.0.10 Denial of Service", "full_name": "auxiliary/dos/windows/tftp/solarwinds", "rank": 300, "disclosure_date": "2010-05-21", "type": "auxiliary", "author": [ "Nullthreat" ], "description": "The SolarWinds TFTP server can be shut down by sending a 'netascii' read\n request with a specially crafted file name.", "references": [ "CVE-2010-2115", "OSVDB-64845", "EDB-12683" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 69, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/windows/tftp/solarwinds.rb", "is_install_path": true, "ref_name": "dos/windows/tftp/solarwinds", "check": false }, "auxiliary_dos/wireshark/capwap": { "name": "Wireshark CAPWAP Dissector DoS", "full_name": "auxiliary/dos/wireshark/capwap", "rank": 300, "disclosure_date": "2014-04-28", "type": "auxiliary", "author": [ "Laurent Butti", "j0sm1" ], "description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. 
The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.", "references": [ "CVE-2013-4074", "OSVDB-94091", "BID-60500" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 5247, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/wireshark/capwap.rb", "is_install_path": true, "ref_name": "dos/wireshark/capwap", "check": false }, "auxiliary_dos/wireshark/chunked": { "name": "Wireshark chunked_encoding_dissector Function DOS", "full_name": "auxiliary/dos/wireshark/chunked", "rank": 300, "disclosure_date": "2007-02-22", "type": "auxiliary", "author": [ "Matteo Cantoni " ], "description": "Wireshark crash when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)", "references": [ "CVE-2007-3389", "OSVDB-37643", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/wireshark/chunked.rb", "is_install_path": true, "ref_name": "dos/wireshark/chunked", "check": false }, "auxiliary_dos/wireshark/cldap": { "name": "Wireshark CLDAP Dissector DOS", "full_name": "auxiliary/dos/wireshark/cldap", "rank": 300, "disclosure_date": "2011-03-01", "type": "auxiliary", "author": [ "joernchen (Phenoelit)>" ], "description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially crafted UDP packet.", "references": [ "CVE-2011-1140", "OSVDB-71552", "URL-http://www.wireshark.org/security/wnpa-sec-2011-04.html", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 389, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/wireshark/cldap.rb", "is_install_path": true, "ref_name": 
"dos/wireshark/cldap", "check": false }, "auxiliary_dos/wireshark/ldap": { "name": "Wireshark LDAP Dissector DOS", "full_name": "auxiliary/dos/wireshark/ldap", "rank": 300, "disclosure_date": "2008-03-28", "type": "auxiliary", "author": [ "MC " ], "description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.", "references": [ "CVE-2008-1562", "OSVDB-43840" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 389, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/dos/wireshark/ldap.rb", "is_install_path": true, "ref_name": "dos/wireshark/ldap", "check": false }, "auxiliary_fileformat/badpdf": { "name": "BADPDF Malicious PDF Creator", "full_name": "auxiliary/fileformat/badpdf", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Assaf Baharav", "Yaron Fruchtmann", "Ido Solomon", "Richard Davy - secureyourit.co.uk" ], "description": "This module can either creates a blank PDF file which contains a UNC link which can be used\n to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary\n code into an existing PDF document if possible.", "references": [ "CVE-2018-4993", "URL-https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-12 22:55:38 +0000", "path": "/modules/auxiliary/fileformat/badpdf.rb", "is_install_path": true, "ref_name": "fileformat/badpdf", "check": false }, "auxiliary_fileformat/multidrop": { "name": "Windows SMB Multi Dropper", "full_name": "auxiliary/fileformat/multidrop", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Richard Davy - secureyourit.co.uk", "Lnk Creation Code by Mubix" ], "description": "This module dependent on the given filename extension creates 
either\n a .lnk, .scf, .url, desktop.ini file which includes a reference\n to the the specified remote host, causing SMB connections to be initiated\n from any user that views the file.", "references": [ "URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018", "URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-10 21:53:40 +0000", "path": "/modules/auxiliary/fileformat/multidrop.rb", "is_install_path": true, "ref_name": "fileformat/multidrop", "check": false }, "auxiliary_fileformat/odt_badodt": { "name": "LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator", "full_name": "auxiliary/fileformat/odt_badodt", "rank": 300, "disclosure_date": "2018-05-01", "type": "auxiliary", "author": [ "Richard Davy - secureyourit.co.uk" ], "description": "Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes.", "references": [ "CVE-2018-10583", "URL-https://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-06 11:26:20 +0000", "path": "/modules/auxiliary/fileformat/odt_badodt.rb", "is_install_path": true, "ref_name": "fileformat/odt_badodt", "check": false }, "auxiliary_fuzzers/dns/dns_fuzzer": { "name": "DNS and DNSSEC Fuzzer", "full_name": "auxiliary/fuzzers/dns/dns_fuzzer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "pello " ], "description": "This module will connect to a DNS server and perform DNS and\n DNSSEC protocol-level fuzzing. 
Note that this module may inadvertently\n crash the target server.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 53, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb", "is_install_path": true, "ref_name": "fuzzers/dns/dns_fuzzer", "check": true }, "auxiliary_fuzzers/ftp/client_ftp": { "name": "Simple FTP Client Fuzzer", "full_name": "auxiliary/fuzzers/ftp/client_ftp", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "corelanc0d3r " ], "description": "This module will serve an FTP server and perform FTP client interaction fuzzing", "references": [ "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ftp/client_ftp.rb", "is_install_path": true, "ref_name": "fuzzers/ftp/client_ftp", "check": false }, "auxiliary_fuzzers/ftp/ftp_pre_post": { "name": "Simple FTP Fuzzer", "full_name": "auxiliary/fuzzers/ftp/ftp_pre_post", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "corelanc0d3r ", "jduck " ], "description": "This module will connect to a FTP server and perform pre- and post-authentication fuzzing", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb", "is_install_path": true, "ref_name": "fuzzers/ftp/ftp_pre_post", "check": true }, "auxiliary_fuzzers/http/http_form_field": { "name": "HTTP Form Field Fuzzer", "full_name": "auxiliary/fuzzers/http/http_form_field", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "corelanc0d3r", "Paulino Calderon " ], "description": "This module will grab all fields from a form,\n and launch a 
series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)", "references": [ "URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/http/http_form_field.rb", "is_install_path": true, "ref_name": "fuzzers/http/http_form_field", "check": false }, "auxiliary_fuzzers/http/http_get_uri_long": { "name": "HTTP GET Request URI Fuzzer (Incrementing Lengths)", "full_name": "auxiliary/fuzzers/http/http_get_uri_long", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullthreat" ], "description": "This module sends a series of HTTP GET request with incrementing URL lengths.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/http/http_get_uri_long.rb", "is_install_path": true, "ref_name": "fuzzers/http/http_get_uri_long", "check": false }, "auxiliary_fuzzers/http/http_get_uri_strings": { "name": "HTTP GET Request URI Fuzzer (Fuzzer Strings)", "full_name": "auxiliary/fuzzers/http/http_get_uri_strings", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "nullthreat" ], "description": "This module sends a series of HTTP GET request with malicious URIs.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 80, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb", "is_install_path": true, "ref_name": "fuzzers/http/http_get_uri_strings", "check": false }, "auxiliary_fuzzers/ntp/ntp_protocol_fuzzer": { "name": "NTP Protocol Fuzzer", "full_name": "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer", "rank": 
300, "disclosure_date": null, "type": "auxiliary", "author": [ "Jon Hart " ], "description": "A simplistic fuzzer for the Network Time Protocol that sends the\n following probes to understand NTP and look for anomalous NTP behavior:\n\n * All possible combinations of NTP versions and modes, even if not\n allowed or specified in the RFCs\n * Short versions of the above\n * Short, invalid datagrams\n * Full-size, random datagrams\n * All possible NTP control messages\n * All possible NTP private messages\n\n This findings of this fuzzer are not necessarily indicative of bugs,\n let alone vulnerabilities, rather they point out interesting things\n that might deserve more attention. Furthermore, this module is not\n particularly intelligent and there are many more areas of NTP that\n could be explored, including:\n\n * Warn if the response is 100% identical to the request\n * Warn if the \"mode\" (if applicable) doesn't align with what we expect,\n * Filter out the 12-byte mode 6 unsupported opcode errors.\n * Fuzz the control message payload offset/size/etc. 
There be bugs", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 123, "targets": null, "mod_time": "2017-09-12 09:54:09 +0000", "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb", "is_install_path": true, "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer", "check": true }, "auxiliary_fuzzers/smb/smb2_negotiate_corrupt": { "name": "SMB Negotiate SMB2 Dialect Corruption", "full_name": "auxiliary/fuzzers/smb/smb2_negotiate_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB negotiate requests that advertise a\n SMB2 dialect with corrupted bytes.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb2_negotiate_corrupt", "check": false }, "auxiliary_fuzzers/smb/smb_create_pipe": { "name": "SMB Create Pipe Request Fuzzer", "full_name": "auxiliary/fuzzers/smb/smb_create_pipe", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB create pipe\n requests using malicious strings.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_create_pipe", "check": false }, "auxiliary_fuzzers/smb/smb_create_pipe_corrupt": { "name": "SMB Create Pipe Request Corruption", "full_name": "auxiliary/fuzzers/smb/smb_create_pipe_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB create pipe requests with corrupted bytes.", "references": [ ], 
"is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_create_pipe_corrupt", "check": false }, "auxiliary_fuzzers/smb/smb_negotiate_corrupt": { "name": "SMB Negotiate Dialect Corruption", "full_name": "auxiliary/fuzzers/smb/smb_negotiate_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB negotiate requests with corrupted bytes", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-08-24 21:38:44 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_negotiate_corrupt", "check": false }, "auxiliary_fuzzers/smb/smb_ntlm1_login_corrupt": { "name": "SMB NTLMv1 Login Request Corruption", "full_name": "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt", "check": false }, "auxiliary_fuzzers/smb/smb_tree_connect": { "name": "SMB Tree Connect Request Fuzzer", "full_name": "auxiliary/fuzzers/smb/smb_tree_connect", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB tree connect\n requests using malicious strings.", "references": [ ], "is_server": false, 
"is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_tree_connect", "check": false }, "auxiliary_fuzzers/smb/smb_tree_connect_corrupt": { "name": "SMB Tree Connect Request Corruption", "full_name": "auxiliary/fuzzers/smb/smb_tree_connect_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SMB tree connect requests with corrupted bytes.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 445, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/smb/smb_tree_connect_corrupt", "check": false }, "auxiliary_fuzzers/smtp/smtp_fuzzer": { "name": "SMTP Simple Fuzzer", "full_name": "auxiliary/fuzzers/smtp/smtp_fuzzer", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "justme" ], "description": "SMTP Simple Fuzzer", "references": [ "URL-http://www.ietf.org/rfc/rfc2821.txt" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 25, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb", "is_install_path": true, "ref_name": "fuzzers/smtp/smtp_fuzzer", "check": true }, "auxiliary_fuzzers/ssh/ssh_kexinit_corrupt": { "name": "SSH Key Exchange Init Corruption", "full_name": "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SSH requests with a corrupted initial key exchange payload.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22, "targets": null, "mod_time": "2017-07-24 
06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/ssh/ssh_kexinit_corrupt", "check": false }, "auxiliary_fuzzers/ssh/ssh_version_15": { "name": "SSH 1.5 Version Fuzzer", "full_name": "auxiliary/fuzzers/ssh/ssh_version_15", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SSH requests with malicious version strings.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb", "is_install_path": true, "ref_name": "fuzzers/ssh/ssh_version_15", "check": false }, "auxiliary_fuzzers/ssh/ssh_version_2": { "name": "SSH 2.0 Version Fuzzer", "full_name": "auxiliary/fuzzers/ssh/ssh_version_2", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SSH requests with malicious version strings.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb", "is_install_path": true, "ref_name": "fuzzers/ssh/ssh_version_2", "check": false }, "auxiliary_fuzzers/ssh/ssh_version_corrupt": { "name": "SSH Version Corruption", "full_name": "auxiliary/fuzzers/ssh/ssh_version_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of SSH requests with a corrupted version string", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 22, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/ssh/ssh_version_corrupt", "check": 
false }, "auxiliary_fuzzers/tds/tds_login_corrupt": { "name": "TDS Protocol Login Request Corruption Fuzzer", "full_name": "auxiliary/fuzzers/tds/tds_login_corrupt", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of malformed TDS login requests.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb", "is_install_path": true, "ref_name": "fuzzers/tds/tds_login_corrupt", "check": false }, "auxiliary_fuzzers/tds/tds_login_username": { "name": "TDS Protocol Login Request Username Fuzzer", "full_name": "auxiliary/fuzzers/tds/tds_login_username", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "hdm " ], "description": "This module sends a series of malformed TDS login requests.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 1433, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/fuzzers/tds/tds_login_username.rb", "is_install_path": true, "ref_name": "fuzzers/tds/tds_login_username", "check": false }, "auxiliary_gather/advantech_webaccess_creds": { "name": "Advantech WebAccess 8.1 Post Authentication Credential Collector", "full_name": "auxiliary/gather/advantech_webaccess_creds", "rank": 300, "disclosure_date": "2017-01-21", "type": "auxiliary", "author": [ "h00die", "sinn3r " ], "description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, any level of user permission can exploit this vulnerability.\n\n Note that version 8.2 is not supported by this module.", "references": [ "CVE-2016-5810", "URL-https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229" ], "is_server": false, "is_client": false, "platform": "", "arch": "", 
"rport": 80, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/gather/advantech_webaccess_creds.rb", "is_install_path": true, "ref_name": "gather/advantech_webaccess_creds", "check": false }, "auxiliary_gather/alienvault_iso27001_sqli": { "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", "full_name": "auxiliary/gather/alienvault_iso27001_sqli", "rank": 300, "disclosure_date": "2014-03-30", "type": "auxiliary", "author": [ "Brandon Perry " ], "description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.", "references": [ "EDB-32644" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb", "is_install_path": true, "ref_name": "gather/alienvault_iso27001_sqli", "check": false }, "auxiliary_gather/alienvault_newpolicyform_sqli": { "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", "full_name": "auxiliary/gather/alienvault_newpolicyform_sqli", "rank": 300, "disclosure_date": "2014-05-09", "type": "auxiliary", "author": [ "Chris Hebert " ], "description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability\n to read an arbitrary file from the file system. 
Any authenticated user is able to exploit\n this, as administrator privileges are not required.", "references": [ "CVE-2014-5383", "OSVDB-106815", "EDB-33317", "URL-http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": 443, "targets": null, "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb", "is_install_path": true, "ref_name": "gather/alienvault_newpolicyform_sqli", "check": false }, "auxiliary_gather/android_browser_file_theft": { "name": "Android Browser File Theft", "full_name": "auxiliary/gather/android_browser_file_theft", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Rafay Baloch", "joev " ], "description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.", "references": [ "URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0", "URL-https://code.google.com/p/chromium/issues/detail?id=90222" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/auxiliary/gather/android_browser_file_theft.rb", "is_install_path": true, "ref_name": "gather/android_browser_file_theft", "check": false }, "auxiliary_gather/android_browser_new_tab_cookie_theft": { "name": "Android Browser \"Open in New Tab\" Cookie Theft", "full_name": "auxiliary/gather/android_browser_new_tab_cookie_theft", "rank": 300, "disclosure_date": null, "type": "auxiliary", "author": [ "Rafay Baloch", "joev " ], "description": "In Android's stock AOSP Browser application and WebView component, the\n \"open in new tab\" functionality allows a file URL to be opened. On\n versions of Android before 4.4, the path to the sqlite cookie\n database could be specified. 
By saving a cookie containing a .\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.", "references": [ "URL-http://support.microsoft.com/kb/182569", "URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html", "URL-http://support.microsoft.com/kb/870669" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows x86/x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ie_unsafe_scripting.rb", "is_install_path": true, "ref_name": "windows/browser/ie_unsafe_scripting", "check": false }, "exploit_windows/browser/imgeviewer_tifmergemultifiles": { "name": "Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control", "full_name": "exploit/windows/browser/imgeviewer_tifmergemultifiles", "rank": 300, "disclosure_date": "2010-03-03", "type": "exploit", "author": [ "Dr_IDE", "TecR0c ", "mr_me " ], "description": "This module exploits a stack-based buffer overflow in the ActiveX control\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. 
Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", "references": [ "CVE-2010-5193", "OSVDB-78102", "EDB-15668", "URL-http://secunia.com/advisories/42445/", "URL-http://xforce.iss.net/xforce/xfdb/63666" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 6/7", "Internet Explorer 8 with JRE" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb", "is_install_path": true, "ref_name": "windows/browser/imgeviewer_tifmergemultifiles", "check": false }, "exploit_windows/browser/indusoft_issymbol_internationalseparator": { "name": "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow", "full_name": "exploit/windows/browser/indusoft_issymbol_internationalseparator", "rank": 300, "disclosure_date": "2012-04-28", "type": "exploit", "author": [ "Alexander Gavrun", "Dmitriy Pletnev", "James Fitts ", "juan vazquez " ], "description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. 
The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll from the Java JRE6 to bypass ASLR.", "references": [ "CVE-2011-0340", "OSVDB-72865", "BID-47596", "ZDI-12-168", "URL-http://secunia.com/secunia_research/2011-37/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb", "is_install_path": true, "ref_name": "windows/browser/indusoft_issymbol_internationalseparator", "check": false }, "exploit_windows/browser/inotes_dwa85w_bof": { "name": "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/inotes_dwa85w_bof", "rank": 300, "disclosure_date": "2012-06-01", "type": "exploit", "author": [ "Gaurav Baruah", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR, the dwabho.dll module, which is not ASLR-compatible, is used. 
This one\n is installed with the iNotes ActiveX.", "references": [ "CVE-2012-2175", "OSVDB-82755", "BID-53879", "ZDI-12-132", "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21596862" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/inotes_dwa85w_bof.rb", "is_install_path": true, "ref_name": "windows/browser/inotes_dwa85w_bof", "check": false }, "exploit_windows/browser/intrust_annotatex_add": { "name": "Quest InTrust Annotation Objects Uninitialized Pointer", "full_name": "exploit/windows/browser/intrust_annotatex_add", "rank": 200, "disclosure_date": "2012-03-28", "type": "exploit", "author": [ "rgod ", "mr_me " ], "description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ASLR, so this module exploits the vulnerability against Windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. 
This will take some time in the users browser.", "references": [ "CVE-2012-5896", "OSVDB-80662", "BID-52765", "EDB-18674" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows XP/Vista SP0-SP3 (IE6/IE7)", "Windows XP SP0-SP3 DEP bypass (IE8)", "Windows 7/Vista ALSR/DEP bypass (IE8)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/intrust_annotatex_add.rb", "is_install_path": true, "ref_name": "windows/browser/intrust_annotatex_add", "check": false }, "exploit_windows/browser/java_basicservice_impl": { "name": "Sun Java Web Start BasicServiceImpl Code Execution", "full_name": "exploit/windows/browser/java_basicservice_impl", "rank": 600, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "Matthias Kaiser", "egypt " ], "description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"", "references": [ "CVE-2010-3563", "OSVDB-69043", "URL-http://mk41ser.blogspot.com" ], "is_server": false, "is_client": true, "platform": "Java,Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Generic (Java Payload)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_basicservice_impl.rb", "is_install_path": true, "ref_name": "windows/browser/java_basicservice_impl", "check": false }, "exploit_windows/browser/java_cmm": { "name": "Java CMM Remote Code Execution", "full_name": "exploit/windows/browser/java_cmm", "rank": 300, "disclosure_date": "2013-03-01", "type": "exploit", "author": [ "Unknown", "juan 
vazquez " ], "description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.", "references": [ "CVE-2013-1493", "OSVDB-90737", "BID-58238", "URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493", "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html", "URL-http://pastie.org/pastes/6581034" ], "is_server": false, "is_client": true, "platform": "Java,Windows", "arch": "", "rport": null, "targets": [ "Generic (Java Payload)", "Windows x86 (Native Payload)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_cmm.rb", "is_install_path": true, "ref_name": "windows/browser/java_cmm", "check": false }, "exploit_windows/browser/java_codebase_trust": { "name": "Sun Java Applet2ClassLoader Remote Code Execution", "full_name": "exploit/windows/browser/java_codebase_trust", "rank": 600, "disclosure_date": "2011-02-15", "type": "exploit", "author": [ "Frederic Hoguin", "jduck " ], "description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. 
A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.", "references": [ "CVE-2010-4452", "OSVDB-71193", "ZDI-11-084", "URL-http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/", "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html" ], "is_server": false, "is_client": true, "platform": "Java", "arch": "", "rport": null, "targets": [ "Generic (Java Payload)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_codebase_trust.rb", "is_install_path": true, "ref_name": "windows/browser/java_codebase_trust", "check": false }, "exploit_windows/browser/java_docbase_bof": { "name": "Sun Java Runtime New Plugin docbase Buffer Overflow", "full_name": "exploit/windows/browser/java_docbase_bof", "rank": 500, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. 
Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.", "references": [ "CVE-2010-3552", "OSVDB-68873", "BID-44023", "URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html", "ZDI-10-206", "URL-http://code.google.com/p/skylined/issues/detail?id=23", "URL-http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/", "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal (msvcr71.dll ROP)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_docbase_bof.rb", "is_install_path": true, "ref_name": "windows/browser/java_docbase_bof", "check": false }, "exploit_windows/browser/java_mixer_sequencer": { "name": "Java MixerSequencer Object GM_Song Structure Handling Vulnerability", "full_name": "exploit/windows/browser/java_mixer_sequencer", "rank": 500, "disclosure_date": "2010-03-30", "type": "exploit", "author": [ "Peter Vreugdenhil", "juan vazquez " ], "description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation is done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer object is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. 
A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.", "references": [ "CVE-2010-0842", "OSVDB-63493", "BID-39077", "ZDI-10-060", "URL-http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows / Java 6 <=u18" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb", "is_install_path": true, "ref_name": "windows/browser/java_mixer_sequencer", "check": false }, "exploit_windows/browser/java_ws_arginject_altjvm": { "name": "Sun Java Web Start Plugin Command Line Argument Injection", "full_name": "exploit/windows/browser/java_ws_arginject_altjvm", "rank": 600, "disclosure_date": "2010-04-09", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. 
Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", "references": [ "CVE-2010-0886", "CVE-2010-1423", "OSVDB-63648", "BID-39346", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html", "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Java Runtime on Windows x86" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb", "is_install_path": true, "ref_name": "windows/browser/java_ws_arginject_altjvm", "check": false }, "exploit_windows/browser/java_ws_double_quote": { "name": "Sun Java Web Start Double Quote Injection", "full_name": "exploit/windows/browser/java_ws_double_quote", "rank": 600, "disclosure_date": "2012-10-16", "type": "exploit", "author": [ "Rh0 " ], "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). 
Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.", "references": [ "CVE-2012-1533", "OSVDB-86348", "BID-56046", "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html", "URL-http://pastebin.com/eUucVage " ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/java_ws_double_quote.rb", "is_install_path": true, "ref_name": "windows/browser/java_ws_double_quote", "check": false }, "exploit_windows/browser/java_ws_vmargs": { "name": "Sun Java Web Start Plugin Command Line Argument Injection", "full_name": "exploit/windows/browser/java_ws_vmargs", "rank": 600, "disclosure_date": "2012-02-14", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. 
Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", "references": [ "CVE-2012-0500", "OSVDB-79227", "BID-52015", "URL-http://seclists.org/fulldisclosure/2012/Feb/251", "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Java Runtime on Windows x86" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/java_ws_vmargs.rb", "is_install_path": true, "ref_name": "windows/browser/java_ws_vmargs", "check": false }, "exploit_windows/browser/juniper_sslvpn_ive_setupdll": { "name": "Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/juniper_sslvpn_ive_setupdll", "rank": 300, "disclosure_date": "2006-04-26", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX control,\n as part of the Juniper SSL-VPN (IVE) appliance. 
By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.", "references": [ "CVE-2006-2086", "OSVDB-25001", "BID-17712", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Pro SP3 English", "Debugging" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb", "is_install_path": true, "ref_name": "windows/browser/juniper_sslvpn_ive_setupdll", "check": false }, "exploit_windows/browser/kazaa_altnet_heap": { "name": "Kazaa Altnet Download Manager ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/kazaa_altnet_heap", "rank": 300, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.", "references": [ "CVE-2007-5217", "OSVDB-37785", "URL-http://secunia.com/advisories/26970/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / IE 6.0SP1 English" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb", "is_install_path": true, "ref_name": "windows/browser/kazaa_altnet_heap", "check": false }, "exploit_windows/browser/keyhelp_launchtripane_exec": { "name": "KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability", "full_name": "exploit/windows/browser/keyhelp_launchtripane_exec", "rank": 600, "disclosure_date": "2012-06-26", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n 
control from keyhelp.ocx. It is packaged in several products of GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then uploading another MOF file, which enables the Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n Additionally, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. It is enabled and automatically started by default on\n Windows XP SP3.", "references": [ "CVE-2012-2516", "OSVDB-83311", "BID-55265", "ZDI-12-169", "URL-http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb", "is_install_path": true, "ref_name": "windows/browser/keyhelp_launchtripane_exec", "check": false }, "exploit_windows/browser/logitechvideocall_start": { "name": "Logitech VideoCall ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/logitechvideocall_start", "rank": 300, "disclosure_date": "2007-05-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). 
By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-2918", "OSVDB-36820", "BID-24254" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Pro SP2 English" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/logitechvideocall_start.rb", "is_install_path": true, "ref_name": "windows/browser/logitechvideocall_start", "check": false }, "exploit_windows/browser/lpviewer_url": { "name": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/lpviewer_url", "rank": 300, "disclosure_date": "2008-10-06", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-4384", "OSVDB-48946", "US-CERT-VU-848873", "BID-31604" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/lpviewer_url.rb", "is_install_path": true, "ref_name": "windows/browser/lpviewer_url", "check": false }, "exploit_windows/browser/macrovision_downloadandexecute": { "name": "Macrovision InstallShield Update Service Buffer Overflow", "full_name": "exploit/windows/browser/macrovision_downloadandexecute", "rank": 300, "disclosure_date": "2007-10-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service(Isusweb.dll 6.0.100.54472). 
By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-5660", "OSVDB-38347" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0/SP1 Pro English", "Windows 2000 Pro English All" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/macrovision_downloadandexecute.rb", "is_install_path": true, "ref_name": "windows/browser/macrovision_downloadandexecute", "check": false }, "exploit_windows/browser/macrovision_unsafe": { "name": "Macrovision InstallShield Update Service ActiveX Unsafe Method", "full_name": "exploit/windows/browser/macrovision_unsafe", "rank": 600, "disclosure_date": "2007-10-20", "type": "exploit", "author": [ "MC " ], "description": "This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.", "references": [ "CVE-2007-5660", "OSVDB-38347", "BID-26280" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/macrovision_unsafe.rb", "is_install_path": true, "ref_name": "windows/browser/macrovision_unsafe", "check": false }, "exploit_windows/browser/malwarebytes_update_exec": { "name": "Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution", "full_name": "exploit/windows/browser/malwarebytes_update_exec", "rank": 400, "disclosure_date": "2014-12-16", "type": "exploit", "author": [ "Yonathan Klijnsma", "Gabor Seljan", "todb " ], "description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the 
update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.", "references": [ "CVE-2014-4936", "OSVDB-116050", "URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb", "is_install_path": true, "ref_name": "windows/browser/malwarebytes_update_exec", "check": false }, "exploit_windows/browser/maxthon_history_xcs": { "name": "Maxthon3 about:history XCS Trusted Zone Code Execution", "full_name": "exploit/windows/browser/maxthon_history_xcs", "rank": 600, "disclosure_date": "2012-11-26", "type": "exploit", "author": [ "Roberto Suggi Liverani", "sinn3r ", "juan vazquez " ], "description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection into such a privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. 
Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.", "references": [ "OSVDB-88191", "EDB-23225", "URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Maxthon 3 (prior to 3.3) on Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb", "is_install_path": true, "ref_name": "windows/browser/maxthon_history_xcs", "check": false }, "exploit_windows/browser/mcafee_mcsubmgr_vsprintf": { "name": "McAfee Subscription Manager Stack Buffer Overflow", "full_name": "exploit/windows/browser/mcafee_mcsubmgr_vsprintf", "rank": 300, "disclosure_date": "2006-08-01", "type": "exploit", "author": [ "skape " ], "description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.", "references": [ "CVE-2006-3961", "OSVDB-27698", "BID-19265" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb", "is_install_path": true, "ref_name": "windows/browser/mcafee_mcsubmgr_vsprintf", "check": false }, "exploit_windows/browser/mcafee_mvt_exec": { "name": "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability", "full_name": "exploit/windows/browser/mcafee_mvt_exec", "rank": 600, "disclosure_date": "2012-04-30", "type": "exploit", "author": [ "rgod", "sinn3r " ], "description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. 
This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.", "references": [ "CVE-2012-4598", "OSVDB-81657", "EDB-18805", "URL-https://kc.mcafee.com/corporate/index?page=content&id=SB10028" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/mcafee_mvt_exec.rb", "is_install_path": true, "ref_name": "windows/browser/mcafee_mvt_exec", "check": false }, "exploit_windows/browser/mcafeevisualtrace_tracetarget": { "name": "McAfee Visual Trace ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/mcafeevisualtrace_tracetarget", "rank": 300, "disclosure_date": "2007-07-07", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2006-6707", "OSVDB-32399", "URL-http://secunia.com/advisories/23463" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Pro SP2 English" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb", "is_install_path": true, "ref_name": "windows/browser/mcafeevisualtrace_tracetarget", "check": false }, "exploit_windows/browser/mirc_irc_url": { "name": "mIRC IRC URL Buffer Overflow", "full_name": "exploit/windows/browser/mirc_irc_url", "rank": 300, "disclosure_date": "2003-10-13", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in mIRC 6.1. 
By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.", "references": [ "CVE-2003-1336", "OSVDB-2665", "BID-8819" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 Pro English All", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mirc_irc_url.rb", "is_install_path": true, "ref_name": "windows/browser/mirc_irc_url", "check": false }, "exploit_windows/browser/mozilla_attribchildremoved": { "name": "Firefox 8/9 AttributeChildRemoved() Use-After-Free", "full_name": "exploit/windows/browser/mozilla_attribchildremoved", "rank": 200, "disclosure_date": "2011-12-06", "type": "exploit", "author": [ "regenrecht", "Lincoln ", "corelanc0d3r " ], "description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. 
By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.", "references": [ "CVE-2011-3659", "OSVDB-78736", "ZDI-12-110", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708198" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows XP - Firefox 8 / 8.0.1", "Windows XP - Firefox 9", "Windows XP - Firefox 9.0.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mozilla_attribchildremoved.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_attribchildremoved", "check": false }, "exploit_windows/browser/mozilla_firefox_onreadystatechange": { "name": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free", "full_name": "exploit/windows/browser/mozilla_firefox_onreadystatechange", "rank": 300, "disclosure_date": "2013-06-25", "type": "exploit", "author": [ "Nils", "Unknown", "w3bd3vil", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.", "references": [ "CVE-2013-1690", "OSVDB-94584", "BID-60778", "URL-https://www.mozilla.org/security/announce/2013/mfsa2013-53.html", "URL-https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=901365", "URL-http://krash.in/ffn0day.txt", "URL-http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Firefox 17 & Firefox 21 / Windows XP SP3" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb", "is_install_path": true, 
"ref_name": "windows/browser/mozilla_firefox_onreadystatechange", "check": false }, "exploit_windows/browser/mozilla_firefox_xmlserializer": { "name": "Firefox XMLSerializer Use After Free", "full_name": "exploit/windows/browser/mozilla_firefox_xmlserializer", "rank": 300, "disclosure_date": "2013-01-08", "type": "exploit", "author": [ "regenrecht", "juan vazquez " ], "description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.", "references": [ "CVE-2013-0753", "OSVDB-89021", "BID-57209", "ZDI-13-006", "URL-http://www.mozilla.org/security/announce/2013/mfsa2013-16.html", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=814001" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Firefox 17 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mozilla_firefox_xmlserializer.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_firefox_xmlserializer", "check": false }, "exploit_windows/browser/mozilla_interleaved_write": { "name": "Mozilla Firefox Interleaved document.write/appendChild Memory Corruption", "full_name": "exploit/windows/browser/mozilla_interleaved_write", "rank": 300, "disclosure_date": "2010-10-25", "type": "exploit", "author": [ "unknown", "scriptjunkie" ], "description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.", "references": [ "CVE-2010-3765", "OSVDB-68905", "BID-15352", "EDB-15352", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=607222", 
"URL-http://www.mozilla.org/security/announce/2010/mfsa2010-73.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Firefox 3.6.8 - 3.6.11, Windows XP/Windows Server 2003" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/mozilla_interleaved_write.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_interleaved_write", "check": false }, "exploit_windows/browser/mozilla_mchannel": { "name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability", "full_name": "exploit/windows/browser/mozilla_mchannel", "rank": 300, "disclosure_date": "2011-05-10", "type": "exploit", "author": [ "regenrecht", "Rh0", "mr_me " ], "description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECTs\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. 
Additionally,\n a Windows 7 target was provided using Java 6 and below to avoid ASLR.", "references": [ "CVE-2011-0065", "OSVDB-72085", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986", "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Firefox 3.6.16 on Windows XP SP3", "Firefox 3.6.16 on Windows 7 + Java" ], "mod_time": "2017-09-08 22:19:55 +0000", "path": "/modules/exploits/windows/browser/mozilla_mchannel.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_mchannel", "check": false }, "exploit_windows/browser/mozilla_nssvgvalue": { "name": "Firefox nsSVGValue Out-of-Bounds Access Vulnerability", "full_name": "exploit/windows/browser/mozilla_nssvgvalue", "rank": 200, "disclosure_date": "2011-12-06", "type": "exploit", "author": [ "regenrecht", "Lincoln ", "corelanc0d3r " ], "description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers), does not validate\n if a given index is out of bounds. 
If a custom observer of nsSVGValue is created,\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.", "references": [ "CVE-2011-3658", "OSVDB-77953", "ZDI-12-056", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708186" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows XP - Firefox 7", "Windows XP - Firefox 8 (<= 8.0.1)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mozilla_nssvgvalue.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_nssvgvalue", "check": false }, "exploit_windows/browser/mozilla_nstreerange": { "name": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability", "full_name": "exploit/windows/browser/mozilla_nstreerange", "rank": 300, "disclosure_date": "2011-02-02", "type": "exploit", "author": [ "regenrecht", "xero" ], "description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. 
Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.", "references": [ "CVE-2011-0073", "OSVDB-72087", "BID-47663", "ZDI-11-157", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=630919", "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Auto (Direct attack against Windows XP, otherwise through Java, if enabled)", "Firefox Runtime, fails with ASLR", "Java Runtime (7.10.3052.4), best against ASLR", "Java JVM (20.1.0.02)", "Java Regutils (6.0.260.3)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/mozilla_nstreerange.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_nstreerange", "check": false }, "exploit_windows/browser/mozilla_reduceright": { "name": "Mozilla Firefox Array.reduceRight() Integer Overflow", "full_name": "exploit/windows/browser/mozilla_reduceright", "rank": 300, "disclosure_date": "2011-06-21", "type": "exploit", "author": [ "Chris Rohlf", "Yan Ivnitskiy", "Matteo Memelli", "dookie2000ca", "sinn3r ", "mr_me ", "TecR0c " ], "description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. 
When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index to be used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compared to a\n typical browser exploit) in order to gain control of the machine.", "references": [ "CVE-2011-2371", "OSVDB-73184", "EDB-17974", "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=664009" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Mozilla Firefox 3.6.16 (no JAVA)", "Mozilla Firefox 3.6.16 (JAVA)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/mozilla_reduceright.rb", "is_install_path": true, "ref_name": "windows/browser/mozilla_reduceright", "check": false }, "exploit_windows/browser/ms03_020_ie_objecttype": { "name": "MS03-020 Microsoft Internet Explorer Object Type", "full_name": "exploit/windows/browser/ms03_020_ie_objecttype", "rank": 300, "disclosure_date": "2003-06-04", "type": "exploit", "author": [ "skape " ], "description": "This module exploits a vulnerability in Internet Explorer's\n handling of the OBJECT type attribute.", "references": [ "CVE-2003-0344", "OSVDB-2967", "BID-7806", "MSB-MS03-020" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows NT/XP/2003 Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb", "is_install_path": true, "ref_name": "windows/browser/ms03_020_ie_objecttype", "check": false }, "exploit_windows/browser/ms05_054_onload": { "name": "MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution", "full_name": "exploit/windows/browser/ms05_054_onload", "rank": 300, "disclosure_date": "2005-11-21", "type": "exploit", "author": [ "Benjamin Tobias Franz", "Stuart Pearson", "Sam Sharps" ], "description": "This bug is 
triggered when the browser handles a JavaScript 'onLoad' handler in\n conjunction with an improperly initialized 'window()' JavaScript function.\n This exploit results in a call to an address lower than the heap. The javascript\n prompt() places our shellcode near where the call operand points to. We call\n prompt() multiple times in separate iframes to place our return address.\n We hide the prompts in a popup window behind the main window. We spray the heap\n a second time with our shellcode and point the return address to the heap. I use\n a fairly high address to make this exploit more reliable. IE will crash when the\n exploit completes. Also, please note that Internet Explorer must allow popups\n in order to continue exploitation.", "references": [ "MSB-MS05-054", "CVE-2005-1790", "OSVDB-17094", "BID-13799", "URL-http://www.cvedetails.com/cve/CVE-2005-1790" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Internet Explorer 6 on Windows XP", "Internet Explorer 6 Windows 2000" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms05_054_onload.rb", "is_install_path": true, "ref_name": "windows/browser/ms05_054_onload", "check": false }, "exploit_windows/browser/ms06_001_wmf_setabortproc": { "name": "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution", "full_name": "exploit/windows/browser/ms06_001_wmf_setabortproc", "rank": 500, "disclosure_date": "2005-12-27", "type": "exploit", "author": [ "hdm ", "san ", "O600KO78RUS " ], "description": "This module exploits a vulnerability in the GDI library included with\n Windows XP and 2003. This vulnerability uses the 'Escape' metafile function\n to execute arbitrary code through the SetAbortProc procedure. 
This module\n generates a random WMF record stream for each request.", "references": [ "CVE-2005-4560", "OSVDB-21987", "MSB-MS06-001", "BID-16074", "URL-http://www.microsoft.com/technet/security/advisory/912840.mspx", "URL-http://wvware.sourceforge.net/caolan/ora-wmf.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP/2003/Vista Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_001_wmf_setabortproc", "check": false }, "exploit_windows/browser/ms06_013_createtextrange": { "name": "MS06-013 Microsoft Internet Explorer createTextRange() Code Execution", "full_name": "exploit/windows/browser/ms06_013_createtextrange", "rank": 300, "disclosure_date": "2006-03-19", "type": "exploit", "author": [ "Faithless ", "Darkeagle ", "hdm ", "justfriends4n0w ", "Unknown" ], "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer.\n Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n to a very remote, non-existent memory location. This module is the result of merging three\n different exploit submissions and has only been reliably tested against Windows XP SP2.\n This vulnerability was independently discovered by multiple parties. 
The heap spray method\n used by this exploit was pioneered by Skylined.", "references": [ "CVE-2006-1359", "OSVDB-24050", "MSB-MS06-013", "BID-17196", "US-CERT-VU-876678", "URL-http://secunia.com/secunia_research/2006-7/advisory/", "URL-http://seclists.org/lists/bugtraq/2006/Mar/0410.html", "URL-http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)", "Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms06_013_createtextrange.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_013_createtextrange", "check": false }, "exploit_windows/browser/ms06_055_vml_method": { "name": "MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution", "full_name": "exploit/windows/browser/ms06_055_vml_method", "rank": 300, "disclosure_date": "2006-09-19", "type": "exploit", "author": [ "hdm ", "Aviv Raff ", "Trirat Puttaraksa (Kira) ", "Mr.Niega ", "M. Shirk " ], "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer using\n a buffer overflow in the VML processing code (VGX.dll). 
This module has been tested on\n Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.", "references": [ "CVE-2006-4868", "OSVDB-28946", "MSB-MS06-055", "BID-20096" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows NT 4.0 -> Windows 2003 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms06_055_vml_method.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_055_vml_method", "check": false }, "exploit_windows/browser/ms06_057_webview_setslice": { "name": "MS06-057 Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow", "full_name": "exploit/windows/browser/ms06_057_webview_setslice", "rank": 300, "disclosure_date": "2006-07-17", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a flaw in the WebViewFolderIcon ActiveX control\n included with Windows 2000, Windows XP, and Windows 2003. This flaw was published\n during the Month of Browser Bugs project (MoBB #18).", "references": [ "CVE-2006-3730", "OSVDB-27110", "MSB-MS06-057", "BID-19030" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / IE 6.0SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms06_057_webview_setslice.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_057_webview_setslice", "check": false }, "exploit_windows/browser/ms06_067_keyframe": { "name": "MS06-067 Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability", "full_name": "exploit/windows/browser/ms06_067_keyframe", "rank": 300, "disclosure_date": "2006-11-14", "type": "exploit", "author": [ "Alexander Sotirov ", "skape " ], "description": "This module exploits a heap overflow vulnerability in the KeyFrame method of the\n direct animation ActiveX control. 
This is a port of the exploit implemented by\n Alexander Sotirov.", "references": [ "CVE-2006-4777", "OSVDB-28842", "BID-20047", "MSB-MS06-067" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000/XP/2003 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms06_067_keyframe.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_067_keyframe", "check": false }, "exploit_windows/browser/ms06_071_xml_core": { "name": "MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling", "full_name": "exploit/windows/browser/ms06_071_xml_core", "rank": 300, "disclosure_date": "2006-10-10", "type": "exploit", "author": [ "Trirat Puttaraksa " ], "description": "This module exploits a code execution vulnerability in Microsoft XML Core Services which\n exists in the XMLHTTP ActiveX control. This module is the modified version of\n http://www.milw0rm.com/exploits/2743 - credit to str0ke. 
This module has been successfully\n tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n + Microsoft XML Core Services 4.0 SP2.", "references": [ "CVE-2006-5745", "OSVDB-29425", "MSB-MS06-071", "BID-20915" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 SP4 -> Windows 2003 SP0" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/ms06_071_xml_core.rb", "is_install_path": true, "ref_name": "windows/browser/ms06_071_xml_core", "check": false }, "exploit_windows/browser/ms07_017_ani_loadimage_chunksize": { "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)", "full_name": "exploit/windows/browser/ms07_017_ani_loadimage_chunksize", "rank": 500, "disclosure_date": "2007-03-28", "type": "exploit", "author": [ "hdm ", "skape ", "Solar Eclipse " ], "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function in USER32.dll. The flaw can be triggered through\n Internet Explorer 6 and 7 by using the CURSOR style sheet directive\n to load a malicious .ANI file. The module can also exploit Mozilla\n Firefox by using a UNC path in a moz-icon URL and serving the .ANI file\n over WebDAV. 
The vulnerable code in USER32.dll will catch any\n exceptions that occur while the invalid cursor is loaded, causing the\n exploit to silently fail when the wrong target has been chosen.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", "references": [ "CVE-2007-0038", "OSVDB-33629", "BID-23194", "MSB-MS07-017", "URL-http://www.microsoft.com/technet/security/advisory/935423.mspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista", "IE6 on Windows NT, 2000, XP, 2003 (all languages)", "IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)", "IE7 and Firefox on Windows Vista (all languages)", "Firefox on Windows XP (English)", "Firefox on Windows 2003 (English)" ], "mod_time": "2017-10-19 19:55:58 +0000", "path": "/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb", "is_install_path": true, "ref_name": "windows/browser/ms07_017_ani_loadimage_chunksize", "check": false }, "exploit_windows/browser/ms08_041_snapshotviewer": { "name": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download", "full_name": "exploit/windows/browser/ms08_041_snapshotviewer", "rank": 600, "disclosure_date": "2008-07-07", "type": "exploit", "author": [ "MC " ], "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Microsoft Office Snapshot Viewer ActiveX Control.", "references": [ "CVE-2008-2463", "OSVDB-46749", "MSB-MS08-041", "BID-30114" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb", "is_install_path": true, "ref_name": "windows/browser/ms08_041_snapshotviewer", "check": false }, 
"exploit_windows/browser/ms08_053_mediaencoder": { "name": "Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/ms08_053_mediaencoder", "rank": 300, "disclosure_date": "2008-09-09", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Windows Media Encoder 9. When\n sending an overly long string to the GetDetailsString() method of wmex.dll\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-3008", "OSVDB-47962", "BID-31065", "MSB-MS08-053" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2-SP3 IE 6.0 SP0-SP2" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms08_053_mediaencoder.rb", "is_install_path": true, "ref_name": "windows/browser/ms08_053_mediaencoder", "check": false }, "exploit_windows/browser/ms08_070_visual_studio_msmask": { "name": "Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/ms08_070_visual_studio_msmask", "rank": 300, "disclosure_date": "2008-08-13", "type": "exploit", "author": [ "koshi", "MC " ], "description": "This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n When passing a specially crafted string to the Mask parameter of the\n Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n code.", "references": [ "CVE-2008-3704", "OSVDB-47475", "BID-30674", "MSB-MS08-070" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 IE 6.0 SP0-SP2" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb", "is_install_path": true, "ref_name": "windows/browser/ms08_070_visual_studio_msmask", "check": false }, "exploit_windows/browser/ms08_078_xml_corruption": { "name": "MS08-078 Microsoft 
Internet Explorer Data Binding Memory Corruption", "full_name": "exploit/windows/browser/ms08_078_xml_corruption", "rank": 300, "disclosure_date": "2008-12-07", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a vulnerability in the data binding feature of Internet\n Explorer. In order to execute code reliably, this module uses the .NET DLL\n memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n used to create a fake vtable at a known location with all methods pointing\n to our payload. Since the .text segment of the .NET DLL is non-writable, a\n prefixed code stub is used to copy the payload into a new memory segment and\n continue execution from there.", "references": [ "CVE-2008-4844", "OSVDB-50622", "BID-32721", "MSB-MS08-078", "URL-http://www.microsoft.com/technet/security/advisory/961051.mspx", "URL-http://taossa.com/archive/bh08sotirovdowd.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms08_078_xml_corruption.rb", "is_install_path": true, "ref_name": "windows/browser/ms08_078_xml_corruption", "check": false }, "exploit_windows/browser/ms09_002_memory_corruption": { "name": "MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption", "full_name": "exploit/windows/browser/ms09_002_memory_corruption", "rank": 300, "disclosure_date": "2009-02-10", "type": "exploit", "author": [ "dean " ], "description": "This module exploits an error related to the CFunctionPointer function when attempting\n to access uninitialized memory. 
A remote attacker could exploit this vulnerability to\n corrupt memory and execute arbitrary code on the system with the privileges of the victim.", "references": [ "CVE-2009-0075", "OSVDB-51839", "MSB-MS09-002" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2-SP3 / Windows Vista SP0 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms09_002_memory_corruption.rb", "is_install_path": true, "ref_name": "windows/browser/ms09_002_memory_corruption", "check": false }, "exploit_windows/browser/ms09_043_owc_htmlurl": { "name": "Microsoft OWC Spreadsheet HTMLURL Buffer Overflow", "full_name": "exploit/windows/browser/ms09_043_owc_htmlurl", "rank": 300, "disclosure_date": "2009-08-11", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a buffer overflow in Microsoft's Office Web Components.\n When passing an overly long string as the \"HTMLURL\" parameter an attacker can\n execute arbitrary code.", "references": [ "CVE-2009-1534", "OSVDB-56916", "BID-35992", "MSB-MS09-043", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 - IE6 - Office XP SP0", "Windows XP SP3 - IE6 - Office XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb", "is_install_path": true, "ref_name": "windows/browser/ms09_043_owc_htmlurl", "check": false }, "exploit_windows/browser/ms09_043_owc_msdso": { "name": "Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption", "full_name": "exploit/windows/browser/ms09_043_owc_msdso", "rank": 300, "disclosure_date": "2009-07-13", "type": "exploit", "author": [ "unknown", "hdm ", "Ahmed Obied", "DSR! 
" ], "description": "This module exploits a memory corruption vulnerability within versions 10 and 11 of\n the Office Web Component Spreadsheet ActiveX control. This module was based on\n an exploit found in the wild.", "references": [ "CVE-2009-1136", "OSVDB-55806", "MSB-MS09-043", "URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py", "EDB-9163", "URL-http://www.microsoft.com/technet/security/advisory/973472.mspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms09_043_owc_msdso.rb", "is_install_path": true, "ref_name": "windows/browser/ms09_043_owc_msdso", "check": false }, "exploit_windows/browser/ms09_072_style_object": { "name": "MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption", "full_name": "exploit/windows/browser/ms09_072_style_object", "rank": 300, "disclosure_date": "2009-11-20", "type": "exploit", "author": [ "securitylab.ir ", "jduck " ], "description": "This module exploits a vulnerability in the getElementsByTagName function\n as implemented within Internet Explorer.", "references": [ "MSB-MS09-072", "CVE-2009-3672", "OSVDB-50622", "BID-37085", "URL-http://www.microsoft.com/technet/security/advisory/977981.mspx", "URL-http://taossa.com/archive/bh08sotirovdowd.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms09_072_style_object.rb", "is_install_path": true, "ref_name": "windows/browser/ms09_072_style_object", "check": false }, "exploit_windows/browser/ms10_002_aurora": { "name": "MS10-002 Microsoft Internet Explorer \"Aurora\" Memory Corruption", "full_name": "exploit/windows/browser/ms10_002_aurora", "rank": 300, "disclosure_date": "2010-01-14", "type": "exploit", 
"author": [ "unknown", "hdm " ], "description": "This module exploits a memory corruption flaw in Internet Explorer. This\n flaw was found in the wild and was a key component of the \"Operation Aurora\"\n attacks that lead to the compromise of a number of high profile companies. The\n exploit code is a direct port of the public sample published to the Wepawet\n malware analysis site. The technique used by this module is currently identical\n to the public sample, as such, only Internet Explorer 6 can be reliably exploited.", "references": [ "MSB-MS10-002", "CVE-2010-0249", "OSVDB-61697", "URL-http://www.microsoft.com/technet/security/advisory/979352.mspx", "URL-http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms10_002_aurora.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_002_aurora", "check": false }, "exploit_windows/browser/ms10_002_ie_object": { "name": "MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free", "full_name": "exploit/windows/browser/ms10_002_ie_object", "rank": 300, "disclosure_date": "2010-01-21", "type": "exploit", "author": [ "Peter Vreugdenhil", "juan vazquez ", "sinn3r " ], "description": "This module exploits a vulnerability found in Internet Explorer's\n mshtml component. Due to the way IE handles objects in memory, it is\n possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext\n to be used even after it gets freed, therefore allowing remote code\n execution under the context of the user.\n\n This particular vulnerability was also one of 2012's Pwn2Own\n challenges, and was later explained by Peter Vreugdenhil with exploitation\n details. 
Instead of Peter's method, this module uses heap spraying like\n the 99% to store a specially crafted memory layout before re-using the\n freed memory.", "references": [ "MSB-MS10-002", "CVE-2010-0248", "OSVDB-61914", "URL-http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup", "ZDI-10-014" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3", "IE 8 on Windows 7 SP0" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms10_002_ie_object.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_002_ie_object", "check": false }, "exploit_windows/browser/ms10_018_ie_behaviors": { "name": "MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free", "full_name": "exploit/windows/browser/ms10_018_ie_behaviors", "rank": 400, "disclosure_date": "2010-03-09", "type": "exploit", "author": [ "unknown", "Trancer ", "Nanika", "jduck " ], "description": "This module exploits a use-after-free vulnerability within the DHTML behaviors\n functionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n discovered being used in-the-wild and was previously known as the \"iepeers\"\n vulnerability. The name comes from Microsoft's suggested workaround to block\n access to the iepeers.dll file.\n\n According to Nico Waisman, \"The bug itself is when trying to persist an object\n using the setAttribute, which end up calling VariantChangeTypeEx with both the\n source and the destination being the same variant. So if you send as a variant\n an IDISPATCH the algorithm will try to do a VariantClear of the destination before\n using it. 
This will end up on a call to PlainRelease which deref the reference\n and clean the object.\"\n\n NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.", "references": [ "CVE-2010-0806", "OSVDB-62810", "BID-38615", "URL-http://www.microsoft.com/technet/security/advisory/981374.mspx", "URL-http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/", "URL-http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html", "MSB-MS10-018" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista", "IE 6 SP0-SP2 (onclick)", "IE 7.0 (marquee)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_018_ie_behaviors", "check": false }, "exploit_windows/browser/ms10_018_ie_tabular_activex": { "name": "MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption", "full_name": "exploit/windows/browser/ms10_018_ie_tabular_activex", "rank": 400, "disclosure_date": "2010-03-09", "type": "exploit", "author": [ "Unknown", "jduck " ], "description": "This module exploits a memory corruption vulnerability in the Internet Explorer\n Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n Explorer are vulnerable.\n\n By specifying a long value as the \"DataURL\" parameter to this control, it is possible\n to write a NUL byte outside the bounds of an array. 
By targeting control flow data\n on the stack, an attacker can execute arbitrary code.", "references": [ "CVE-2010-0805", "OSVDB-63329", "BID-39025", "ZDI-10-034", "MSB-MS10-018" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic (Heap Spray)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_018_ie_tabular_activex", "check": false }, "exploit_windows/browser/ms10_022_ie_vbscript_winhlp32": { "name": "MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution", "full_name": "exploit/windows/browser/ms10_022_ie_vbscript_winhlp32", "rank": 500, "disclosure_date": "2010-02-26", "type": "exploit", "author": [ "Maurycy Prodeus", "jduck " ], "description": "This module exploits a code execution vulnerability that occurs when a user\n presses F1 on MessageBox originated from VBscript within a web page. When the\n user hits F1, the MessageBox help functionality will attempt to load and use\n a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n This particular version of the exploit implements a WebDAV server that will\n serve HLP file as well as a payload EXE. During testing warnings about the\n payload EXE being unsigned were witnessed. 
A future version of this module\n might use other methods that do not create such a warning.", "references": [ "CVE-2010-0483", "OSVDB-62632", "MSB-MS10-023", "URL-http://www.microsoft.com/technet/security/advisory/981169.mspx", "URL-http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx", "URL-http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer on Windows" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_022_ie_vbscript_winhlp32", "check": false }, "exploit_windows/browser/ms10_026_avi_nsamplespersec": { "name": "MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow", "full_name": "exploit/windows/browser/ms10_026_avi_nsamplespersec", "rank": 300, "disclosure_date": "2010-04-13", "type": "exploit", "author": [ "Yamata Li", "Shahin Ramezany ", "juan vazquez ", "Jordi Sanchez " ], "description": "This module exploits a buffer overflow in l3codecx.ax while processing a\n AVI files with MPEG Layer-3 audio contents. 
The overflow only allows to overwrite\n with 0's so the three least significant bytes of EIP saved on stack are\n overwritten and shellcode is mapped using the .NET DLL memory technique pioneered\n by Alexander Sotirov and Mark Dowd.\n\n Please note on IE 8 targets, your malicious URL must be a trusted site in order\n to load the .Net control.", "references": [ "CVE-2010-0480", "OSVDB-63749", "BID-39303", "MSB-MS10-026", "URL-https://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/", "URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 Automatic" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_026_avi_nsamplespersec", "check": false }, "exploit_windows/browser/ms10_042_helpctr_xss_cmd_exec": { "name": "Microsoft Help Center XSS and Command Execution", "full_name": "exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec", "rank": 600, "disclosure_date": "2010-06-09", "type": "exploit", "author": [ "Tavis Ormandy", "natron " ], "description": "Help and Support Center is the default application provided to access online\n documentation for Microsoft Windows. Microsoft supports accessing help documents\n directly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n an error in validation of input to hcp:// combined with a local cross site\n scripting vulnerability and a specialized mechanism to launch the XSS trigger,\n arbitrary command execution can be achieved.\n\n On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n can be used to launch the exploit automatically. If IE8 and WMP11, either can\n be used to launch the attack, but both pop dialog boxes asking the user if\n execution should continue. 
This exploit detects if non-intrusive mechanisms are\n available and will use one if possible. In the case of both IE8 and WMP11, the\n exploit defaults to using an iframe on IE8, but is configurable by setting the\n DIALOGMECH option to \"none\" or \"player\".\n\n This module creates a WebDAV service from which the payload is copied to the\n victim machine.", "references": [ "CVE-2010-1885", "OSVDB-65264", "URL-http://www.microsoft.com/technet/security/advisory/2219475.mspx", "MSB-MS10-042" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_042_helpctr_xss_cmd_exec", "check": false }, "exploit_windows/browser/ms10_046_shortcut_icon_dllloader": { "name": "Microsoft Windows Shell LNK Code Execution", "full_name": "exploit/windows/browser/ms10_046_shortcut_icon_dllloader", "rank": 600, "disclosure_date": "2010-07-16", "type": "exploit", "author": [ "hdm ", "jduck ", "B_H" ], "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This module creates a WebDAV service that can be used\n to run an arbitrary payload when accessed as a UNC path.", "references": [ "CVE-2010-2568", "OSVDB-66387", "MSB-MS10-046", "URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_046_shortcut_icon_dllloader", "check": false }, "exploit_windows/browser/ms10_090_ie_css_clip": { "name": "MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption", "full_name": "exploit/windows/browser/ms10_090_ie_css_clip", "rank": 400, "disclosure_date": "2010-11-03", "type": "exploit", "author": [ "unknown", "Yuange", "Matteo Memelli", "jduck " ], "description": "This module exploits a memory corruption vulnerability within Microsoft's\n HTML engine (mshtml). When parsing an HTML page containing a specially\n crafted CSS tag, memory corruption occurs that can lead arbitrary code\n execution.\n\n It seems like Microsoft code inadvertently increments a vtable pointer to\n point to an unaligned address within the vtable's function pointers. This\n leads to the program counter being set to the address determined by the\n address \"[vtable+0x30+1]\". The particular address depends on the exact\n version of the mshtml library in use.\n\n Since the address depends on the version of mshtml, some versions may not\n be exploitable. 
Specifically, those ending up with a program counter value\n within another module, in kernel space, or just not able to be reached with\n various memory spraying techniques.\n\n Also, since the address is not controllable, it is unlikely to be possible\n to use ROP to bypass non-executable memory protections.", "references": [ "CVE-2010-3962", "OSVDB-68987", "BID-44536", "URL-http://www.microsoft.com/technet/security/advisory/2458511.mspx", "EDB-15421", "MSB-MS10-090" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Debug", "Internet Explorer 6", "Internet Explorer 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb", "is_install_path": true, "ref_name": "windows/browser/ms10_090_ie_css_clip", "check": false }, "exploit_windows/browser/ms11_003_ie_css_import": { "name": "MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free", "full_name": "exploit/windows/browser/ms11_003_ie_css_import", "rank": 400, "disclosure_date": "2010-11-29", "type": "exploit", "author": [ "passerby", "d0c_s4vage", "jduck " ], "description": "This module exploits a memory corruption vulnerability within Microsoft\\'s\n HTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n import, a C++ object is deleted and later reused. This leads to arbitrary\n code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions with .NET 2.0.50727 installed.", "references": [ "CVE-2010-3971", "OSVDB-69796", "BID-45246", "URL-http://www.microsoft.com/technet/security/advisory/2488013.mspx", "URL-http://www.wooyun.org/bugs/wooyun-2010-0885", "URL-http://seclists.org/fulldisclosure/2010/Dec/110", "MSB-MS11-003" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 8", "Internet Explorer 7", "Internet Explorer 6", "Debug Target (Crash)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms11_003_ie_css_import.rb", "is_install_path": true, "ref_name": "windows/browser/ms11_003_ie_css_import", "check": false }, "exploit_windows/browser/ms11_050_mshtml_cobjectelement": { "name": "MS11-050 IE mshtml!CObjectElement Use After Free", "full_name": "exploit/windows/browser/ms11_050_mshtml_cobjectelement", "rank": 300, "disclosure_date": "2011-06-16", "type": "exploit", "author": [ "d0c_s4vage", "sinn3r ", "bannedit " ], "description": "This module exploits a use-after-free vulnerability in Internet Explorer. The\n vulnerability occurs when an invalid tag exists and other elements\n overlap/cover where the object tag should be when rendered (due to their\n styles/positioning). The mshtml!CObjectElement is then freed from memory because\n it is invalid. 
However, the mshtml!CDisplay object for the page continues to keep\n a reference to the freed and attempts to call a function on it, leading\n to the use-after-free.\n\n Please note that for IE 8 targets, JRE (Java Runtime Environment) is required\n to bypass DEP (Data Execution Prevention).", "references": [ "CVE-2011-1260", "OSVDB-72950", "MSB-MS11-050", "URL-http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 7 on XP SP3", "Internet Explorer 7 on Windows Vista", "Internet Explorer 8 on XP SP3", "Internet Explorer 8 on Windows 7", "Debug Target (Crash)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb", "is_install_path": true, "ref_name": "windows/browser/ms11_050_mshtml_cobjectelement", "check": false }, "exploit_windows/browser/ms11_081_option": { "name": "MS11-081 Microsoft Internet Explorer Option Element Use-After-Free", "full_name": "exploit/windows/browser/ms11_081_option", "rank": 300, "disclosure_date": "2012-10-11", "type": "exploit", "author": [ "Ivan Fratric", "juan vazquez ", "sinn3r " ], "description": "This module exploits a vulnerability in Microsoft Internet Explorer. 
A memory\n corruption may occur when the Option cache isn't updated properly, which allows\n other JavaScript methods to access a deleted Option element, and results in code\n execution under the context of the user.", "references": [ "CVE-2011-1996", "OSVDB-76208", "MSB-MS11-081", "URL-http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html", "URL-http://pastebin.com/YLH725Aj" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3", "IE 8 on Windows Vista", "IE 8 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms11_081_option.rb", "is_install_path": true, "ref_name": "windows/browser/ms11_081_option", "check": false }, "exploit_windows/browser/ms11_093_ole32": { "name": "MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution", "full_name": "exploit/windows/browser/ms11_093_ole32", "rank": 300, "disclosure_date": "2011-12-13", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a type confusion vulnerability in the OLE32 component of\n Windows XP SP3. 
The vulnerability exists in the CPropertyStorage::ReadMultiple\n function.\n\n A Visio document with a specially crafted Summary Information Stream embedded allows\n to get remote code execution through Internet Explorer, on systems with Visio Viewer\n installed.", "references": [ "MSB-MS11-093", "CVE-2011-3400", "OSVDB-77663", "BID-50977", "URL-http://aluigi.org/adv/ole32_1-adv.txt", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3 / Visio Viewer 2010", "IE 7 on Windows XP SP3 / Visio Viewer 2010" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms11_093_ole32.rb", "is_install_path": true, "ref_name": "windows/browser/ms11_093_ole32", "check": false }, "exploit_windows/browser/ms12_004_midi": { "name": "MS12-004 midiOutPlayNextPolyEvent Heap Overflow", "full_name": "exploit/windows/browser/ms12_004_midi", "rank": 300, "disclosure_date": "2012-01-10", "type": "exploit", "author": [ "Shane Garrett", "juan vazquez ", "sinn3r " ], "description": "This module exploits a heap overflow vulnerability in the Windows Multimedia\n Library (winmm.dll). The vulnerability occurs when parsing specially crafted\n MIDI files. Remote code execution can be achieved by using the Windows Media Player\n ActiveX control.\n\n Exploitation is done by supplying a specially crafted MIDI file with\n specific events, causing the offset calculation being higher than what is\n available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing\n us to either \"inc al\" or \"dec al\" a byte. 
This can be used to corrupt an array\n (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,\n which leverages remote code execution under the context of the user.\n\n Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,\n if you know your target's patch level, you may also try the 'MSHTML' advanced\n option for an info leak based attack. Currently, this module only supports two\n MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.\n Or 8.0.6001.19120, which is patch level before the MS12-004 fix.\n\n Also, based on our testing, the vulnerability does not seem to trigger when\n the victim machine is operated via rdesktop.", "references": [ "MSB-MS12-004", "CVE-2012-0003", "OSVDB-78210", "BID-51292" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms12_004_midi.rb", "is_install_path": true, "ref_name": "windows/browser/ms12_004_midi", "check": false }, "exploit_windows/browser/ms12_037_ie_colspan": { "name": "MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "full_name": "exploit/windows/browser/ms12_037_ie_colspan", "rank": 300, "disclosure_date": "2012-06-12", "type": "exploit", "author": [ "Alexandre Pelletier", "mr_me ", "binjo", "sinn3r ", "juan vazquez " ], "description": "This module exploits a heap overflow vulnerability in Internet Explorer caused\n by an incorrect handling of the span attribute for col elements from a fixed table,\n when they are modified dynamically by javascript code.", "references": [ "CVE-2012-1876", "OSVDB-82866", "BID-53848", "MSB-MS12-037" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3 with msvcrt ROP", 
"IE 8 on Windows 7 SP1" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms12_037_ie_colspan.rb", "is_install_path": true, "ref_name": "windows/browser/ms12_037_ie_colspan", "check": false }, "exploit_windows/browser/ms12_037_same_id": { "name": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", "full_name": "exploit/windows/browser/ms12_037_same_id", "rank": 300, "disclosure_date": "2012-06-12", "type": "exploit", "author": [ "Dark Son", "Unknown", "Yichong Lin", "juan vazquez " ], "description": "This module exploits a memory corruption flaw in Internet Explorer 8 when\n handling objects with the same ID property. At the moment this module targets\n IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging\n as well as the heap spray method seen in the wild (Java msvcrt71.dll).", "references": [ "MSB-MS12-037", "CVE-2012-1875", "OSVDB-82865", "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/", "URL-https://twitter.com/binjo/status/212795802974830592", "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3 with msvcrt ROP", "IE 8 on Windows XP SP3 with JRE ROP", "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb", "is_install_path": true, "ref_name": "windows/browser/ms12_037_same_id", "check": false }, "exploit_windows/browser/ms13_009_ie_slayoutrun_uaf": { "name": "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free", "full_name": "exploit/windows/browser/ms13_009_ie_slayoutrun_uaf", "rank": 200, "disclosure_date": "2013-02-13", "type": "exploit", "author": [ "Scott Bell " ], "description": "This 
module exploits a use-after-free vulnerability in Microsoft Internet Explorer\n where a CParaElement node is released but a reference is still kept\n in CDoc. This memory is reused when a CDoc relayout is performed.", "references": [ "CVE-2013-0025", "OSVDB-90122", "MSB-MS13-009", "URL-http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_009_ie_slayoutrun_uaf", "check": false }, "exploit_windows/browser/ms13_022_silverlight_script_object": { "name": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", "full_name": "exploit/windows/browser/ms13_022_silverlight_script_object", "rank": 300, "disclosure_date": "2013-03-12", "type": "exploit", "author": [ "James Forshaw", "Vitaliy Toropov", "juan vazquez " ], "description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in\n the Initialize() method of System.Windows.Browser.ScriptObject, which accesses memory in an\n unsafe manner. Since it is accessible to untrusted (user-controlled) code, it is possible\n to dereference arbitrary memory, which can easily be leveraged into arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.", "references": [ "CVE-2013-0074", "CVE-2013-3896", "OSVDB-91147", "OSVDB-98223", "BID-58327", "BID-62793", "MSB-MS13-022", "MSB-MS13-087", "PACKETSTORM-123731" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows x86/x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_022_silverlight_script_object", "check": false }, "exploit_windows/browser/ms13_037_svg_dashstyle": { "name": "MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", "full_name": "exploit/windows/browser/ms13_037_svg_dashstyle", "rank": 300, "disclosure_date": "2013-03-06", "type": "exploit", "author": [ "Nicolas Joly", "4B5F5F4B", "juan vazquez ", "sinn3r " ], "description": "This module exploits an integer overflow vulnerability on Internet Explorer.\n The vulnerability exists in the handling of the dashstyle.array length for vml\n shapes on the vgx.dll module.\n\n The exploit has been built and tested specifically against Windows 7 SP1 with\n Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to\n bypass ASLR, and by default the info leak is used. To make sure the leak is\n successful, the ntdll version should be either v6.1.7601.17514 (the default dll\n version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725\n (installed after apply MS12-001). If the target doesn't have the version the exploit\n wants, it will refuse to attack by sending a fake 404 message (webpage not found).\n\n If you wish to try the JRE6 component instead to bypass ASLR, you can set the\n advanced datastore option to 'JRE6'. 
If JRE6 is chosen but the target doesn't\n have this particular component, the exploit will also refuse to attack by\n sending a 404 message.", "references": [ "CVE-2013-2551", "OSVDB-91197", "BID-58570", "MSB-MS13-037", "URL-http://binvul.com/viewthread.php?tid=311" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "IE 8 on Windows 7 SP1" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_037_svg_dashstyle", "check": false }, "exploit_windows/browser/ms13_055_canchor": { "name": "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free", "full_name": "exploit/windows/browser/ms13_055_canchor", "rank": 300, "disclosure_date": "2013-07-09", "type": "exploit", "author": [ "Jose Antonio Vazquez Gonzalez", "Orange Tsai", "Peter Vreugdenhil", "sinn3r " ], "description": "In IE8 standards mode, it's possible to cause a use-after-free condition by first\n creating an illogical table tree, where a CPhraseElement comes after CTableRow,\n with the final node being a sub table element. When the CPhraseElement's outer\n content is reset by using either outerText or outerHTML through an event handler,\n this triggers a free of its child element (in this case, a CAnchorElement, but\n some other objects apply too), but a reference is still kept in function\n SRunPointer::SpanQualifier. This function will then pass on the invalid reference\n to the next functions, eventually used in mshtml!CElement::Doc when it's trying to\n make a call to the object's SecurityContext virtual function at offset +0x70, which\n results a crash. An attacker can take advantage of this by first creating an\n CAnchorElement object, let it free, and then replace the freed memory with another\n fake object. 
Successfully doing so may allow arbitrary code execution under the\n context of the user.\n\n This bug is specific to Internet Explorer 8 only. It was originally discovered by\n Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again\n by Orange Tsai at Hitcon 2013.", "references": [ "CVE-2013-3163", "OSVDB-94981", "MSB-MS13-055", "URL-https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 8 on Windows XP SP3", "IE 8 on Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms13_055_canchor.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_055_canchor", "check": false }, "exploit_windows/browser/ms13_059_cflatmarkuppointer": { "name": "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free", "full_name": "exploit/windows/browser/ms13_059_cflatmarkuppointer", "rank": 300, "disclosure_date": "2013-06-27", "type": "exploit", "author": [ "corelanc0d3r", "sinn3r " ], "description": "This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9,\n it seems to only affect certain releases of mshtml.dll, ranging from a newly\n installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). IE8\n requires a different way to trigger the vulnerability, but not currently covered\n by this module.\n\n The issue is specific to the browser's IE7 document compatibility, which can be\n defined in X-UA-Compatible, and the content editable mode must be enabled. An\n \"onmove\" event handler is also necessary to be able to trigger the bug, and the\n event will be run twice before the crash. 
The first time is due to the position\n change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'\n object is created during a \"SelectAll\" command, and this object will be used later\n on for the crash. The second onmove event seems to be triggered by a InsertButton\n (or Insert-whatever) command, which is also responsible for the free of object\n CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will\n then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and\n then passes this on to the next functions (GetLineInfo -> QIClassID). When this\n reference arrives in function QIClassID, an access violation finally occurs when\n the function is trying to call QueryInterface() with the bad reference, and this\n results a crash. Successful control of the freed memory may leverage arbitrary code\n execution under the context of the user.\n\n Note: It is also possible to see a different object being freed and used, doesn't\n always have to be CFlatMarkupPointer.", "references": [ "CVE-2013-3184", "OSVDB-96182", "MSB-MS13-059", "BID-61668", "ZDI-13-194", "ZDI-13-195" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_059_cflatmarkuppointer", "check": false }, "exploit_windows/browser/ms13_069_caret": { "name": "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free", "full_name": "exploit/windows/browser/ms13_069_caret", "rank": 300, "disclosure_date": "2013-09-10", "type": "exploit", "author": [ "corelanc0d3r", "sinn3r " ], "description": "This module exploits a use-after-free vulnerability found in Internet Explorer,\n specifically in how the browser handles the caret (text cursor) object. 
In IE's standards\n mode, the caret handling's vulnerable state can be triggered by first setting up an\n editable page with an input field, and then we can force the caret to update in an\n onbeforeeditfocus event by setting the body's innerHTML property. In this event handler,\n mshtml!CCaret::`vftable' can be freed using a document.write() function, however,\n mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the\n same reference to the CCaret object. When the function tries to use this invalid reference\n to call a virtual function at offset 0x2c, it finally results a crash. Precise control of\n the freed object allows arbitrary code execution under the context of the user.", "references": [ "CVE-2013-3205", "OSVDB-97094", "MSB-MS13-069", "ZDI-13-217" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IE 8 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms13_069_caret.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_069_caret", "check": false }, "exploit_windows/browser/ms13_080_cdisplaypointer": { "name": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", "full_name": "exploit/windows/browser/ms13_080_cdisplaypointer", "rank": 300, "disclosure_date": "2013-10-08", "type": "exploit", "author": [ "Unknown", "sinn3r " ], "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\n multiple research companies and the vendor until the October patch release.\n\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\n \"onpropertychange\" event handler. 
To set up the appropriate buggy conditions, we first craft\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\n If we use a select() function for the CTextArea element, two important things will happen:\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\n event called \"onselect\". The \"onselect\" event will allow us to set up for the actual event\n handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child\n of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger\n \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer\n object can be forced by using an \"Unselect\" (other approaches also apply), but a reference\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\n the CDoc::GetLineInfo call, because it is still trying to use that to update\n CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash\n finally occurs due to accessing the freed memory. 
By controlling this freed memory, it is\n possible to achieve arbitrary code execution under the context of the user.", "references": [ "CVE-2013-3897", "OSVDB-98207", "MSB-MS13-080", "URL-http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx", "URL-http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 8 on Windows 7" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_080_cdisplaypointer", "check": false }, "exploit_windows/browser/ms13_090_cardspacesigninhelper": { "name": "MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow", "full_name": "exploit/windows/browser/ms13_090_cardspacesigninhelper", "rank": 300, "disclosure_date": "2013-11-08", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a vulnerability on the CardSpaceClaimCollection class from the\n icardie.dll ActiveX control. The vulnerability exists while the handling of the\n CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of\n elements on a SafeArray and keeps a size field, counting the number of elements on the\n collection. By calling the remove() method on an empty CardSpaceClaimCollection it is\n possible to underflow the length field, storing a negative integer. 
Later, a call to\n the add() method will use the corrupted length field to compute the address to write\n into the SafeArray data, allowing memory to be corrupted with a pointer to controlled contents.\n This module achieves code execution by using VBScript, as discovered in the wild in\n November 2013, to (1) create an array of html OBJECT elements, (2) create holes, (3) create\n a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt\n one of the legit OBJECT elements with the described integer underflow and (5) achieve code\n execution by forcing the use of the corrupted OBJECT.", "references": [ "CVE-2013-3918", "OSVDB-99555", "BID-63631", "MSB-MS13-090", "URL-http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP with IE 8" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb", "is_install_path": true, "ref_name": "windows/browser/ms13_090_cardspacesigninhelper", "check": false }, "exploit_windows/browser/ms14_012_cmarkup_uaf": { "name": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "full_name": "exploit/windows/browser/ms14_012_cmarkup_uaf", "rank": 300, "disclosure_date": "2014-02-13", "type": "exploit", "author": [ "Unknown", "Jean-Jamil Khalife", "juan vazquez " ], "description": "This module exploits a use-after-free condition in Internet Explorer, as used in the wild\n as part of \"Operation SnowMan\" in February 2014. 
The module uses Flash Player 12 in order to\n bypass ASLR and DEP.", "references": [ "CVE-2014-0322", "MSB-MS14-012", "BID-65551", "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", "URL-http://hdwsec.fr/blog/CVE-2014-0322.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP1 / IE 10 / FP 12" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb", "is_install_path": true, "ref_name": "windows/browser/ms14_012_cmarkup_uaf", "check": false }, "exploit_windows/browser/ms14_012_textrange": { "name": "MS14-012 Microsoft Internet Explorer TextRange Use-After-Free", "full_name": "exploit/windows/browser/ms14_012_textrange", "rank": 300, "disclosure_date": "2014-03-11", "type": "exploit", "author": [ "Jason Kratzer", "sinn3r " ], "description": "This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw\n was most likely introduced in 2013, therefore only certain builds of MSHTML are\n affected. 
In our testing with IE9, these vulnerable builds appear to be between\n 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped from\n August 2013, when it was introduced, until the fix issued in early March 2014.", "references": [ "CVE-2014-0307", "MSB-MS14-012" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms14_012_textrange.rb", "is_install_path": true, "ref_name": "windows/browser/ms14_012_textrange", "check": false }, "exploit_windows/browser/ms14_064_ole_code_execution": { "name": "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution", "full_name": "exploit/windows/browser/ms14_064_ole_code_execution", "rank": 400, "disclosure_date": "2014-11-13", "type": "exploit", "author": [ "Robert Freeman", "yuange", "Rik van Duijn", "Wesley Neelen", "GradiusX ", "b33f", "sinn3r " ], "description": "This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.\n The vulnerability is known to affect Internet Explorer 3.0 through 11 on\n Windows 95 through Windows 10, with no patch available for Windows XP. However, this exploit\n only targets Windows XP and Windows 7 due to the PowerShell limitation.\n\n Windows XP by default supports VBS, therefore it is used as the attack vector. 
On other\n newer Windows systems, the exploit will try using Powershell instead.", "references": [ "CVE-2014-6332", "MSB-MS14-064", "OSVDB-114533", "EDB-35229", "EDB-35308", "URL-http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows", "URL-https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP", "Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb", "is_install_path": true, "ref_name": "windows/browser/ms14_064_ole_code_execution", "check": false }, "exploit_windows/browser/ms16_051_vbscript": { "name": "Internet Explorer 11 VBScript Engine Memory Corruption", "full_name": "exploit/windows/browser/ms16_051_vbscript", "rank": 300, "disclosure_date": "2016-05-10", "type": "exploit", "author": [ "Theori", "William Webb " ], "description": "This module exploits the memory corruption vulnerability (CVE-2016-0189)\n present in the VBScript engine of Internet Explorer 11.", "references": [ "CVE-2016-0189", "MSB-MS16-051" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "Automatic", "Windows 10 with IE 11" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ms16_051_vbscript.rb", "is_install_path": true, "ref_name": "windows/browser/ms16_051_vbscript", "check": false }, "exploit_windows/browser/msvidctl_mpeg2": { "name": "Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption", "full_name": "exploit/windows/browser/msvidctl_mpeg2", "rank": 300, "disclosure_date": "2009-07-05", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a memory corruption within the MSVidCtl component of Microsoft\n DirectShow (BDATuner.MPEG2TuneRequest).\n By loading a specially crafted GIF file, an attacker 
can overrun a buffer and\n execute arbitrary code.\n\n ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid", "references": [ "CVE-2008-0015", "OSVDB-55651", "BID-35558", "MSB-MS09-032", "MSB-MS09-037", "URL-http://www.microsoft.com/technet/security/advisory/972890.mspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/msvidctl_mpeg2.rb", "is_install_path": true, "ref_name": "windows/browser/msvidctl_mpeg2", "check": false }, "exploit_windows/browser/mswhale_checkforupdates": { "name": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/mswhale_checkforupdates", "rank": 300, "disclosure_date": "2009-04-15", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. 
When sending an overly long string to CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2007-2238", "OSVDB-53933", "URL-http://technet.microsoft.com/en-us/library/dd282918.aspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/mswhale_checkforupdates.rb", "is_install_path": true, "ref_name": "windows/browser/mswhale_checkforupdates", "check": false }, "exploit_windows/browser/msxml_get_definition_code_exec": { "name": "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", "full_name": "exploit/windows/browser/msxml_get_definition_code_exec", "rank": 400, "disclosure_date": "2012-06-12", "type": "exploit", "author": [ "inking26", "binjo", "sinn3r ", "juan vazquez " ], "description": "This module exploits a memory corruption flaw in Microsoft XML Core Services\n when trying to access an uninitialized Node with the getDefinition API, which\n may corrupt memory allowing remote code execution.", "references": [ "CVE-2012-1889", "BID-53934", "OSVDB-82873", "MSB-MS12-043", "URL-http://technet.microsoft.com/en-us/security/advisory/2719615", "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462", "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3 / Vista SP2", "IE 8 on Windows XP SP3", "IE 8 with Java 6 on Windows XP SP3", "IE 8 with Java 6 on Windows 7 SP1/Vista SP2", "IE 9 with Java 6 on Windows 7 SP1" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": 
"/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb", "is_install_path": true, "ref_name": "windows/browser/msxml_get_definition_code_exec", "check": false }, "exploit_windows/browser/nctaudiofile2_setformatlikesample": { "name": "NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow", "full_name": "exploit/windows/browser/nctaudiofile2_setformatlikesample", "rank": 300, "disclosure_date": "2007-01-24", "type": "exploit", "author": [ "MC ", "dookie", "jduck " ], "description": "This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n Control provided by various audio applications. By sending an overly long\n string to the \"SetFormatLikeSample()\" method, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2007-0018", "OSVDB-32032", "BID-22196", "US-CERT-VU-292713" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2/SP3 Pro English (IE6)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb", "is_install_path": true, "ref_name": "windows/browser/nctaudiofile2_setformatlikesample", "check": false }, "exploit_windows/browser/nis2004_antispam": { "name": "Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/nis2004_antispam", "rank": 300, "disclosure_date": "2004-03-19", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Norton AntiSpam 2004. 
When\n sending an overly long string to the LaunchCustomRuleWizard() method\n of symspam.dll (2004.1.0.147) an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2004-0363", "OSVDB-6249", "BID-9916" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/nis2004_antispam.rb", "is_install_path": true, "ref_name": "windows/browser/nis2004_antispam", "check": false }, "exploit_windows/browser/nis2004_get": { "name": "Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/nis2004_get", "rank": 300, "disclosure_date": "2007-05-16", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n By sending an overly long string to the \"Get()\" method, an attacker may be\n able to execute arbitrary code.", "references": [ "CVE-2007-1689", "OSVDB-36164", "URL-http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0/SP1 Pro English", "Windows 2000 Pro English All" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/nis2004_get.rb", "is_install_path": true, "ref_name": "windows/browser/nis2004_get", "check": false }, "exploit_windows/browser/notes_handler_cmdinject": { "name": "IBM Lotus Notes Client URL Handler Command Injection", "full_name": "exploit/windows/browser/notes_handler_cmdinject", "rank": 600, "disclosure_date": "2012-06-18", "type": "exploit", "author": [ "Moritz Jodeit", "Sean de Regge", "juan vazquez " ], "description": "This module exploits a command injection 
vulnerability in the URL handler for\n the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\n a specially crafted notes:// URL to execute arbitrary commands with arbitrary\n arguments. This module has been tested successfully on Windows XP SP3 with IE8,\n Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.", "references": [ "CVE-2012-2174", "OSVDB-83063", "BID-54070", "ZDI-12-154", "URL-http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html", "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21598348" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/notes_handler_cmdinject.rb", "is_install_path": true, "ref_name": "windows/browser/notes_handler_cmdinject", "check": false }, "exploit_windows/browser/novell_groupwise_gwcls1_actvx": { "name": "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution", "full_name": "exploit/windows/browser/novell_groupwise_gwcls1_actvx", "rank": 300, "disclosure_date": "2013-01-30", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll\n ActiveX. Several methods in the GWCalServer control use user-provided data as\n a pointer, which allows reading arbitrary memory and executing arbitrary code. This\n module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. 
The\n JRE6 needs to be installed to achieve ASLR bypass.", "references": [ "CVE-2012-0439", "OSVDB-89700", "BID-57658", "ZDI-13-008", "URL-http://www.novell.com/support/kb/doc.php?id=7011688" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb", "is_install_path": true, "ref_name": "windows/browser/novell_groupwise_gwcls1_actvx", "check": false }, "exploit_windows/browser/novelliprint_callbackurl": { "name": "Novell iPrint Client ActiveX Control call-back-url Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_callbackurl", "rank": 300, "disclosure_date": "2010-08-20", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n When sending an overly long string to the 'call-back-url' parameter in an\n op-client-interface-version action of ienipp.ocx an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2010-1527", "OSVDB-67411", "URL-http://secunia.com/secunia_research/2010-104/", "EDB-15042" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novelliprint_callbackurl.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_callbackurl", "check": false }, "exploit_windows/browser/novelliprint_datetime": { "name": "Novell iPrint Client ActiveX Control Date/Time Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_datetime", "rank": 500, "disclosure_date": "2009-12-08", 
"type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n passing a specially crafted date/time string via certain parameters to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", "references": [ "CVE-2009-1569", "BID-37242", "OSVDB-60804", "URL-http://secunia.com/advisories/35004/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "iPrint 5.30 Windows Client" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/novelliprint_datetime.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_datetime", "check": false }, "exploit_windows/browser/novelliprint_executerequest": { "name": "Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_executerequest", "rank": 300, "disclosure_date": "2008-02-22", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.26. 
When\n sending an overly long string to the ExecuteRequest() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-0935", "OSVDB-42063", "BID-27939" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novelliprint_executerequest.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_executerequest", "check": false }, "exploit_windows/browser/novelliprint_executerequest_dbg": { "name": "Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_executerequest_dbg", "rank": 300, "disclosure_date": "2010-08-04", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n When sending an overly long string to the 'debug' parameter in ExecuteRequest()\n property of ienipp.ocx an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-3106", "OSVDB-66960", "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-10-06", "EDB-15001" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_executerequest_dbg", "check": false }, "exploit_windows/browser/novelliprint_getdriversettings": { "name": "Novell iPrint Client ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_getdriversettings", "rank": 300, "disclosure_date": "2008-06-16", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer 
overflow in Novell iPrint Client 4.34. When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-2908", "OSVDB-46194", "URL-http://secunia.com/advisories/30709/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_getdriversettings", "check": false }, "exploit_windows/browser/novelliprint_getdriversettings_2": { "name": "Novell iPrint Client ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_getdriversettings_2", "rank": 300, "disclosure_date": "2010-11-15", "type": "exploit", "author": [ "mr_me ", "Dr_IDE" ], "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.52. 
When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-4321", "BID-44966", "OSVDB-69357", "ZDI-10-256", "EDB-16014", "URL-http://www.novell.com/support/viewContent.do?externalId=7007234" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_getdriversettings_2", "check": false }, "exploit_windows/browser/novelliprint_target_frame": { "name": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", "full_name": "exploit/windows/browser/novelliprint_target_frame", "rank": 500, "disclosure_date": "2009-12-08", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. 
When\n passing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", "references": [ "CVE-2009-1568", "BID-37242", "OSVDB-60803", "URL-http://secunia.com/advisories/37169/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "iPrint 5.30 Windows Client" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/novelliprint_target_frame.rb", "is_install_path": true, "ref_name": "windows/browser/novelliprint_target_frame", "check": false }, "exploit_windows/browser/ntr_activex_check_bof": { "name": "NTR ActiveX Control Check() Method Buffer Overflow", "full_name": "exploit/windows/browser/ntr_activex_check_bof", "rank": 300, "disclosure_date": "2012-01-11", "type": "exploit", "author": [ "Carsten Eiram", "juan vazquez " ], "description": "This module exploits a vulnerability found in NTR ActiveX 1.1.8. The\n vulnerability exists in the Check() method, due to the insecure usage of strcat to\n build a URL using the bstrParams parameter contents (note: this is also the reason\n why the module won't allow you to modify the URIPATH), which leads to code execution\n under the context of the user visiting a malicious web page. 
In order to bypass\n DEP and ASLR on Windows Vista and Windows 7, JRE 6 is needed.", "references": [ "CVE-2012-0266", "OSVDB-78252", "BID-51374", "URL-http://secunia.com/secunia_research/2012-1/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ntr_activex_check_bof.rb", "is_install_path": true, "ref_name": "windows/browser/ntr_activex_check_bof", "check": false }, "exploit_windows/browser/ntr_activex_stopmodule": { "name": "NTR ActiveX Control StopModule() Remote Code Execution", "full_name": "exploit/windows/browser/ntr_activex_stopmodule", "rank": 300, "disclosure_date": "2012-01-11", "type": "exploit", "author": [ "Carsten Eiram", "juan vazquez " ], "description": "This module exploits a vulnerability found in the NTR ActiveX 1.1.8. 
The\n vulnerability exists in the StopModule() method, where the lModule parameter is\n used to dereference memory to get a function pointer, which leads to code execution\n under the context of the user visiting a malicious web page.", "references": [ "CVE-2012-0267", "OSVDB-78253", "BID-51374", "URL-http://secunia.com/secunia_research/2012-2/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 7 on Windows Vista" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ntr_activex_stopmodule.rb", "is_install_path": true, "ref_name": "windows/browser/ntr_activex_stopmodule", "check": false }, "exploit_windows/browser/oracle_autovue_setmarkupmode": { "name": "Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow", "full_name": "exploit/windows/browser/oracle_autovue_setmarkupmode", "rank": 300, "disclosure_date": "2012-04-18", "type": "exploit", "author": [ "Brian Gorenc", "juan vazquez " ], "description": "This module exploits a vulnerability found in the AutoVue.ocx ActiveX control.\n The vulnerability, due to the insecure usage of a strcpy-like function in the\n SetMarkupMode method, when handling a specially crafted sMarkup argument, allows\n an attacker to trigger a stack-based buffer overflow which leads to code execution under the\n context of the user visiting a malicious web page.\n\n The module has been successfully tested against Oracle AutoVue Desktop Version\n 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed for DEP and\n ASLR bypass).", "references": [ "CVE-2012-0549", "BID-53077", "OSVDB-81439", "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05", "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html", "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549" ], "is_server": false, "is_client": true, 
"platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3 / Windows Vista SP2", "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2", "IE 9 with Java 6 on Windows 7 SP1" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb", "is_install_path": true, "ref_name": "windows/browser/oracle_autovue_setmarkupmode", "check": false }, "exploit_windows/browser/oracle_dc_submittoexpress": { "name": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/oracle_dc_submittoexpress", "rank": 300, "disclosure_date": "2009-08-28", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n Oracle Document Capture 10g comes bundled with a third party ActiveX control\n emsmtp.dll (6.0.1.0). When passing an overly long string to the method \"SubmitToExpress\"\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-4607", "OSVDB-38335", "BID-25467", "US-CERT-VU-281977" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb", "is_install_path": true, "ref_name": "windows/browser/oracle_dc_submittoexpress", "check": false }, "exploit_windows/browser/oracle_webcenter_checkoutandopen": { "name": "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", "full_name": "exploit/windows/browser/oracle_webcenter_checkoutandopen", "rank": 600, "disclosure_date": "2013-04-16", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a vulnerability found in the Oracle WebCenter Content\n CheckOutAndOpenControl ActiveX. 
This vulnerability exists in openWebdav(), where\n user controlled input is used to call ShellExecuteExW(). This module abuses the\n control to execute an arbitrary HTA from a remote location. This module has been\n tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle\n WebCenter Content 11.1.1.6.0.", "references": [ "CVE-2013-1559", "OSVDB-92386", "BID-59122", "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html", "ZDI-13-094" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb", "is_install_path": true, "ref_name": "windows/browser/oracle_webcenter_checkoutandopen", "check": false }, "exploit_windows/browser/orbit_connecting": { "name": "Orbit Downloader Connecting Log Creation Buffer Overflow", "full_name": "exploit/windows/browser/orbit_connecting", "rank": 300, "disclosure_date": "2009-02-03", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. 
When an\n attacker serves up a malicious web site, arbitrary code may be executed.\n The PAYLOAD windows/shell_bind_tcp works best.", "references": [ "CVE-2009-0187", "OSVDB-52294", "BID-33894" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / IE 6.0 SP0-SP2" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/orbit_connecting.rb", "is_install_path": true, "ref_name": "windows/browser/orbit_connecting", "check": false }, "exploit_windows/browser/ovftool_format_string": { "name": "VMWare OVF Tools Format String Vulnerability", "full_name": "exploit/windows/browser/ovftool_format_string", "rank": 300, "disclosure_date": "2012-11-08", "type": "exploit", "author": [ "Jeremy Brown", "juan vazquez " ], "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", "references": [ "CVE-2012-3569", "OSVDB-87117", "BID-56468", "URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VMWare OVF Tools 2.1 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ovftool_format_string.rb", "is_install_path": true, "ref_name": "windows/browser/ovftool_format_string", "check": false }, "exploit_windows/browser/pcvue_func": { "name": "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability", "full_name": "exploit/windows/browser/pcvue_func", "rank": 200, "disclosure_date": "2011-10-05", "type": "exploit", "author": [ "Luigi Auriemma", "mr_me ", "TecR0c " ], "description": "This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.\n By setting a dword value for the SaveObject() or LoadObject(), an attacker can\n overwrite a function pointer and execute arbitrary code.", "references": [ "CVE-2011-4044", "OSVDB-77561", "BID-49795", "URL-http://aluigi.altervista.org/adv/pcvue_1-adv.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Internet Explorer 6 / Internet Explorer 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/pcvue_func.rb", "is_install_path": true, "ref_name": "windows/browser/pcvue_func", "check": false }, "exploit_windows/browser/persits_xupload_traversal": { "name": "Persits XUpload ActiveX MakeHttpRequest Directory Traversal", "full_name": "exploit/windows/browser/persits_xupload_traversal", "rank": 600, "disclosure_date": "2009-09-29", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a directory traversal in Persits Software Inc's\n XUpload ActiveX control(version 3.0.0.3) that's included in HP 
LoadRunner 9.5.\n By passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n an attacker is able to write arbitrary files to arbitrary locations on disk.\n\n Code execution occurs by writing to the All Users Startup Programs directory.\n You may want to combine this module with the use of exploit/multi/handler since a\n user would have to log in for the payload to execute.", "references": [ "CVE-2009-3693", "OSVDB-60001" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/persits_xupload_traversal.rb", "is_install_path": true, "ref_name": "windows/browser/persits_xupload_traversal", "check": false }, "exploit_windows/browser/quickr_qp2_bof": { "name": "IBM Lotus QuickR qp2 ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/quickr_qp2_bof", "rank": 300, "disclosure_date": "2012-05-23", "type": "exploit", "author": [ "Gaurav Baruah", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of _swscanf. The affected ActiveX is\n provided by the qp2.dll installed with the IBM Lotus Quickr product.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the qp2.dll 8.1.0.1800. In order to bypass ASLR the non-ASLR-compatible module\n msvcr71.dll is used. 
This one is installed with the qp2 ActiveX.", "references": [ "CVE-2012-2176", "OSVDB-82166", "BID-53678", "ZDI-12-134", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21596191" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/quickr_qp2_bof.rb", "is_install_path": true, "ref_name": "windows/browser/quickr_qp2_bof", "check": false }, "exploit_windows/browser/real_arcade_installerdlg": { "name": "Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution", "full_name": "exploit/windows/browser/real_arcade_installerdlg", "rank": 300, "disclosure_date": "2011-04-03", "type": "exploit", "author": [ "rgod", "sinn3r " ], "description": "This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. 
The \"exec\"\n function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n on the victim machine.", "references": [ "OSVDB-71559", "EDB-17105" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-09 09:52:08 +0000", "path": "/modules/exploits/windows/browser/real_arcade_installerdlg.rb", "is_install_path": true, "ref_name": "windows/browser/real_arcade_installerdlg", "check": false }, "exploit_windows/browser/realplayer_cdda_uri": { "name": "RealNetworks RealPlayer CDDA URI Initialization Vulnerability", "full_name": "exploit/windows/browser/realplayer_cdda_uri", "rank": 300, "disclosure_date": "2010-11-15", "type": "exploit", "author": [ "bannedit ", "sinn3r " ], "description": "This module exploits an initialization flaw within RealPlayer 11/11.1 and\n RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object\n initialization failure. However, this failure is improperly handled and\n uninitialized memory is executed.", "references": [ "CVE-2010-3747", "OSVDB-68673", "BID-44144", "ZDI-10-210", "URL-http://service.real.com/realplayer/security/10152010_player/en/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "RealPlayer SP 1.0 - 1.1.4 Universal", "RealPlayer 11.0 - 11.1 Universal" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/realplayer_cdda_uri.rb", "is_install_path": true, "ref_name": "windows/browser/realplayer_cdda_uri", "check": false }, "exploit_windows/browser/realplayer_console": { "name": "RealPlayer rmoc3260.dll ActiveX Control Heap Corruption", "full_name": "exploit/windows/browser/realplayer_console", "rank": 300, "disclosure_date": "2008-03-08", "type": "exploit", "author": [ "Elazar Broad " ], "description": "This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n By sending 
a specially crafted string to the 'Console' property\n in the rmoc3260.dll control, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2008-1309", "OSVDB-42946", "BID-28157", "URL-http://secunia.com/advisories/29315/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/realplayer_console.rb", "is_install_path": true, "ref_name": "windows/browser/realplayer_console", "check": false }, "exploit_windows/browser/realplayer_import": { "name": "RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow", "full_name": "exploit/windows/browser/realplayer_import", "rank": 300, "disclosure_date": "2007-10-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n method, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-5601", "OSVDB-41430", "BID-26130" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IE / RealOne Player 2 (6.0.11.853)", "IE / RealPlayer 10.5 (6.0.12.1483)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/realplayer_import.rb", "is_install_path": true, "ref_name": "windows/browser/realplayer_import", "check": false }, "exploit_windows/browser/realplayer_qcp": { "name": "RealNetworks Realplayer QCP Parsing Heap Overflow", "full_name": "exploit/windows/browser/realplayer_qcp", "rank": 200, "disclosure_date": "2011-08-16", "type": "exploit", "author": [ "Sean de Regge", "juan vazquez " ], "description": "This module exploits a heap overflow in Realplayer when handling a .QCP file.\n The specific flaw exists within qcpfformat.dll. 
A static 256 byte buffer is\n allocated on the heap and user-supplied data from the file is copied within a\n memory copy loop.\n\n This allows a remote attacker to execute arbitrary code running in the context\n of the web browser via a .QCP file with a specially crafted \"fmt\" chunk.\n At this moment this module exploits the flaw on Windows XP IE6, IE7.", "references": [ "CVE-2011-2950", "OSVDB-74549", "BID-49172", "ZDI-11-265", "URL-http://service.real.com/realplayer/security/08162011_player/en/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 6 on XP SP3", "Internet Explorer 7 on XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/realplayer_qcp.rb", "is_install_path": true, "ref_name": "windows/browser/realplayer_qcp", "check": false }, "exploit_windows/browser/realplayer_smil": { "name": "RealNetworks RealPlayer SMIL Buffer Overflow", "full_name": "exploit/windows/browser/realplayer_smil", "rank": 300, "disclosure_date": "2005-03-01", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n By creating a URL link to a malicious SMIL file, a remote attacker could\n overflow a buffer and execute arbitrary code.\n When using this module, be sure to set the URIPATH with an extension of '.smil'.\n This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n build 6.0.9.584.", "references": [ "CVE-2005-0455", "OSVDB-14305", "BID-12698" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "RealPlayer 10/8 on Windows 2000 SP0-SP4 English", "RealPlayer 10/8 on Windows XP PRO SP0-SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/realplayer_smil.rb", "is_install_path": true, "ref_name": "windows/browser/realplayer_smil", "check": false 
}, "exploit_windows/browser/roxio_cineplayer": { "name": "Roxio CinePlayer ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/roxio_cineplayer", "rank": 300, "disclosure_date": "2007-04-11", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n By setting an overly long value to 'DiskType', an attacker can overrun\n a buffer and execute arbitrary code.", "references": [ "CVE-2007-1559", "OSVDB-34779", "BID-23412" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/roxio_cineplayer.rb", "is_install_path": true, "ref_name": "windows/browser/roxio_cineplayer", "check": false }, "exploit_windows/browser/safari_xslt_output": { "name": "Apple Safari Webkit libxslt Arbitrary File Creation", "full_name": "exploit/windows/browser/safari_xslt_output", "rank": 600, "disclosure_date": "2011-07-20", "type": "exploit", "author": [ "Nicolas Gregoire" ], "description": "This module exploits a file creation vulnerability in the Webkit\n rendering engine. It is possible to redirect the output of a XSLT\n transformation to an arbitrary file. The content of the created file must be\n ASCII or UTF-8. The destination path can be relative or absolute. This module\n has been tested on Safari and Maxthon. 
Code execution can be achieved by first\n uploading the payload to the remote machine in VBS format, and then uploading a MOF\n file, which causes the Windows Management Instrumentation service to execute the VBS.", "references": [ "CVE-2011-1774", "OSVDB-74017", "URL-http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/safari_xslt_output.rb", "is_install_path": true, "ref_name": "windows/browser/safari_xslt_output", "check": false }, "exploit_windows/browser/samsung_neti_wiewer_backuptoavi_bof": { "name": "Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow", "full_name": "exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof", "rank": 300, "disclosure_date": "2012-04-21", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX control installed\n with the Samsung NET-i viewer 1.37.\n\n Specifically, when supplying a long string for the fname parameter to the\n BackupToAvi method, an integer overflow occurs, which leads to a subsequent buffer\n overflow due to the use of memcpy with an incorrect size, resulting in remote code\n execution under the context of the user.", "references": [ "CVE-2012-4333", "OSVDB-81453", "BID-53193", "URL-http://aluigi.altervista.org/adv/netiware_1-adv.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb", "is_install_path": true, "ref_name": "windows/browser/samsung_neti_wiewer_backuptoavi_bof", "check": false }, 
"exploit_windows/browser/samsung_security_manager_put": { "name": "Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution", "full_name": "exploit/windows/browser/samsung_security_manager_put", "rank": 600, "disclosure_date": "2016-08-05", "type": "exploit", "author": [ "mr_me " ], "description": "This is an exploit against Samsung Security Manager that bypasses the patch in ZDI-15-156 & ZDI-16-481\n by exploiting the vulnerability against the client-side. This exploit has been tested successfully using\n IE, FireFox and Chrome by abusing a GET request XSS to bypass CORS and reach the vulnerable PUT. Finally\n a traversal is used in the PUT request to upload the code just where we want it and gain RCE as SYSTEM.", "references": [ "URL-http://www.zerodayinitiative.com/advisories/ZDI-15-156/", "URL-http://www.zerodayinitiative.com/advisories/ZDI-16-481/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Samsung Security Manager 1.32 & 1.4 Universal" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/samsung_security_manager_put.rb", "is_install_path": true, "ref_name": "windows/browser/samsung_security_manager_put", "check": false }, "exploit_windows/browser/sapgui_saveviewtosessionfile": { "name": "SAP AG SAPgui EAI WebViewer3D Buffer Overflow", "full_name": "exploit/windows/browser/sapgui_saveviewtosessionfile", "rank": 300, "disclosure_date": "2009-03-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n with SAPgui. 
When passing an overly long string to the SaveViewToSessionFile()\n method, arbitrary code may be executed.", "references": [ "CVE-2007-4475", "OSVDB-53066", "US-CERT-VU-985449" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb", "is_install_path": true, "ref_name": "windows/browser/sapgui_saveviewtosessionfile", "check": false }, "exploit_windows/browser/siemens_solid_edge_selistctrlx": { "name": "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution", "full_name": "exploit/windows/browser/siemens_solid_edge_selistctrlx", "rank": 300, "disclosure_date": "2013-05-26", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.\n The vulnerability exists in several APIs provided by the control, where user supplied input\n is handled as a memory pointer without proper validation, allowing an attacker to read and\n corrupt memory from the target process. 
This module abuses the methods NumChildren() and\n DeleteItem() in order to achieve memory info leak and remote code execution respectively.\n This module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1,\n using Solid Edge 10.4.", "references": [ "OSVDB-93696", "EDB-25712" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 7 on Windows Vista", "IE 8 on Windows Vista", "IE 8 on Windows 7", "IE 9 on Windows 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb", "is_install_path": true, "ref_name": "windows/browser/siemens_solid_edge_selistctrlx", "check": false }, "exploit_windows/browser/softartisans_getdrivename": { "name": "SoftArtisans XFile FileManager ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/softartisans_getdrivename", "rank": 300, "disclosure_date": "2008-08-25", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n (SAFmgPwd.dll 2.0.5.3). 
When sending an overly long string to the GetDriveName() method\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-1682", "OSVDB-47794", "US-CERT-VU-914785", "BID-30826" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/softartisans_getdrivename.rb", "is_install_path": true, "ref_name": "windows/browser/softartisans_getdrivename", "check": false }, "exploit_windows/browser/sonicwall_addrouteentry": { "name": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/sonicwall_addrouteentry", "rank": 300, "disclosure_date": "2007-11-01", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n By sending an overly long string to the \"AddRouteEntry()\" method located\n in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2007-5603", "OSVDB-39069", "URL-http://www.sec-consult.com/303.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IE 6 / Windows XP SP2 Pro English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/sonicwall_addrouteentry.rb", "is_install_path": true, "ref_name": "windows/browser/sonicwall_addrouteentry", "check": false }, "exploit_windows/browser/symantec_altirisdeployment_downloadandinstall": { "name": "Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute", "full_name": "exploit/windows/browser/symantec_altirisdeployment_downloadandinstall", "rank": 600, "disclosure_date": "2009-09-09", "type": "exploit", "author": [ "MC " ], "description": "This module allows remote attackers to install and execute 
arbitrary files on a user's file system via\n AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.", "references": [ "BID-36346", "CVE-2009-3028", "OSVDB-57893" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb", "is_install_path": true, "ref_name": "windows/browser/symantec_altirisdeployment_downloadandinstall", "check": false }, "exploit_windows/browser/symantec_altirisdeployment_runcmd": { "name": "Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/symantec_altirisdeployment_runcmd", "rank": 300, "disclosure_date": "2009-11-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n When sending an overly long string to the RunCmd() method of\n AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n code.", "references": [ "CVE-2009-3033", "BID-37092", "OSVDB-60496" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_runcmd.rb", "is_install_path": true, "ref_name": "windows/browser/symantec_altirisdeployment_runcmd", "check": false }, "exploit_windows/browser/symantec_appstream_unsafe": { "name": "Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute", "full_name": "exploit/windows/browser/symantec_appstream_unsafe", "rank": 600, "disclosure_date": "2009-01-15", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a vulnerability in Symantec AppStream Client 5.x. 
The vulnerability\n is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n method. The insecure method can be exploited to download and execute arbitrary files in the\n context of the currently logged-on user.", "references": [ "CVE-2008-4388", "OSVDB-51410" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/symantec_appstream_unsafe.rb", "is_install_path": true, "ref_name": "windows/browser/symantec_appstream_unsafe", "check": false }, "exploit_windows/browser/symantec_backupexec_pvcalendar": { "name": "Symantec BackupExec Calendar Control Buffer Overflow", "full_name": "exploit/windows/browser/symantec_backupexec_pvcalendar", "rank": 300, "disclosure_date": "2008-02-28", "type": "exploit", "author": [ "Elazar Broad " ], "description": "This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n By sending an overly long string to the \"_DOWText0\" property located\n in the pvcalendar.ocx control, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2007-6016", "OSVDB-42358", "BID-26904", "URL-http://secunia.com/advisories/27885/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb", "is_install_path": true, "ref_name": "windows/browser/symantec_backupexec_pvcalendar", "check": false }, "exploit_windows/browser/symantec_consoleutilities_browseandsavefile": { "name": "Symantec ConsoleUtilities ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/symantec_consoleutilities_browseandsavefile", "rank": 300, "disclosure_date": "2009-11-02", "type": "exploit", "author": [ "Nikolas Sotiriu 
(lofi)" ], "description": "This module exploits a stack buffer overflow in Symantec's ConsoleUtilities.\n By sending an overly long string to the \"BrowseAndSaveFile()\" method located\n in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2009-3031", "OSVDB-59597", "BID-36698", "URL-http://sotiriu.de/adv/NSOADV-2009-001.txt", "URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 English", "Windows XP SP2 Universal", "Windows XP SP2 Pro German", "Windows XP SP3 Pro German" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/symantec_consoleutilities_browseandsavefile.rb", "is_install_path": true, "ref_name": "windows/browser/symantec_consoleutilities_browseandsavefile", "check": false }, "exploit_windows/browser/synactis_connecttosynactis_bof": { "name": "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow", "full_name": "exploit/windows/browser/synactis_connecttosynactis_bof", "rank": 300, "disclosure_date": "2013-05-30", "type": "exploit", "author": [ "h1ch4m", "sinn3r " ], "description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. 
When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.", "references": [ "OSVDB-93754", "EDB-25835" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb", "is_install_path": true, "ref_name": "windows/browser/synactis_connecttosynactis_bof", "check": false }, "exploit_windows/browser/systemrequirementslab_unsafe": { "name": "Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method", "full_name": "exploit/windows/browser/systemrequirementslab_unsafe", "rank": 600, "disclosure_date": "2008-10-16", "type": "exploit", "author": [ "MC " ], "description": "This module allows attackers to execute code via an unsafe method in\n Husdawg, LLC. 
System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)", "references": [ "CVE-2008-4385", "OSVDB-50122", "US-CERT-VU-166651" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb", "is_install_path": true, "ref_name": "windows/browser/systemrequirementslab_unsafe", "check": false }, "exploit_windows/browser/teechart_pro": { "name": "TeeChart Professional ActiveX Control Trusted Integer Dereference", "full_name": "exploit/windows/browser/teechart_pro", "rank": 300, "disclosure_date": "2011-08-11", "type": "exploit", "author": [ "mr_me ", "sinn3r " ], "description": "This module exploits an integer overflow in TeeChart Pro ActiveX control. When\n sending an overly large/negative integer value to the AddSeries() property of\n TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the\n value and is later directly trusted and called upon.\n\n This module has been designed to bypass DEP only under IE8 with Java support. 
Multiple\n versions (including the latest version) are affected by this vulnerability that date\n back to as far as 2001.\n\n The following controls are vulnerable:\n\n TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);\n TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);\n TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);\n TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);\n TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).\n\n The controls are deployed under several SCADA based systems including:\n\n Unitronics OPC server v1.3;\n BACnet Operator Workstation Version 1.0.76", "references": [ "OSVDB-74446", "URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows XP SP0-SP3 (IE6/IE7)", "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)", "Windows 7 + JAVA + DEP bypass (IE8)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/teechart_pro.rb", "is_install_path": true, "ref_name": "windows/browser/teechart_pro", "check": false }, "exploit_windows/browser/tom_sawyer_tsgetx71ex552": { "name": "Tom Sawyer Software GET Extension Factory Remote Code Execution", "full_name": "exploit/windows/browser/tom_sawyer_tsgetx71ex552", "rank": 300, "disclosure_date": "2011-05-03", "type": "exploit", "author": [ "Elazar Broad", "rgod", "juan vazquez " ], "description": "This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll\n ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect\n initialization under Internet Explorer.\n\n While the Tom Sawyer GET Extension Factory is installed with some versions of VMware\n Infrastructure Client, this module has been tested only with the versions installed\n with 
Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX\n control tested is tsgetx71ex553.dll, version 5.5.3.238.\n\n This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The\n dll is installed by default with the Embarcadero software, and loaded by the targeted\n ActiveX.", "references": [ "CVE-2011-2217", "OSVDB-73211", "BID-48099", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 8 on Windows XP SP3", "IE 8 on Windows 7 SP1" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb", "is_install_path": true, "ref_name": "windows/browser/tom_sawyer_tsgetx71ex552", "check": false }, "exploit_windows/browser/trendmicro_extsetowner": { "name": "Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution", "full_name": "exploit/windows/browser/trendmicro_extsetowner", "rank": 300, "disclosure_date": "2010-08-25", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a remote code execution vulnerability in Trend Micro\n Internet Security Pro 2010 ActiveX.\n When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-3189", "OSVDB-67561", "ZDI-10-165", "EDB-14878" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/trendmicro_extsetowner.rb", "is_install_path": true, "ref_name": "windows/browser/trendmicro_extsetowner", "check": 
false }, "exploit_windows/browser/trendmicro_officescan": { "name": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/trendmicro_officescan", "rank": 300, "disclosure_date": "2007-02-12", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-0325", "OSVDB-33040", "BID-22585" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2 Pro English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/trendmicro_officescan.rb", "is_install_path": true, "ref_name": "windows/browser/trendmicro_officescan", "check": false }, "exploit_windows/browser/tumbleweed_filetransfer": { "name": "Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/tumbleweed_filetransfer", "rank": 500, "disclosure_date": "2008-04-07", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in the vcst_eu.dll\n FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n SecureTransport suite. 
By sending an overly long string to the\n TransferFile() 'remotefile' function, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2008-1724", "OSVDB-44252", "URL-http://www.aushack.com/200708-tumbleweed.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal vcst_eu.dll", "Windows 2000 Pro English", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/browser/tumbleweed_filetransfer.rb", "is_install_path": true, "ref_name": "windows/browser/tumbleweed_filetransfer", "check": false }, "exploit_windows/browser/ubisoft_uplay_cmd_exec": { "name": "Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution", "full_name": "exploit/windows/browser/ubisoft_uplay_cmd_exec", "rank": 300, "disclosure_date": "2012-07-29", "type": "exploit", "author": [ "Tavis Ormandy ", "Ben Campbell ", "phillips321 ", "Richard Hicks " ], "description": "The uplay ActiveX component allows an attacker to execute any command line action.\n User must sign in, unless auto-sign in is enabled and uplay must not already be\n running. 
Due to the way the malicious executable is served (WebDAV), the module\n must be run on port 80, so please make sure you have enough privilege to do that.\n Ubisoft released patch 2.04 as of Mon 20th July.", "references": [ "CVE-2012-4177", "OSVDB-84402", "URL-http://seclists.org/fulldisclosure/2012/Jul/375", "URL-http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/browser/ubisoft_uplay_cmd_exec", "check": false }, "exploit_windows/browser/ultramjcam_openfiledig_bof": { "name": "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow", "full_name": "exploit/windows/browser/ultramjcam_openfiledig_bof", "rank": 300, "disclosure_date": "2012-03-28", "type": "exploit", "author": [ "rgod", "sinn3r " ], "description": "This module exploits a vulnerability found in TRENDnet SecurView Internet\n Camera's ActiveX control. 
By supplying a long string of data as the sFilter\n argument of the OpenFileDlg() function, it is possible to trigger a buffer\n overflow condition due to WideCharToMultiByte (which converts Unicode back to a multibyte string)\n overwriting the stack more than it should, which results in arbitrary code execution\n under the context of the user.", "references": [ "CVE-2012-4876", "OSVDB-80661", "EDB-18675" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6 on Windows XP SP3", "IE 7 on Windows XP SP3", "IE 7 on Windows Vista" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb", "is_install_path": true, "ref_name": "windows/browser/ultramjcam_openfiledig_bof", "check": false }, "exploit_windows/browser/ultraoffice_httpupload": { "name": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "full_name": "exploit/windows/browser/ultraoffice_httpupload", "rank": 400, "disclosure_date": "2008-08-27", "type": "exploit", "author": [ "shinnai", "jduck " ], "description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office\n Control. When processing the 'HttpUpload' method, the arguments are concatenated\n together to form a command line to run a bundled version of cURL. If the command\n fails to run, a stack-based buffer overflow occurs when building the error\n message. 
This is due to the use of sprintf() without proper bounds checking.\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", "references": [ "CVE-2008-3878", "OSVDB-47866", "BID-30861", "EDB-6318" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/ultraoffice_httpupload.rb", "is_install_path": true, "ref_name": "windows/browser/ultraoffice_httpupload", "check": false }, "exploit_windows/browser/verypdf_pdfview": { "name": "VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow", "full_name": "exploit/windows/browser/verypdf_pdfview", "rank": 300, "disclosure_date": "2008-06-16", "type": "exploit", "author": [ "MC ", "dean " ], "description": "The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n because it fails to properly bounds-check user-supplied data before copying\n it into an insufficiently sized memory buffer. 
An attacker can exploit this issue\n to execute arbitrary code within the context of the affected application.", "references": [ "CVE-2008-5492", "OSVDB-49871", "BID-32313" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/verypdf_pdfview.rb", "is_install_path": true, "ref_name": "windows/browser/verypdf_pdfview", "check": false }, "exploit_windows/browser/viscom_movieplayer_drawtext": { "name": "Viscom Software Movie Player Pro SDK ActiveX 6.8", "full_name": "exploit/windows/browser/viscom_movieplayer_drawtext", "rank": 300, "disclosure_date": "2010-01-12", "type": "exploit", "author": [ "shinnai", "TecR0c ", "mr_me " ], "description": "Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\n remote attackers to execute arbitrary code via a long strFontName parameter to the\n DrawText method.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", "references": [ "CVE-2010-0356", "OSVDB-61634", "EDB-12320" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows IE6-7", "Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb", "is_install_path": true, "ref_name": "windows/browser/viscom_movieplayer_drawtext", "check": false }, "exploit_windows/browser/vlc_amv": { "name": "VLC AMV Dangling Pointer Vulnerability", "full_name": "exploit/windows/browser/vlc_amv", "rank": 400, "disclosure_date": "2011-03-23", "type": "exploit", "author": [ "sinn3r " ], 
"description": "This module exploits VLC media player when handling a .AMV file. By flipping\n the 0x41st byte in the file format (video width/height), VLC crashes due to an\n invalid pointer, which allows remote attackers to gain arbitrary code execution.\n The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also,\n please note that IE 8 targets require Java support in order to run properly.", "references": [ "CVE-2010-3275", "OSVDB-71277", "URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files", "URL-http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 6 on XP SP3", "Internet Explorer 7 on XP SP3", "Internet Explorer 8 on XP SP3", "Internet Explorer 7 on Vista" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/vlc_amv.rb", "is_install_path": true, "ref_name": "windows/browser/vlc_amv", "check": false }, "exploit_windows/browser/vlc_mms_bof": { "name": "VLC MMS Stream Handling Buffer Overflow", "full_name": "exploit/windows/browser/vlc_mms_bof", "rank": 300, "disclosure_date": "2012-03-15", "type": "exploit", "author": [ "Florent Hochwelker", "sinn3r ", "juan vazquez " ], "description": "This module exploits a buffer overflow in VLC media player prior\n to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result\n in a stack buffer overflow when handling a malicious MMS URI.\n\n This module uses the browser as the attack vector. A specially crafted MMS URI is\n used to trigger the overflow and get flow control through SEH overwrite. 
Control\n is transferred to code located in the heap through a standard heap spray.\n\n The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.", "references": [ "CVE-2012-1775", "OSVDB-80188", "URL-http://www.videolan.org/security/sa1201.html", "URL-http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Internet Explorer 6 on XP SP3", "Internet Explorer 7 on XP SP3" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/vlc_mms_bof.rb", "is_install_path": true, "ref_name": "windows/browser/vlc_mms_bof", "check": false }, "exploit_windows/browser/webdav_dll_hijacker": { "name": "WebDAV Application DLL Hijacker", "full_name": "exploit/windows/browser/webdav_dll_hijacker", "rank": 0, "disclosure_date": "2010-08-18", "type": "exploit", "author": [ "hdm ", "jduck ", "jcran " ], "description": "This module presents a directory of file extensions that can lead to\n code execution when opened from the share. 
The default EXTENSIONS option\n must be configured to specify a vulnerable application type.", "references": [ "URL-http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html", "URL-http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/webdav_dll_hijacker.rb", "is_install_path": true, "ref_name": "windows/browser/webdav_dll_hijacker", "check": false }, "exploit_windows/browser/webex_ucf_newobject": { "name": "WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow", "full_name": "exploit/windows/browser/webex_ucf_newobject", "rank": 400, "disclosure_date": "2008-08-06", "type": "exploit", "author": [ "Tobias Klein", "Elazar Broad", "Guido Landi", "jduck " ], "description": "This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-\n based buffer overflow will occur when copying attacker-supplied data using the\n sprintf function.\n\n It is noteworthy that this vulnerability was discovered and reported by multiple\n independent researchers. 
To quote iDefense's advisory, \"Before this issue was\n publicly reported, at least three independent security researchers had knowledge\n of this issue; thus, it is reasonable to believe that even more people were aware\n of this issue before disclosure.\"\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", "references": [ "CVE-2008-3558", "OSVDB-47344", "BID-30578", "EDB-6220", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849", "URL-http://www.trapkit.de/advisories/TKADV2008-009.txt", "URL-http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html", "URL-http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/webex_ucf_newobject.rb", "is_install_path": true, "ref_name": "windows/browser/webex_ucf_newobject", "check": false }, "exploit_windows/browser/wellintech_kingscada_kxclientdownload": { "name": "KingScada kxClientDownload.ocx ActiveX Remote Code Execution", "full_name": "exploit/windows/browser/wellintech_kingscada_kxclientdownload", "rank": 400, "disclosure_date": "2014-01-14", "type": "exploit", "author": [ "Andrea Micalizzi", "juan vazquez " ], "description": "This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.\n The ProjectURL property can be abused to download and load arbitrary DLLs from\n arbitrary locations, leading to arbitrary code execution, because of a dangerous\n usage of LoadLibrary. 
Due to the nature of the vulnerability, this module will work\n only when Protected Mode is not present or not enabled.", "references": [ "CVE-2013-2827", "OSVDB-102135", "BID-64941", "ZDI-14-011", "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb", "is_install_path": true, "ref_name": "windows/browser/wellintech_kingscada_kxclientdownload", "check": false }, "exploit_windows/browser/winamp_playlist_unc": { "name": "Winamp Playlist UNC Path Computer Name Overflow", "full_name": "exploit/windows/browser/winamp_playlist_unc", "rank": 500, "disclosure_date": "2006-01-29", "type": "exploit", "author": [ "hdm ", "Faithless " ], "description": "This module exploits a vulnerability in the Winamp media player.\n This flaw is triggered when an audio file path is specified, inside a\n playlist, that consists of a UNC path with a long computer name. This\n module delivers the playlist via the browser. This module has only\n been successfully tested on Winamp 5.11 and 5.12.", "references": [ "CVE-2006-0476", "OSVDB-22789", "BID-16410" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Winamp 5.12 Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/winamp_playlist_unc.rb", "is_install_path": true, "ref_name": "windows/browser/winamp_playlist_unc", "check": false }, "exploit_windows/browser/winamp_ultravox": { "name": "Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow", "full_name": "exploit/windows/browser/winamp_ultravox", "rank": 300, "disclosure_date": "2008-01-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Winamp 5.24. 
By\n sending an overly long artist tag, a remote attacker may\n be able to execute arbitrary code. This vulnerability can be\n exploited from the browser or the Winamp client itself.", "references": [ "CVE-2008-0065", "OSVDB-41707", "BID-27344" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Winamp 5.24" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/winamp_ultravox.rb", "is_install_path": true, "ref_name": "windows/browser/winamp_ultravox", "check": false }, "exploit_windows/browser/windvd7_applicationtype": { "name": "WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/windvd7_applicationtype", "rank": 300, "disclosure_date": "2007-03-20", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n control in InterVideo WinDVD 7. By sending an overly long string\n to the \"ApplicationType()\" property, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2007-0348", "OSVDB-34315", "BID-23071" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 Pro English ALL", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/browser/windvd7_applicationtype.rb", "is_install_path": true, "ref_name": "windows/browser/windvd7_applicationtype", "check": false }, "exploit_windows/browser/winzip_fileview": { "name": "WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/winzip_fileview", "rank": 300, "disclosure_date": "2007-11-02", "type": "exploit", "author": [ "dean " ], "description": "The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n remote attacker to execute arbitrary code on the system. 
The control contains\n several unsafe methods and is marked safe for scripting and safe for initialization.\n A remote attacker could exploit this vulnerability to execute arbitrary code on the\n victim system. WinZip 10.0 <= Build 6667 are vulnerable.", "references": [ "CVE-2006-5198", "OSVDB-30433", "BID-21060" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/winzip_fileview.rb", "is_install_path": true, "ref_name": "windows/browser/winzip_fileview", "check": false }, "exploit_windows/browser/wmi_admintools": { "name": "Microsoft WMI Administration Tools ActiveX Buffer Overflow", "full_name": "exploit/windows/browser/wmi_admintools", "rank": 500, "disclosure_date": "2010-12-21", "type": "exploit", "author": [ "WooYun", "MC ", "jduck " ], "description": "This module exploits a memory trust issue in the Microsoft WMI\n Administration tools ActiveX control. When processing a specially crafted\n HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n as a trusted pointer. It makes an indirect call via this pointer which leads\n to arbitrary code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions.\n\n The WMI Administrative Tools are a standalone download & install (linked in the\n references).", "references": [ "OSVDB-69942", "CVE-2010-3973", "BID-45546", "URL-http://wooyun.org/bug.php?action=view&id=1006", "URL-http://secunia.com/advisories/42693", "URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows Universal", "Debug Target (Crash)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/wmi_admintools.rb", "is_install_path": true, "ref_name": "windows/browser/wmi_admintools", "check": false }, "exploit_windows/browser/x360_video_player_set_text_bof": { "name": "X360 VideoPlayer ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/x360_video_player_set_text_bof", "rank": 300, "disclosure_date": "2015-01-30", "type": "exploit", "author": [ "Rh0", "juan vazquez " ], "description": "This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the\n X360 Software. 
By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.", "references": [ "EDB-35948", "URL-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb", "is_install_path": true, "ref_name": "windows/browser/x360_video_player_set_text_bof", "check": false }, "exploit_windows/browser/xmplay_asx": { "name": "XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow", "full_name": "exploit/windows/browser/xmplay_asx", "rank": 400, "disclosure_date": "2006-11-21", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n The vulnerability is caused due to a boundary error within\n the parsing of playlists containing an overly long file name.\n This module uses the ASX file format.", "references": [ "CVE-2006-6063", "OSVDB-30537", "BID-21206", "URL-http://secunia.com/advisories/22999/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 Pro English SP4", "Windows XP Pro SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/xmplay_asx.rb", "is_install_path": true, "ref_name": "windows/browser/xmplay_asx", "check": false }, "exploit_windows/browser/yahoomessenger_fvcom": { "name": "Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/yahoomessenger_fvcom", "rank": 300, "disclosure_date": "2007-08-30", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n Control (YVerInfo.dll <= 2006.8.24.1). 
By sending an overly long string\n to the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2007-4515", "OSVDB-37739", "BID-25494", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2 Pro English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/yahoomessenger_fvcom.rb", "is_install_path": true, "ref_name": "windows/browser/yahoomessenger_fvcom", "check": false }, "exploit_windows/browser/yahoomessenger_server": { "name": "Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow", "full_name": "exploit/windows/browser/yahoomessenger_server", "rank": 400, "disclosure_date": "2007-06-05", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n Control (ywcupl.dll) provided by Yahoo! 
Messenger version 8.1.0.249.\n By sending an overly long string to the \"Server()\" method, and then calling\n the \"Send()\" method, an attacker may be able to execute arbitrary code.\n Using the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n yield for the best results.", "references": [ "CVE-2007-3147", "OSVDB-37082" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0/SP1 Pro English", "Windows 2000 Pro English All" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/browser/yahoomessenger_server.rb", "is_install_path": true, "ref_name": "windows/browser/yahoomessenger_server", "check": false }, "exploit_windows/browser/zenturiprogramchecker_unsafe": { "name": "Zenturi ProgramChecker ActiveX Control Arbitrary File Download", "full_name": "exploit/windows/browser/zenturiprogramchecker_unsafe", "rank": 600, "disclosure_date": "2007-05-29", "type": "exploit", "author": [ "MC " ], "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.", "references": [ "CVE-2007-2987", "OSVDB-36715", "BID-24217" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb", "is_install_path": true, "ref_name": "windows/browser/zenturiprogramchecker_unsafe", "check": false }, "exploit_windows/browser/zenworks_helplauncher_exec": { "name": "AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution", "full_name": "exploit/windows/browser/zenworks_helplauncher_exec", "rank": 300, "disclosure_date": "2011-10-19", "type": "exploit", "author": [ "rgod", "juan vazquez " ], "description": "This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. 
The\n LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run\n arbitrary commands on the victim machine. This module has been successfully tested with the\n ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration\n Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.", "references": [ "CVE-2011-2657", "OSVDB-76700", "BID-50274", "ZDI-11-318", "URL-http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-10-05 16:44:36 +0000", "path": "/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb", "is_install_path": true, "ref_name": "windows/browser/zenworks_helplauncher_exec", "check": false }, "exploit_windows/dcerpc/ms03_026_dcom": { "name": "MS03-026 Microsoft RPC DCOM Interface Overflow", "full_name": "exploit/windows/dcerpc/ms03_026_dcom", "rank": 500, "disclosure_date": "2003-07-16", "type": "exploit", "author": [ "hdm ", "spoonm ", "cazz " ], "description": "This module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n was originally found by the Last Stage of Delirium research group and has been\n widely exploited ever since. 
This module can exploit the English versions of\n Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)", "references": [ "CVE-2003-0352", "OSVDB-2100", "MSB-MS03-026", "BID-8205" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 135, "targets": [ "Windows NT SP3-6a/2000/XP/2003 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/dcerpc/ms03_026_dcom.rb", "is_install_path": true, "ref_name": "windows/dcerpc/ms03_026_dcom", "check": false }, "exploit_windows/dcerpc/ms05_017_msmq": { "name": "MS05-017 Microsoft Message Queueing Service Path Overflow", "full_name": "exploit/windows/dcerpc/ms05_017_msmq", "rank": 400, "disclosure_date": "2005-04-12", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. The offset to the\n return address changes based on the length of the system\n hostname, so this must be provided via the 'HNAME' option.\n Much thanks to snort.org and Jean-Baptiste Marchand's\n excellent MSRPC website.", "references": [ "CVE-2005-0059", "OSVDB-15458", "MSB-MS05-017", "BID-13112" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2103, "targets": [ "Windows 2000 ALL / Windows XP SP0-SP1 (English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/dcerpc/ms05_017_msmq.rb", "is_install_path": true, "ref_name": "windows/dcerpc/ms05_017_msmq", "check": false }, "exploit_windows/dcerpc/ms07_029_msdns_zonename": { "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)", "full_name": "exploit/windows/dcerpc/ms07_029_msdns_zonename", "rank": 500, "disclosure_date": "2007-04-12", "type": "exploit", "author": [ "hdm ", "Unknown" ], "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. 
The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2.", "references": [ "CVE-2007-1748", "OSVDB-34100", "MSB-MS07-029", "URL-http://www.microsoft.com/technet/security/advisory/935964.mspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 0, "targets": [ "Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)", "Windows 2000 Server SP0-SP4+ English", "Windows 2000 Server SP0-SP4+ Italian", "Windows 2000 Server SP0-SP4+ French", "Windows 2003 Server SP0 English", "Windows 2003 Server SP0 French", "Windows 2003 Server SP1-SP2 English", "Windows 2003 Server SP1-SP2 French", "Windows 2003 Server SP1-SP2 Spanish", "Windows 2003 Server SP1-SP2 Italian", "Windows 2003 Server SP1-SP2 German" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb", "is_install_path": true, "ref_name": "windows/dcerpc/ms07_029_msdns_zonename", "check": false }, "exploit_windows/dcerpc/ms07_065_msmq": { "name": "MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow", "full_name": "exploit/windows/dcerpc/ms07_065_msmq", "rank": 400, "disclosure_date": "2007-12-11", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. This exploit requires\n the target system to have been configured with a DNS name and\n for that name to be supplied in the 'DNAME' option. 
This name does\n not need to be served by a valid DNS server, only configured on\n the target machine.", "references": [ "CVE-2007-3039", "OSVDB-39123", "MSB-MS07-065" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2103, "targets": [ "Windows 2000 Server English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/dcerpc/ms07_065_msmq.rb", "is_install_path": true, "ref_name": "windows/dcerpc/ms07_065_msmq", "check": false }, "exploit_windows/email/ms07_017_ani_loadimage_chunksize": { "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)", "full_name": "exploit/windows/email/ms07_017_ani_loadimage_chunksize", "rank": 500, "disclosure_date": "2007-03-28", "type": "exploit", "author": [ "hdm ", "skape " ], "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function of USER32.dll. The flaw is triggered\n through Outlook Express by using the CURSOR style sheet\n directive to load a malicious .ANI file.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", "references": [ "MSB-MS07-017", "CVE-2007-0038", "CVE-2007-1765", "OSVDB-33629", "BID-23194", "URL-http://www.microsoft.com/technet/security/advisory/935423.mspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Automatic", "Windows XP SP2 user32.dll 5.1.2600.2622", "Windows XP SP2 userenv.dll English", "Windows XP SP2 userenv.dll French", "Windows XP SP0/SP1 netui2.dll English", "Windows 2000 SP0-SP4 netui2.dll English", "Windows Vista user32.dll 6.0.6000.16386", "Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language", "Windows XP SP2 user32.dll (5.1.2600.2180) English", "Windows XP SP2 userenv.dll Portuguese (Brazil)", "Windows XP SP1a userenv.dll English", "Windows XP SP1a shell32.dll English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb", "is_install_path": true, "ref_name": "windows/email/ms07_017_ani_loadimage_chunksize", "check": false }, "exploit_windows/email/ms10_045_outlook_ref_only": { "name": "Outlook ATTACH_BY_REF_ONLY File Execution", "full_name": "exploit/windows/email/ms10_045_outlook_ref_only", "rank": 600, "disclosure_date": "2010-06-01", "type": "exploit", "author": [ "Yorick Koster " ], "description": "It has been discovered that certain e-mail messages cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely (on a file share, for example)\n can be used. Exploitation is limited by the fact that it is not possible for attackers\n to supply command line options.", "references": [ "MSB-MS10-045", "CVE-2010-0266", "OSVDB-66296", "BID-41446", "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Automatic" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb", "is_install_path": true, "ref_name": "windows/email/ms10_045_outlook_ref_only", "check": false }, "exploit_windows/email/ms10_045_outlook_ref_resolve": { "name": "Outlook ATTACH_BY_REF_RESOLVE File Execution", "full_name": "exploit/windows/email/ms10_045_outlook_ref_resolve", "rank": 600, "disclosure_date": "2010-06-01", "type": "exploit", "author": [ "Yorick Koster " ], "description": "It has been discovered that certain e-mail messages cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely, for example on a file share.\n Exploitation is limited by the fact that it is not possible for attackers to supply\n command line options.", "references": [ "MSB-MS10-045", "CVE-2010-0266", "OSVDB-66296", "BID-41446", "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb", "is_install_path": true, "ref_name": "windows/email/ms10_045_outlook_ref_resolve", "check": false }, "exploit_windows/emc/alphastor_agent": { "name": "EMC AlphaStor Agent Buffer Overflow", "full_name": "exploit/windows/emc/alphastor_agent", "rank": 500, "disclosure_date": "2008-05-27", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n By sending a specially crafted message, an attacker may\n be able to execute arbitrary code.", "references": [ "CVE-2008-2158", "OSVDB-45714", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 41025, "targets": [ "EMC AlphaStor 3.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/emc/alphastor_agent.rb", "is_install_path": true, "ref_name": "windows/emc/alphastor_agent", "check": false }, "exploit_windows/emc/alphastor_device_manager_exec": { "name": "EMC AlphaStor Device Manager Opcode 0x75 Command Injection", "full_name":
"exploit/windows/emc/alphastor_device_manager_exec", "rank": 600, "disclosure_date": "2013-01-18", "type": "exploit", "author": [ "Anyway ", "Preston Thornburn ", "Mohsan Farid ", "Brent Morris ", "juan vazquez " ], "description": "This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75\n command, the process does not properly filter user supplied input allowing for arbitrary\n command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116\n with Windows 2003 SP2 and Windows 2008 R2.", "references": [ "CVE-2013-0928", "ZDI-13-033" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3000, "targets": [ "EMC AlphaStor 4.0 < build 800 / Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/emc/alphastor_device_manager_exec.rb", "is_install_path": true, "ref_name": "windows/emc/alphastor_device_manager_exec", "check": true }, "exploit_windows/emc/networker_format_string": { "name": "EMC Networker Format String", "full_name": "exploit/windows/emc/networker_format_string", "rank": 300, "disclosure_date": "2012-08-29", "type": "exploit", "author": [ "Aaron Portnoy", "Luigi Auriemma ", "juan vazquez " ], "description": "This module exploits a format string vulnerability in the lg_sprintf function\n as implemented in liblocal.dll on EMC Networker products. This module exploits the\n vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,\n version 0x02, and procedure 0x06. 
This module has been tested successfully on EMC\n Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", "references": [ "CVE-2012-2288", "OSVDB-85116", "BID-55330", "URL-http://aluigi.altervista.org/misc/aluigi0216_story.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 111, "targets": [ "EMC Networker 7.6 SP3 / Windows Universal", "EMC Networker 7.6 SP3 / Windows XP SP3", "EMC Networker 7.6 SP3 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/emc/networker_format_string.rb", "is_install_path": true, "ref_name": "windows/emc/networker_format_string", "check": false }, "exploit_windows/emc/replication_manager_exec": { "name": "EMC Replication Manager Command Execution", "full_name": "exploit/windows/emc/replication_manager_exec", "rank": 500, "disclosure_date": "2011-02-07", "type": "exploit", "author": [ "Unknown", "Davy Douhine" ], "description": "This module exploits a remote command-injection vulnerability in EMC Replication Manager\n client (irccd.exe). By sending a specially crafted message invoking RunProgram function an\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\n products are EMC Replication Manager < 5.3. This module has been successfully tested\n against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\n against these products.", "references": [ "CVE-2011-0647", "OSVDB-70853", "BID-46235", "URL-http://www.securityfocus.com/archive/1/516260", "ZDI-11-061" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 6542, "targets": [ "EMC Replication Manager 5.2.1 / Windows Native Payload" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/emc/replication_manager_exec.rb", "is_install_path": true, "ref_name": "windows/emc/replication_manager_exec", "check": false }, "exploit_windows/fileformat/a_pdf_wav_to_mp3": { "name": "A-PDF WAV to MP3 v1.0.0 Buffer Overflow", "full_name": "exploit/windows/fileformat/a_pdf_wav_to_mp3", "rank": 300, "disclosure_date": "2010-08-17", "type": "exploit", "author": [ "d4rk-h4ck3r", "Dr_IDE", "dookie" ], "description": "This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", "references": [ "OSVDB-67241", "EDB-14676", "EDB-14681" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb", "is_install_path": true, "ref_name": "windows/fileformat/a_pdf_wav_to_mp3", "check": false }, "exploit_windows/fileformat/abbs_amp_lst": { "name": "ABBS Audio Media Player .LST Buffer Overflow", "full_name": "exploit/windows/fileformat/abbs_amp_lst", "rank": 300, "disclosure_date": "2013-06-30", "type": "exploit", "author": [ "Julian Ahrens", "modpr0be " ], "description": "This module exploits a buffer overflow in ABBS Audio Media Player. 
The vulnerability\n occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges\n of the user running the application. This module has been tested successfully on\n ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.", "references": [ "OSVDB-75096", "EDB-25204" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/abbs_amp_lst.rb", "is_install_path": true, "ref_name": "windows/fileformat/abbs_amp_lst", "check": false }, "exploit_windows/fileformat/acdsee_fotoslate_string": { "name": "ACDSee FotoSlate PLP File id Parameter Overflow", "full_name": "exploit/windows/fileformat/acdsee_fotoslate_string", "rank": 400, "disclosure_date": "2011-09-12", "type": "exploit", "author": [ "Parvez Anwar", "juan vazquez " ], "description": "This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via\n a specially crafted id parameter in a String element. When viewing a malicious\n PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a\n buffer and execute arbitrary code. 
This exploit has been tested on systems such as\n Windows XP SP3, Windows Vista, and Windows 7.", "references": [ "CVE-2011-2595", "OSVDB-75425", "BID-49558" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ACDSee FotoSlate 4.0 Build 146" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb", "is_install_path": true, "ref_name": "windows/fileformat/acdsee_fotoslate_string", "check": false }, "exploit_windows/fileformat/acdsee_xpm": { "name": "ACDSee XPM File Section Buffer Overflow", "full_name": "exploit/windows/fileformat/acdsee_xpm", "rank": 400, "disclosure_date": "2007-11-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in ACDSee 9.0.\n When viewing a malicious XPM file with the ACDSee product,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", "references": [ "CVE-2007-2193", "OSVDB-35236", "BID-23620" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ACDSee 9.0 (Build 1008)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb", "is_install_path": true, "ref_name": "windows/fileformat/acdsee_xpm", "check": false }, "exploit_windows/fileformat/actfax_import_users_bof": { "name": "ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow", "full_name": "exploit/windows/fileformat/actfax_import_users_bof", "rank": 300, "disclosure_date": "2012-08-28", "type": "exploit", "author": [ "Craig Freyman", "Brandon Perry", "juan vazquez " ], "description": "This module exploits a vulnerability in ActiveFax Server. The vulnerability is\n a stack based buffer overflow in the \"Import Users from File\" function, due to the\n insecure usage of strcpy while parsing the csv formatted file. The module creates a\n .exp file that must be imported with ActiveFax Server. 
It must be imported with the\n default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested\n successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the\n Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.", "references": [ "OSVDB-85175", "EDB-20915", "URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/actfax_import_users_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/actfax_import_users_bof", "check": false }, "exploit_windows/fileformat/activepdf_webgrabber": { "name": "activePDF WebGrabber ActiveX Control Buffer Overflow", "full_name": "exploit/windows/fileformat/activepdf_webgrabber", "rank": 100, "disclosure_date": "2008-08-26", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n an attacker may be able to execute arbitrary code. 
This control is not marked safe\n for scripting, so choose your attack vector accordingly.", "references": [ "OSVDB-64579", "URL-http://www.activepdf.com/products/serverproducts/webgrabber/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb", "is_install_path": true, "ref_name": "windows/fileformat/activepdf_webgrabber", "check": false }, "exploit_windows/fileformat/adobe_collectemailinfo": { "name": "Adobe Collab.collectEmailInfo() Buffer Overflow", "full_name": "exploit/windows/fileformat/adobe_collectemailinfo", "rank": 400, "disclosure_date": "2008-02-08", "type": "exploit", "author": [ "MC ", "Didier Stevens " ], "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-5659", "OSVDB-41495" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_collectemailinfo", "check": false }, "exploit_windows/fileformat/adobe_cooltype_sing": { "name": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/adobe_cooltype_sing", "rank": 500, "disclosure_date": "2010-09-07", "type": "exploit", "author": [ "Unknown", "sn0wfl0w", "jduck " ], "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. 
Prior versions are\n assumed to be vulnerable as well.", "references": [ "CVE-2010-2883", "OSVDB-67849", "URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html", "URL-http://www.adobe.com/support/security/advisories/apsa10-02.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_cooltype_sing", "check": false }, "exploit_windows/fileformat/adobe_flashplayer_button": { "name": "Adobe Flash Player \"Button\" Remote Code Execution", "full_name": "exploit/windows/fileformat/adobe_flashplayer_button", "rank": 300, "disclosure_date": "2010-10-28", "type": "exploit", "author": [ "Unknown", "Haifei Li", "jduck " ], "description": "This module exploits a vulnerability in the handling of certain SWF movies\n within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n are also vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. 
This method is unlikely to work across various\n Windows versions due to a hardcoded syscall number.", "references": [ "CVE-2010-3654", "OSVDB-68932", "BID-44504", "URL-http://www.adobe.com/support/security/advisories/apsa10-05.html", "URL-http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/", "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_flashplayer_button", "check": false }, "exploit_windows/fileformat/adobe_flashplayer_newfunction": { "name": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "full_name": "exploit/windows/fileformat/adobe_flashplayer_newfunction", "rank": 300, "disclosure_date": "2010-06-04", "type": "exploit", "author": [ "Unknown", "jduck " ], "description": "This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. 
This method is unlikely to work across various\n Windows versions due to the hardcoded syscall number.", "references": [ "CVE-2010-1297", "OSVDB-65141", "BID-40586", "URL-http://www.adobe.com/support/security/advisories/apsa10-01.html", "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_flashplayer_newfunction", "check": false }, "exploit_windows/fileformat/adobe_flatedecode_predictor02": { "name": "Adobe FlateDecode Stream Predictor 02 Integer Overflow", "full_name": "exploit/windows/fileformat/adobe_flatedecode_predictor02", "rank": 400, "disclosure_date": "2009-10-08", "type": "exploit", "author": [ "unknown", "jduck " ], "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n Acrobat Professional versions before 9.2.", "references": [ "CVE-2009-3459", "BID-36600", "OSVDB-58729", "URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html", "URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader Windows Universal (JS Heap Spray)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_flatedecode_predictor02", "check": false }, "exploit_windows/fileformat/adobe_geticon": { "name": "Adobe Collab.getIcon() Buffer Overflow", "full_name": "exploit/windows/fileformat/adobe_geticon", "rank": 400, "disclosure_date": "2009-03-24", "type": "exploit", "author": [ "MC ", "Didier Stevens ", "jduck " ], "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that contains a malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.", "references": [ "CVE-2009-0927", "OSVDB-53647", "ZDI-09-014" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader Universal (JS Heap Spray)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_geticon", "check": false }, "exploit_windows/fileformat/adobe_illustrator_v14_eps": { "name": "Adobe Illustrator CS4 v14.0.0", "full_name": "exploit/windows/fileformat/adobe_illustrator_v14_eps", "rank": 500, "disclosure_date": "2009-12-03", "type": "exploit", "author": [ "pyrokinesis", "dookie" ], "description": "Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n overlong DSC Comment Buffer Overflow Exploit", "references": [ "CVE-2009-4195", "BID-37192", "OSVDB-60632", "EDB-10281" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_illustrator_v14_eps", "check": false }, "exploit_windows/fileformat/adobe_jbig2decode": { "name": "Adobe JBIG2Decode Memory Corruption", "full_name": "exploit/windows/fileformat/adobe_jbig2decode", "rank": 400, "disclosure_date": "2009-02-19", "type": "exploit", "author": [ "natron ", "xort", "redsand", "MC ", "Didier Stevens " ], "description": "This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n This module relies upon javascript for the heap spray.", "references": [ "CVE-2009-0658", "OSVDB-52073"
], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader v9.0.0 (Windows XP SP3 English)", "Adobe Reader v8.1.2 (Windows XP SP2 English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_jbig2decode", "check": false }, "exploit_windows/fileformat/adobe_libtiff": { "name": "Adobe Acrobat Bundled LibTIFF Integer Overflow", "full_name": "exploit/windows/fileformat/adobe_libtiff", "rank": 400, "disclosure_date": "2010-02-16", "type": "exploit", "author": [ "Microsoft", "villy ", "jduck " ], "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions 8.0 through 8.2 and 9.0 through 9.3.", "references": [ "CVE-2010-0188", "BID-38195", "OSVDB-62526", "URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html", "URL-http://secunia.com/blog/76/", "URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_libtiff", "check": false }, "exploit_windows/fileformat/adobe_media_newplayer": { "name": "Adobe Doc.media.newPlayer Use After Free Vulnerability", "full_name": "exploit/windows/fileformat/adobe_media_newplayer", "rank": 400, "disclosure_date": "2009-12-14", "type": "exploit", "author": [ "unknown", "hdm ", "pusscat ", "jduck " ], "description": "This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions up to and including 9.2.", "references": [ "CVE-2009-4324", "BID-37331", "OSVDB-60980" ], 
"is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader Windows English (JS Heap Spray)", "Adobe Reader Windows German (JS Heap Spray)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_media_newplayer", "check": false }, "exploit_windows/fileformat/adobe_pdf_embedded_exe": { "name": "Adobe PDF Embedded EXE Social Engineering", "full_name": "exploit/windows/fileformat/adobe_pdf_embedded_exe", "rank": 600, "disclosure_date": "2010-03-29", "type": "exploit", "author": [ "Colin Ames ", "jduck " ], "description": "This module embeds a Metasploit payload into an existing PDF file. The\n resulting PDF can be sent to a target as part of a social engineering attack.", "references": [ "CVE-2010-1240", "OSVDB-63667", "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7 (English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_pdf_embedded_exe", "check": false }, "exploit_windows/fileformat/adobe_pdf_embedded_exe_nojs": { "name": "Adobe PDF Escape EXE Social Engineering (No JavaScript)", "full_name": "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs", "rank": 600, "disclosure_date": "2010-03-29", "type": "exploit", "author": [ "Jeremy Conway " ], "description": "This module embeds a Metasploit payload into an existing PDF file in\n a non-standard 
method. The resulting PDF can be sent to a target as\n part of a social engineering attack.", "references": [ "CVE-2010-1240", "OSVDB-63667", "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader <= v9.3.3 (Windows XP SP3 English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_pdf_embedded_exe_nojs", "check": false }, "exploit_windows/fileformat/adobe_reader_u3d": { "name": "Adobe Reader U3D Memory Corruption Vulnerability", "full_name": "exploit/windows/fileformat/adobe_reader_u3d", "rank": 200, "disclosure_date": "2011-12-06", "type": "exploit", "author": [ "Felipe Andres Manzano", "sinn3r ", "juan vazquez ", "jduck " ], "description": "This module exploits a vulnerability in the U3D handling within\n versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.\n The vulnerability is due to the use of uninitialized memory.\n\n Arbitrary code execution is achieved by embedding specially crafted U3D\n data into a PDF document. 
A heap spray via JavaScript is used in order to\n ensure that the memory used by the invalid pointer issue is controlled.", "references": [ "CVE-2011-2462", "OSVDB-77529", "BID-50922", "URL-http://www.adobe.com/support/security/advisories/apsa11-04.html", "URL-http://blog.9bplus.com/analyzing-cve-2011-2462", "URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0", "URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_reader_u3d", "check": false }, "exploit_windows/fileformat/adobe_toolbutton": { "name": "Adobe Reader ToolButton Use After Free", "full_name": "exploit/windows/fileformat/adobe_toolbutton", "rank": 300, "disclosure_date": "2013-08-08", "type": "exploit", "author": [ "Soroush Dalili", "Unknown", "sinn3r ", "juan vazquez " ], "description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to early free the object memory. Later use of the object\n allows triggering the use after free condition. 
This module has been tested successfully\n on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in\n November, 2013.", "references": [ "CVE-2013-3346", "OSVDB-96745", "ZDI-13-212", "URL-http://www.adobe.com/support/security/bulletins/apsb13-15.html", "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP / Adobe Reader 9/10/11" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/adobe_toolbutton.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_toolbutton", "check": false }, "exploit_windows/fileformat/adobe_u3d_meshdecl": { "name": "Adobe U3D CLODProgressiveMeshDeclaration Array Overrun", "full_name": "exploit/windows/fileformat/adobe_u3d_meshdecl", "rank": 400, "disclosure_date": "2009-10-13", "type": "exploit", "author": [ "Felipe Andres Manzano ", "jduck " ], "description": "This module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.4, < 8.2, and < 9.3. 
By creating a\n specially crafted pdf that contains malformed U3D data, an attacker may\n be able to execute arbitrary code.", "references": [ "CVE-2009-3953", "OSVDB-61690", "URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader Windows Universal (JS Heap Spray)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_u3d_meshdecl", "check": false }, "exploit_windows/fileformat/adobe_utilprintf": { "name": "Adobe util.printf() Buffer Overflow", "full_name": "exploit/windows/fileformat/adobe_utilprintf", "rank": 400, "disclosure_date": "2008-02-08", "type": "exploit", "author": [ "MC ", "Didier Stevens " ], "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n < 8.1.3. By creating a specially crafted pdf that contains a malformed util.printf()\n entry, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-2992", "OSVDB-49520" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Adobe Reader v8.1.2 (Windows XP SP3 English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb", "is_install_path": true, "ref_name": "windows/fileformat/adobe_utilprintf", "check": false }, "exploit_windows/fileformat/allplayer_m3u_bof": { "name": "ALLPlayer M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/allplayer_m3u_bof", "rank": 300, "disclosure_date": "2013-10-09", "type": "exploit", "author": [ "metacom", "Mike Czumak", "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n ALLPlayer 5.8.1, caused by a long string in a playlist entry.\n By persuading the victim to open a 
specially-crafted .M3U file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows 7 SP1.", "references": [ "CVE-2013-7409", "BID-62926", "BID-63896", "EDB-28855", "EDB-29549", "EDB-29798", "EDB-32041", "OSVDB-98283", "URL-http://www.allplayer.org/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ " ALLPlayer 2.8.1 / Windows 7 SP1" ], "mod_time": "2018-07-09 13:22:08 +0000", "path": "/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/allplayer_m3u_bof", "check": false }, "exploit_windows/fileformat/altap_salamander_pdb": { "name": "Altap Salamander 2.5 PE Viewer Buffer Overflow", "full_name": "exploit/windows/fileformat/altap_salamander_pdb", "rank": 400, "disclosure_date": "2007-06-19", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a buffer overflow in Altap Salamander <= v2.5.\n By creating a malicious file and convincing a user to view the file with\n the Portable Executable Viewer plugin within a vulnerable version of\n Salamander, the PDB file string is copied onto the stack and the\n SEH can be overwritten.", "references": [ "CVE-2007-3314", "BID-24557", "OSVDB-37579", "URL-http://vuln.sg/salamander25-en.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal Salamander 2.5" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb", "is_install_path": true, "ref_name": "windows/fileformat/altap_salamander_pdb", "check": false }, "exploit_windows/fileformat/aol_desktop_linktag": { "name": "AOL Desktop 9.6 RTX Buffer Overflow", "full_name": "exploit/windows/fileformat/aol_desktop_linktag", "rank": 300, "disclosure_date": "2011-01-31", "type": "exploit", "author": [ "sup3r", "sickn3ss", 
"sinn3r ", "mr_me ", "silent_dream" ], "description": "This module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n component. By supplying a long string of data in the hyperlink tag, rich.rct copies\n this data into a buffer using a strcpy function, which causes an overflow, and\n results arbitrary code execution.", "references": [ "OSVDB-70741", "EDB-16085" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "AOL Desktop 9.6 on Windows XP SP3", "AOL Desktop 9.6 on Windows XP SP3 - NX bypass", "AOL Desktop 9.6 on Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/aol_desktop_linktag.rb", "is_install_path": true, "ref_name": "windows/fileformat/aol_desktop_linktag", "check": false }, "exploit_windows/fileformat/aol_phobos_bof": { "name": "AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow", "full_name": "exploit/windows/fileformat/aol_phobos_bof", "rank": 200, "disclosure_date": "2010-01-20", "type": "exploit", "author": [ "Trancer " ], "description": "This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n By setting an overly long value to 'Import()', an attacker can overrun a buffer\n and execute arbitrary code.\n\n NOTE: This ActiveX control is NOT marked safe for scripting or initialization.", "references": [ "OSVDB-61964", "EDB-11204", "URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/aol_phobos_bof", "check": false }, "exploit_windows/fileformat/apple_quicktime_pnsize": { "name": "Apple QuickTime PICT PnSize Buffer Overflow", "full_name": 
"exploit/windows/fileformat/apple_quicktime_pnsize", "rank": 400, "disclosure_date": "2011-08-08", "type": "exploit", "author": [ "MC ", "corelanc0d3r " ], "description": "This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.\n When opening a .mov file containing a specially crafted PnSize value, an attacker\n may be able to execute arbitrary code.", "references": [ "CVE-2011-0257", "OSVDB-74687", "EDB-17777", "BID-49144" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 with DEP bypass" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb", "is_install_path": true, "ref_name": "windows/fileformat/apple_quicktime_pnsize", "check": false }, "exploit_windows/fileformat/apple_quicktime_rdrf": { "name": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", "full_name": "exploit/windows/fileformat/apple_quicktime_rdrf", "rank": 300, "disclosure_date": "2013-05-22", "type": "exploit", "author": [ "Jason Kratzer", "Tom Gallagher", "Paul Bates", "sinn3r " ], "description": "This module exploits a vulnerability found in Apple QuickTime. The flaw is\n triggered when QuickTime fails to properly handle the data length for certain\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\n overflow by loading a specially crafted .mov file, and allows arbitrary\n code execution under the context of the current user. 
Please note: Since an egghunter\n is used to search for the payload, this may require additional time for\n the exploit to complete.", "references": [ "CVE-2013-1017", "OSVDB-93625", "BID-60097", "URL-http://support.apple.com/kb/HT5770", "ZDI-13-110" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Quicktime 7.7.0 - 7.7.3 on Windows XP SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb", "is_install_path": true, "ref_name": "windows/fileformat/apple_quicktime_rdrf", "check": false }, "exploit_windows/fileformat/apple_quicktime_texml": { "name": "Apple QuickTime TeXML Style Element Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/apple_quicktime_texml", "rank": 300, "disclosure_date": "2012-05-15", "type": "exploit", "author": [ "Alexander Gavrun", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Apple QuickTime. When handling\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\n gain arbitrary code execution under the context of the user. 
This is due to the\n QuickTime3GPP.gtx component not handling certain Style subfields properly, storing\n user-supplied data on the stack, which results in the overflow.", "references": [ "OSVDB-81934", "CVE-2012-0663", "BID-53571", "ZDI-12-107", "URL-http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html", "URL-http://support.apple.com/kb/HT1222" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "QuickTime 7.7.1 on Windows XP SP3", "QuickTime 7.7.0 on Windows XP SP3", "QuickTime 7.6.9 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/apple_quicktime_texml.rb", "is_install_path": true, "ref_name": "windows/fileformat/apple_quicktime_texml", "check": false }, "exploit_windows/fileformat/audio_coder_m3u": { "name": "AudioCoder .M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/audio_coder_m3u", "rank": 300, "disclosure_date": "2013-05-01", "type": "exploit", "author": [ "metacom", "juan vazquez " ], "description": "This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution with the privileges\n of the user running AudioCoder. 
This module has been tested successfully on\n AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2017-8870", "OSVDB-92939", "EDB-25141" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/fileformat/audio_coder_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/audio_coder_m3u", "check": false }, "exploit_windows/fileformat/audio_wkstn_pls": { "name": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", "full_name": "exploit/windows/fileformat/audio_wkstn_pls", "rank": 400, "disclosure_date": "2009-12-08", "type": "exploit", "author": [ "germaya_x", "dookie" ], "description": "This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n When opening a malicious pls file with the Audio Workstation,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", "references": [ "CVE-2009-0476", "OSVDB-55424", "EDB-10353" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb", "is_install_path": true, "ref_name": "windows/fileformat/audio_wkstn_pls", "check": false }, "exploit_windows/fileformat/audiotran_pls": { "name": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/audiotran_pls", "rank": 400, "disclosure_date": "2010-01-09", "type": "exploit", "author": [ "Sebastien Duquette", "dookie" ], "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is 
registered to Audiotran.\n This functionality has not been tested in this module.", "references": [ "CVE-2009-0476", "OSVDB-55424", "EDB-11079" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/audiotran_pls.rb", "is_install_path": true, "ref_name": "windows/fileformat/audiotran_pls", "check": false }, "exploit_windows/fileformat/audiotran_pls_1424": { "name": "Audiotran PLS File Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/audiotran_pls_1424", "rank": 400, "disclosure_date": "2010-09-09", "type": "exploit", "author": [ "Philip OKeefe" ], "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively, it may be possible to execute code remotely via an embedded\n PLS file within a browser when the PLS extension is registered to Audiotran.\n This alternate vector has not been tested and cannot be exercised directly\n with this module.", "references": [ "EDB-14961" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/audiotran_pls_1424.rb", "is_install_path": true, "ref_name": "windows/fileformat/audiotran_pls_1424", "check": false }, "exploit_windows/fileformat/aviosoft_plf_buf": { "name": "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/aviosoft_plf_buf", "rank": 400, "disclosure_date": "2011-11-09", "type": "exploit", "author": [ "modpr0be", "sinn3r " ], "description": "This module exploits a vulnerability found in Aviosoft Digital TV Player\n Pro version 1.x. 
An overflow occurs when the process copies the content of a\n playlist file on to the stack, which may result in arbitrary code execution under\n the context of the user.", "references": [ "OSVDB-77043", "EDB-18096" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Aviosoft DTV Player 1.0.1.2" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb", "is_install_path": true, "ref_name": "windows/fileformat/aviosoft_plf_buf", "check": false }, "exploit_windows/fileformat/bacnet_csv": { "name": "BACnet OPC Client Buffer Overflow", "full_name": "exploit/windows/fileformat/bacnet_csv", "rank": 400, "disclosure_date": "2010-09-16", "type": "exploit", "author": [ "Jeremy Brown", "MC " ], "description": "This module exploits a stack buffer overflow in SCADA\n Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client\n parses a specially crafted csv file, arbitrary code may be\n executed.", "references": [ "CVE-2010-4740", "OSVDB-68096", "BID-43289", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 English", "Windows 2000 SP4 English" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/bacnet_csv.rb", "is_install_path": true, "ref_name": "windows/fileformat/bacnet_csv", "check": false }, "exploit_windows/fileformat/beetel_netconfig_ini_bof": { "name": "Beetel Connection Manager NetConfig.ini Buffer Overflow", "full_name": "exploit/windows/fileformat/beetel_netconfig_ini_bof", "rank": 300, "disclosure_date": "2013-10-12", "type": "exploit", "author": [ "metacom", "wvu " ], "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n file. 
The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n SP3 and Windows 7 SP1.", "references": [ "OSVDB-98714", "EDB-28969" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/beetel_netconfig_ini_bof", "check": false }, "exploit_windows/fileformat/blazedvd_hdtv_bof": { "name": "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability", "full_name": "exploit/windows/fileformat/blazedvd_hdtv_bof", "rank": 300, "disclosure_date": "2012-04-03", "type": "exploit", "author": [ "b33f", "sinn3r " ], "description": "This module exploits a vulnerability found in BlazeVideo HDTV Player's filename\n handling routine. When supplying a string of input data embedded in a .plf file,\n the MediaPlayerCtrl.dll component will try to extract a filename by using\n PathFindFileNameA(), and then copies whatever the return value is on the stack by\n using an inline strcpy. 
As a result, if this input data is long enough, it can cause\n a stack-based buffer overflow, which may lead to arbitrary code execution under the\n context of the user.", "references": [ "OSVDB-80896", "EDB-18693", "EDB-22931" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "BlazeVideo HDTV Player Pro v6.6.0.3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/blazedvd_hdtv_bof", "check": false }, "exploit_windows/fileformat/blazedvd_plf": { "name": "BlazeDVD 6.1 PLF Buffer Overflow", "full_name": "exploit/windows/fileformat/blazedvd_plf", "rank": 400, "disclosure_date": "2009-08-03", "type": "exploit", "author": [ "MC ", "Deepak Rathore", "Spencer McIntyre", "Ken Smith" ], "description": "This module exploits a stack overflow in BlazeDVD 5.1 and 6.2. When\n the application is used to open a specially crafted plf file,\n a buffer is overwritten allowing for the execution of arbitrary code.", "references": [ "CVE-2006-6199", "EDB-32737", "OSVDB-30770", "BID-35918" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "BlazeDVD 6.2", "BlazeDVD 5.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/blazedvd_plf.rb", "is_install_path": true, "ref_name": "windows/fileformat/blazedvd_plf", "check": false }, "exploit_windows/fileformat/boxoft_wav_to_mp3": { "name": "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow", "full_name": "exploit/windows/fileformat/boxoft_wav_to_mp3", "rank": 300, "disclosure_date": "2015-08-31", "type": "exploit", "author": [ "Robbie Corley", "Shelby Pace" ], "description": "This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.\n By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the\n application, 
a buffer is overwritten, which allows for running shellcode.", "references": [ "CVE-2015-7243", "EDB-38035" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Boxoft WAV to MP3 Converter v1.1" ], "mod_time": "2018-07-02 14:00:33 +0000", "path": "/modules/exploits/windows/fileformat/boxoft_wav_to_mp3.rb", "is_install_path": true, "ref_name": "windows/fileformat/boxoft_wav_to_mp3", "check": false }, "exploit_windows/fileformat/bpftp_client_bps_bof": { "name": "BulletProof FTP Client BPS Buffer Overflow", "full_name": "exploit/windows/fileformat/bpftp_client_bps_bof", "rank": 300, "disclosure_date": "2014-07-24", "type": "exploit", "author": [ "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n BulletProof FTP Client 2010, caused by an overly long hostname.\n\n By persuading the victim to open a specially-crafted .BPS file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3.", "references": [ "EDB-34162", "EDB-34540", "EDB-35449", "OSVDB-109547", "CVE-2014-2973" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/bpftp_client_bps_bof", "check": false }, "exploit_windows/fileformat/bsplayer_m3u": { "name": "BS.Player 2.57 Buffer Overflow (Unicode SEH)", "full_name": "exploit/windows/fileformat/bsplayer_m3u", "rank": 300, "disclosure_date": "2010-01-07", "type": "exploit", "author": [ "C4SS!0 G0M3S", "Chris Gabriel" ], "description": "This module exploits a buffer overflow in BS.Player 2.57. 
When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.", "references": [ "OSVDB-82528", "EDB-15934" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP", "Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/bsplayer_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/bsplayer_m3u", "check": false }, "exploit_windows/fileformat/ca_cab": { "name": "CA Antivirus Engine CAB Buffer Overflow", "full_name": "exploit/windows/fileformat/ca_cab", "rank": 400, "disclosure_date": "2007-06-05", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n By creating a specially crafted CAB file, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2007-2864", "OSVDB-35245", "BID-24330", "ZDI-07-035" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ca_cab.rb", "is_install_path": true, "ref_name": "windows/fileformat/ca_cab", "check": false }, "exploit_windows/fileformat/cain_abel_4918_rdp": { "name": "Cain and Abel RDP Buffer Overflow", "full_name": "exploit/windows/fileformat/cain_abel_4918_rdp", "rank": 400, "disclosure_date": "2008-11-30", "type": "exploit", "author": [ "Trancek " ], "description": "This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n and below. 
An attacker must send the file to victim, and the victim must open\n the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.", "references": [ "CVE-2008-5405", "OSVDB-50342", "EDB-7329", "BID-32543" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2 English", "Windows XP SP0/1 English", "Windows XP SP2 Spanish" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb", "is_install_path": true, "ref_name": "windows/fileformat/cain_abel_4918_rdp", "check": false }, "exploit_windows/fileformat/ccmplayer_m3u_bof": { "name": "CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow", "full_name": "exploit/windows/fileformat/ccmplayer_m3u_bof", "rank": 400, "disclosure_date": "2011-11-30", "type": "exploit", "author": [ "Rh0" ], "description": "This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening\n a m3u playlist with a long track name, a SEH exception record can be overwritten\n with parts of the controllable buffer. 
SEH execution is triggered after an\n invalid read of an injectable address, thus allowing arbitrary code execution.\n This module works on multiple Windows platforms including: Windows XP SP3,\n Windows Vista, and Windows 7.", "references": [ "CVE-2011-5170", "OSVDB-77453", "EDB-18178" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "CCMPlayer 1.5" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ccmplayer_m3u_bof", "check": false }, "exploit_windows/fileformat/chasys_draw_ies_bmp_bof": { "name": "Chasys Draw IES Buffer Overflow", "full_name": "exploit/windows/fileformat/chasys_draw_ies_bmp_bof", "rank": 300, "disclosure_date": "2013-07-26", "type": "exploit", "author": [ "Christopher Gabriel", "Longinos Recuero Bustos", "Javier 'soez'", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability found in Chasys Draw IES\n (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while\n parsing BMP files, where the ReadFile function is used to store user provided data\n on the stack in an insecure way. It results in arbitrary code execution under the\n context of the user viewing a specially crafted BMP file. 
This module has been\n tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7\n SP1.", "references": [ "CVE-2013-3928", "OSVDB-95689", "BID-61463", "URL-http://secunia.com/advisories/53773/", "URL-http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/chasys_draw_ies_bmp_bof", "check": false }, "exploit_windows/fileformat/coolpdf_image_stream_bof": { "name": "Cool PDF Image Stream Buffer Overflow", "full_name": "exploit/windows/fileformat/coolpdf_image_stream_bof", "rank": 300, "disclosure_date": "2013-01-18", "type": "exploit", "author": [ "Francis Provencher", "Chris Gabriel", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in Cool PDF Reader prior to version\n 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that\n contains a specially crafted image stream. 
This module has been tested successfully\n on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2012-4914", "OSVDB-89349", "EDB-24463", "URL-http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Cool PDF 3.0.2.256 / Windows 7 SP1 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/coolpdf_image_stream_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/coolpdf_image_stream_bof", "check": false }, "exploit_windows/fileformat/corelpdf_fusion_bof": { "name": "Corel PDF Fusion Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/corelpdf_fusion_bof", "rank": 300, "disclosure_date": "2013-07-08", "type": "exploit", "author": [ "Kaveh Ghaemmaghami", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow vulnerability in version 1.11 of\n Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry\n names. In order for the payload to be executed, an attacker must convince the target\n user to open a specially crafted XPS file with Corel PDF Fusion. 
By doing so, the\n attacker can execute arbitrary code as the target user.", "references": [ "CVE-2013-3248", "OSVDB-94933", "BID-61010", "URL-http://secunia.com/advisories/52707/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Corel PDF Fusion 1.11 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/corelpdf_fusion_bof", "check": false }, "exploit_windows/fileformat/csound_getnum_bof": { "name": "Csound hetro File Handling Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/csound_getnum_bof", "rank": 300, "disclosure_date": "2012-02-23", "type": "exploit", "author": [ "Secunia", "juan vazquez " ], "description": "This module exploits a buffer overflow in Csound before 5.16.6.\n The overflow occurs when trying to import a malicious hetro file\n from tabular format.\n In order to achieve exploitation the user should import the malicious\n file through csound with a command like \"csound -U het_import msf.csd file.het\".\n This exploit doesn't work if the \"het_import\" command is used directly\n to convert the file.", "references": [ "CVE-2012-0270", "OSVDB-79491", "BID-52144", "URL-http://secunia.com/secunia_research/2012-3/", "URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Csound 5.15 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/csound_getnum_bof", "check": false }, "exploit_windows/fileformat/cutezip_bof": { "name": "GlobalSCAPE CuteZIP Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/cutezip_bof", 
"rank": 300, "disclosure_date": "2011-02-12", "type": "exploit", "author": [ "C4SS!0 G0M3S ", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of CuteZIP.\n\n In order for the command to be executed, an attacker must convince the target user\n to open a specially crafted zip file with CuteZIP. By doing so, an attacker can\n execute arbitrary code as the target user.", "references": [ "OSVDB-85709", "EDB-16162", "BID-46375" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "CuteZIP 2.1 / Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/cutezip_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/cutezip_bof", "check": false }, "exploit_windows/fileformat/cve_2017_8464_lnk_rce": { "name": "LNK Code Execution Vulnerability", "full_name": "exploit/windows/fileformat/cve_2017_8464_lnk_rce", "rank": 600, "disclosure_date": "2017-06-13", "type": "exploit", "author": [ "Uncredited", "Yorick Koster", "Spencer McIntyre" ], "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. 
This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n If no PATH is specified, the module will use drive letters D through Z so the files\n may be placed in the root path of a drive such as a shared VM folder or USB drive.", "references": [ "CVE-2017-8464", "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Automatic", "Windows x64", "Windows x86" ], "mod_time": "2017-11-02 12:31:54 +0000", "path": "/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb", "is_install_path": true, "ref_name": "windows/fileformat/cve_2017_8464_lnk_rce", "check": false }, "exploit_windows/fileformat/cyberlink_p2g_bof": { "name": "CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit", "full_name": "exploit/windows/fileformat/cyberlink_p2g_bof", "rank": 500, "disclosure_date": "2011-09-12", "type": "exploit", "author": [ "modpr0be ", "mr_me " ], "description": "This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x\n The vulnerability is triggered when opening a malformed p2g file containing an overly\n long string in the 'name' attribute of the file element. 
This results in overwriting a\n structured exception handler record.", "references": [ "CVE-2011-5171", "BID-50997", "OSVDB-77600", "EDB-18220", "US-CERT-VU-158003" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "CyberLink Power2Go 8 (XP/Vista/win7) Universal" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/cyberlink_p2g_bof", "check": false }, "exploit_windows/fileformat/cytel_studio_cy3": { "name": "Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/cytel_studio_cy3", "rank": 400, "disclosure_date": "2011-10-02", "type": "exploit", "author": [ "Luigi Auriemma", "James Fitts " ], "description": "This module exploits a stack based buffer overflow found\n in Cytel Studio <= 9.0. The overflow is triggered during the\n copying of strings to a stack buffer of 256 bytes.", "references": [ "OSVDB-75991", "BID-49924", "URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Cytel Studio 9.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb", "is_install_path": true, "ref_name": "windows/fileformat/cytel_studio_cy3", "check": false }, "exploit_windows/fileformat/deepburner_path": { "name": "AstonSoft DeepBurner (DBR File) Path Buffer Overflow", "full_name": "exploit/windows/fileformat/deepburner_path", "rank": 500, "disclosure_date": "2006-12-19", "type": "exploit", "author": [ "Expanders", "fl0 fl0w", "jduck " ], "description": "This module exploits a stack-based buffer overflow in versions 1.9.0.228,\n 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible 
to execute code remotely via an embedded\n DBR file within a browser, since the DBR extension is registered to DeepBurner.", "references": [ "BID-21657", "OSVDB-32356", "CVE-2006-6665", "EDB-2950", "EDB-8335", "EDB-11315" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/deepburner_path.rb", "is_install_path": true, "ref_name": "windows/fileformat/deepburner_path", "check": false }, "exploit_windows/fileformat/destinymediaplayer16": { "name": "Destiny Media Player 1.61 PLS M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/destinymediaplayer16", "rank": 400, "disclosure_date": "2009-01-03", "type": "exploit", "author": [ "Trancek " ], "description": "This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n An attacker must send the file to the victim, and the victim must open the file via File-->Open Playlist", "references": [ "CVE-2009-3429", "OSVDB-53249", "EDB-7651", "BID-33091" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Destiny Universal", "Windows XP SP2 Spanish" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/fileformat/destinymediaplayer16.rb", "is_install_path": true, "ref_name": "windows/fileformat/destinymediaplayer16", "check": false }, "exploit_windows/fileformat/digital_music_pad_pls": { "name": "Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/digital_music_pad_pls", "rank": 300, "disclosure_date": "2010-09-17", "type": "exploit", "author": [ "Abhishek Lyall " ], "description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4.\n When opening a malicious pls file with the Digital Music Pad,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", "references": [ 
"OSVDB-68178", "URL-http://secunia.com/advisories/41519/", "EDB-15134" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb", "is_install_path": true, "ref_name": "windows/fileformat/digital_music_pad_pls", "check": false }, "exploit_windows/fileformat/djstudio_pls_bof": { "name": "DJ Studio Pro 5.1 .pls Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/djstudio_pls_bof", "rank": 300, "disclosure_date": "2009-12-30", "type": "exploit", "author": [ "Sebastien Duquette", "Death-Shadow-Dark " ], "description": "This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.\n When handling a .pls file, DJ Studio will copy the user-supplied data on the stack\n without any proper bounds checking done beforehand, therefore allowing code\n execution under the context of the user.", "references": [ "CVE-2009-4656", "OSVDB-58159", "EDB-10827" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "DJ Studio Pro 5.1.6.5.2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/djstudio_pls_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/djstudio_pls_bof", "check": false }, "exploit_windows/fileformat/djvu_imageurl": { "name": "DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow", "full_name": "exploit/windows/fileformat/djvu_imageurl", "rank": 100, "disclosure_date": "2008-10-30", "type": "exploit", "author": [ "dean " ], "description": "This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an\n overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n an attacker may be able to execute arbitrary code. 
This control is not marked safe\n for scripting, so choose your attack vector accordingly.", "references": [ "CVE-2008-4922", "OSVDB-49592", "BID-31987" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb", "is_install_path": true, "ref_name": "windows/fileformat/djvu_imageurl", "check": false }, "exploit_windows/fileformat/dupscout_xml": { "name": "Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow", "full_name": "exploit/windows/fileformat/dupscout_xml", "rank": 300, "disclosure_date": "2017-03-29", "type": "exploit", "author": [ "Daniel Teixeira" ], "description": "This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16\n by using the import command option to import a specially crafted xml file.", "references": [ "CVE-2017-7310" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-02-01 10:05:50 +0000", "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb", "is_install_path": true, "ref_name": "windows/fileformat/dupscout_xml", "check": false }, "exploit_windows/fileformat/dvdx_plf_bof": { "name": "DVD X Player 5.5 .plf PlayList Buffer Overflow", "full_name": "exploit/windows/fileformat/dvdx_plf_bof", "rank": 300, "disclosure_date": "2007-06-02", "type": "exploit", "author": [ "n00b", "D3r K0n!G", "sickness", "sinn3r " ], "description": "This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and\n Standard. 
By supplying a long string of data in a plf file (playlist), the\n MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,\n and then copy it on the stack without any proper bounds checking, which causes a\n buffer overflow, and results in arbitrary code execution under the context of the user.\n\n This module has been designed to target common Windows systems such as:\n Windows XP SP2/SP3, Windows Vista, and Windows 7.", "references": [ "CVE-2007-3068", "OSVDB-36956", "BID-24278", "EDB-17745" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "DVD X Player 5.5 Standard / Pro" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/fileformat/dvdx_plf_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/dvdx_plf_bof", "check": false }, "exploit_windows/fileformat/easycdda_pls_bof": { "name": "Easy CD-DA Recorder PLS Buffer Overflow", "full_name": "exploit/windows/fileformat/easycdda_pls_bof", "rank": 300, "disclosure_date": "2010-06-07", "type": "exploit", "author": [ "chap0", "Gabor Seljan", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. 
This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.", "references": [ "BID-40631", "EDB-13761", "OSVDB-65256", "CVE-2010-2343", "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / Windows 7 SP1 (DEP Bypass)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/easycdda_pls_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/easycdda_pls_bof", "check": false }, "exploit_windows/fileformat/emc_appextender_keyworks": { "name": "EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow", "full_name": "exploit/windows/fileformat/emc_appextender_keyworks", "rank": 200, "disclosure_date": "2009-09-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control\n (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's\n Documentation ApplicationXtender 5.4.", "references": [ "CVE-2012-2515", "OSVDB-58423", "BID-36546" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb", "is_install_path": true, "ref_name": "windows/fileformat/emc_appextender_keyworks", "check": false }, "exploit_windows/fileformat/erdas_er_viewer_bof": { "name": "ERS Viewer 2011 ERS File Handling Buffer Overflow", "full_name": "exploit/windows/fileformat/erdas_er_viewer_bof", "rank": 300, "disclosure_date": "2013-04-23", "type": "exploit", "author": [ "Parvez Anwar", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2011\n (version 11.04). 
The vulnerability exists in the module ermapper_u.dll where the\n function ERM_convert_to_correct_webpath handles user provided data in an insecure\n way. It results in arbitrary code execution under the context of the user viewing\n a specially crafted .ers file. This module has been tested successfully with ERS\n Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2013-0726", "OSVDB-92694", "BID-59379", "URL-http://secunia.com/advisories/51725/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/erdas_er_viewer_bof", "check": false }, "exploit_windows/fileformat/erdas_er_viewer_rf_report_error": { "name": "ERS Viewer 2013 ERS File Handling Buffer Overflow", "full_name": "exploit/windows/fileformat/erdas_er_viewer_rf_report_error", "rank": 300, "disclosure_date": "2013-05-23", "type": "exploit", "author": [ "James Fitts", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.\n The vulnerability exists in the module ermapper_u.dll, where the function\n rf_report_error handles user provided data in an insecure way. It results in\n arbitrary code execution under the context of the user viewing a specially crafted\n .ers file. 
This module has been tested successfully with ERS Viewer 2013 (version\n 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2013-3482", "OSVDB-93650", "URL-http://secunia.com/advisories/53620/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR", "ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb", "is_install_path": true, "ref_name": "windows/fileformat/erdas_er_viewer_rf_report_error", "check": false }, "exploit_windows/fileformat/esignal_styletemplate_bof": { "name": "eSignal and eSignal Pro File Parsing Buffer Overflow in QUO", "full_name": "exploit/windows/fileformat/esignal_styletemplate_bof", "rank": 300, "disclosure_date": "2011-09-06", "type": "exploit", "author": [ "Luigi Auriemma", "TecR0c ", "mr_me " ], "description": "The software is unable to handle the \"\" files (even those\n originally included in the program) like those with the registered\n extensions QUO, SUM and POR. Successful exploitation of this\n vulnerability may take up to several seconds due to the use of\n an egghunter. Also, DEP bypass is unlikely due to the limited space for\n payload. 
This vulnerability affects versions 10.6.2425.1208 and earlier.", "references": [ "CVE-2011-3494", "OSVDB-75456", "BID-49600", "URL-http://aluigi.altervista.org/adv/esignal_1-adv.txt", "EDB-17837" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Win XP SP3 / Windows Vista / Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/esignal_styletemplate_bof", "check": false }, "exploit_windows/fileformat/etrust_pestscan": { "name": "CA eTrust PestPatrol ActiveX Control Buffer Overflow", "full_name": "exploit/windows/fileformat/etrust_pestscan", "rank": 200, "disclosure_date": "2009-11-02", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in CA eTrust PestPatrol. When\n sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2009-4225", "OSVDB-60862" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/etrust_pestscan.rb", "is_install_path": true, "ref_name": "windows/fileformat/etrust_pestscan", "check": false }, "exploit_windows/fileformat/ezip_wizard_bof": { "name": "eZip Wizard 3.0 Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/ezip_wizard_bof", "rank": 400, "disclosure_date": "2009-03-09", "type": "exploit", "author": [ "fl0 fl0w", "jduck ", "Lincoln" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 3.0 of ediSys Corp.'s eZip Wizard.\n\n In order for the command to be executed, an attacker must convince someone to\n open a specially crafted zip file with eZip 
Wizard, and access the specially crafted\n file by double-clicking it. By doing so, an attacker can execute arbitrary\n code as the victim user.", "references": [ "CVE-2009-1028", "OSVDB-52815", "BID-34044", "URL-http://www.edisys.com/", "EDB-8180", "EDB-12059" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ezip_wizard_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ezip_wizard_bof", "check": false }, "exploit_windows/fileformat/fatplayer_wav": { "name": "Fat Player Media Player 0.6b0 Buffer Overflow", "full_name": "exploit/windows/fileformat/fatplayer_wav", "rank": 300, "disclosure_date": "2010-10-18", "type": "exploit", "author": [ "James Fitts ", "dookie" ], "description": "This module exploits a buffer overflow in Fat Player 0.6b. When\n the application is used to import a specially crafted wav file, a buffer overflow occurs\n allowing arbitrary code execution.", "references": [ "CVE-2009-4962", "OSVDB-57343", "EDB-15279" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb", "is_install_path": true, "ref_name": "windows/fileformat/fatplayer_wav", "check": false }, "exploit_windows/fileformat/fdm_torrent": { "name": "Free Download Manager Torrent Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/fdm_torrent", "rank": 400, "disclosure_date": "2009-02-02", "type": "exploit", "author": [ "SkD ", "jduck " ], "description": "This module exploits a stack buffer overflow in Free Download Manager\n 3.0 Build 844. 
Arbitrary code execution could occur when parsing a\n specially crafted torrent file.", "references": [ "CVE-2009-0184", "OSVDB-54033", "BID-33555", "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18", "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18", "URL-http://secunia.com/secunia_research/2009-5/", "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Free Download Manager 3.0 (Build 844)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb", "is_install_path": true, "ref_name": "windows/fileformat/fdm_torrent", "check": false }, "exploit_windows/fileformat/feeddemon_opml": { "name": "FeedDemon Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/feeddemon_opml", "rank": 500, "disclosure_date": "2009-02-09", "type": "exploit", "author": [ "fl0 fl0w", "dookie", "jduck " ], "description": "This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n is used to import a specially crafted opml file, a buffer overflow occurs allowing\n arbitrary code execution.\n\n All versions are suspected to be vulnerable. 
This vulnerability was originally reported\n against version 2.7 in February of 2009.", "references": [ "CVE-2009-0546", "OSVDB-51753", "BID-33630", "EDB-7995", "EDB-8010", "EDB-11379" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb", "is_install_path": true, "ref_name": "windows/fileformat/feeddemon_opml", "check": false }, "exploit_windows/fileformat/foxit_reader_filewrite": { "name": "Foxit PDF Reader 4.2 Javascript File Write", "full_name": "exploit/windows/fileformat/foxit_reader_filewrite", "rank": 300, "disclosure_date": "2011-03-05", "type": "exploit", "author": [ "bannedit ", "Chris Evans" ], "description": "This module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n version 4.2. The createDataObject() Javascript API function allows for writing\n arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\n Note: This exploit uses the All Users directory currently, which requires\n administrator privileges to write to. This means an administrative user has to\n open the file to be successful. 
Kind of lame but that's how it goes sometimes in\n the world of file write bugs.", "references": [ "OSVDB-71104", "URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)", "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb", "is_install_path": true, "ref_name": "windows/fileformat/foxit_reader_filewrite", "check": false }, "exploit_windows/fileformat/foxit_reader_launch": { "name": "Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow", "full_name": "exploit/windows/fileformat/foxit_reader_launch", "rank": 400, "disclosure_date": "2009-03-09", "type": "exploit", "author": [ "Francisco Falcon", "bannedit " ], "description": "This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.\n Due to the way Foxit Reader handles the input from a \"Launch\" action, it is possible\n to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code\n execution under the context of the user.", "references": [ "CVE-2009-0837", "OSVDB-55614", "BID-34035", "URL-http://www.coresecurity.com/content/foxit-reader-vulnerabilities" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Foxit Reader 3.0 Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb", "is_install_path": true, "ref_name": "windows/fileformat/foxit_reader_launch", "check": false }, "exploit_windows/fileformat/foxit_title_bof": { "name": "Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/foxit_title_bof", "rank": 500, "disclosure_date": "2010-11-13", "type": "exploit", "author": [ 
"dookie", "Sud0", "corelanc0d3r ", "jduck " ], "description": "This module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n contains an overly long string in the Title field. This results in overwriting a\n structured exception handler record.\n\n NOTE: This exploit does not use javascript.", "references": [ "OSVDB-68648", "EDB-15532", "URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Foxit Reader v4.1.1 XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/foxit_title_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/foxit_title_bof", "check": false }, "exploit_windows/fileformat/free_mp3_ripper_wav": { "name": "Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/free_mp3_ripper_wav", "rank": 500, "disclosure_date": "2011-08-27", "type": "exploit", "author": [ "Richard Leahy", "X-h4ck", "Tiago Henriques", "James Fitts " ], "description": "This module exploits a stack based buffer overflow found in Free MP3 CD\n Ripper 1.1. 
The overflow is triggered when an unsuspecting user opens a malicious\n WAV file.", "references": [ "CVE-2011-5165", "OSVDB-63349", "EDB-11975", "EDB-17727" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 EN" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb", "is_install_path": true, "ref_name": "windows/fileformat/free_mp3_ripper_wav", "check": false }, "exploit_windows/fileformat/galan_fileformat_bof": { "name": "gAlan 0.2.1 Buffer Overflow", "full_name": "exploit/windows/fileformat/galan_fileformat_bof", "rank": 300, "disclosure_date": "2009-12-07", "type": "exploit", "author": [ "Jeremy Brown <0xjbrown41@gmail.com>", "loneferret" ], "description": "This module exploits a stack buffer overflow in gAlan 0.2.1\n by creating a specially crafted galan file.", "references": [ "OSVDB-60897", "EDB-10339" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/galan_fileformat_bof", "check": false }, "exploit_windows/fileformat/gsm_sim": { "name": "GSM SIM Editor 5.15 Buffer Overflow", "full_name": "exploit/windows/fileformat/gsm_sim", "rank": 300, "disclosure_date": "2010-07-07", "type": "exploit", "author": [ "Ruben Alejandro", "chap0 ", "Lincoln " ], "description": "This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.\n When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer\n overflow occurs which allows an attacker to execute arbitrary code.", "references": [ "CVE-2015-1171", "OSVDB-81161", "EDB-14258" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": 
"2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/fileformat/gsm_sim.rb", "is_install_path": true, "ref_name": "windows/fileformat/gsm_sim", "check": false }, "exploit_windows/fileformat/gta_samp": { "name": "GTA SA-MP server.cfg Buffer Overflow", "full_name": "exploit/windows/fileformat/gta_samp", "rank": 300, "disclosure_date": "2011-09-18", "type": "exploit", "author": [ "Silent_Dream" ], "description": "This module exploits a stack-based buffer overflow in GTA SA-MP Server.\n This buffer overflow occurs when the application attempts to open a malformed\n server.cfg file. To exploit this vulnerability, an attacker must send the\n victim a server.cfg file and have them run samp-server.exe.", "references": [ "OSVDB-83433", "EDB-17893" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "GTA SA-MP (samp-server) v0.3.1.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/gta_samp.rb", "is_install_path": true, "ref_name": "windows/fileformat/gta_samp", "check": false }, "exploit_windows/fileformat/hhw_hhp_compiledfile_bof": { "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", "full_name": "exploit/windows/fileformat/hhw_hhp_compiledfile_bof", "rank": 400, "disclosure_date": "2006-02-06", "type": "exploit", "author": [ "bratax", "jduck " ], "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n By creating a specially crafted hhp file, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2006-0564", "OSVDB-22941", "EDB-1488", "EDB-1490" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP English SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof", "check": false }, 
"exploit_windows/fileformat/hhw_hhp_contentfile_bof": { "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", "full_name": "exploit/windows/fileformat/hhw_hhp_contentfile_bof", "rank": 400, "disclosure_date": "2006-02-06", "type": "exploit", "author": [ "bratax", "jduck " ], "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", "references": [ "CVE-2006-0564", "OSVDB-22941", "EDB-1470", "EDB-1495" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP English SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof", "check": false }, "exploit_windows/fileformat/hhw_hhp_indexfile_bof": { "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", "full_name": "exploit/windows/fileformat/hhw_hhp_indexfile_bof", "rank": 400, "disclosure_date": "2009-01-17", "type": "exploit", "author": [ "Encrypt3d.M!nd", "loneferret", "jduck " ], "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", "references": [ "CVE-2009-0133", "BID-33189", "OSVDB-22941", "EDB-10323", "EDB-10335" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP English SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof", "check": false }, "exploit_windows/fileformat/homm3_h3m": { "name": "Heroes of Might and Magic III .h3m Map file Buffer Overflow", "full_name": "exploit/windows/fileformat/homm3_h3m", "rank": 300, "disclosure_date": "2015-07-29", "type": "exploit", "author": [ "Pierre Lindblad", "John 
AAkerblom" ], "description": "This module embeds an exploit into an uncompressed map file (.h3m) for\n Heroes of Might and Magic III. Once the map is started in-game, a\n buffer overflow occurring when loading object sprite names leads to\n shellcode execution.", "references": [ "EDB-37716" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]", "HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]", "Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/homm3_h3m.rb", "is_install_path": true, "ref_name": "windows/fileformat/homm3_h3m", "check": false }, "exploit_windows/fileformat/ht_mp3player_ht3_bof": { "name": "HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/ht_mp3player_ht3_bof", "rank": 400, "disclosure_date": "2009-06-29", "type": "exploit", "author": [ "hack4love ", "His0k4", "jduck " ], "description": "This module exploits a stack buffer overflow in HT-MP3Player 1.0.\n Arbitrary code execution could occur when parsing a specially crafted\n .HT3 file.\n\n NOTE: The player installation does not register the file type to be\n handled. 
Therefore, a user must take extra steps to load this file.", "references": [ "CVE-2009-2485", "OSVDB-55449", "EDB-9034", "EDB-9038" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "HT-MP3Player 1.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ht_mp3player_ht3_bof", "check": false }, "exploit_windows/fileformat/ibm_forms_viewer_fontname": { "name": "IBM Forms Viewer Unicode Buffer Overflow", "full_name": "exploit/windows/fileformat/ibm_forms_viewer_fontname", "rank": 300, "disclosure_date": "2013-12-05", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability\n is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed\n XFDL files containing a long fontname value. This module has been tested successfully on IBM\n Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2013-5447", "OSVDB-100732", "ZDI-13-274", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21657500" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ibm_forms_viewer_fontname.rb", "is_install_path": true, "ref_name": "windows/fileformat/ibm_forms_viewer_fontname", "check": false }, "exploit_windows/fileformat/ibm_pcm_ws": { "name": "IBM Personal Communications iSeries Access WorkStation 5.9 Profile", "full_name": "exploit/windows/fileformat/ibm_pcm_ws", "rank": 500, "disclosure_date": "2012-02-28", "type": "exploit", "author": [ "TecR0c " ], "description": "The IBM Personal Communications I-Series application WorkStation is susceptible to a\n stack-based 
buffer overflow vulnerability within file parsing in which data copied to a\n location in memory exceeds the size of the reserved destination area. The buffer is located\n on the runtime program stack.\n\n When the WorkStation file is opened it will reach the code path at 0x67575180 located in\n pcspref.dll which conducts string manipulation and validation on the data supplied in the\n WorkStation file. The application will first check if the 'Profile' header exists and appends\n a dot with the next parameter within the file. It will then measure the character length\n of the header by calling strcspn with a dot as the terminating character.\n\n It will then write the header into memory and ensure the header ends with a NUL character.\n The parameter character array is passed to the strcpy() function. The application has\n declared a 52-element character array as the destination for the strcpy() function. The\n function does not perform bounds checking; therefore, data can be written past the end of\n the buffer variable resulting in corruption of adjacent variables including other local\n variables, program state information and function arguments. You will notice that the\n saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.\n\n To ensure we can perform arbitrary code execution we must provide a valid pointer at\n 0x74 which is used as an argument for the called function at 0x675751ED as an id file\n extension parameter. Once the caller regains control we will reach our RETURN. 
The Ret\n instruction will be used to pop the overwritten saved return address which was corrupted.\n\n This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.\n\n Versions tested:\n IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a\n Which bundles pcsws.exe version 5090.27271.709\n\n Tested on:\n Microsoft Windows XP [Version 5.1.2600]\n Microsoft Windows Vista [Version 6.0.6002]\n Microsoft Windows 7 [Version 6.1.7600]", "references": [ "CVE-2012-0201", "OSVDB-79657", "URL-https://www-304.ibm.com/support/docview.wss?uid=swg21586166" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IBM WorkStation 5.9 (Windows XP SP3)", "IBM WorkStation 5.9 (Windows 7, Windows Vista)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ibm_pcm_ws.rb", "is_install_path": true, "ref_name": "windows/fileformat/ibm_pcm_ws", "check": false }, "exploit_windows/fileformat/icofx_bof": { "name": "IcoFX Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/icofx_bof", "rank": 300, "disclosure_date": "2013-12-10", "type": "exploit", "author": [ "Marcos Accossatto", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of IcoFX. 
The vulnerability exists while parsing .ICO files, where a specially\n crafted ICONDIR header providing an arbitrary long number of images in the file\n can be used to trigger the overflow when reading the ICONDIRENTRY structures.", "references": [ "CVE-2013-4988", "OSVDB-100826", "BID-64221", "EDB-30208", "URL-http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IcoFX 2.5 / Windows 7 SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/icofx_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/icofx_bof", "check": false }, "exploit_windows/fileformat/ideal_migration_ipj": { "name": "PointDev IDEAL Migration Buffer Overflow", "full_name": "exploit/windows/fileformat/ideal_migration_ipj", "rank": 500, "disclosure_date": "2009-12-05", "type": "exploit", "author": [ "Dr_IDE", "dookie", "jduck " ], "description": "This module exploits a stack buffer overflow in versions v9.7\n through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n IDEAL Migration. 
All versions are suspected to be vulnerable.\n By creating a specially crafted ipj file, an attacker may be able\n to execute arbitrary code.\n\n NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH", "references": [ "CVE-2009-4265", "OSVDB-60681", "EDB-10319", "EDB-12403", "EDB-12404", "EDB-12540" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IDEAL Migration <= 4.5.1 on Windows XP", "IDEAL Administration <= 10.5 on Windows XP" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb", "is_install_path": true, "ref_name": "windows/fileformat/ideal_migration_ipj", "check": false }, "exploit_windows/fileformat/iftp_schedule_bof": { "name": "i-FTP Schedule Buffer Overflow", "full_name": "exploit/windows/fileformat/iftp_schedule_bof", "rank": 300, "disclosure_date": "2014-11-06", "type": "exploit", "author": [ "metacom", "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n i-Ftp v2.20, caused by a long time value set for scheduled download.\n\n By persuading the victim to place a specially-crafted Schedule.xml file\n in the i-FTP folder, a remote attacker could execute arbitrary code on\n the system or cause the application to crash. 
This module has been\n tested successfully on Windows XP SP3.", "references": [ "EDB-35177", "OSVDB-114279" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/iftp_schedule_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/iftp_schedule_bof", "check": false }, "exploit_windows/fileformat/irfanview_jpeg2000_bof": { "name": "Irfanview JPEG2000 jp2 Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/irfanview_jpeg2000_bof", "rank": 300, "disclosure_date": "2012-01-16", "type": "exploit", "author": [ "Parvez Anwar ", "mr_me ", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has\n been tested on a specific version of irfanview (v4.3.2), although other\n versions may work also. The vulnerability is triggered via parsing an\n invalid qcd chunk structure and specifying a malformed qcd size and\n data.\n\n Payload delivery and vulnerability trigger can be executed in multiple\n ways. The user can double click the file, use the file dialog, open via\n the icon and drag/drop the file into Irfanview's window. 
An egg hunter\n is used for stability.", "references": [ "CVE-2012-0897", "OSVDB-78333", "BID-51426", "URL-http://www.greyhathacker.net/?p=525" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Irfanview 4.32 / Plugins 4.32 / Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/irfanview_jpeg2000_bof", "check": false }, "exploit_windows/fileformat/ispvm_xcf_ispxcf": { "name": "Lattice Semiconductor ispVM System XCF File Handling Overflow", "full_name": "exploit/windows/fileformat/ispvm_xcf_ispxcf", "rank": 300, "disclosure_date": "2012-05-16", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way\n ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially\n crafted file, when a long value is supplied for the version attribute of the ispXCF\n tag. 
It results in arbitrary code execution under the context of the user.", "references": [ "OSVDB-82000", "BID-53562", "URL-http://secunia.com/advisories/48740/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb", "is_install_path": true, "ref_name": "windows/fileformat/ispvm_xcf_ispxcf", "check": false }, "exploit_windows/fileformat/kingview_kingmess_kvl": { "name": "KingView Log File Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/kingview_kingmess_kvl", "rank": 300, "disclosure_date": "2012-11-20", "type": "exploit", "author": [ "Lucas Apa", "Carlos Mario Penagos Hollman", "juan vazquez " ], "description": "This module exploits a vulnerability found in KingView <= 6.55. It exists in\n the KingMess.exe application when handling log files, due to the insecure usage of\n sprintf. This module uses a malformed .kvl file which must be opened by the victim\n via the KingMess.exe application, through the 'Browse Log Files' option. 
The module\n has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over\n Windows XP SP3.", "references": [ "CVE-2012-4711", "OSVDB-89690", "BID-57909", "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/kingview_kingmess_kvl.rb", "is_install_path": true, "ref_name": "windows/fileformat/kingview_kingmess_kvl", "check": false }, "exploit_windows/fileformat/lattice_pac_bof": { "name": "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", "full_name": "exploit/windows/fileformat/lattice_pac_bof", "rank": 300, "disclosure_date": "2012-05-16", "type": "exploit", "author": [ "Unknown", "juan vazquez ", "sinn3r " ], "description": "This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer\n 6.21. 
As a .pac file, when supplying a long string of data to the 'value' field\n under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption\n on the stack, which results in arbitrary code execution under the context of the\n user.", "references": [ "CVE-2012-2915", "OSVDB-82001", "EDB-19006", "BID-53566", "URL-http://secunia.com/advisories/48741" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "PAC-Designer 6.21 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/lattice_pac_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/lattice_pac_bof", "check": false }, "exploit_windows/fileformat/lotusnotes_lzh": { "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", "full_name": "exploit/windows/fileformat/lotusnotes_lzh", "rank": 400, "disclosure_date": "2011-05-24", "type": "exploit", "author": [ "binaryhouse.net", "alino <26alino@gmail.com>" ], "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered by binaryhouse.net", "references": [ "CVE-2011-1213", "OSVDB-72706", "BID-48018", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/lotusnotes_lzh.rb", "is_install_path": true, "ref_name": "windows/fileformat/lotusnotes_lzh", "check": false }, "exploit_windows/fileformat/magix_musikmaker_16_mmm": { "name": "Magix Musik Maker 16 .mmm Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/magix_musikmaker_16_mmm", "rank": 400, "disclosure_date": "2011-04-26", "type": "exploit", "author": [ "acidgen", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in Magix Musik Maker 16.\n When opening a specially crafted arrangement file (.mmm) in the application, an\n unsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n bypasses DEP & ASLR, and works on XP, Vista & Windows 7. 
Egghunter is used, and\n might require up to several seconds to receive a shell.", "references": [ "OSVDB-72063", "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal DEP & ASLR Bypass" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb", "is_install_path": true, "ref_name": "windows/fileformat/magix_musikmaker_16_mmm", "check": false }, "exploit_windows/fileformat/mcafee_hercules_deletesnapshot": { "name": "McAfee Remediation Client ActiveX Control Buffer Overflow", "full_name": "exploit/windows/fileformat/mcafee_hercules_deletesnapshot", "rank": 100, "disclosure_date": "2008-08-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When\n sending an overly long string to the DeleteSnapshot() method\n of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n This control is not marked safe for scripting, so choose your attack vector accordingly.", "references": [ "OSVDB-94540", "EDB-16639" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb", "is_install_path": true, "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot", "check": false }, "exploit_windows/fileformat/mcafee_showreport_exec": { "name": "McAfee SaaS MyCioScan ShowReport Remote Command Execution", "full_name": "exploit/windows/fileformat/mcafee_showreport_exec", "rank": 300, "disclosure_date": "2012-01-12", "type": "exploit", "author": [ "rgod", "sinn3r " ], "description": "This module exploits a vulnerability found in McAfee Security-as-a-Service.\n The 
ShowReport() function (located in the myCIOScn.dll ActiveX component) fails\n to check the FileName argument, and passes it on to a ShellExecuteW() function,\n therefore allows any malicious attacker to execute any process that's on the\n local system. However, if the victim machine is connected to a remote share\n (or something similar), then it's also possible to execute arbitrary code.\n Please note that a custom template is required for the payload, because the\n default Metasploit template is detectable by McAfee -- any Windows binary, such\n as calc.exe or notepad.exe, should bypass McAfee fine.", "references": [ "OSVDB-78310", "BID-51397", "ZDI-12-012" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Internet Explorer" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb", "is_install_path": true, "ref_name": "windows/fileformat/mcafee_showreport_exec", "check": false }, "exploit_windows/fileformat/mediacoder_m3u": { "name": "MediaCoder .M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/mediacoder_m3u", "rank": 300, "disclosure_date": "2013-06-24", "type": "exploit", "author": [ "metacom", "modpr0be ", "otoy " ], "description": "This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution under the context\n of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder\n runs with DEP. 
This module has been tested successfully on MediaCoder 0.8.21.5539\n to 0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.", "references": [ "CVE-2017-8869", "OSVDB-94522", "EDB-26403" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/fileformat/mediacoder_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/mediacoder_m3u", "check": false }, "exploit_windows/fileformat/mediajukebox": { "name": "Media Jukebox 8.0.400 Buffer Overflow (SEH)", "full_name": "exploit/windows/fileformat/mediajukebox", "rank": 300, "disclosure_date": "2009-07-01", "type": "exploit", "author": [ "Ron Henry ", "dijital1" ], "description": "This module exploits a stack buffer overflow in Media Jukebox 8.0.400\n by creating a specially crafted m3u or pls file.", "references": [ "OSVDB-55924", "CVE-2009-2650" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 - English", "Windows XP SP2 - English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/mediajukebox.rb", "is_install_path": true, "ref_name": "windows/fileformat/mediajukebox", "check": false }, "exploit_windows/fileformat/microp_mppl": { "name": "MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/microp_mppl", "rank": 500, "disclosure_date": "2010-08-23", "type": "exploit", "author": [ "James Fitts " ], "description": "This module exploits a vulnerability found in MicroP 0.1.1.1600. 
A stack-based\n buffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n which overwrites the lpFileName parameter of a CreateFileA() function, and results in\n arbitrary code execution under the context of the user.", "references": [ "CVE-2010-5299", "OSVDB-73627", "EDB-14720" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / Vista / 7" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/microp_mppl.rb", "is_install_path": true, "ref_name": "windows/fileformat/microp_mppl", "check": false }, "exploit_windows/fileformat/millenium_mp3_pls": { "name": "Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/millenium_mp3_pls", "rank": 500, "disclosure_date": "2009-07-30", "type": "exploit", "author": [ "Molotov", "dookie", "jduck " ], "description": "This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n An attacker must send the file to the victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.\n This functionality has not been tested in this module.", "references": [ "OSVDB-56574", "EDB-9618", "EDB-10240" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb", "is_install_path": true, "ref_name": "windows/fileformat/millenium_mp3_pls", "check": false }, "exploit_windows/fileformat/mini_stream_pls_bof": { "name": "Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/mini_stream_pls_bof", "rank": 500, "disclosure_date": "2010-07-16", "type": "exploit", "author": [ "Madjix", 
"Tiago Henriques", "James Fitts " ], "description": "This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3\n Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim\n opens the malicious PLS file.", "references": [ "CVE-2010-5081", "OSVDB-78078", "EDB-14373", "BID-34514" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30" ], "mod_time": "2018-07-09 13:22:08 +0000", "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/mini_stream_pls_bof", "check": false }, "exploit_windows/fileformat/mjm_coreplayer2011_s3m": { "name": "MJM Core Player 2011 .s3m Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/mjm_coreplayer2011_s3m", "rank": 400, "disclosure_date": "2011-04-30", "type": "exploit", "author": [ "rick2600", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in MJM Core Player 2011\n When opening a malicious s3m file in this application, a stack buffer overflow can be\n triggered, resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", "references": [ "OSVDB-72101", "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal Generic DEP & ASLR Bypass" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb", "is_install_path": true, "ref_name": "windows/fileformat/mjm_coreplayer2011_s3m", "check": false }, "exploit_windows/fileformat/mjm_quickplayer_s3m": { "name": "MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/mjm_quickplayer_s3m", "rank": 400, "disclosure_date": "2011-04-30", "type": "exploit", 
"author": [ "rick2600", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n one of these 2 applications, a stack buffer overflow can be triggered, resulting in\n arbitrary code execution.\n\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", "references": [ "OSVDB-72102", "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal Generic DEP & ASLR Bypass" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb", "is_install_path": true, "ref_name": "windows/fileformat/mjm_quickplayer_s3m", "check": false }, "exploit_windows/fileformat/moxa_mediadbplayback": { "name": "MOXA MediaDBPlayback ActiveX Control Buffer Overflow", "full_name": "exploit/windows/fileformat/moxa_mediadbplayback", "rank": 200, "disclosure_date": "2010-10-19", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. 
When\n sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-4742", "OSVDB-68986", "URL-http://www.moxa.com" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb", "is_install_path": true, "ref_name": "windows/fileformat/moxa_mediadbplayback", "check": false }, "exploit_windows/fileformat/mplayer_m3u_bof": { "name": "MPlayer Lite M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/mplayer_m3u_bof", "rank": 200, "disclosure_date": "2011-03-19", "type": "exploit", "author": [ "C4SS!0 and h1ch4m", "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of an URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.", "references": [ "BID-46926", "EDB-17013", "URL-http://www.mplayer-ww.com/eng/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/mplayer_m3u_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/mplayer_m3u_bof", "check": false }, "exploit_windows/fileformat/mplayer_sami_bof": { "name": "MPlayer SAMI Subtitle File Buffer Overflow", "full_name": "exploit/windows/fileformat/mplayer_sami_bof", "rank": 300, "disclosure_date": "2011-05-19", "type": "exploit", "author": [ "Jacques Louw", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow 
found in the handling\n of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently\n targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.\n\n The overflow is triggered when an unsuspecting victim opens a movie file first,\n followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also\n be done from the console with the MPlayer \"-sub\" option.", "references": [ "BID-49149", "OSVDB-74604", "URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/mplayer_sami_bof", "check": false }, "exploit_windows/fileformat/ms09_067_excel_featheader": { "name": "MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability", "full_name": "exploit/windows/fileformat/ms09_067_excel_featheader", "rank": 400, "disclosure_date": "2009-11-10", "type": "exploit", "author": [ "Sean Larsson", "jduck " ], "description": "This module exploits a vulnerability in the handling of the FEATHEADER record\n by Microsoft Excel. Revisions of Office XP and later prior to the release of the\n MS09-067 bulletin are vulnerable.\n\n When processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n structure from the file to calculate a pointer offset without doing proper\n validation. Attacker supplied data is then used to calculate the location of an\n object, and in turn a virtual function call. 
This results in arbitrary code\n execution.\n\n NOTE: On some versions of Office, the user will need to dismiss a warning dialog\n prior to the payload executing.", "references": [ "CVE-2009-3129", "OSVDB-59860", "MSB-MS09-067", "BID-36945", "ZDI-09-083", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English", "Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English", "Microsoft Office 2003 SP0 English on Windows XP SP3 English", "Microsoft Office 2007 SP2 English on Windows XP SP3 English", "Crash Target for Debugging" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms09_067_excel_featheader", "check": false }, "exploit_windows/fileformat/ms10_004_textbytesatom": { "name": "MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/ms10_004_textbytesatom", "rank": 400, "disclosure_date": "2010-02-09", "type": "exploit", "author": [ "SkD", "Snake", "jduck " ], "description": "This module exploits a stack buffer overflow vulnerability in the handling of\n the TextBytesAtom records by Microsoft PowerPoint Viewer. 
According to Microsoft,\n the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n Office 2004 for Mac, are vulnerable.\n\n NOTE: The vulnerable code path is not reachable on versions of Windows prior to\n Windows Vista.", "references": [ "CVE-2010-0033", "OSVDB-62241", "MSB-MS10-004", "ZDI-10-017" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft PowerPoint Viewer 2003", "Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3", "Microsoft PowerPoint Viewer 2003 (kb969615)", "Crash Target for Debugging" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms10_004_textbytesatom", "check": false }, "exploit_windows/fileformat/ms10_038_excel_obj_bof": { "name": "MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow", "full_name": "exploit/windows/fileformat/ms10_038_excel_obj_bof", "rank": 300, "disclosure_date": "2010-06-08", "type": "exploit", "author": [ "Nicolas Joly", "Shahin Ramezany ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.\n By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker\n can get the control of the execution flow. 
This results in arbitrary code execution under\n the context of the user.", "references": [ "CVE-2010-0822", "OSVDB-65236", "BID-40520", "MSB-MS10-038", "URL-https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3", "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms10_038_excel_obj_bof", "check": false }, "exploit_windows/fileformat/ms10_087_rtf_pfragments_bof": { "name": "MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)", "full_name": "exploit/windows/fileformat/ms10_087_rtf_pfragments_bof", "rank": 500, "disclosure_date": "2010-11-09", "type": "exploit", "author": [ "wushi of team509", "unknown", "jduck ", "DJ Manila Ice, Vesh, CA" ], "description": "This module exploits a stack-based buffer overflow in the handling of the\n 'pFragments' shape property within the Microsoft Word RTF parser. All versions\n of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n MS10-087 bulletin are vulnerable.\n\n This module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n The Microsoft Word RTF parser was only used by default in versions of Microsoft\n Word itself prior to Office 2007. With the release of Office 2007, Microsoft\n began using the Word RTF parser, by default, to handle rich-text messages within\n Outlook as well. It was possible to configure Outlook 2003 and earlier to use\n the Microsoft Word engine too, but it was not a default setting.\n\n It appears as though Microsoft Office 2000 is not vulnerable. 
It is unlikely that\n Microsoft will confirm or deny this since Office 2000 has reached its support\n cycle end-of-life.", "references": [ "CVE-2010-3333", "OSVDB-69085", "MSB-MS10-087", "BID-44652", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Microsoft Office 2002 SP3 English on Windows XP SP3 English", "Microsoft Office 2003 SP3 English on Windows XP SP3 English", "Microsoft Office 2007 SP0 English on Windows XP SP3 English", "Microsoft Office 2007 SP0 English on Windows Vista SP0 English", "Microsoft Office 2007 SP0 English on Windows 7 SP0 English", "Crash Target for Debugging" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms10_087_rtf_pfragments_bof", "check": false }, "exploit_windows/fileformat/ms11_006_createsizeddibsection": { "name": "MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/ms11_006_createsizeddibsection", "rank": 500, "disclosure_date": "2010-12-15", "type": "exploit", "author": [ "Moti & Xu Hao", "Yaniv Miron aka Lament of ilhack", "jduck " ], "description": "This module exploits a stack-based buffer overflow in the handling of thumbnails\n within .MIC files and various Office documents. When processing a thumbnail bitmap\n containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. 
This\n leads to arbitrary code execution.\n\n In order to trigger the vulnerable code, the folder containing the document must be\n viewed using the \"Thumbnails\" view.", "references": [ "CVE-2010-3970", "OSVDB-70263", "MSB-MS11-006", "BID-45662", "URL-http://www.microsoft.com/technet/security/advisory/2490606.mspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "Windows 2000 SP0/SP4 English", "Windows XP SP3 English", "Crash Target for Debugging" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms11_006_createsizeddibsection", "check": false }, "exploit_windows/fileformat/ms11_021_xlb_bof": { "name": "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow", "full_name": "exploit/windows/fileformat/ms11_021_xlb_bof", "rank": 300, "disclosure_date": "2011-08-09", "type": "exploit", "author": [ "Aniway", "Unknown", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Excel of Microsoft Office 2007.\n By supplying a malformed .xlb file, an attacker can control the content (source)\n of a memcpy routine, and the number of bytes to copy, therefore causing a stack-\n based buffer overflow. 
This results in arbitrary code execution under the context of\n the user.", "references": [ "CVE-2011-0105", "OSVDB-71765", "MSB-MS11-021", "ZDI-11-121" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office Excel 2007 on Windows XP", "Microsoft Office Excel 2007 SP2 on Windows XP" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms11_021_xlb_bof", "check": false }, "exploit_windows/fileformat/ms12_005": { "name": "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability", "full_name": "exploit/windows/fileformat/ms12_005", "rank": 600, "disclosure_date": "2012-01-10", "type": "exploit", "author": [ "Yorick Koster", "sinn3r " ], "description": "This module exploits a vulnerability found in Microsoft Office's ClickOnce\n feature. When handling a Macro document, the application fails to recognize\n certain file extensions as dangerous executables, which can be used to bypass\n the warning message. 
This can allow attackers to trick victims into opening the\n malicious document, which will load up either a python or ruby payload, and\n finally, download and execute an executable.", "references": [ "CVE-2012-0013", "OSVDB-78207", "MSB-MS12-005", "BID-51284", "URL-http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146", "URL-http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office Word 2007/2010 on Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms12_005.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms12_005", "check": false }, "exploit_windows/fileformat/ms12_027_mscomctl_bof": { "name": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "full_name": "exploit/windows/fileformat/ms12_027_mscomctl_bof", "rank": 200, "disclosure_date": "2012-04-10", "type": "exploit", "author": [ "Unknown", "juan vazquez ", "sinn3r " ], "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. 
This chain uses\n \"msgr3en.dll\", which loads after Office has loaded, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.", "references": [ "CVE-2012-0158", "OSVDB-81125", "BID-52911", "MSB-MS12-027", "URL-http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English", "Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms12_027_mscomctl_bof", "check": false }, "exploit_windows/fileformat/ms13_071_theme": { "name": "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution", "full_name": "exploit/windows/fileformat/ms13_071_theme", "rank": 600, "disclosure_date": "2013-09-10", "type": "exploit", "author": [ "Eduardo Prado", "juan vazquez ", "Matthew Hall " ], "description": "This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows\n 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]\n section. An arbitrary path can be used as screen saver, including a remote SMB resource,\n which allows for remote code execution when a malicious .theme file is opened, and the\n \"Screen Saver\" tab is viewed. 
The code execution is also triggered if the victim installs\n the malicious theme and stays away from the computer, when Windows tries to display the\n screensaver.", "references": [ "CVE-2013-0810", "OSVDB-97136", "MSB-MS13-071", "BID-62176", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040", "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms13_071_theme", "check": false }, "exploit_windows/fileformat/ms14_017_rtf": { "name": "MS14-017 Microsoft Word RTF Object Confusion", "full_name": "exploit/windows/fileformat/ms14_017_rtf", "rank": 300, "disclosure_date": "2014-04-01", "type": "exploit", "author": [ "Haifei Li", "Spencer McIntyre", "unknown" ], "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a listoverridecount field can be modified\n to treat one structure as another.\n\n This bug was originally seen being exploited in the wild starting\n in April 2014. 
This module was created by reversing a public\n malware sample.", "references": [ "CVE-2014-1761", "MSB-MS14-017", "URL-http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers", "URL-https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Microsoft Office 2010 SP2 English on Windows 7 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms14_017_rtf.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms14_017_rtf", "check": false }, "exploit_windows/fileformat/ms14_060_sandworm": { "name": "MS14-060 Microsoft Windows OLE Package Manager Code Execution", "full_name": "exploit/windows/fileformat/ms14_060_sandworm", "rank": 600, "disclosure_date": "2014-10-14", "type": "exploit", "author": [ "Unknown", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly known as \"Sandworm\". Platforms such as Windows\n Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be\n vulnerable. However, based on our testing, the most reliable setup is on Windows platforms\n running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such\n as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to\n a failure in the CPackage::CreateTempFileName function.\n\n This module will generate three files: an INF, a GIF, and a PPSX file. You are required to\n set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an\n older version of Windows (such as XP) work best for this because they require little\n configuration to get going. 
The PPSX file is what you should send to your target.\n\n In detail, the vulnerability has to do with how the Object Packager 2 component\n (packager.dll) handles an INF file that contains malicious registry changes, which may be\n leveraged for code execution. First of all, Packager does not load the INF file directly.\n As an attacker, you can trick it to load your INF anyway by embedding the file path as\n a remote share in an OLE object. The packager will then treat it as a type of media file,\n and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will\n download it with a CopyFileW call, save it in a temp folder, and pass that information for\n later. The exploit will do this loading process twice: first for a fake gif file that's\n actually the payload, and the second for the INF file.\n\n The packager will also look at each OLE object's XML Presentation Command, specifically the\n type and cmd property. In the exploit, \"verb\" media command type is used, and this triggers\n the packager!CPackage::DoVerb function. Also, \"-3\" is used as the fake gif file's cmd\n property, and \"3\" is used for the INF. When the cmd is \"-3\", DoVerb will bail. 
But when \"3\"\n is used (again, for the INF file), it will cause the packager to try to find appropriate\n handler for it, which will end up with C:\\Windows\\System32\\infDefaultInstall.exe, and that\n will install/run the malicious INF file, and finally give us arbitrary code execution.", "references": [ "CVE-2014-4114", "OSVDB-113140", "MSB-MS14-060", "BID-70419", "URL-http://www.isightpartners.com/2014/10/cve-2014-4114/", "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP1 / Office 2010 SP2 / Office 2013" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms14_060_sandworm", "check": false }, "exploit_windows/fileformat/ms14_064_packager_python": { "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python", "full_name": "exploit/windows/fileformat/ms14_064_packager_python", "rank": 600, "disclosure_date": "2014-11-12", "type": "exploit", "author": [ "Haifei Li", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability\n publicly known as \"Sandworm\", on systems with Python for Windows installed. Windows Vista\n SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.\n However, based on our testing, the most reliable setup is on Windows platforms running\n Office 2013 and Office 2010 SP2. 
Please keep in mind that some other setups such as\n those using Office 2010 SP1 may be less stable, and may end up with a crash due to a\n failure in the CPackage::CreateTempFileName function.", "references": [ "CVE-2014-6352", "MSB-MS14-064", "BID-70690", "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm" ], "is_server": true, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": [ "Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms14_064_packager_python.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms14_064_packager_python", "check": false }, "exploit_windows/fileformat/ms14_064_packager_run_as_admin": { "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution", "full_name": "exploit/windows/fileformat/ms14_064_packager_run_as_admin", "rank": 600, "disclosure_date": "2014-10-21", "type": "exploit", "author": [ "Haifei Li", "sinn3r ", "juan vazquez " ], "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.\n The Microsoft update tried to fix the vulnerability publicly known as \"Sandworm\". Platforms\n such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known\n to be vulnerable. However, based on our testing, the most reliable setup is on Windows\n platforms running Office 2013 and Office 2010 SP2. 
Please keep in mind that some other\n setups such as using Office 2010 SP1 might be less stable, and may end up with a\n crash due to a failure in the CPackage::CreateTempFileName function.", "references": [ "CVE-2014-6352", "MSB-MS14-064", "BID-70690", "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP1 / Office 2010 SP2 / Office 2013" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms14_064_packager_run_as_admin", "check": false }, "exploit_windows/fileformat/ms15_020_shortcut_icon_dllloader": { "name": "Microsoft Windows Shell LNK Code Execution", "full_name": "exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader", "rank": 600, "disclosure_date": "2015-03-10", "type": "exploit", "author": [ "Michael Heerklotz", "juan vazquez " ], "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This module creates the required files to exploit the vulnerability. They must be\n uploaded to an UNC path accessible by the target. 
This module has been tested successfully\n on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", "references": [ "CVE-2015-0096", "MSB-MS15-020", "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", "URL-https://github.com/rapid7/metasploit-framework/pull/4911" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms15_020_shortcut_icon_dllloader", "check": false }, "exploit_windows/fileformat/ms15_100_mcl_exe": { "name": "MS15-100 Microsoft Windows Media Center MCL Vulnerability", "full_name": "exploit/windows/fileformat/ms15_100_mcl_exe", "rank": 600, "disclosure_date": "2015-09-08", "type": "exploit", "author": [ "sinn3r " ], "description": "This module exploits a vulnerability in Windows Media Center. By supplying\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\n which can result in arbitrary code execution.", "references": [ "CVE-2015-2509", "MSB-MS15-100" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms15_100_mcl_exe", "check": false }, "exploit_windows/fileformat/ms_visual_basic_vbp": { "name": "Microsoft Visual Basic VBP Buffer Overflow", "full_name": "exploit/windows/fileformat/ms_visual_basic_vbp", "rank": 400, "disclosure_date": "2007-09-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack overflow in Microsoft Visual\n Basic 6.0. 
When opening a specially crafted vbp file containing a long\n reference line, an attacker may be able to execute arbitrary\n code.", "references": [ "CVE-2007-4776", "OSVDB-36936", "BID-25629" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb", "is_install_path": true, "ref_name": "windows/fileformat/ms_visual_basic_vbp", "check": false }, "exploit_windows/fileformat/mswin_tiff_overflow": { "name": "MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow", "full_name": "exploit/windows/fileformat/mswin_tiff_overflow", "rank": 200, "disclosure_date": "2013-11-05", "type": "exploit", "author": [ "Unknown", "sinn3r " ], "description": "This module exploits a vulnerability found in Microsoft's Tagged Image File Format.\n It was originally discovered in the wild, targeting Windows XP and Windows Server 2003\n users running Microsoft Office, specifically in the Middle East and South Asia region.\n\n The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a\n drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,\n and stored in the EAX register. The 32-bit register will run out of storage space to\n represent the large value, which ends up being 0, but it still gets pushed as a\n dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a\n chunk anyway with size 0, and the address of this chunk is used as the destination buffer\n of a memcpy function, where the source buffer is the EXIF data (an extended image format\n supported by TIFF), and is also user-controlled. A function pointer in the chunk returned\n by HeapAlloc will end up being overwritten by the memcpy function, and then later used\n in OGL!GdipCreatePath. 
By successfully controlling this function pointer, and the\n memory layout using ActiveX, it is possible to gain arbitrary code execution under the\n context of the user.", "references": [ "CVE-2013-3906", "MSB-MS13-096", "OSVDB-99376", "URL-http://technet.microsoft.com/en-us/security/advisory/2896666", "URL-http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 with Office Standard 2010" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb", "is_install_path": true, "ref_name": "windows/fileformat/mswin_tiff_overflow", "check": false }, "exploit_windows/fileformat/msworks_wkspictureinterface": { "name": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution", "full_name": "exploit/windows/fileformat/msworks_wkspictureinterface", "rank": 100, "disclosure_date": "2008-11-28", "type": "exploit", "author": [ "dean " ], "description": "The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n to execute arbitrary code on a system. By passing a negative integer to the\n WksPictureInterface method, an attacker could execute arbitrary code on the system\n with privileges of the victim. 
Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n This control is not marked safe for scripting, please choose your attack vector carefully.", "references": [ "CVE-2008-1898", "OSVDB-44458" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2-SP3 IE 7.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb", "is_install_path": true, "ref_name": "windows/fileformat/msworks_wkspictureinterface", "check": false }, "exploit_windows/fileformat/mymp3player_m3u": { "name": "Steinberg MyMP3Player 3.0 Buffer Overflow", "full_name": "exploit/windows/fileformat/mymp3player_m3u", "rank": 400, "disclosure_date": "2010-03-18", "type": "exploit", "author": [ "n3w7u", "m_101" ], "description": "This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When\n the application is used to open a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", "references": [ "OSVDB-64580", "EDB-11791" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal", "Windows Universal (SEH)", "Windows XP SP3 French" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/mymp3player_m3u", "check": false }, "exploit_windows/fileformat/netop": { "name": "NetOp Remote Control Client 9.5 Buffer Overflow", "full_name": "exploit/windows/fileformat/netop", "rank": 300, "disclosure_date": "2011-04-28", "type": "exploit", "author": [ "Ruben Alejandro \"chap0\"" ], "description": "This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.\n Opening a .dws file containing a specially crafted string longer than 520\n characters allows an attacker to execute arbitrary code.", "references": [ 
"OSVDB-72291", "EDB-17223" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/netop.rb", "is_install_path": true, "ref_name": "windows/fileformat/netop", "check": false }, "exploit_windows/fileformat/nitro_reader_jsapi": { "name": "Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution", "full_name": "exploit/windows/fileformat/nitro_reader_jsapi", "rank": 600, "disclosure_date": "2017-07-24", "type": "exploit", "author": [ "mr_me ", "Brendan Coles ", "sinn3r " ], "description": "This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro\n PDF Reader version 11. The saveAs() Javascript API function allows for writing\n arbitrary files to the file system. Additionally, the launchURL() function allows\n an attacker to execute local files on the file system and bypass the security dialog\n\n Note: This is 100% reliable.", "references": [ "CVE-2017-7442", "URL-http://srcincite.io/advisories/src-2017-0005/", "URL-https://blogs.securiteam.com/index.php/archives/3251" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 14:25:10 +0000", "path": "/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb", "is_install_path": true, "ref_name": "windows/fileformat/nitro_reader_jsapi", "check": false }, "exploit_windows/fileformat/nuance_pdf_launch_overflow": { "name": "Nuance PDF Reader v6.0 Launch Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/nuance_pdf_launch_overflow", "rank": 500, "disclosure_date": "2010-10-08", "type": "exploit", "author": [ "corelanc0d3r ", "rick2600" ], "description": "This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. 
The vulnerability is\n triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record.\n This exploit does not use javascript.", "references": [ "OSVDB-68514", "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Nuance PDF Reader v6.x (XP SP3)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb", "is_install_path": true, "ref_name": "windows/fileformat/nuance_pdf_launch_overflow", "check": false }, "exploit_windows/fileformat/office_dde_delivery": { "name": "Microsoft Office DDE Payload Delivery", "full_name": "exploit/windows/fileformat/office_dde_delivery", "rank": 0, "disclosure_date": "2017-10-09", "type": "exploit", "author": [ "mumbai" ], "description": "This module generates an DDE command to place within\n a word document, that when executed, will retrieve a HTA payload\n via HTTP from an web server.", "references": [ "URL-https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563", "URL-https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Microsoft Office" ], "mod_time": "2017-12-07 14:44:36 +0000", "path": "/modules/exploits/windows/fileformat/office_dde_delivery.rb", "is_install_path": true, "ref_name": "windows/fileformat/office_dde_delivery", "check": false }, "exploit_windows/fileformat/office_ms17_11882": { "name": "Microsoft Office CVE-2017-11882", "full_name": "exploit/windows/fileformat/office_ms17_11882", "rank": 0, "disclosure_date": "2017-11-15", "type": "exploit", "author": [ "mumbai", "embedi" ], "description": "Module exploits a flaw in how the Equation 
Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.", "references": [ "URL-https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about", "URL-https://github.com/embedi/CVE-2017-11882" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Microsoft Office" ], "mod_time": "2017-12-04 16:57:48 +0000", "path": "/modules/exploits/windows/fileformat/office_ms17_11882.rb", "is_install_path": true, "ref_name": "windows/fileformat/office_ms17_11882", "check": false }, "exploit_windows/fileformat/office_ole_multiple_dll_hijack": { "name": "Office OLE Multiple DLL Side Loading Vulnerabilities", "full_name": "exploit/windows/fileformat/office_ole_multiple_dll_hijack", "rank": 300, "disclosure_date": "2015-12-08", "type": "exploit", "author": [ "Yorick Koster" ], "description": "Multiple DLL side loading vulnerabilities were found in various COM components.\n These issues can be exploited by loading various these components as an embedded\n OLE object. When instantiating a vulnerable object Windows will try to load one\n or more DLLs from the current working directory. If an attacker convinces the\n victim to open a specially crafted (Office) document from a directory also\n containing the attacker's DLL file, it is possible to execute arbitrary code with\n the privileges of the target user. 
This can potentially result in the attacker\n taking complete control of the affected system.", "references": [ "CVE-2015-6132", "CVE-2015-6128", "CVE-2015-6133", "CVE-2016-0041", "CVE-2016-0100", "CVE-2016-3235", "MSB-MS15-132", "MSB-MS16-014", "MSB-MS16-025", "MSB-MS16-041", "MSB-MS16-070", "URL-https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html", "URL-https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html", "URL-https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html", "URL-https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "All", "COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)", "Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)", "Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)", "Shutdown UX / Windows 10 / Office 2016 (MS15-132)", "MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)", "Microsoft Visio 2010 / Windows 7 (MS16-070)", "Event Viewer 
Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)", "OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)", "Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)", "NPS Datastore server / Windows Vista / Office 2010 (MS16-014)", "BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb", "is_install_path": true, "ref_name": "windows/fileformat/office_ole_multiple_dll_hijack", "check": false }, "exploit_windows/fileformat/office_word_hta": { "name": "Microsoft Office Word Malicious Hta Execution", "full_name": "exploit/windows/fileformat/office_word_hta", "rank": 600, "disclosure_date": "2017-04-14", "type": "exploit", "author": [ "Haifei Li", "ryHanson", "wdormann", "DidierStevens", "vysec", "Nixawk", "sinn3r " ], "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a olelink object can make a http(s) request,\n and execute hta code in response.\n\n This bug was originally seen being exploited in the wild starting\n in Oct 2016. 
This module was created by reversing a public\n malware sample.", "references": [ "CVE-2017-0199", "URL-https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/", "URL-https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html", "URL-https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/", "URL-https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", "URL-https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html", "URL-https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf", "URL-https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/", "URL-https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100", "URL-https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/", "URL-https://www.microsoft.com/en-us/download/details.aspx?id=10725", "URL-https://msdn.microsoft.com/en-us/library/dd942294.aspx", "URL-https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf", "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Microsoft Office Word" ], "mod_time": "2017-08-20 17:48:03 +0000", "path": "/modules/exploits/windows/fileformat/office_word_hta.rb", "is_install_path": true, "ref_name": "windows/fileformat/office_word_hta", "check": false }, "exploit_windows/fileformat/openoffice_ole": { "name": "OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow", "full_name": "exploit/windows/fileformat/openoffice_ole", "rank": 300, "disclosure_date": "2008-04-17", "type": "exploit", "author": [ "Marsu ", "juan vazquez " ], "description": "This module exploits a 
vulnerability in OpenOffice 2.3.1 and 2.3.0 on\n Microsoft Windows XP SP3.\n\n By supplying a OLE file with a malformed DocumentSummaryInformation stream, an\n attacker can gain control of the execution flow, which results arbitrary code\n execution under the context of the user.", "references": [ "CVE-2008-0320", "OSVDB-44472", "BID-28819", "EDB-5584", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=694" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb", "is_install_path": true, "ref_name": "windows/fileformat/openoffice_ole", "check": false }, "exploit_windows/fileformat/orbit_download_failed_bof": { "name": "Orbit Downloader URL Unicode Conversion Overflow", "full_name": "exploit/windows/fileformat/orbit_download_failed_bof", "rank": 300, "disclosure_date": "2008-04-03", "type": "exploit", "author": [ "Diego Juarez", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow in Orbit Downloader.\n The vulnerability is due to Orbit converting a URL ascii string to unicode\n in an insecure way with MultiByteToWideChar.\n The vulnerability is exploited with a specially crafted metalink file that\n should be opened with Orbit through the \"File->Add Metalink...\" option.", "references": [ "BID-28541", "OSVDB-44036", "CVE-2008-1602", "URL-http://www.coresecurity.com/content/orbit-downloader" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Orbit Downloader 6.4 on Windows XP SP3", "Orbit Downloader 6.4 on Windows 7" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb", "is_install_path": true, "ref_name": 
"windows/fileformat/orbit_download_failed_bof", "check": false }, "exploit_windows/fileformat/orbital_viewer_orb": { "name": "Orbital Viewer ORB File Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/orbital_viewer_orb", "rank": 500, "disclosure_date": "2010-02-27", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack-based buffer overflow in David Manthey's\n Orbital Viewer. When processing .ORB files, data is read from file into\n a fixed-size stack buffer using the fscanf function. Since no bounds\n checking is done, a buffer overflow can occur. Attackers can execute\n arbitrary code by convincing their victim to open an ORB file.", "references": [ "BID-38436", "OSVDB-62580", "CVE-2010-0688", "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/", "EDB-11581" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Orbital Viewer 1.04 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/orbital_viewer_orb.rb", "is_install_path": true, "ref_name": "windows/fileformat/orbital_viewer_orb", "check": false }, "exploit_windows/fileformat/ovf_format_string": { "name": "VMWare OVF Tools Format String Vulnerability", "full_name": "exploit/windows/fileformat/ovf_format_string", "rank": 300, "disclosure_date": "2012-11-08", "type": "exploit", "author": [ "Jeremy Brown", "juan vazquez " ], "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", "references": [ "CVE-2012-3569", "OSVDB-87117", "BID-56468", "URL-http://www.vmware.com/security/advisories/VMSA-2012-0015.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VMWare OVF Tools 2.1 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ovf_format_string.rb", "is_install_path": true, "ref_name": "windows/fileformat/ovf_format_string", "check": false }, "exploit_windows/fileformat/proshow_cellimage_bof": { "name": "ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/proshow_cellimage_bof", "rank": 500, "disclosure_date": "2009-08-20", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n An attacker must send the file to victim and the victim must open the file.", "references": [ "CVE-2009-3214", "OSVDB-57226", "EDB-9483", "EDB-9519" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/proshow_cellimage_bof", "check": false }, "exploit_windows/fileformat/proshow_load_bof": { "name": "Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow", "full_name": "exploit/windows/fileformat/proshow_load_bof", "rank": 300, "disclosure_date": "2012-06-06", "type": "exploit", "author": [ "Julien Ahrens", "mr.pr0n", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow in Photodex ProShow Producer\n v5.0.3256 in the handling of the plugins load list file. 
An attacker must send the\n crafted \"load\" file to victim, who must store it in the installation directory. The\n vulnerability will be triggered the next time ProShow is opened. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", "references": [ "OSVDB-83745", "EDB-19563", "EDB-20036", "URL-http://security.inshell.net/advisory/30" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Photodex ProShow Producer 5.0.3256 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/proshow_load_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/proshow_load_bof", "check": false }, "exploit_windows/fileformat/publishit_pui": { "name": "Publish-It PUI Buffer Overflow (SEH)", "full_name": "exploit/windows/fileformat/publishit_pui", "rank": 300, "disclosure_date": "2014-02-05", "type": "exploit", "author": [ "Daniel Kazimirow", "Andrew Smith \"jakx_\"" ], "description": "This module exploits a stack based buffer overflow in Publish-It when\n processing a specially crafted .PUI file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Publish-It to open a malicious .PUI file.", "references": [ "OSVDB-102911", "CVE-2014-0980", "EDB-31461" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Publish-It 3.6d" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/publishit_pui.rb", "is_install_path": true, "ref_name": "windows/fileformat/publishit_pui", "check": false }, "exploit_windows/fileformat/real_networks_netzip_bof": { "name": "Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability", "full_name": "exploit/windows/fileformat/real_networks_netzip_bof", "rank": 400, "disclosure_date": "2011-01-30", "type": "exploit", "author": [ "C4SS!0 G0M3S", "TecR0c " ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 7.5.1 86 of Real Networks Netzip Classic.\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted zip file with NetZip Classic.\n By doing so, an attacker can execute arbitrary code as the victim user.", "references": [ "OSVDB-83436", "EDB-16083", "BID-46059", "URL-http://proforma.real.com" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3", "Windows 7/Windows Vista" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/real_networks_netzip_bof", "check": false }, "exploit_windows/fileformat/real_player_url_property_bof": { "name": "RealPlayer RealMedia File Handling Buffer Overflow", "full_name": "exploit/windows/fileformat/real_player_url_property_bof", "rank": 300, "disclosure_date": "2012-12-14", "type": "exploit", "author": [ "suto " ], "description": "This 
module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14.\n The vulnerability exists in the handling of real media files, due to the insecure\n usage of the GetPrivateProfileString function to retrieve the URL property from an\n InternetShortcut section.\n\n This module generates a malicious rm file which must be opened with RealPlayer via\n drag and drop or double click methods. It has been tested successfully on Windows\n XP SP3 with RealPlayer 15.0.5.109.", "references": [ "CVE-2012-5691", "OSVDB-88486", "BID-56956", "URL-http://service.real.com/realplayer/security/12142012_player/en/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / Real Player 15.0.5.109" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/real_player_url_property_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/real_player_url_property_bof", "check": false }, "exploit_windows/fileformat/realplayer_ver_attribute_bof": { "name": "RealNetworks RealPlayer Version Attribute Buffer Overflow", "full_name": "exploit/windows/fileformat/realplayer_ver_attribute_bof", "rank": 300, "disclosure_date": "2013-12-20", "type": "exploit", "author": [ "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by\n improper bounds checking of the version and encoding attributes inside\n the XML declaration.\n\n By persuading the victim to open a specially-crafted .RMP file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash.", "references": [ "BID-64695", "EDB-30468", "OSVDB-101356", "CVE-2013-7260", "US-CERT-VU-698278", "URL-http://service.real.com/realplayer/security/12202013_player/en/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2/SP3 
(DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/realplayer_ver_attribute_bof", "check": false }, "exploit_windows/fileformat/safenet_softremote_groupname": { "name": "SafeNet SoftRemote GROUPNAME Buffer Overflow", "full_name": "exploit/windows/fileformat/safenet_softremote_groupname", "rank": 400, "disclosure_date": "2009-10-30", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SafeNet SoftRemote\n Security Policy Editor <= 10.8.5. When an attacker\n creates a specially formatted security policy with an\n overly long GROUPNAME argument, it is possible to execute\n arbitrary code.", "references": [ "CVE-2009-3861", "OSVDB-59660", "URL-http://www.senseofsecurity.com.au/advisories/SOS-09-008" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 English", "WinSrv 2000 SP4 English", "WinSrv 2000 SP2 English", "WinSrv 2003 Enterprise Edition SP1 (v1023) English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb", "is_install_path": true, "ref_name": "windows/fileformat/safenet_softremote_groupname", "check": false }, "exploit_windows/fileformat/sascam_get": { "name": "SasCam Webcam Server v.2.6.5 Get() Method Buffer Overflow", "full_name": "exploit/windows/fileformat/sascam_get", "rank": 100, "disclosure_date": "2008-12-29", "type": "exploit", "author": [ "dean " ], "description": "The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n By passing an overly long argument via the Get method, a remote attacker could\n overflow a buffer and execute arbitrary code on the system with the privileges\n of the user. 
This control is not marked safe for scripting, please choose your\n attack vector carefully.", "references": [ "CVE-2008-6898", "OSVDB-55945", "BID-33053" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / IE 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/sascam_get.rb", "is_install_path": true, "ref_name": "windows/fileformat/sascam_get", "check": false }, "exploit_windows/fileformat/scadaphone_zip": { "name": "ScadaTEC ScadaPhone Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/scadaphone_zip", "rank": 400, "disclosure_date": "2011-09-12", "type": "exploit", "author": [ "mr_me " ], "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 5.3.11.1230 of scadaTEC's ScadaPhone.\n\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted project zip file with ScadaPhone.\n By doing so, an attacker can execute arbitrary code as the victim user.", "references": [ "CVE-2011-4535", "OSVDB-75375", "URL-http://www.scadatec.com/", "EDB-17817" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/scadaphone_zip.rb", "is_install_path": true, "ref_name": "windows/fileformat/scadaphone_zip", "check": false }, "exploit_windows/fileformat/shadow_stream_recorder_bof": { "name": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow", "full_name": "exploit/windows/fileformat/shadow_stream_recorder_bof", "rank": 300, "disclosure_date": "2010-03-29", "type": "exploit", "author": [ "AlpHaNiX ", "b0telh0 " ], "description": "This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\n Using the application to open a specially crafted asx file, a buffer\n overflow may occur to allow arbitrary code 
execution under the context\n of the user.", "references": [ "CVE-2009-1641", "OSVDB-81487", "EDB-11957", "BID-34864" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/shadow_stream_recorder_bof", "check": false }, "exploit_windows/fileformat/shaper_pdf_bof": { "name": "PDF Shaper Buffer Overflow", "full_name": "exploit/windows/fileformat/shaper_pdf_bof", "rank": 300, "disclosure_date": "2015-10-03", "type": "exploit", "author": [ "metacom27 ", "metacom" ], "description": "PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.", "references": [ "URL-https://www.exploit-db.com/exploits/37760/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/shaper_pdf_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/shaper_pdf_bof", "check": false }, "exploit_windows/fileformat/somplplayer_m3u": { "name": "S.O.M.P.L 1.0 Player Buffer Overflow", "full_name": "exploit/windows/fileformat/somplplayer_m3u", "rank": 500, "disclosure_date": "2010-01-22", "type": "exploit", "author": [ "Rick2600", "dookie" ], "description": "This module exploits a buffer overflow in Simple Open Music Player v1.0. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", "references": [ "OSVDB-64368", "EDB-11219" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/somplplayer_m3u", "check": false }, "exploit_windows/fileformat/subtitle_processor_m3u_bof": { "name": "Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow", "full_name": "exploit/windows/fileformat/subtitle_processor_m3u_bof", "rank": 300, "disclosure_date": "2011-04-26", "type": "exploit", "author": [ "Brandon Murphy", "sinn3r " ], "description": "This module exploits a vulnerability found in Subtitle Processor 7. By\n supplying a long string of data as a .m3u file, Subtitle Processor first converts\n this input in Unicode, which expands the string size, and then attempts to copy it\n inline on the stack. 
This results a buffer overflow with SEH overwritten, allowing\n arbitrary code execution.", "references": [ "OSVDB-72050", "EDB-17217", "URL-http://sourceforge.net/projects/subtitleproc/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/subtitle_processor_m3u_bof", "check": false }, "exploit_windows/fileformat/syncbreeze_xml": { "name": "Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow", "full_name": "exploit/windows/fileformat/syncbreeze_xml", "rank": 300, "disclosure_date": "2017-03-29", "type": "exploit", "author": [ "Daniel Teixeira" ], "description": "This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16\n by using the import command option to import a specially crafted xml file.", "references": [ "CVE-2017-7310", "EDB-41773" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-01-23 16:34:49 +0000", "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb", "is_install_path": true, "ref_name": "windows/fileformat/syncbreeze_xml", "check": false }, "exploit_windows/fileformat/tfm_mmplayer_m3u_ppl_bof": { "name": "TFM MMPlayer (m3u/ppl File) Buffer Overflow", "full_name": "exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof", "rank": 400, "disclosure_date": "2012-03-23", "type": "exploit", "author": [ "RjRjh Hack3r", "Brendan Coles " ], "description": "This module exploits a buffer overflow in MMPlayer 2.2\n The vulnerability is triggered when opening a malformed M3U/PPL file\n that contains an overly long string, which results in overwriting a\n SEH record, thus allowing arbitrary code execution under the context\n of the user.", "references": [ "CVE-2009-2566", "OSVDB-80532", 
"BID-52698", "EDB-18656", "EDB-18657" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/tfm_mmplayer_m3u_ppl_bof", "check": false }, "exploit_windows/fileformat/total_video_player_ini_bof": { "name": "Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow", "full_name": "exploit/windows/fileformat/total_video_player_ini_bof", "rank": 300, "disclosure_date": "2013-11-24", "type": "exploit", "author": [ "Mike Czumak", "Fr330wn4g3 " ], "description": "This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability\n occurs opening malformed Settings.ini file e.g. \"C:\\Program Files\\Total Video Player\\\".\n This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.", "references": [ "OSVDB-100619", "EDB-29799" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/total_video_player_ini_bof", "check": false }, "exploit_windows/fileformat/tugzip": { "name": "TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability", "full_name": "exploit/windows/fileformat/tugzip", "rank": 400, "disclosure_date": "2008-10-28", "type": "exploit", "author": [ "Stefan Marin", "Lincoln", "TecR0c ", "mr_me " ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the latest version 3.5 of TugZip archiving utility.\n In order to trigger the vulnerability, an attacker must convince someone\n to load a specially crafted zip file with TugZip by double click or file open.\n By doing so, an attacker can 
execute arbitrary code as the victim user.", "references": [ "OSVDB-49371", "CVE-2008-4779", "BID-31913", "EDB-12008" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/tugzip.rb", "is_install_path": true, "ref_name": "windows/fileformat/tugzip", "check": false }, "exploit_windows/fileformat/ultraiso_ccd": { "name": "UltraISO CCD File Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/ultraiso_ccd", "rank": 500, "disclosure_date": "2009-04-03", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CCD files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open an CCD file.\n\n NOTE: A file with the same base name, but the extension of \"img\" must also\n exist. 
Opening either file will trigger the vulnerability, but the files must\n both exist.", "references": [ "CVE-2009-1260", "OSVDB-53275", "BID-34363", "BID-38613", "EDB-8343" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal - Double-Click/Command Line Open Method", "Windows Universal - File->Open + Toolbar Open Methods" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ultraiso_ccd.rb", "is_install_path": true, "ref_name": "windows/fileformat/ultraiso_ccd", "check": false }, "exploit_windows/fileformat/ultraiso_cue": { "name": "UltraISO CUE File Parsing Buffer Overflow", "full_name": "exploit/windows/fileformat/ultraiso_cue", "rank": 500, "disclosure_date": "2007-05-24", "type": "exploit", "author": [ "n00b", "jduck " ], "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CUE files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open an CUE file.\n\n NOTE: A file with the same base name, but the extension of \"bin\" must also\n exist. 
Opening either file will trigger the vulnerability, but the files must\n both exist.", "references": [ "CVE-2007-2888", "OSVDB-36570", "BID-24140", "EDB-3978" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows - UltraISO v8.6.2.2011 portable", "Windows - UltraISO v8.6.0.1936" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/ultraiso_cue.rb", "is_install_path": true, "ref_name": "windows/fileformat/ultraiso_cue", "check": false }, "exploit_windows/fileformat/ursoft_w32dasm": { "name": "URSoft W32Dasm Disassembler Function Buffer Overflow", "full_name": "exploit/windows/fileformat/ursoft_w32dasm", "rank": 400, "disclosure_date": "2005-01-24", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a buffer overflow in W32Dasm <= v8.93.\n By creating a malicious file and convincing a user to disassemble\n the file with a vulnerable version of W32Dasm, the Imports/Exports\n function is copied to the stack and arbitrary code may be executed\n locally as the user.", "references": [ "CVE-2005-0308", "OSVDB-13169", "BID-12352", "URL-http://aluigi.altervista.org/adv/w32dasmbof-adv.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb", "is_install_path": true, "ref_name": "windows/fileformat/ursoft_w32dasm", "check": false }, "exploit_windows/fileformat/varicad_dwb": { "name": "VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/varicad_dwb", "rank": 500, "disclosure_date": "2010-03-17", "type": "exploit", "author": [ "n00b", "dookie", "MC ", "jduck " ], "description": "This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n An attacker must send the file to victim and the victim must open the file.", 
"references": [ "OSVDB-63067", "BID-38815", "EDB-11789" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb", "is_install_path": true, "ref_name": "windows/fileformat/varicad_dwb", "check": false }, "exploit_windows/fileformat/videocharge_studio": { "name": "VideoCharge Studio Buffer Overflow (SEH)", "full_name": "exploit/windows/fileformat/videocharge_studio", "rank": 300, "disclosure_date": "2013-10-27", "type": "exploit", "author": [ "metacom", "Andrew Smith", "Christian Mehlmauer " ], "description": "This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when\n processing a specially crafted .VSC file. This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.", "references": [ "OSVDB-69616", "EBD-29234" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VideoCharge Studio 2.12.3.685" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/videocharge_studio.rb", "is_install_path": true, "ref_name": "windows/fileformat/videocharge_studio", "check": false }, "exploit_windows/fileformat/videolan_tivo": { "name": "VideoLAN VLC TiVo Buffer Overflow", "full_name": "exploit/windows/fileformat/videolan_tivo", "rank": 400, "disclosure_date": "2008-10-22", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n By creating a malicious TY file, a remote attacker could overflow a\n buffer and execute arbitrary code.", "references": [ "CVE-2008-4654", "OSVDB-49181", "BID-31813" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VideoLAN VLC 
0.9.4 (XP SP3 English)", "VideoLAN VLC 0.9.2 (XP SP3 English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/videolan_tivo.rb", "is_install_path": true, "ref_name": "windows/fileformat/videolan_tivo", "check": false }, "exploit_windows/fileformat/videospirit_visprj": { "name": "VeryTools Video Spirit Pro", "full_name": "exploit/windows/fileformat/videospirit_visprj", "rank": 400, "disclosure_date": "2011-04-11", "type": "exploit", "author": [ "Acidgen", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in Video Spirit <= 1.70.\n When opening a malicious project file (.visprj), a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", "references": [ "CVE-2011-0499", "CVE-2011-0500", "OSVDB-70619", "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-001" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/videospirit_visprj.rb", "is_install_path": true, "ref_name": "windows/fileformat/videospirit_visprj", "check": false }, "exploit_windows/fileformat/visio_dxf_bof": { "name": "Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability", "full_name": "exploit/windows/fileformat/visio_dxf_bof", "rank": 400, "disclosure_date": "2010-05-04", "type": "exploit", "author": [ "Unknown", "Shahin Ramezany ", "juan vazquez " ], "description": "This module exploits a stack based overflow vulnerability in the handling\n of the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n the MS bulletin MS10-028 are vulnerable. 
The overflow occurs when the application\n is used to import a specially crafted DXF file, while parsing the HEADER section\n of the DXF file.\n\n To trigger the vulnerability an attacker must convince someone to insert a\n specially crafted DXF file into a new document, go to 'Insert' -> 'CAD Drawing'", "references": [ "CVE-2010-1681", "OSVDB-64446", "BID-39836", "URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow", "URL-https://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Visio 2002 English on Windows XP SP3 Spanish", "Visio 2002 English on Windows XP SP3 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/visio_dxf_bof", "check": false }, "exploit_windows/fileformat/visiwave_vwr_type": { "name": "VisiWave VWR File Parsing Vulnerability", "full_name": "exploit/windows/fileformat/visiwave_vwr_type", "rank": 500, "disclosure_date": "2011-05-20", "type": "exploit", "author": [ "mr_me ", "TecR0c " ], "description": "This module exploits a vulnerability found in VisiWave's Site Survey Report application.\n When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n 'Image'), but if a match isn't found, the function that's supposed to handle this routine\n ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10]\n instruction. This allows attackers to overwrite it with any arbitrary value, and results in code\n execution. 
A patch is available at visiwave.com; the fix is done by XORing the return value as\n null if no match is found, and then it is validated before use.\n\n NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a\n victim user to 'double click' the malicious VWR file and execute code. This module was also built\n to bypass ASLR and DEP.", "references": [ "CVE-2011-2386", "OSVDB-72464", "URL-http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html", "URL-http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3/Windows 7 SP0" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/visiwave_vwr_type.rb", "is_install_path": true, "ref_name": "windows/fileformat/visiwave_vwr_type", "check": false }, "exploit_windows/fileformat/vlc_modplug_s3m": { "name": "VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/vlc_modplug_s3m", "rank": 200, "disclosure_date": "2011-04-07", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits an input validation error in libmod_plugin as\n included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n are affected. By creating a malicious S3M file, a remote attacker\n could execute arbitrary code.\n\n Although other products that bundle libmodplug may be vulnerable, this\n module was only tested against VLC.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it. 
As such,\n this module is capable of bypassing DEP, but not ASLR.", "references": [ "CVE-2011-1574", "OSVDB-72143", "URL-http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b", "URL-http://seclists.org/fulldisclosure/2011/Apr/113" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VLC 1.1.8 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb", "is_install_path": true, "ref_name": "windows/fileformat/vlc_modplug_s3m", "check": false }, "exploit_windows/fileformat/vlc_realtext": { "name": "VLC Media Player RealText Subtitle Overflow", "full_name": "exploit/windows/fileformat/vlc_realtext", "rank": 400, "disclosure_date": "2008-11-05", "type": "exploit", "author": [ "Tobias Klein", "SkD", "juan vazquez " ], "description": "This module exploits a stack buffer overflow vulnerability in\n VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of\n RealText subtitle files.\n\n In order to exploit this, this module will generate two files:\n The .mp4 file is used to trick your victim into running. 
The .rt file\n is the actual malicious file that triggers the vulnerability, which\n should be placed under the same directory as the .mp4 file.", "references": [ "OSVDB-49809", "CVE-2008-5036", "BID-32125", "URL-http://www.trapkit.de/advisories/TKADV2008-011.txt", "URL-http://www.videolan.org/security/sa0810.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/vlc_realtext.rb", "is_install_path": true, "ref_name": "windows/fileformat/vlc_realtext", "check": false }, "exploit_windows/fileformat/vlc_smb_uri": { "name": "VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow", "full_name": "exploit/windows/fileformat/vlc_smb_uri", "rank": 500, "disclosure_date": "2009-06-24", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack-based buffer overflow in the Win32AddConnection\n function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are\n reportedly affected.\n\n This vulnerability is only present in Win32 builds of VLC.\n\n This payload was found to work with the windows/exec and\n windows/meterpreter/reverse_tcp payloads. 
However, the\n windows/meterpreter/reverse_ord_tcp was found not to work.", "references": [ "BID-35500", "OSVDB-55509", "CVE-2009-2484", "URL-http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f", "EDB-9029" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "vlc 0.9.9 on Windows XP SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/vlc_smb_uri.rb", "is_install_path": true, "ref_name": "windows/fileformat/vlc_smb_uri", "check": false }, "exploit_windows/fileformat/vlc_webm": { "name": "VideoLAN VLC MKV Memory Corruption", "full_name": "exploit/windows/fileformat/vlc_webm", "rank": 400, "disclosure_date": "2011-01-31", "type": "exploit", "author": [ "Dan Rosenberg" ], "description": "This module exploits an input validation error in VideoLAN VLC\n < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker\n could execute arbitrary code.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it.", "references": [ "OSVDB-70698", "CVE-2011-0531", "BID-46060", "URL-http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456", "URL-http://www.videolan.org/security/sa1102.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VLC 1.1.6 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/vlc_webm.rb", "is_install_path": true, "ref_name": "windows/fileformat/vlc_webm", "check": false }, "exploit_windows/fileformat/vuplayer_cue": { "name": "VUPlayer CUE Buffer Overflow", "full_name": "exploit/windows/fileformat/vuplayer_cue", "rank": 400, "disclosure_date": "2009-08-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack based overflow in VUPlayer 
<= 2.49. When\n the application is used to open a specially crafted cue file, a buffer is overwritten allowing\n for the execution of arbitrary code.", "references": [ "OSVDB-64581", "BID-33960" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VUPlayer 2.49" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb", "is_install_path": true, "ref_name": "windows/fileformat/vuplayer_cue", "check": false }, "exploit_windows/fileformat/vuplayer_m3u": { "name": "VUPlayer M3U Buffer Overflow", "full_name": "exploit/windows/fileformat/vuplayer_m3u", "rank": 400, "disclosure_date": "2009-08-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack overflow in VUPlayer <= 2.49. When\n the application is used to open a specially crafted m3u file, a buffer is overwritten allowing\n for the execution of arbitrary code.", "references": [ "CVE-2006-6251", "OSVDB-31710" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "VUPlayer 2.49" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/vuplayer_m3u", "check": false }, "exploit_windows/fileformat/watermark_master": { "name": "Watermark Master Buffer Overflow (SEH)", "full_name": "exploit/windows/fileformat/watermark_master", "rank": 300, "disclosure_date": "2013-11-01", "type": "exploit", "author": [ "metacom", "Andrew Smith" ], "description": "This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when\n processing a specially crafted .WCF file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Watermark Master to open a malicious .WCF file.", "references": [ "OSVDB-99226", "CVE-2013-6935", "EBD-29327" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 7 x32 - Watermark Master 2.2.23", "Windows 7 x64 - Watermark Master 2.2.23" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/watermark_master.rb", "is_install_path": true, "ref_name": "windows/fileformat/watermark_master", "check": false }, "exploit_windows/fileformat/winamp_maki_bof": { "name": "Winamp MAKI Buffer Overflow", "full_name": "exploit/windows/fileformat/winamp_maki_bof", "rank": 300, "disclosure_date": "2009-05-20", "type": "exploit", "author": [ "Monica Sojeong Hong", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow in Winamp 5.55. The flaw\n exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,\n where memmove is used in an insecure way with user controlled data.\n\n To exploit the vulnerability the attacker must convince the victim to install the\n generated mcvcore.maki file in the \"scripts\" directory of the default \"Bento\" skin,\n or generate a new skin using the crafted mcvcore.maki file. 
The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2009-1831", "OSVDB-54902", "BID-35052", "EDB-8783", "EDB-8772", "EDB-8770", "EDB-8767", "URL-http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Winamp 5.55 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/fileformat/winamp_maki_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/winamp_maki_bof", "check": false }, "exploit_windows/fileformat/winrar_name_spoofing": { "name": "WinRAR Filename Spoofing", "full_name": "exploit/windows/fileformat/winrar_name_spoofing", "rank": 600, "disclosure_date": "2009-09-28", "type": "exploit", "author": [ "chr1x", "juan vazquez " ], "description": "This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists\n when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from\n the central directory, but the file names used to extract and open contents come from the\n Local File Header. 
This inconsistency allows to spoof file names when opening ZIP files\n with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in\n March 2014", "references": [ "OSVDB-62610", "BID-66383", "URL-http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html", "URL-http://an7isec.blogspot.co.il/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/winrar_name_spoofing.rb", "is_install_path": true, "ref_name": "windows/fileformat/winrar_name_spoofing", "check": false }, "exploit_windows/fileformat/wireshark_mpeg_overflow": { "name": "Wireshark wiretap/mpeg.c Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/wireshark_mpeg_overflow", "rank": 400, "disclosure_date": "2014-03-20", "type": "exploit", "author": [ "Wesley Neelen", "j0sm1" ], "description": "This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5\n by generating a malicious file.", "references": [ "CVE-2014-2299", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843", "URL-http://www.wireshark.org/security/wnpa-sec-2014-04.html", "BID-66066" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "WinXP SP3 Spanish (bypass DEP)", "WinXP SP2/SP3 English (bypass DEP)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb", "is_install_path": true, "ref_name": "windows/fileformat/wireshark_mpeg_overflow", "check": false }, "exploit_windows/fileformat/wireshark_packet_dect": { "name": "Wireshark packet-dect.c Stack Buffer Overflow (local)", "full_name": "exploit/windows/fileformat/wireshark_packet_dect", "rank": 400, "disclosure_date": "2011-04-18", "type": "exploit", "author": [ "Paul Makowski", "sickness", "corelanc0d3r " ], "description": "This module exploits 
a stack buffer overflow in Wireshark <= 1.4.4.\n When opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n\n Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\")).", "references": [ "CVE-2011-1591", "OSVDB-71848", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", "EDB-17185" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Win32 Universal (Generic DEP & ASLR Bypass)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/wireshark_packet_dect.rb", "is_install_path": true, "ref_name": "windows/fileformat/wireshark_packet_dect", "check": false }, "exploit_windows/fileformat/wm_downloader_m3u": { "name": "WM Downloader 3.1.2.2 Buffer Overflow", "full_name": "exploit/windows/fileformat/wm_downloader_m3u", "rank": 300, "disclosure_date": "2010-07-28", "type": "exploit", "author": [ "fdisk", "dookie" ], "description": "This module exploits a buffer overflow in WM Downloader v3.1.2.2. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", "references": [ "OSVDB-66911", "EDB-14497" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb", "is_install_path": true, "ref_name": "windows/fileformat/wm_downloader_m3u", "check": false }, "exploit_windows/fileformat/xenorate_xpl_bof": { "name": "Xenorate 2.50 (.xpl) Universal Local Buffer Overflow (SEH)", "full_name": "exploit/windows/fileformat/xenorate_xpl_bof", "rank": 500, "disclosure_date": "2009-08-19", "type": "exploit", "author": [ "hack4love ", "germaya_x", "loneferret", "jduck " ], "description": "This module exploits a stack buffer overflow in Xenorate 2.50\n by creating a specially crafted xpl file.", "references": [ "OSVDB-57162", "EDB-10371" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2 / SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb", "is_install_path": true, "ref_name": "windows/fileformat/xenorate_xpl_bof", "check": false }, "exploit_windows/fileformat/xion_m3u_sehbof": { "name": "Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/xion_m3u_sehbof", "rank": 500, "disclosure_date": "2010-11-23", "type": "exploit", "author": [ "hadji samir ", "corelanc0d3r ", "digital1", "jduck ", "m_101" ], "description": "This module exploits a stack buffer overflow in Xion Audio Player prior to version\n 1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n contains an overly long string. 
This results in overwriting a\n structured exception handler record.", "references": [ "OSVDB-66912", "EDB-14517", "EDB-14633", "EDB-15598" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Xion Audio Player v1.0.126 XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb", "is_install_path": true, "ref_name": "windows/fileformat/xion_m3u_sehbof", "check": false }, "exploit_windows/fileformat/xradio_xrl_sehbof": { "name": "xRadio 0.95b Buffer Overflow", "full_name": "exploit/windows/fileformat/xradio_xrl_sehbof", "rank": 300, "disclosure_date": "2011-02-08", "type": "exploit", "author": [ "b0telh0 " ], "description": "This module exploits a buffer overflow in xRadio 0.95b.\n Using the application to import a specially crafted xrl file,\n a buffer overflow occurs allowing arbitrary code execution.", "references": [ "CVE-2008-2789", "BID-46290", "EDB-16141" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb", "is_install_path": true, "ref_name": "windows/fileformat/xradio_xrl_sehbof", "check": false }, "exploit_windows/fileformat/zinfaudioplayer221_pls": { "name": "Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow", "full_name": "exploit/windows/fileformat/zinfaudioplayer221_pls", "rank": 400, "disclosure_date": "2004-09-24", "type": "exploit", "author": [ "Trancek ", "aushack " ], "description": "This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Zinf.\n This functionality has not been tested in this 
module.", "references": [ "CVE-2004-0964", "OSVDB-10416", "EDB-7888", "BID-11248" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Zinf Universal 2.2.1" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb", "is_install_path": true, "ref_name": "windows/fileformat/zinfaudioplayer221_pls", "check": false }, "exploit_windows/firewall/blackice_pam_icq": { "name": "ISS PAM.dll ICQ Parser Buffer Overflow", "full_name": "exploit/windows/firewall/blackice_pam_icq", "rank": 500, "disclosure_date": "2004-03-18", "type": "exploit", "author": [ "spoonm " ], "description": "This module exploits a stack buffer overflow in the ISS products that use\n the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n will result in arbitrary code execution as LocalSystem. This exploit\n only requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n address.\n\n The ISS exception handler will recover the process after each overflow, giving\n us the ability to bruteforce the service and exploit it multiple times.", "references": [ "CVE-2004-0362", "OSVDB-4355", "URL-http://www.eeye.com/html/Research/Advisories/AD20040318.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1, "targets": [ "Bruteforce", "Bruteforce iis-pam1.dll", "Bruteforce NT 4.0", "iis-pam1.dll 3.6.06", "iis-pam1.dll 3.6.11", "WinNT SP3/SP4/SP5", "WinNT SP4/SP5", "WinNT SP5/SP6 - advapi32", "WinNT SP3/SP5/SP6 - shell32", "WinNT SP5/SP6 - mswsock", "WinXP SP0/SP1 - shell32", "WinXP SP0/SP1 - atl", "WinXP SP0/SP1 - atl", "WinXP SP0/SP1 - ws2_32", "WinXP SP0/SP1 - mswsock", "Windows 2000 Pro SP4 English", "Win2000 SP0 - SP4", "Win2000 SP2/SP3 - samlib", "Win2000 SP0/SP1 - activeds", "Windows XP Pro SP0 English", "Windows XP Pro SP1 English", "WinXP SP0 - SP1", "Win2003 SP0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/firewall/blackice_pam_icq.rb", "is_install_path": true, "ref_name": "windows/firewall/blackice_pam_icq", "check": false }, "exploit_windows/firewall/kerio_auth": { "name": "Kerio Firewall 2.1.4 Authentication Packet Overflow", "full_name": "exploit/windows/firewall/kerio_auth", "rank": 200, "disclosure_date": "2003-04-28", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Kerio Personal Firewall\n administration authentication process. This module has only been tested\n against Kerio Personal Firewall 2 (2.1.4).", "references": [ "CVE-2003-0220", "OSVDB-6294", "BID-7180" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 44334, "targets": [ "Windows 2000 Pro SP4 English", "Windows XP Pro SP0 English", "Windows XP Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/firewall/kerio_auth.rb", "is_install_path": true, "ref_name": "windows/firewall/kerio_auth", "check": false }, "exploit_windows/ftp/32bitftp_list_reply": { "name": "32bit FTP Client Stack Buffer Overflow ", "full_name": "exploit/windows/ftp/32bitftp_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "fancy", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n download a file that has an overly long filename.", "references": [ "OSVDB-68703", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/32bitftp_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/32bitftp_list_reply", "check": false }, "exploit_windows/ftp/3cdaemon_ftp_user": { "name": "3Com 3CDaemon 2.0 FTP Username Overflow", "full_name": 
"exploit/windows/ftp/3cdaemon_ftp_user", "rank": 200, "disclosure_date": "2005-01-04", "type": "exploit", "author": [ "hdm ", "otr" ], "description": "This module exploits a vulnerability in the 3Com 3CDaemon\n FTP service. This package is being distributed from the 3Com\n web site and is recommended in numerous support documents.\n This module uses the USER command to trigger the overflow.", "references": [ "CVE-2005-0277", "OSVDB-12810", "OSVDB-12811", "BID-12155" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows 2000 English", "Windows XP English SP0/SP1", "Windows NT 4.0 SP4/SP5/SP6", "Windows 2000 Pro SP4 French", "Windows XP English SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb", "is_install_path": true, "ref_name": "windows/ftp/3cdaemon_ftp_user", "check": true }, "exploit_windows/ftp/aasync_list_reply": { "name": "AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)", "full_name": "exploit/windows/ftp/aasync_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n processing the response on a LIST command. 
During the overflow, a structured exception\n handler record gets overwritten.", "references": [ "OSVDB-68701", "EDB-16738", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP SP3 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/aasync_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/aasync_list_reply", "check": false }, "exploit_windows/ftp/ability_server_stor": { "name": "Ability Server 2.34 STOR Command Stack Buffer Overflow", "full_name": "exploit/windows/ftp/ability_server_stor", "rank": 300, "disclosure_date": "2004-10-22", "type": "exploit", "author": [ "muts", "Dark Eagle", "Peter Osterberg" ], "description": "This module exploits a stack-based buffer overflow in Ability Server 2.34.\n Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,\n which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.\n\n The vulnerability has been confirmed on version 2.34 and has also been reported\n in version 2.25 and 2.32. 
Other versions may also be affected.", "references": [ "CVE-2004-1626", "OSVDB-11030", "EDB-588" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows XP SP2 ENG", "Windows XP SP3 ENG" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ability_server_stor.rb", "is_install_path": true, "ref_name": "windows/ftp/ability_server_stor", "check": true }, "exploit_windows/ftp/absolute_ftp_list_bof": { "name": "AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow", "full_name": "exploit/windows/ftp/absolute_ftp_list_bof", "rank": 300, "disclosure_date": "2011-11-09", "type": "exploit", "author": [ "Node" ], "description": "This module exploits VanDyke Software AbsoluteFTP by overflowing\n a filename buffer related to the LIST command.", "references": [ "CVE-2011-5164", "OSVDB-77105", "EDB-18102" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/absolute_ftp_list_bof.rb", "is_install_path": true, "ref_name": "windows/ftp/absolute_ftp_list_bof", "check": false }, "exploit_windows/ftp/ayukov_nftp": { "name": "Ayukov NFTP FTP Client Buffer Overflow", "full_name": "exploit/windows/ftp/ayukov_nftp", "rank": 300, "disclosure_date": "2017-10-21", "type": "exploit", "author": [ "Berk Cem Goksel", "Daniel Teixeira", "sinn3r " ], "description": "This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP\n Client 2.0 and earlier. 
By responding with a long string of data for the SYST request, it\n is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote\n code execution under the context of the user if successfully exploited.", "references": [ "CVE-2017-15222", "EDB-43025" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Pro SP3 English" ], "mod_time": "2018-01-03 20:52:57 +0000", "path": "/modules/exploits/windows/ftp/ayukov_nftp.rb", "is_install_path": true, "ref_name": "windows/ftp/ayukov_nftp", "check": false }, "exploit_windows/ftp/bison_ftp_bof": { "name": "BisonWare BisonFTP Server Buffer Overflow", "full_name": "exploit/windows/ftp/bison_ftp_bof", "rank": 300, "disclosure_date": "2011-08-07", "type": "exploit", "author": [ "localh0t", "veerendragg ", "Jay Turla" ], "description": "BisonWare BisonFTP Server 3.5 is prone to an overflow condition.\n This module exploits a buffer overflow vulnerability in the said\n application.", "references": [ "CVE-1999-1510", "BID-49109", "EDB-17649", "URL-http://secpod.org/msf/bison_server_bof.rb" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Bisonware FTP Server / Windows XP SP3 EN" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/bison_ftp_bof.rb", "is_install_path": true, "ref_name": "windows/ftp/bison_ftp_bof", "check": true }, "exploit_windows/ftp/cesarftp_mkd": { "name": "Cesar FTP 0.99g MKD Command Buffer Overflow", "full_name": "exploit/windows/ftp/cesarftp_mkd", "rank": 200, "disclosure_date": "2006-06-12", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n You must have valid credentials to trigger this vulnerability. 
Also, you\n only get one chance, so choose your target carefully.", "references": [ "CVE-2006-2961", "OSVDB-26364", "BID-18586", "URL-http://secunia.com/advisories/20574/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 Pro SP4 English", "Windows 2000 Pro SP4 French", "Windows XP SP2/SP3 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/cesarftp_mkd.rb", "is_install_path": true, "ref_name": "windows/ftp/cesarftp_mkd", "check": true }, "exploit_windows/ftp/comsnd_ftpd_fmtstr": { "name": "ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability", "full_name": "exploit/windows/ftp/comsnd_ftpd_fmtstr", "rank": 400, "disclosure_date": "2012-06-08", "type": "exploit", "author": [ "ChaoYi Huang ", "rick2600 ", "mr_me ", "corelanc0d3r " ], "description": "This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially\n crafted format string specifier as a username. The crafted username is sent to the server to\n overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer\n is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.\n The SEH exit function is preferred so that the administrators are not left with an unhandled\n exception message. 
When using the meterpreter payload, the process will never die, allowing\n for continuous exploitation.", "references": [ "OSVDB-82798", "EDB-19024" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 21, "targets": [ "Automatic", "Windows XP SP3 - English", "Windows Server 2003 - English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb", "is_install_path": true, "ref_name": "windows/ftp/comsnd_ftpd_fmtstr", "check": true }, "exploit_windows/ftp/dreamftp_format": { "name": "BolinTech Dream FTP Server 1.02 Format String", "full_name": "exploit/windows/ftp/dreamftp_format", "rank": 400, "disclosure_date": "2004-03-03", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a format string overflow in the BolinTech\n Dream FTP Server version 1.02. Based on the exploit by SkyLined.", "references": [ "CVE-2004-2074", "OSVDB-4986", "BID-9800", "EDB-823" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 21, "targets": [ "Dream FTP Server v1.02 Universal" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/ftp/dreamftp_format.rb", "is_install_path": true, "ref_name": "windows/ftp/dreamftp_format", "check": true }, "exploit_windows/ftp/easyfilesharing_pass": { "name": "Easy File Sharing FTP Server 2.0 PASS Overflow", "full_name": "exploit/windows/ftp/easyfilesharing_pass", "rank": 200, "disclosure_date": "2006-07-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the Easy File Sharing 2.0\n service. 
By sending an overly long password, an attacker can execute\n arbitrary code.", "references": [ "CVE-2006-3952", "OSVDB-27646", "BID-19243" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 Pro English ALL", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/easyfilesharing_pass.rb", "is_install_path": true, "ref_name": "windows/ftp/easyfilesharing_pass", "check": true }, "exploit_windows/ftp/easyftp_cwd_fixret": { "name": "EasyFTP Server CWD Command Stack Buffer Overflow", "full_name": "exploit/windows/ftp/easyftp_cwd_fixret", "rank": 500, "disclosure_date": "2010-02-16", "type": "exploit", "author": [ "Paul Makowski ", "jduck " ], "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n leads to a stack based buffer overflow. EasyFTP allows anonymous access by\n default; valid credentials are typically unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. 
See references for more information.", "references": [ "OSVDB-62134", "BID-38262", "URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/", "URL-http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit", "URL-http://seclists.org/bugtraq/2010/Feb/202" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows Universal - v1.7.0.2", "Windows Universal - v1.7.0.3", "Windows Universal - v1.7.0.4", "Windows Universal - v1.7.0.5", "Windows Universal - v1.7.0.6", "Windows Universal - v1.7.0.7", "Windows Universal - v1.7.0.8", "Windows Universal - v1.7.0.9", "Windows Universal - v1.7.0.10", "Windows Universal - v1.7.0.11" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb", "is_install_path": true, "ref_name": "windows/ftp/easyftp_cwd_fixret", "check": true }, "exploit_windows/ftp/easyftp_list_fixret": { "name": "EasyFTP Server LIST Command Stack Buffer Overflow", "full_name": "exploit/windows/ftp/easyftp_list_fixret", "rank": 500, "disclosure_date": "2010-07-05", "type": "exploit", "author": [ "Karn Ganeshan ", "MFR", "jduck " ], "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n credit goes to Karn Ganeshan.\n\n NOTE: Although, this is likely to exploit the same vulnerability as the\n 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.", "references": [ "OSVDB-62134", "EDB-14400", "EDB-14451" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows XP SP3 - Version 2002" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/easyftp_list_fixret.rb", "is_install_path": true, "ref_name": "windows/ftp/easyftp_list_fixret", "check": true }, "exploit_windows/ftp/easyftp_mkd_fixret": { "name": "EasyFTP Server MKD Command Stack Buffer Overflow", 
"full_name": "exploit/windows/ftp/easyftp_mkd_fixret", "rank": 500, "disclosure_date": "2010-04-04", "type": "exploit", "author": [ "x90c ", "jduck " ], "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n leads to a stack based buffer overflow.\n\n NOTE: EasyFTP allows anonymous access by default. However, in order to access the\n 'MKD' command, you must have access to an account that can create directories.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I've referred to as 'fixRet'.\n This code allows us to inject a payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.", "references": [ "OSVDB-62134", "EDB-12044", "EDB-14399" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows Universal - v1.7.0.2", "Windows Universal - v1.7.0.3", "Windows Universal - v1.7.0.4", "Windows Universal - v1.7.0.5", "Windows Universal - v1.7.0.6", "Windows Universal - v1.7.0.7", "Windows Universal - v1.7.0.8", "Windows Universal - v1.7.0.9", "Windows Universal - v1.7.0.10", "Windows Universal - v1.7.0.11" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb", "is_install_path": true, "ref_name": "windows/ftp/easyftp_mkd_fixret", "check": true }, "exploit_windows/ftp/filecopa_list_overflow": { "name": "FileCopa FTP Server Pre 18 Jul Version", "full_name": "exploit/windows/ftp/filecopa_list_overflow", "rank": 200, "disclosure_date": "2006-07-19", "type": "exploit", "author": [ "Jacopo Cervini" ], "description": "This module exploits the buffer overflow found in the LIST command\n in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch", "references": [ "CVE-2006-3726", 
"OSVDB-27389", "BID-19065" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2k Server SP4 English", "Windows XP Pro SP2 Italian" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/filecopa_list_overflow.rb", "is_install_path": true, "ref_name": "windows/ftp/filecopa_list_overflow", "check": false }, "exploit_windows/ftp/filewrangler_list_reply": { "name": "FileWrangler 5.30 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/filewrangler_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "nullthreat", "corelanc0d3r " ], "description": "This module exploits a buffer overflow in the FileWrangler client\n that is triggered when the client connects to a FTP server and lists\n the directory contents, containing an overly long directory name.", "references": [ "OSVDB-94555", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/filewrangler_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/filewrangler_list_reply", "check": false }, "exploit_windows/ftp/freefloatftp_user": { "name": "Free Float FTP Server USER Command Buffer Overflow", "full_name": "exploit/windows/ftp/freefloatftp_user", "rank": 300, "disclosure_date": "2012-06-12", "type": "exploit", "author": [ "D35m0nd142", "Doug Prostko " ], "description": "Freefloat FTP Server is prone to an overflow condition. It\n fails to properly sanitize user-supplied input resulting in a\n stack-based buffer overflow. 
With a specially crafted 'USER'\n command, a remote attacker can potentially have an unspecified\n impact.", "references": [ "OSVDB-69621", "EDB-23243" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "FreeFloat / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/freefloatftp_user.rb", "is_install_path": true, "ref_name": "windows/ftp/freefloatftp_user", "check": true }, "exploit_windows/ftp/freefloatftp_wbem": { "name": "FreeFloat FTP Server Arbitrary File Upload", "full_name": "exploit/windows/ftp/freefloatftp_wbem", "rank": 600, "disclosure_date": "2012-12-07", "type": "exploit", "author": [ "sinn3r ", "juan vazquez " ], "description": "This module abuses multiple issues in FreeFloat: 1. No credential is actually\n needed to login; 2. User's default path is in C:\\, and this cannot be changed;\n 3. User can write to anywhere on the server's file system. As a result of these\n poor implementations, a malicious user can just log in and then upload files,\n and let WMI (Management Instrumentation service) to execute the payload uploaded.", "references": [ "OSVDB-88302", "OSVDB-88303" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "FreeFloat" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/freefloatftp_wbem.rb", "is_install_path": true, "ref_name": "windows/ftp/freefloatftp_wbem", "check": true }, "exploit_windows/ftp/freeftpd_pass": { "name": "freeFTPd PASS Command Buffer Overflow", "full_name": "exploit/windows/ftp/freeftpd_pass", "rank": 300, "disclosure_date": "2013-08-20", "type": "exploit", "author": [ "Wireghoul", "TecR0c " ], "description": "freeFTPd 1.0.10 and below contains an overflow condition that is triggered as\n user-supplied input is not properly validated when handling a specially crafted\n PASS command. 
This may allow a remote attacker to cause a buffer overflow,\n resulting in a denial of service or allow the execution of arbitrary code.\n\n freeFTPd must be configured with an account that permits anonymous user authorization.", "references": [ "OSVDB-96517", "EDB-27747", "BID-61905" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 21, "targets": [ "freeFTPd 1.0.10 and below on Windows Desktop Version" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/freeftpd_pass.rb", "is_install_path": true, "ref_name": "windows/ftp/freeftpd_pass", "check": true }, "exploit_windows/ftp/freeftpd_user": { "name": "freeFTPd 1.0 Username Overflow", "full_name": "exploit/windows/ftp/freeftpd_user", "rank": 200, "disclosure_date": "2005-11-16", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the freeFTPd\n multi-protocol file transfer service. This flaw can only be\n exploited when logging has been enabled (non-default).", "references": [ "CVE-2005-3683", "OSVDB-20909", "BID-15457" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows 2000 English ALL", "Windows XP Pro SP0/SP1 English", "Windows NT SP5/SP6a English", "Windows 2003 Server English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/freeftpd_user.rb", "is_install_path": true, "ref_name": "windows/ftp/freeftpd_user", "check": true }, "exploit_windows/ftp/ftpgetter_pwd_reply": { "name": "FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)", "full_name": "exploit/windows/ftp/ftpgetter_pwd_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "ekse", "corelanc0d3r " ], "description": "This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n When processing the response on a PWD command, a stack based buffer overflow occurs.\n This leads to 
arbitrary code execution when a structured exception handler gets\n overwritten.", "references": [ "OSVDB-68638", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP SP3 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/ftpgetter_pwd_reply", "check": false }, "exploit_windows/ftp/ftppad_list_reply": { "name": "FTPPad 1.2.0 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/ftppad_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "corelanc0d3r" ], "description": "This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n triggered when the client connects to a FTP server which sends an overly long directory\n and filename in response to a LIST command.\n\n This will cause an access violation, and will eventually overwrite the saved extended\n instruction pointer. 
Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n sniper was needed to make this one work.", "references": [ "OSVDB-68714", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP SP3 Professional, English - shlwapi 6.00.2900.5912", "XP SP3 Professional, German - shlwapi 6.00.2900.5912", "XP SP3 Professional, English - shlwapi 6.00.2900.5512" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ftppad_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/ftppad_list_reply", "check": false }, "exploit_windows/ftp/ftpshell51_pwd_reply": { "name": "FTPShell 5.1 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/ftpshell51_pwd_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n triggered when the ftp client tries to process an overly long response to a PWD\n command. 
This will overwrite the saved EIP and structured exception handler.", "references": [ "OSVDB-68639", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Universal" ], "mod_time": "2017-09-22 18:49:09 +0000", "path": "/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/ftpshell51_pwd_reply", "check": false }, "exploit_windows/ftp/ftpshell_cli_bof": { "name": "FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow", "full_name": "exploit/windows/ftp/ftpshell_cli_bof", "rank": 300, "disclosure_date": "2017-03-04", "type": "exploit", "author": [ "r4wd3r", "Daniel Teixeira" ], "description": "This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise\n edition) allowing remote code execution.", "references": [ "CVE-2018-7573", "EDB-44596" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-06-29 14:22:40 +0000", "path": "/modules/exploits/windows/ftp/ftpshell_cli_bof.rb", "is_install_path": true, "ref_name": "windows/ftp/ftpshell_cli_bof", "check": false }, "exploit_windows/ftp/ftpsynch_list_reply": { "name": "FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/ftpsynch_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "myne-us", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n version 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n the client in response to a LIST command.\n The LIST command gets issued when doing a preview or when you have just created a new\n sync profile and allow the tool to see the differences.\n This will overwrite a structured exception handler 
and trigger an access violation.", "references": [ "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ftpsynch_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/ftpsynch_list_reply", "check": false }, "exploit_windows/ftp/gekkomgr_list_reply": { "name": "Gekko Manager FTP Client Stack Buffer Overflow", "full_name": "exploit/windows/ftp/gekkomgr_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "nullthreat", "corelanc0d3r " ], "description": "This module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n processing the response received after sending a LIST request. If this response contains\n a long filename, a buffer overflow occurs, overwriting a structured exception handler.", "references": [ "OSVDB-68641", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP SP3 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/gekkomgr_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/gekkomgr_list_reply", "check": false }, "exploit_windows/ftp/globalscapeftp_input": { "name": "GlobalSCAPE Secure FTP Server Input Overflow", "full_name": "exploit/windows/ftp/globalscapeftp_input", "rank": 500, "disclosure_date": "2005-05-01", "type": "exploit", "author": [ "Fairuzan Roslan ", "Mati Aharoni " ], "description": "This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n All versions prior to 3.0.3 are affected by this flaw. 
A valid user account (\n or anonymous access) is required for this exploit to work.", "references": [ "CVE-2005-1415", "OSVDB-16049", "BID-13454", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "GlobalSCAPE Secure FTP Server <= 3.0.2 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/globalscapeftp_input.rb", "is_install_path": true, "ref_name": "windows/ftp/globalscapeftp_input", "check": false }, "exploit_windows/ftp/goldenftp_pass_bof": { "name": "GoldenFTP PASS Stack Buffer Overflow", "full_name": "exploit/windows/ftp/goldenftp_pass_bof", "rank": 200, "disclosure_date": "2011-01-23", "type": "exploit", "author": [ "Craig Freyman", "bannedit ", "Joff Thyer " ], "description": "This module exploits a vulnerability in the Golden FTP service, using the PASS\n command to cause a buffer overflow. Please note that in order trigger the vulnerable\n code, the victim machine must have the \"Show new connections\" setting enabled. 
By\n default, this option is unchecked.", "references": [ "CVE-2006-6576", "OSVDB-35951", "BID-45957", "EDB-16036" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows XP Pro SP3", "Windows XP Pro SP2", "Windows XP Pro SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/goldenftp_pass_bof.rb", "is_install_path": true, "ref_name": "windows/ftp/goldenftp_pass_bof", "check": true }, "exploit_windows/ftp/httpdx_tolog_format": { "name": "HTTPDX tolog() Function Format String Vulnerability", "full_name": "exploit/windows/ftp/httpdx_tolog_format", "rank": 500, "disclosure_date": "2009-11-17", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a format string vulnerability in HTTPDX FTP server.\n By sending a specially crafted FTP command containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", "references": [ "CVE-2009-4769", "OSVDB-60181" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic Targeting", "httpdx 1.4 - Windows XP SP3 English", "httpdx 1.4.5 - Windows XP SP3 English", "httpdx 1.4.6 - Windows XP SP3 English", "httpdx 1.4.6b - Windows XP SP3 English", "httpdx 1.5 - Windows XP SP3 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb", "is_install_path": true, "ref_name": "windows/ftp/httpdx_tolog_format", "check": true }, "exploit_windows/ftp/kmftp_utility_cwd": { "name": "Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow", "full_name": "exploit/windows/ftp/kmftp_utility_cwd", "rank": 300, "disclosure_date": "2015-08-23", "type": "exploit", "author": [ "Shankar Damodaran", "Muhamad Fadzil Ramli " ], "description": "This module exploits an SEH overflow in Konica 
Minolta FTP Server 1.00.\n Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which\n leads to an SEH overflow. Konica FTP allows anonymous access by default; valid\n credentials are typically unnecessary to exploit this vulnerability.", "references": [ "CVE-2015-7768", "EDB-37908" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 7 SP1 x86" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/ftp/kmftp_utility_cwd.rb", "is_install_path": true, "ref_name": "windows/ftp/kmftp_utility_cwd", "check": true }, "exploit_windows/ftp/labf_nfsaxe": { "name": "LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow", "full_name": "exploit/windows/ftp/labf_nfsaxe", "rank": 300, "disclosure_date": "2017-05-15", "type": "exploit", "author": [ "Tulpa", "Daniel Teixeira" ], "description": "This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote\n code execution.", "references": [ "CVE-2017-18047", "EDB-42011" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/ftp/labf_nfsaxe.rb", "is_install_path": true, "ref_name": "windows/ftp/labf_nfsaxe", "check": false }, "exploit_windows/ftp/leapftp_list_reply": { "name": "LeapFTP 3.0.1 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/leapftp_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "corelanc0d3r ", "nullthreat" ], "description": "This module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n This issue is triggered when a file with a long name is downloaded/opened.", "references": [ "OSVDB-68640", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 
Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/leapftp_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/leapftp_list_reply", "check": false }, "exploit_windows/ftp/leapftp_pasv_reply": { "name": "LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow", "full_name": "exploit/windows/ftp/leapftp_pasv_reply", "rank": 300, "disclosure_date": "2003-06-09", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n client that is triggered through an excessively long PASV reply command. This\n module was ported from the original exploit by drG4njubas with minor improvements.", "references": [ "CVE-2003-0558", "OSVDB-4587", "BID-7860", "EDB-54" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal LeapFTP.exe", "Windows 2000 SP0/4 English", "Windows XP SP0 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/ftp/leapftp_pasv_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/leapftp_pasv_reply", "check": false }, "exploit_windows/ftp/ms09_053_ftpd_nlst": { "name": "MS09-053 Microsoft IIS FTP Server NLST Response Overflow", "full_name": "exploit/windows/ftp/ms09_053_ftpd_nlst", "rank": 500, "disclosure_date": "2009-08-31", "type": "exploit", "author": [ "Kingcope ", "hdm " ], "description": "This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n service. The flaw is triggered when a special NLST argument is passed\n while the session has changed into a long directory path. 
For this exploit\n to work, the FTP server must be configured to allow write access to the\n file system (either anonymously or in conjunction with a real account)", "references": [ "EDB-9541", "CVE-2009-3023", "OSVDB-57589", "BID-36189", "MSB-MS09-053" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 SP4 English/Italian (IIS 5.0)", "Windows 2000 SP3 English (IIS 5.0)", "Windows 2000 SP0-SP3 Japanese (IIS 5.0)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb", "is_install_path": true, "ref_name": "windows/ftp/ms09_053_ftpd_nlst", "check": false }, "exploit_windows/ftp/netterm_netftpd_user": { "name": "NetTerm NetFTPD USER Buffer Overflow", "full_name": "exploit/windows/ftp/netterm_netftpd_user", "rank": 500, "disclosure_date": "2005-04-26", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a vulnerability in the NetTerm NetFTPD\n application. 
This package is part of the NetTerm package.\n This module uses the USER command to trigger the overflow.", "references": [ "CVE-2005-1323", "OSVDB-15865", "URL-http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html", "BID-13396" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "NetTerm NetFTPD Universal", "Windows 2000 English", "Windows XP English SP0/SP1", "Windows 2003 English", "Windows NT 4.0 SP4/SP5/SP6" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/netterm_netftpd_user.rb", "is_install_path": true, "ref_name": "windows/ftp/netterm_netftpd_user", "check": true }, "exploit_windows/ftp/odin_list_reply": { "name": "Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)", "full_name": "exploit/windows/ftp/odin_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "rick2600", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n triggered when processing the response on a LIST command. During the overflow,\n a structured exception handler record gets overwritten.", "references": [ "OSVDB-68824", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP SP3 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/odin_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/odin_list_reply", "check": false }, "exploit_windows/ftp/open_ftpd_wbem": { "name": "Open-FTPD 1.2 Arbitrary File Upload", "full_name": "exploit/windows/ftp/open_ftpd_wbem", "rank": 600, "disclosure_date": "2012-06-18", "type": "exploit", "author": [ "Serge Gorbunov", "Brendan Coles " ], "description": "This module exploits multiple vulnerabilities found in Open&Compact FTP\n server. 
The software contains an authentication bypass vulnerability and an\n arbitrary file upload vulnerability that allows a remote attacker to write\n arbitrary files to the file system as long as there is at least one user\n who has permission.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then uploading a mof file, which causes\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", "references": [ "OSVDB-65687", "EDB-13932", "CVE-2010-2620" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Open&Compact FTP 1.2 on Windows (Before Vista)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/open_ftpd_wbem.rb", "is_install_path": true, "ref_name": "windows/ftp/open_ftpd_wbem", "check": true }, "exploit_windows/ftp/oracle9i_xdb_ftp_pass": { "name": "Oracle 9i XDB FTP PASS Overflow (win32)", "full_name": "exploit/windows/ftp/oracle9i_xdb_ftp_pass", "rank": 500, "disclosure_date": "2003-08-18", "type": "exploit", "author": [ "MC " ], "description": "By passing an overly long string to the PASS command, a\n stack based buffer overflow occurs. 
David Litchfield has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB) during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference.", "references": [ "CVE-2003-0727", "OSVDB-2449", "BID-8375", "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2100, "targets": [ "Oracle 9.2.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb", "is_install_path": true, "ref_name": "windows/ftp/oracle9i_xdb_ftp_pass", "check": true }, "exploit_windows/ftp/oracle9i_xdb_ftp_unlock": { "name": "Oracle 9i XDB FTP UNLOCK Overflow (win32)", "full_name": "exploit/windows/ftp/oracle9i_xdb_ftp_unlock", "rank": 500, "disclosure_date": "2003-08-18", "type": "exploit", "author": [ "MC ", "David Litchfield " ], "description": "By passing an overly long token to the UNLOCK command, a\n stack based buffer overflow occurs. David Litchfield has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB) during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference. 
Oracle9i includes a number of default accounts,\n including dbsnmp:dbsmp, scott:tiger, system:manager, and\n sys:change_on_install.", "references": [ "CVE-2003-0727", "OSVDB-2449", "BID-8375", "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2100, "targets": [ "Oracle 9.2.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb", "is_install_path": true, "ref_name": "windows/ftp/oracle9i_xdb_ftp_unlock", "check": true }, "exploit_windows/ftp/pcman_put": { "name": "PCMAN FTP Server Buffer Overflow - PUT Command", "full_name": "exploit/windows/ftp/pcman_put", "rank": 300, "disclosure_date": "2015-08-07", "type": "exploit", "author": [ "Jay Turla", "Chris Higgins" ], "description": "This module exploits a buffer overflow vulnerability found in the PUT command of the\n PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous\n credentials are enabled.", "references": [ "CVE-2013-4730", "EDB-37731", "OSVDB-94624" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows XP SP3 English" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/ftp/pcman_put.rb", "is_install_path": true, "ref_name": "windows/ftp/pcman_put", "check": true }, "exploit_windows/ftp/pcman_stor": { "name": "PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow", "full_name": "exploit/windows/ftp/pcman_stor", "rank": 300, "disclosure_date": "2013-06-27", "type": "exploit", "author": [ "Christian (Polunchis) Ramirez", "Rick (nanotechz9l) Flores" ], "description": "This module exploits a buffer overflow vulnerability found in the STOR command of the\n PCMAN FTP v2.07 Server when the \"/../\" parameters are also sent to the server. 
Please\n note authentication is required in order to trigger the vulnerability. The overflowing\n string will also be seen on the FTP server log console.", "references": [ "CVE-2013-4730", "OSVDB-94624", "EDB-27703" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows XP SP3 English" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/ftp/pcman_stor.rb", "is_install_path": true, "ref_name": "windows/ftp/pcman_stor", "check": true }, "exploit_windows/ftp/proftp_banner": { "name": "ProFTP 2.9 Banner Remote Buffer Overflow", "full_name": "exploit/windows/ftp/proftp_banner", "rank": 300, "disclosure_date": "2009-08-25", "type": "exploit", "author": [ "His0k4 " ], "description": "This module exploits a buffer overflow in the ProFTP 2.9\n client that is triggered through an excessively long welcome message.", "references": [ "CVE-2009-3976", "OSVDB-57394", "URL-http://www.labtam-inc.com/index.php?act=products&pid=1" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/proftp_banner.rb", "is_install_path": true, "ref_name": "windows/ftp/proftp_banner", "check": false }, "exploit_windows/ftp/quickshare_traversal_write": { "name": "QuickShare File Server 1.2.1 Directory Traversal Vulnerability", "full_name": "exploit/windows/ftp/quickshare_traversal_write", "rank": 600, "disclosure_date": "2011-02-03", "type": "exploit", "author": [ "modpr0be", "sinn3r " ], "description": "This module exploits a vulnerability found in QuickShare File Server's FTP\n service. By supplying \"../\" in the file path, it is possible to trigger a\n directory traversal flaw, allowing the attacker to read a file outside the\n virtual directory. 
By default, the \"Writable\" option is enabled during account\n creation, therefore this makes it possible to create a file at an arbitrary\n location, which leads to remote code execution.", "references": [ "OSVDB-70776", "EDB-16105", "URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html", "URL-http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "QuickShare File Server 1.2.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/quickshare_traversal_write.rb", "is_install_path": true, "ref_name": "windows/ftp/quickshare_traversal_write", "check": true }, "exploit_windows/ftp/ricoh_dl_bof": { "name": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", "full_name": "exploit/windows/ftp/ricoh_dl_bof", "rank": 300, "disclosure_date": "2012-03-01", "type": "exploit", "author": [ "Julien Ahrens", "sinn3r " ], "description": "This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\n service. 
By supplying a long string of data to the USER command, it is\n possible to trigger a stack-based buffer overflow, which allows remote code\n execution under the context of the user.\n\n Please note that in order to trigger the vulnerability, the server must\n be configured with a log file name (by default, it's disabled).", "references": [ "CVE-2012-5002", "OSVDB-79691", "URL-http://secunia.com/advisories/47912", "URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/ricoh_dl_bof.rb", "is_install_path": true, "ref_name": "windows/ftp/ricoh_dl_bof", "check": true }, "exploit_windows/ftp/sami_ftpd_list": { "name": "Sami FTP Server LIST Command Buffer Overflow", "full_name": "exploit/windows/ftp/sami_ftpd_list", "rank": 100, "disclosure_date": "2013-02-27", "type": "exploit", "author": [ "superkojiman", "Doug Prostko " ], "description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. On the other hand, the source IP address used\n to connect with the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. 
This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.", "references": [ "OSVDB-90815", "BID-58247", "EDB-24557" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Sami FTP Server 2.0.1 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/sami_ftpd_list.rb", "is_install_path": true, "ref_name": "windows/ftp/sami_ftpd_list", "check": false }, "exploit_windows/ftp/sami_ftpd_user": { "name": "KarjaSoft Sami FTP Server v2.02 USER Overflow", "full_name": "exploit/windows/ftp/sami_ftpd_user", "rank": 300, "disclosure_date": "2006-01-24", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits the KarjaSoft Sami FTP Server version 2.02\n by sending an excessively long USER string. The stack is overwritten\n when the administrator attempts to view the FTP logs. Therefore, this exploit\n is passive and requires end-user interaction. Keep this in mind when selecting\n payloads. 
When the server is restarted, it will re-execute the exploit until\n the logfile is manually deleted via the file system.", "references": [ "CVE-2006-0441", "CVE-2006-2212", "OSVDB-25670", "BID-16370", "BID-22045", "BID-17835", "EDB-1448", "EDB-1452", "EDB-1462", "EDB-3127", "EDB-3140" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": 21, "targets": [ "Automatic", "Windows 2000 Pro All - English", "Windows 2000 Pro All - Italian", "Windows 2000 Pro All - French", "Windows XP SP0/1 - English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/ftp/sami_ftpd_user.rb", "is_install_path": true, "ref_name": "windows/ftp/sami_ftpd_user", "check": true }, "exploit_windows/ftp/sasser_ftpd_port": { "name": "Sasser Worm avserve FTP PORT Buffer Overflow", "full_name": "exploit/windows/ftp/sasser_ftpd_port", "rank": 200, "disclosure_date": "2004-05-10", "type": "exploit", "author": [ "valsmith ", "chamuco ", "aushack " ], "description": "This module exploits the FTP server component of the Sasser worm.\n By sending an overly long PORT command the stack can be overwritten.", "references": [ "OSVDB-6197" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 5554, "targets": [ "Windows XP SP0", "Windows XP SP1" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/ftp/sasser_ftpd_port.rb", "is_install_path": true, "ref_name": "windows/ftp/sasser_ftpd_port", "check": false }, "exploit_windows/ftp/scriptftp_list": { "name": "ScriptFTP LIST Remote Buffer Overflow", "full_name": "exploit/windows/ftp/scriptftp_list", "rank": 400, "disclosure_date": "2011-10-12", "type": "exploit", "author": [ "modpr0be", "TecR0c ", "mr_me " ], "description": "AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\n vulnerability that is triggered when processing a sufficiently long\n filename during a FTP LIST command resulting in overwriting the\n exception 
handler. Social engineering of executing a specially crafted\n ftp file by double click will result in connecting to our malicious\n server and perform arbitrary code execution which allows the attacker to\n gain the same rights as the user running ScriptFTP. This vulnerability\n affects versions 3.3 and earlier.", "references": [ "CVE-2011-3976", "OSVDB-75633", "EDB-17876", "US-CERT-VU-440219" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 / Windows Vista" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/scriptftp_list.rb", "is_install_path": true, "ref_name": "windows/ftp/scriptftp_list", "check": false }, "exploit_windows/ftp/seagull_list_reply": { "name": "Seagull FTP v3.3 Build 409 Stack Buffer Overflow", "full_name": "exploit/windows/ftp/seagull_list_reply", "rank": 400, "disclosure_date": "2010-10-12", "type": "exploit", "author": [ "corelanc0d3r " ], "description": "This module exploits a buffer overflow in the Seagull FTP client that gets\n triggered when the ftp client processes a response to a LIST command. 
If the\n response contains an overly long file/folder name, a buffer overflow occurs,\n overwriting a structured exception handler.", "references": [ "OSVDB-94556", "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "XP Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/seagull_list_reply.rb", "is_install_path": true, "ref_name": "windows/ftp/seagull_list_reply", "check": false }, "exploit_windows/ftp/servu_chmod": { "name": "Serv-U FTP Server Buffer Overflow", "full_name": "exploit/windows/ftp/servu_chmod", "rank": 300, "disclosure_date": "2004-12-31", "type": "exploit", "author": [ "theLightCosine " ], "description": "This module exploits a stack buffer overflow in the site chmod command\n in versions of Serv-U FTP Server prior to 4.2.\n\n You must have valid credentials to trigger this vulnerability. Exploitation\n also leaves the service in a non-functional state.", "references": [ "CVE-2004-2111", "OSVDB-3713", "BID-9483" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 SP0-4 EN", "Windows XP SP0-1 EN" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/servu_chmod.rb", "is_install_path": true, "ref_name": "windows/ftp/servu_chmod", "check": true }, "exploit_windows/ftp/servu_mdtm": { "name": "Serv-U FTPD MDTM Overflow", "full_name": "exploit/windows/ftp/servu_mdtm", "rank": 400, "disclosure_date": "2004-02-26", "type": "exploit", "author": [ "spoonm " ], "description": "This is an exploit for the Serv-U\\'s MDTM command timezone\n overflow. It has been heavily tested against versions\n 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n nt4/2k/xp/2k3. I have also had success against version 3,\n but only tested 1 version/os. 
The bug is in all versions\n prior to 5.0.0.4, but this exploit will not work against\n versions not listed above. You only get one shot, but it\n should be OS/SP independent.\n\n This exploit is a single hit, the service dies after the\n shellcode finishes execution.", "references": [ "CVE-2004-0330", "OSVDB-4073", "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html", "BID-9751" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Serv-U Uber-Leet Universal ServUDaemon.exe", "Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe", "Serv-U 5.0.0.0 ServUDaemon.exe" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/servu_mdtm.rb", "is_install_path": true, "ref_name": "windows/ftp/servu_mdtm", "check": true }, "exploit_windows/ftp/slimftpd_list_concat": { "name": "SlimFTPd LIST Concatenation Overflow", "full_name": "exploit/windows/ftp/slimftpd_list_concat", "rank": 500, "disclosure_date": "2005-07-21", "type": "exploit", "author": [ "Fairuzan Roslan " ], "description": "This module exploits a stack buffer overflow in the SlimFTPd\n server. The flaw is triggered when a LIST command is\n received with an overly-long argument. 
This vulnerability\n affects all versions of SlimFTPd prior to 3.16 and was\n discovered by Raphael Rigo.", "references": [ "CVE-2005-2373", "OSVDB-18172", "BID-14339" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "SlimFTPd Server <= 3.16 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/slimftpd_list_concat.rb", "is_install_path": true, "ref_name": "windows/ftp/slimftpd_list_concat", "check": false }, "exploit_windows/ftp/trellian_client_pasv": { "name": "Trellian FTP Client 3.01 PASV Remote Buffer Overflow", "full_name": "exploit/windows/ftp/trellian_client_pasv", "rank": 300, "disclosure_date": "2010-04-11", "type": "exploit", "author": [ "zombiefx", "dookie" ], "description": "This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n through an excessively long PASV message.", "references": [ "CVE-2010-1465", "OSVDB-63812", "EDB-12152" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/trellian_client_pasv.rb", "is_install_path": true, "ref_name": "windows/ftp/trellian_client_pasv", "check": false }, "exploit_windows/ftp/turboftp_port": { "name": "Turbo FTP Server 1.30.823 PORT Overflow", "full_name": "exploit/windows/ftp/turboftp_port", "rank": 500, "disclosure_date": "2012-10-03", "type": "exploit", "author": [ "Zhao Liang", "Lincoln", "corelanc0d3r", "thelightcosine" ], "description": "This module exploits a buffer overflow vulnerability found in the PORT\n command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote\n code execution under the context of SYSTEM.", "references": [ "EDB-22161", "OSVDB-85887" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows Universal TurboFtp 1.30.823", 
"Windows Universal TurboFtp 1.30.826" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/turboftp_port.rb", "is_install_path": true, "ref_name": "windows/ftp/turboftp_port", "check": true }, "exploit_windows/ftp/vermillion_ftpd_port": { "name": "Vermillion FTP Daemon PORT Command Memory Corruption", "full_name": "exploit/windows/ftp/vermillion_ftpd_port", "rank": 500, "disclosure_date": "2009-09-23", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits an out-of-bounds array access in the Arcane Software\n Vermillion FTP server. By sending a specially crafted FTP PORT command,\n an attacker can corrupt stack memory and execute arbitrary code.\n\n This particular issue is caused by processing data bound by attacker\n controlled input while writing into a 4 byte stack buffer. Unfortunately,\n the writing that occurs is not a simple byte copy.\n\n Processing is done using a source ptr (p) and a destination pointer (q).\n The vulnerable function walks the input string and continues while the\n source byte is non-null. If a comma is encountered, the function increments\n the destination pointer. If an ascii digit [0-9] is encountered, the\n following occurs:\n\n *q = (*q * 10) + (*p - '0');\n\n All other input characters are ignored in this loop.\n\n As a consequence, an attacker must craft input such that modifications\n to the current values on the stack result in usable values. In this exploit,\n the low two bytes of the return address are adjusted to point at the\n location of a 'call edi' instruction within the binary. 
This was chosen\n since 'edi' points at the source buffer when the function returns.\n\n NOTE: This server can be installed as a service using \"vftpd.exe install\".\n If so, the service does not restart automatically, giving an attacker only\n one attempt.", "references": [ "OSVDB-62163", "EDB-11293" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic Targeting", "vftpd 1.31 - Windows XP SP3 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb", "is_install_path": true, "ref_name": "windows/ftp/vermillion_ftpd_port", "check": true }, "exploit_windows/ftp/warftpd_165_pass": { "name": "War-FTPD 1.65 Password Overflow", "full_name": "exploit/windows/ftp/warftpd_165_pass", "rank": 200, "disclosure_date": "1998-03-19", "type": "exploit", "author": [ "hdm " ], "description": "This exploits the buffer overflow found in the PASS command\n in War-FTPD 1.65. This particular module will only work\n reliably against Windows 2000 targets. The server must be\n configured to allow anonymous logins for this exploit to\n succeed. 
A failed attempt will bring down the service\n completely.", "references": [ "CVE-1999-0256", "OSVDB-875", "BID-10078" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/warftpd_165_pass.rb", "is_install_path": true, "ref_name": "windows/ftp/warftpd_165_pass", "check": false }, "exploit_windows/ftp/warftpd_165_user": { "name": "War-FTPD 1.65 Username Overflow", "full_name": "exploit/windows/ftp/warftpd_165_user", "rank": 200, "disclosure_date": "1998-03-19", "type": "exploit", "author": [ "Fairuzan Roslan " ], "description": "This module exploits a buffer overflow found in the USER command\n of War-FTPD 1.65.", "references": [ "CVE-1999-0256", "OSVDB-875", "BID-10078" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Automatic", "Windows 2000 SP0-SP4 English", "Windows XP SP0-SP1 English", "Windows XP SP2 English", "Windows XP SP3 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/warftpd_165_user.rb", "is_install_path": true, "ref_name": "windows/ftp/warftpd_165_user", "check": false }, "exploit_windows/ftp/wftpd_size": { "name": "Texas Imperial Software WFTPD 3.23 SIZE Overflow", "full_name": "exploit/windows/ftp/wftpd_size", "rank": 200, "disclosure_date": "2006-08-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the SIZE verb in\n Texas Imperial's Software WFTPD 3.23.", "references": [ "CVE-2006-4318", "OSVDB-28134", "BID-19617" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 Pro SP4 English", "Windows XP Pro SP1 English", "Windows XP Pro SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/wftpd_size.rb", "is_install_path": true, "ref_name": 
"windows/ftp/wftpd_size", "check": false }, "exploit_windows/ftp/winaxe_server_ready": { "name": "WinaXe 7.7 FTP Client Remote Buffer Overflow", "full_name": "exploit/windows/ftp/winaxe_server_ready", "rank": 400, "disclosure_date": "2016-11-03", "type": "exploit", "author": [ "Chris Higgins", "hyp3rlix" ], "description": "This module exploits a buffer overflow in the WinaXe 7.7 FTP client.\n This issue is triggered when a client connects to the server and is\n expecting the Server Ready response.", "references": [ "EDB-40693", "URL-http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/winaxe_server_ready.rb", "is_install_path": true, "ref_name": "windows/ftp/winaxe_server_ready", "check": false }, "exploit_windows/ftp/wing_ftp_admin_exec": { "name": "Wing FTP Server Authenticated Command Execution", "full_name": "exploit/windows/ftp/wing_ftp_admin_exec", "rank": 600, "disclosure_date": "2014-06-19", "type": "exploit", "author": [ "Nicholas Nam " ], "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n versions 4.3.8 and below. 
When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.", "references": [ "URL-http://www.wftpserver.com" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 5466, "targets": [ "Windows VBS Stager" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb", "is_install_path": true, "ref_name": "windows/ftp/wing_ftp_admin_exec", "check": true }, "exploit_windows/ftp/wsftp_server_503_mkd": { "name": "WS-FTP Server 5.03 MKD Overflow", "full_name": "exploit/windows/ftp/wsftp_server_503_mkd", "rank": 500, "disclosure_date": "2004-11-29", "type": "exploit", "author": [ "et ", "Reed Arvin " ], "description": "This module exploits the buffer overflow found in the MKD\n command in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n Arvin.", "references": [ "CVE-2004-1135", "OSVDB-12509", "BID-11772" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "WS-FTP Server 5.03 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb", "is_install_path": true, "ref_name": "windows/ftp/wsftp_server_503_mkd", "check": true }, "exploit_windows/ftp/wsftp_server_505_xmd5": { "name": "Ipswitch WS_FTP Server 5.05 XMD5 Overflow", "full_name": "exploit/windows/ftp/wsftp_server_505_xmd5", "rank": 200, "disclosure_date": "2006-09-14", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the XMD5 verb in\n IPSWITCH WS_FTP Server 5.05.", "references": [ "CVE-2006-4847", "OSVDB-28939", "BID-20076" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Windows 2000 Pro SP4 English", "Windows XP Pro SP0 English", "Windows XP Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb", "is_install_path": true, "ref_name": "windows/ftp/wsftp_server_505_xmd5", "check": true }, "exploit_windows/ftp/xftp_client_pwd": { "name": "Xftp FTP Client 3.0 PWD Remote Buffer Overflow", "full_name": "exploit/windows/ftp/xftp_client_pwd", "rank": 300, "disclosure_date": "2010-04-22", "type": "exploit", "author": [ "zombiefx", "dookie" ], "description": "This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n through an excessively long PWD message.", "references": [ "OSVDB-63968", "EDB-12332" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/xftp_client_pwd.rb", "is_install_path": true, "ref_name": "windows/ftp/xftp_client_pwd", "check": false }, "exploit_windows/ftp/xlink_client": { "name": "Xlink FTP Client Buffer Overflow", "full_name": "exploit/windows/ftp/xlink_client", "rank": 300, "disclosure_date": "2009-10-03", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Xlink FTP Client 32\n Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP server response is received by a client,\n arbitrary code may be executed.", "references": [ "CVE-2006-5792", "OSVDB-33969", "URL-http://www.xlink.com" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Pro SP3 English", "Windows 2000 SP4 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/ftp/xlink_client.rb", "is_install_path": true, "ref_name": "windows/ftp/xlink_client", "check": false }, "exploit_windows/ftp/xlink_server": { "name": "Xlink FTP Server Buffer Overflow", "full_name": "exploit/windows/ftp/xlink_server", "rank": 400, "disclosure_date": "2009-10-03", "type": "exploit", "author": 
[ "MC " ], "description": "This module exploits a stack buffer overflow in Xlink FTP Server\n that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP request is sent to the server,\n arbitrary code may be executed.", "references": [ "CVE-2006-5792", "OSVDB-58646", "URL-http://www.xlink.com" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 21, "targets": [ "Omni-NFS Enterprise V5.2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ftp/xlink_server.rb", "is_install_path": true, "ref_name": "windows/ftp/xlink_server", "check": true }, "exploit_windows/games/mohaa_getinfo": { "name": "Medal of Honor Allied Assault getinfo Stack Buffer Overflow", "full_name": "exploit/windows/games/mohaa_getinfo", "rank": 500, "disclosure_date": "2004-07-17", "type": "exploit", "author": [ "Jacopo Cervini" ], "description": "This module exploits a stack based buffer overflow in the getinfo\n command of Medal Of Honor Allied Assault.", "references": [ "CVE-2004-0735", "OSVDB-8061", "EDB-357", "BID-10743" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 12203, "targets": [ "Medal Of Honor Allied Assault v 1.0 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/games/mohaa_getinfo.rb", "is_install_path": true, "ref_name": "windows/games/mohaa_getinfo", "check": false }, "exploit_windows/games/racer_503beta5": { "name": "Racer v0.5.3 Beta 5 Buffer Overflow", "full_name": "exploit/windows/games/racer_503beta5", "rank": 500, "disclosure_date": "2008-08-10", "type": "exploit", "author": [ "Trancek " ], "description": "This module exploits the Racer Car and Racing Simulator game\n versions v0.5.3 beta 5 and earlier. Both the client and server listen\n on UDP port 26000. 
By sending an overly long buffer we are able to\n execute arbitrary code remotely.", "references": [ "CVE-2007-4370", "OSVDB-39601", "EDB-4283", "BID-25297" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 26000, "targets": [ "Fmodex.dll - Universal", "Win XP SP2 English", "Win XP SP2 Spanish" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/games/racer_503beta5.rb", "is_install_path": true, "ref_name": "windows/games/racer_503beta5", "check": false }, "exploit_windows/games/ut2004_secure": { "name": "Unreal Tournament 2004 \"secure\" Overflow (Win32)", "full_name": "exploit/windows/games/ut2004_secure", "rank": 400, "disclosure_date": "2004-06-18", "type": "exploit", "author": [ "stinko " ], "description": "This is an exploit for the GameSpy secure query in\n the Unreal Engine.\n\n This exploit only requires one UDP packet, which can\n be both spoofed and sent to a broadcast address.\n Usually, the GameSpy query server listens on port 7787,\n but you can manually specify the port as well.\n\n The RunServer.sh script will automatically restart the\n server upon a crash, giving us the ability to\n bruteforce the service and exploit it multiple\n times.", "references": [ "CVE-2004-0608", "OSVDB-7217", "BID-10570" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7787, "targets": [ "UT2004 Build 3186" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/games/ut2004_secure.rb", "is_install_path": true, "ref_name": "windows/games/ut2004_secure", "check": true }, "exploit_windows/http/adobe_robohelper_authbypass": { "name": "Adobe RoboHelp Server 8 Arbitrary File Upload and Execute", "full_name": "exploit/windows/http/adobe_robohelper_authbypass", "rank": 600, "disclosure_date": "2009-09-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits an authentication bypass vulnerability which\n allows remote attackers to 
upload and execute arbitrary code.", "references": [ "CVE-2009-3068", "OSVDB-57896", "URL-http://www.intevydis.com/blog/?p=69", "ZDI-09-066" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Universal Windows Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/adobe_robohelper_authbypass.rb", "is_install_path": true, "ref_name": "windows/http/adobe_robohelper_authbypass", "check": false }, "exploit_windows/http/altn_securitygateway": { "name": "Alt-N SecurityGateway username Buffer Overflow", "full_name": "exploit/windows/http/altn_securitygateway", "rank": 200, "disclosure_date": "2008-06-02", "type": "exploit", "author": [ "jduck " ], "description": "Alt-N SecurityGateway is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the \"username\"\n parameter. Successful exploitation could result in code\n execution with SYSTEM level privileges.\n\n NOTE: This service doesn't restart, you'll only get one shot. However,\n it often survives a successful exploitation attempt.", "references": [ "CVE-2008-4193", "OSVDB-45854", "BID-29457" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 4000, "targets": [ "Automatic Targeting", "SecurityGateway 1.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/altn_securitygateway.rb", "is_install_path": true, "ref_name": "windows/http/altn_securitygateway", "check": true }, "exploit_windows/http/altn_webadmin": { "name": "Alt-N WebAdmin USER Buffer Overflow", "full_name": "exploit/windows/http/altn_webadmin", "rank": 200, "disclosure_date": "2003-06-24", "type": "exploit", "author": [ "MC " ], "description": "Alt-N WebAdmin is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the USER\n parameter. 
Successful exploitation could result in code\n execution with SYSTEM level privileges.", "references": [ "CVE-2003-0471", "OSVDB-2207", "BID-8024", "URL-http://www.nessus.org/plugins/index.php?view=single&id=11771" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1000, "targets": [ "Automatic", "WebAdmin 2.0.4 Universal", "WebAdmin 2.0.3 Universal", "WebAdmin 2.0.2 Universal", "WebAdmin 2.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/altn_webadmin.rb", "is_install_path": true, "ref_name": "windows/http/altn_webadmin", "check": false }, "exploit_windows/http/amlibweb_webquerydll_app": { "name": "Amlibweb NetOpacs webquery.dll Stack Buffer Overflow", "full_name": "exploit/windows/http/amlibweb_webquerydll_app", "rank": 300, "disclosure_date": "2010-08-03", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in Amlib's Amlibweb\n Library Management System (NetOpacs). The webquery.dll\n API is available through IIS requests. 
By specifying\n an overly long string to the 'app' parameter, SeH can be\n reliably overwritten allowing for arbitrary remote code execution.\n In addition, it is possible to overwrite EIP by specifying\n an arbitrary parameter name with an '=' terminator.", "references": [ "OSVDB-66814", "BID-42293", "URL-http://www.aushack.com/advisories/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Windows 2000 Pro All - English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb", "is_install_path": true, "ref_name": "windows/http/amlibweb_webquerydll_app", "check": true }, "exploit_windows/http/apache_chunked": { "name": "Apache Win32 Chunked Encoding", "full_name": "exploit/windows/http/apache_chunked", "rank": 400, "disclosure_date": "2002-06-19", "type": "exploit", "author": [ "hdm ", "jduck " ], "description": "This module exploits the chunked transfer integer wrap\n vulnerability in Apache version 1.2.x to 1.3.24. This\n particular module has been tested with all versions of the\n official Win32 build between 1.3.9 and 1.3.24. Additionally,\n it should work against most co-branded and bundled versions\n of Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n You will need to use the Check() functionality to determine\n the exact target version prior to launching the exploit. 
The\n version of Apache bundled with Oracle 8.1.7 will not\n automatically restart, so if you use the wrong target value,\n the server will crash.", "references": [ "CVE-2002-0392", "OSVDB-838", "BID-5033" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows Generic Bruteforce", "Apache.org Build 1.3.9->1.3.19", "Apache.org Build 1.3.22->1.3.24", "Apache.org Build 1.3.19->1.3.24", "Apache.org Build 1.3.22", "Apache.org Build 1.3.17->1.3.24 (Windows 2000)", "Apache.org Build 1.3.17->1.3.24 (Windows NT)", "Windows 2003 English SP0", "Windows 2000 English", "Oracle 8.1.7 Apache 1.3.12", "Oracle 9.1.0 Apache 1.3.12", "Oracle 9.2.0 Apache 1.3.22", "Debugging Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/apache_chunked.rb", "is_install_path": true, "ref_name": "windows/http/apache_chunked", "check": true }, "exploit_windows/http/apache_mod_rewrite_ldap": { "name": "Apache Module mod_rewrite LDAP Protocol Buffer Overflow", "full_name": "exploit/windows/http/apache_mod_rewrite_ldap", "rank": 500, "disclosure_date": "2006-07-28", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits the mod_rewrite LDAP protocol scheme handling\n flaw discovered by Mark Dowd, which produces an off-by-one overflow.\n Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n This module requires REWRITEPATH to be set accurately. 
In addition,\n the target must have 'RewriteEngine on' configured, with a specific\n 'RewriteRule' condition enabled to allow for exploitation.\n\n The flaw affects multiple platforms, however this module currently\n only supports Windows based installations.", "references": [ "CVE-2006-3747", "OSVDB-27588", "BID-19204", "URL-http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html", "EDB-3680", "EDB-3996", "EDB-2237" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb", "is_install_path": true, "ref_name": "windows/http/apache_mod_rewrite_ldap", "check": true }, "exploit_windows/http/apache_modjk_overflow": { "name": "Apache mod_jk 1.2.20 Buffer Overflow", "full_name": "exploit/windows/http/apache_modjk_overflow", "rank": 500, "disclosure_date": "2007-03-02", "type": "exploit", "author": [ "Nicob " ], "description": "This is a stack buffer overflow exploit for mod_jk 1.2.20.\n Should work on any Win32 OS.", "references": [ "CVE-2007-0774", "OSVDB-33855", "BID-22791", "ZDI-07-008" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/apache_modjk_overflow.rb", "is_install_path": true, "ref_name": "windows/http/apache_modjk_overflow", "check": true }, "exploit_windows/http/avaya_ccr_imageupload_exec": { "name": "Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution", "full_name": "exploit/windows/http/avaya_ccr_imageupload_exec", "rank": 600, "disclosure_date": "2012-06-28", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits an authentication bypass vulnerability on Avaya IP Office\n Customer Call Reporter, which allows 
a remote user to upload arbitrary files\n through the ImageUpload.ashx component. It can be abused to upload and execute\n arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP\n Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.", "references": [ "CVE-2012-3811", "OSVDB-83399", "BID-54225", "URL-https://downloads.avaya.com/css/P8/documents/100164021", "ZDI-12-106" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Avaya IP Office Customer Call Reporter 7.0 and 8.0 / Microsoft Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb", "is_install_path": true, "ref_name": "windows/http/avaya_ccr_imageupload_exec", "check": false }, "exploit_windows/http/badblue_ext_overflow": { "name": "BadBlue 2.5 EXT.dll Buffer Overflow", "full_name": "exploit/windows/http/badblue_ext_overflow", "rank": 500, "disclosure_date": "2003-04-20", "type": "exploit", "author": [ "acaro " ], "description": "This is a stack buffer overflow exploit for BadBlue version 2.5.", "references": [ "CVE-2005-0595", "OSVDB-14238", "BID-7387" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "BadBlue 2.5 (Universal)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/badblue_ext_overflow.rb", "is_install_path": true, "ref_name": "windows/http/badblue_ext_overflow", "check": true }, "exploit_windows/http/badblue_passthru": { "name": "BadBlue 2.72b PassThru Buffer Overflow", "full_name": "exploit/windows/http/badblue_passthru", "rank": 500, "disclosure_date": "2007-12-10", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the PassThru\n functionality in ext.dll in BadBlue 2.72b and earlier.", "references": [ "CVE-2007-6377", "OSVDB-42416", "BID-26803" ], "is_server": true, 
"is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "BadBlue EE 2.7 Universal", "BadBlue 2.72b Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/badblue_passthru.rb", "is_install_path": true, "ref_name": "windows/http/badblue_passthru", "check": false }, "exploit_windows/http/bea_weblogic_jsessionid": { "name": "BEA WebLogic JSESSIONID Cookie Value Overflow", "full_name": "exploit/windows/http/bea_weblogic_jsessionid", "rank": 400, "disclosure_date": "2009-01-13", "type": "exploit", "author": [ "pusscat " ], "description": "This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable\n code is only accessible when clustering is configured. A request containing a\n long JSESSION cookie value can lead to arbitrary code execution.", "references": [ "CVE-2008-5457", "OSVDB-51311" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows Apache 2.2 - WebLogic module version 1.0.1136334", "Windows Apache 2.2 - WebLogic module version 1.0.1150354" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/bea_weblogic_jsessionid.rb", "is_install_path": true, "ref_name": "windows/http/bea_weblogic_jsessionid", "check": false }, "exploit_windows/http/bea_weblogic_post_bof": { "name": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", "full_name": "exploit/windows/http/bea_weblogic_post_bof", "rank": 500, "disclosure_date": "2008-07-17", "type": "exploit", "author": [ "KingCope", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin.\n\n The connector fails to properly handle specially crafted HTTP POST\n requests, resulting a buffer overflow due to the insecure usage\n of sprintf. 
Currently, this module works over Windows systems without DEP,\n and has been tested with Windows 2000 / XP.\n\n In addition, the Weblogic Apache plugin version is fingerprinted with a POST\n request containing a specially crafted Transfer-Encoding header.", "references": [ "CVE-2008-3257", "OSVDB-47096", "BID-30273" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", "BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", "BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/bea_weblogic_post_bof.rb", "is_install_path": true, "ref_name": "windows/http/bea_weblogic_post_bof", "check": true }, "exploit_windows/http/bea_weblogic_transfer_encoding": { "name": "BEA Weblogic Transfer-Encoding Buffer Overflow", "full_name": "exploit/windows/http/bea_weblogic_transfer_encoding", "rank": 500, "disclosure_date": "2008-09-09", "type": "exploit", "author": [ "pusscat " ], "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin. 
This vulnerability exists in the\n error reporting for unknown Transfer-Encoding headers.\n You may have to run this twice due to timing issues with handlers.", "references": [ "CVE-2008-4008", "OSVDB-49283" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows Apache 2.2 version Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb", "is_install_path": true, "ref_name": "windows/http/bea_weblogic_transfer_encoding", "check": false }, "exploit_windows/http/belkin_bulldog": { "name": "Belkin Bulldog Plus Web Service Buffer Overflow", "full_name": "exploit/windows/http/belkin_bulldog", "rank": 200, "disclosure_date": "2009-03-08", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Belkin Bulldog Plus\n 4.0.2 build 1219. When sending a specially crafted http request,\n an attacker may be able to execute arbitrary code.", "references": [ "OSVDB-54395", "BID-34033", "EDB-8173" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP3 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/belkin_bulldog.rb", "is_install_path": true, "ref_name": "windows/http/belkin_bulldog", "check": false }, "exploit_windows/http/ca_arcserve_rpc_authbypass": { "name": "CA Arcserve D2D GWT RPC Credential Information Disclosure", "full_name": "exploit/windows/http/ca_arcserve_rpc_authbypass", "rank": 600, "disclosure_date": "2011-07-25", "type": "exploit", "author": [ "bannedit ", "rgod" ], "description": "This module exploits an information disclosure vulnerability in the CA Arcserve\n D2D r15 web server. The information disclosure can be triggered by sending a\n specially crafted RPC request to the homepage servlet. 
This causes CA Arcserve to\n disclose the username and password in cleartext used for authentication. This\n username and password pair are Windows credentials with Administrator access.", "references": [ "CVE-2011-3011", "OSVDB-74162", "EDB-17574" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8014, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb", "is_install_path": true, "ref_name": "windows/http/ca_arcserve_rpc_authbypass", "check": false }, "exploit_windows/http/ca_igateway_debug": { "name": "CA iTechnology iGateway Debug Mode Buffer Overflow", "full_name": "exploit/windows/http/ca_igateway_debug", "rank": 200, "disclosure_date": "2005-10-06", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a vulnerability in the Computer Associates\n iTechnology iGateway component. When True is enabled\n in igateway.conf (non-default), it is possible to overwrite the stack\n and execute code remotely. 
This module works best with Ordinal payloads.", "references": [ "CVE-2005-3190", "OSVDB-19920", "URL-http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485", "EDB-1243", "BID-15025" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5250, "targets": [ "iGateway 3.0.40621.0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/ca_igateway_debug.rb", "is_install_path": true, "ref_name": "windows/http/ca_igateway_debug", "check": true }, "exploit_windows/http/ca_totaldefense_regeneratereports": { "name": "CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection", "full_name": "exploit/windows/http/ca_totaldefense_regeneratereports", "rank": 600, "disclosure_date": "2011-04-13", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a SQL injection flaw in CA Total Defense Suite R12.\n When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an\n attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql\n statements into the ReportIDs element.", "references": [ "ZDI-11-134", "OSVDB-74968", "CVE-2011-1653" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 34443, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb", "is_install_path": true, "ref_name": "windows/http/ca_totaldefense_regeneratereports", "check": false }, "exploit_windows/http/cogent_datahub_command": { "name": "Cogent DataHub Command Injection", "full_name": "exploit/windows/http/cogent_datahub_command", "rank": 0, "disclosure_date": "2014-04-29", "type": "exploit", "author": [ "John Leitch", "juan vazquez " ], "description": "This module exploits an injection vulnerability in Cogent DataHub prior\n to 7.3.5. 
The vulnerability exists in the GetPermissions.asp page, which\n makes insecure use of the datahub_command function with user controlled\n data, allowing execution of arbitrary datahub commands and scripts. This\n module has been tested successfully with Cogent DataHub 7.3.4 on\n Windows 7 SP1. Please also note that after exploitation, the remote service\n will most likely hang and restart manually.", "references": [ "ZDI-14-136", "CVE-2014-3789", "BID-67486" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Cogent DataHub < 7.3.5" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/cogent_datahub_command.rb", "is_install_path": true, "ref_name": "windows/http/cogent_datahub_command", "check": true }, "exploit_windows/http/cogent_datahub_request_headers_bof": { "name": "Cogent DataHub HTTP Server Buffer Overflow", "full_name": "exploit/windows/http/cogent_datahub_request_headers_bof", "rank": 300, "disclosure_date": "2013-07-26", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The\n vulnerability exists in the HTTP server. While handling HTTP headers, a\n strncpy() function is used in a dangerous way. 
This module has been tested\n successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.", "references": [ "CVE-2013-0680", "OSVDB-95819", "BID-53455", "ZDI-13-178", "URL-http://www.cogentdatahub.com/Info/130712_ZDI-CAN-1915_Response.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP3 English / Cogent DataHub 7.3.0" ], "mod_time": "2018-07-09 13:22:08 +0000", "path": "/modules/exploits/windows/http/cogent_datahub_request_headers_bof.rb", "is_install_path": true, "ref_name": "windows/http/cogent_datahub_request_headers_bof", "check": true }, "exploit_windows/http/coldfusion_fckeditor": { "name": "ColdFusion 8.0.1 Arbitrary File Upload and Execute", "full_name": "exploit/windows/http/coldfusion_fckeditor", "rank": 600, "disclosure_date": "2009-07-03", "type": "exploit", "author": [ "MC " ], "description": "This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n and Execute vulnerability.", "references": [ "CVE-2009-2265", "OSVDB-55684" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Universal Windows Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/coldfusion_fckeditor.rb", "is_install_path": true, "ref_name": "windows/http/coldfusion_fckeditor", "check": false }, "exploit_windows/http/cyclope_ess_sqli": { "name": "Cyclope Employee Surveillance Solution v6 SQL Injection", "full_name": "exploit/windows/http/cyclope_ess_sqli", "rank": 600, "disclosure_date": "2012-08-08", "type": "exploit", "author": [ "loneferret", "sinn3r " ], "description": "This module exploits a SQL injection found in Cyclope Employee Surveillance\n Solution. 
Because the login script does not properly handle the user-supplied\n username parameter, a malicious user can manipulate the SQL query, which allows\n arbitrary code execution under the context of 'SYSTEM'.", "references": [ "OSVDB-84517", "EDB-20393" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7879, "targets": [ "Cyclope Employee Surveillance Solution v6.2 or older" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/cyclope_ess_sqli.rb", "is_install_path": true, "ref_name": "windows/http/cyclope_ess_sqli", "check": true }, "exploit_windows/http/desktopcentral_file_upload": { "name": "ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload", "full_name": "exploit/windows/http/desktopcentral_file_upload", "rank": 600, "disclosure_date": "2013-11-11", "type": "exploit", "author": [ "Thomas Hibbert " ], "description": "This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to\n v8 build 80293. 
A malicious user can upload a JSP file into the web root without\n authentication, leading to arbitrary code execution as SYSTEM.", "references": [ "CVE-2013-7390", "OSVDB-100008", "URL-http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf", "URL-http://seclists.org/fulldisclosure/2013/Nov/130" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8020, "targets": [ "Desktop Central v7 - v8 build 80292 / Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/desktopcentral_file_upload.rb", "is_install_path": true, "ref_name": "windows/http/desktopcentral_file_upload", "check": true }, "exploit_windows/http/desktopcentral_statusupdate_upload": { "name": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload", "full_name": "exploit/windows/http/desktopcentral_statusupdate_upload", "rank": 600, "disclosure_date": "2014-08-31", "type": "exploit", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral\n v7 to v9 build 90054 (including the MSP versions).\n A malicious user can upload a JSP file into the web root without authentication, leading to\n arbitrary code execution as SYSTEM. 
Some early builds of version 7 are not exploitable as\n they do not ship with a bundled Java compiler.", "references": [ "CVE-2014-5005", "OSVDB-110643", "URL-http://seclists.org/fulldisclosure/2014/Aug/88" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8020, "targets": [ "Desktop Central v7 to v9 build 90054 / Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb", "is_install_path": true, "ref_name": "windows/http/desktopcentral_statusupdate_upload", "check": true }, "exploit_windows/http/disk_pulse_enterprise_bof": { "name": "Disk Pulse Enterprise Login Buffer Overflow", "full_name": "exploit/windows/http/disk_pulse_enterprise_bof", "rank": 600, "disclosure_date": "2016-10-03", "type": "exploit", "author": [ "Chris Higgins", "Tulpa Security" ], "description": "This module exploits a stack buffer overflow in Disk Pulse Enterprise\n 9.0.34. If a malicious user sends a malicious HTTP login request,\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account. Due to size constraints, this module\n uses the Egghunter technique.", "references": [ "EDB-40452" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Disk Pulse Enterprise 9.0.34" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb", "is_install_path": true, "ref_name": "windows/http/disk_pulse_enterprise_bof", "check": true }, "exploit_windows/http/disk_pulse_enterprise_get": { "name": "Disk Pulse Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/disk_pulse_enterprise_get", "rank": 600, "disclosure_date": "2017-08-25", "type": "exploit", "author": [ "Chance Johnson", "Nipun Jaswal & Anurag Srivastava" ], "description": "This module exploits an SEH buffer overflow in Disk Pulse Enterprise\n 9.9.16. 
If a malicious user sends a crafted HTTP GET request\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account.", "references": [ "EDB-42560" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Disk Pulse Enterprise 9.9.16" ], "mod_time": "2017-09-13 11:46:57 +0000", "path": "/modules/exploits/windows/http/disk_pulse_enterprise_get.rb", "is_install_path": true, "ref_name": "windows/http/disk_pulse_enterprise_get", "check": true }, "exploit_windows/http/diskboss_get_bof": { "name": "DiskBoss Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/diskboss_get_bof", "rank": 600, "disclosure_date": "2016-12-05", "type": "exploit", "author": [ "vportal", "Ahmad Mahfouz", "Gabor Seljan", "Jacob Robles" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", "references": [ "EDB-40869", "EDB-42395" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Targeting", "DiskBoss Enterprise v7.4.28", "DiskBoss Enterprise v7.5.12", "DiskBoss Enterprise v8.2.14" ], "mod_time": "2017-12-08 10:42:43 +0000", "path": "/modules/exploits/windows/http/diskboss_get_bof.rb", "is_install_path": true, "ref_name": "windows/http/diskboss_get_bof", "check": true }, "exploit_windows/http/disksavvy_get_bof": { "name": "DiskSavvy Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/disksavvy_get_bof", "rank": 600, "disclosure_date": "2016-12-01", "type": "exploit", "author": [ "vportal", "Gabor Seljan" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", "references": [ "CVE-2017-6187", "EDB-40869" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Targeting", "DiskSavvy Enterprise v9.1.14", "DiskSavvy Enterprise v9.3.14" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/disksavvy_get_bof.rb", "is_install_path": true, "ref_name": "windows/http/disksavvy_get_bof", "check": true }, "exploit_windows/http/disksorter_bof": { "name": "Disk Sorter Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/disksorter_bof", "rank": 500, "disclosure_date": "2017-03-15", "type": "exploit", "author": [ "Daniel Teixeira" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Disk Sorter Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.", "references": [ "CVE-2017-7230" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Disk Sorter Enterprise v9.5.12" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/disksorter_bof.rb", "is_install_path": true, "ref_name": "windows/http/disksorter_bof", "check": true }, "exploit_windows/http/dup_scout_enterprise_login_bof": { "name": "Dup Scout Enterprise Login Buffer Overflow", "full_name": "exploit/windows/http/dup_scout_enterprise_login_bof", "rank": 600, "disclosure_date": "2017-11-14", "type": "exploit", "author": [ "Chris Higgins", "sickness" ], "description": "This module exploits a stack buffer overflow in Dup Scout Enterprise\n 10.0.18. The buffer overflow exists via the web interface during\n login. 
This gives NT AUTHORITY\\SYSTEM access.", "references": [ "CVE-2017-13696", "EDB-43145" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Dup Scout Enterprise 10.0.18" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb", "is_install_path": true, "ref_name": "windows/http/dup_scout_enterprise_login_bof", "check": true }, "exploit_windows/http/dupscts_bof": { "name": "Dup Scout Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/dupscts_bof", "rank": 500, "disclosure_date": "2017-03-15", "type": "exploit", "author": [ "vportal", "Daniel Teixeira" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Dup Scout Enterprise v9.5.14, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Dup Scout Enterprise v9.5.14" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/dupscts_bof.rb", "is_install_path": true, "ref_name": "windows/http/dupscts_bof", "check": true }, "exploit_windows/http/easychatserver_seh": { "name": "Easy Chat Server User Registration Buffer Overflow (SEH)", "full_name": "exploit/windows/http/easychatserver_seh", "rank": 300, "disclosure_date": "2017-10-09", "type": "exploit", "author": [ "Marco Rivoli", "Aitezaz Mohsin" ], "description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.", "references": [ "EDB-42155" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Easy Chat Server 2.0 to 3.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/http/easychatserver_seh.rb", "is_install_path": true, "ref_name": "windows/http/easychatserver_seh", "check": false }, "exploit_windows/http/easyfilesharing_post": { "name": "Easy File Sharing HTTP Server 7.2 POST Buffer Overflow", "full_name": "exploit/windows/http/easyfilesharing_post", "rank": 300, "disclosure_date": "2017-06-12", "type": "exploit", "author": [ "bl4ck h4ck3r", "Marco Rivoli " ], "description": "This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.", "references": [ "EDB-42186" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Easy File Sharing 7.2 HTTP" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/easyfilesharing_post.rb", "is_install_path": true, "ref_name": "windows/http/easyfilesharing_post", "check": false }, "exploit_windows/http/easyfilesharing_seh": { "name": "Easy File Sharing HTTP Server 7.2 SEH Overflow", "full_name": "exploit/windows/http/easyfilesharing_seh", "rank": 300, "disclosure_date": "2015-12-02", "type": "exploit", "author": [ "Starwarsfan2099 " ], "description": "This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.", "references": [ "EDB-39008" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Easy File Sharing 7.2 HTTP" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/easyfilesharing_seh.rb", "is_install_path": true, "ref_name": "windows/http/easyfilesharing_seh", "check": false }, "exploit_windows/http/easyftp_list": { "name": "EasyFTP Server list.html path Stack Buffer Overflow", "full_name": "exploit/windows/http/easyftp_list", "rank": 500, "disclosure_date": "2010-02-18", "type": "exploit", "author": [ "ThE g0bL!N", "jduck " ], "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. 
EasyFTP fails to check input size when parsing the 'path' parameter\n supplied to an HTTP GET request, which leads to a stack based buffer overflow.\n EasyFTP allows anonymous access by default; valid credentials are typically\n unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n Due to limited space, as well as difficulties using an egghunter, the use of\n staged, ORD, and/or shell payloads is recommended.", "references": [ "OSVDB-66614", "EDB-11500" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Windows XP SP3 - Easy FTP Server Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/easyftp_list.rb", "is_install_path": true, "ref_name": "windows/http/easyftp_list", "check": true }, "exploit_windows/http/edirectory_host": { "name": "Novell eDirectory NDS Server Host Header Overflow", "full_name": "exploit/windows/http/edirectory_host", "rank": 500, "disclosure_date": "2006-10-21", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n The web interface does not validate the length of the\n HTTP Host header prior to using the value of that header in an\n HTTP redirect.", "references": [ "CVE-2006-5478", "OSVDB-29993", "BID-20655" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8028, "targets": [ "Novell eDirectory 8.8.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/edirectory_host.rb", "is_install_path": true, "ref_name": "windows/http/edirectory_host", "check": false }, "exploit_windows/http/edirectory_imonitor": { "name": "eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow", "full_name": "exploit/windows/http/edirectory_imonitor", "rank": 500, "disclosure_date": "2005-08-11", "type": "exploit", "author": [ "Unknown", "Matt Olney " ], "description": 
"This module exploits a stack buffer overflow in eDirectory 8.7.3\n iMonitor service. This vulnerability was discovered by Peter\n Winter-Smith of NGSSoftware.\n\n NOTE: repeated exploitation attempts may cause eDirectory to crash. It does\n not restart automatically in a default installation.", "references": [ "CVE-2005-2551", "OSVDB-18703", "BID-14548" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8008, "targets": [ "Windows (ALL) - eDirectory 8.7.3 iMonitor" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/edirectory_imonitor.rb", "is_install_path": true, "ref_name": "windows/http/edirectory_imonitor", "check": false }, "exploit_windows/http/efs_easychatserver_username": { "name": "EFS Easy Chat Server Authentication Request Handling Buffer Overflow", "full_name": "exploit/windows/http/efs_easychatserver_username", "rank": 500, "disclosure_date": "2007-08-14", "type": "exploit", "author": [ "LSO ", "Brendan Coles " ], "description": "This module exploits a stack buffer overflow in EFS Software Easy Chat\n Server versions 2.0 to 3.1. 
By sending an overly long authentication\n request, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2004-2466", "OSVDB-7416", "OSVDB-106841", "BID-25328" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Targeting", "Easy Chat Server 2.0", "Easy Chat Server 2.1 - 3.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/efs_easychatserver_username.rb", "is_install_path": true, "ref_name": "windows/http/efs_easychatserver_username", "check": true }, "exploit_windows/http/efs_fmws_userid_bof": { "name": "Easy File Management Web Server Stack Buffer Overflow", "full_name": "exploit/windows/http/efs_fmws_userid_bof", "rank": 300, "disclosure_date": "2014-05-20", "type": "exploit", "author": [ "superkojiman", "Julien Ahrens", "TecR0c " ], "description": "Easy File Management Web Server v4.0 and v5.3 contains a stack buffer\n overflow condition that is triggered as user-supplied input is not\n properly validated when handling the UserID cookie. 
This may allow a\n remote attacker to execute arbitrary code.", "references": [ "CVE-2014-3791", "OSVDB-107241", "EDB-33610", "BID-67542", "URL-http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536", "URL-http://www.web-file-management.com/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Automatic Targeting", "Efmws 5.3 Universal", "Efmws 4.0 Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb", "is_install_path": true, "ref_name": "windows/http/efs_fmws_userid_bof", "check": true }, "exploit_windows/http/ektron_xslt_exec": { "name": "Ektron 8.02 XSLT Transform Remote Code Execution", "full_name": "exploit/windows/http/ektron_xslt_exec", "rank": 600, "disclosure_date": "2012-10-16", "type": "exploit", "author": [ "Rich Lundeen", "juan vazquez ", "Nicolas \"Nicob\" Gregoire" ], "description": "This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The\n vulnerability exists due to the insecure usage of XslCompiledTransform, using a\n XSLT controlled by the user. 
The module has been tested successfully on Ektron CMS\n 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK\n SERVICE privileges.", "references": [ "CVE-2012-5357", "OSVDB-88107", "URL-http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/", "URL-http://technet.microsoft.com/en-us/security/msvr/msvr12-016" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2003 SP2 / Ektron CMS400 8.02" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ektron_xslt_exec.rb", "is_install_path": true, "ref_name": "windows/http/ektron_xslt_exec", "check": true }, "exploit_windows/http/ektron_xslt_exec_ws": { "name": "Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution", "full_name": "exploit/windows/http/ektron_xslt_exec_ws", "rank": 600, "disclosure_date": "2015-02-05", "type": "exploit", "author": [ "catatonicprime" ], "description": "Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have\nvulnerabilities in various operations within the ServerControlWS.asmx\nweb services. 
These vulnerabilities allow for RCE without authentication and\nexecute in the context of IIS on the remote system.", "references": [ "CVE-2015-0923", "US-CERT-VU-377644", "URL-http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2008 R2 / Ektron CMS400 8.5" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ektron_xslt_exec_ws.rb", "is_install_path": true, "ref_name": "windows/http/ektron_xslt_exec_ws", "check": true }, "exploit_windows/http/ericom_access_now_bof": { "name": "Ericom AccessNow Server Buffer Overflow", "full_name": "exploit/windows/http/ericom_access_now_bof", "rank": 300, "disclosure_date": "2014-06-02", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow in Ericom AccessNow Server. The\n vulnerability is due to an insecure usage of vsprintf with user controlled data,\n which can be triggered with a malformed HTTP request. 
This module has been tested\n successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003\n Server SP2.", "references": [ "ZDI-14-160", "CVE-2014-3913", "BID-67777", "URL-http://www.ericom.com/security-ERM-2014-610.asp" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8080, "targets": [ "Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ericom_access_now_bof.rb", "is_install_path": true, "ref_name": "windows/http/ericom_access_now_bof", "check": true }, "exploit_windows/http/ezserver_http": { "name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability", "full_name": "exploit/windows/http/ezserver_http", "rank": 600, "disclosure_date": "2012-06-18", "type": "exploit", "author": [ "modpr0be " ], "description": "This module exploits a stack buffer overflow in the EZHomeTech EZServer\n for versions 6.4.017 and earlier. If a malicious user sends packets\n containing an overly long string, it may be possible to execute a\n payload remotely. 
Due to size constraints, this module uses the\n Egghunter technique.", "references": [ "OSVDB-83065", "BID-54056", "EDB-19266", "URL-http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8000, "targets": [ "EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ezserver_http.rb", "is_install_path": true, "ref_name": "windows/http/ezserver_http", "check": false }, "exploit_windows/http/fdm_auth_header": { "name": "Free Download Manager Remote Control Server Buffer Overflow", "full_name": "exploit/windows/http/fdm_auth_header", "rank": 500, "disclosure_date": "2009-02-02", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Free Download Manager\n Remote Control 2.5 Build 758. When sending a specially crafted\n Authorization header, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2009-0183", "OSVDB-51745" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Free Download Manager 2.5 Build 758" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/fdm_auth_header.rb", "is_install_path": true, "ref_name": "windows/http/fdm_auth_header", "check": false }, "exploit_windows/http/generic_http_dll_injection": { "name": "Generic Web Application DLL Injection", "full_name": "exploit/windows/http/generic_http_dll_injection", "rank": 0, "disclosure_date": "2015-03-04", "type": "exploit", "author": [ "Matthew Hall " ], "description": "This is a general-purpose module for exploiting conditions where a HTTP request\n triggers a DLL load from an specified SMB share. 
This module serves payloads as\n DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would\n trigger the load of the DLL.", "references": [ "CWE-427" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 80, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/generic_http_dll_injection.rb", "is_install_path": true, "ref_name": "windows/http/generic_http_dll_injection", "check": false }, "exploit_windows/http/geutebrueck_gcore_x64_rce_bo": { "name": "Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE", "full_name": "exploit/windows/http/geutebrueck_gcore_x64_rce_bo", "rank": 300, "disclosure_date": "2017-01-24", "type": "exploit", "author": [ "Luca Cappiello", "Maurice Popp" ], "description": "This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe).\n The vulnerable webserver is running on Port 13003 and Port 13004, does not require\n authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).", "references": [ "EDB-41153", "CVE-2017-11517", "URL-www.geutebrueck.com" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 13003, "targets": [ "Automatic Targeting", "GCore 1.3.8.42, Windows x64 (Win7+)", "GCore 1.4.2.37, Windows x64 (Win7+)" ], "mod_time": "2017-11-08 20:21:40 +0000", "path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb", "is_install_path": true, "ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo", "check": true }, "exploit_windows/http/gitstack_rce": { "name": "GitStack Unsanitized Argument RCE", "full_name": "exploit/windows/http/gitstack_rce", "rank": 500, "disclosure_date": "2018-01-15", "type": "exploit", "author": [ "Kacper Szurek", "Jacob Robles" ], "description": "This module exploits a remote code execution vulnerability that\n exists in GitStack through v2.3.10, caused by an unsanitized 
argument\n being passed to an exec function call. This module has been tested\n on GitStack v2.3.10.", "references": [ "CVE-2018-5955", "EDB-43777", "EDB-44044", "URL-https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2018-03-09 07:31:55 +0000", "path": "/modules/exploits/windows/http/gitstack_rce.rb", "is_install_path": true, "ref_name": "windows/http/gitstack_rce", "check": false }, "exploit_windows/http/hp_autopass_license_traversal": { "name": "HP AutoPass License Server File Upload", "full_name": "exploit/windows/http/hp_autopass_license_traversal", "rank": 500, "disclosure_date": "2014-01-10", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a code execution flaw in HP AutoPass License Server. It abuses two\n weaknesses in order to get its objective. First, the AutoPass application doesn't enforce\n authentication in the CommunicationServlet component. Second, it's possible to abuse a\n directory traversal when uploading files through the same component, allowing the upload of\n an arbitrary payload embedded in a JSP. 
The module has been tested successfully on\n HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.", "references": [ "CVE-2013-6221", "ZDI-14-195", "BID-67989", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125" ], "is_server": true, "is_client": false, "platform": "Java", "arch": "java", "rport": 5814, "targets": [ "Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", "Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", "Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", "Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_autopass_license_traversal.rb", "is_install_path": true, "ref_name": "windows/http/hp_autopass_license_traversal", "check": true }, "exploit_windows/http/hp_imc_bims_upload": { "name": "HP Intelligent Management Center BIMS UploadServlet Directory Traversal", "full_name": "exploit/windows/http/hp_imc_bims_upload", "rank": 600, "disclosure_date": "2013-10-08", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS\n component from the HP Intelligent Management Center. The vulnerability exists in the\n UploadServlet, allowing the user to download and upload arbitrary files. 
This module has\n been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows\n 2003 SP2.", "references": [ "CVE-2013-4822", "OSVDB-98247", "BID-62895", "ZDI-13-238", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 8080, "targets": [ "HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_imc_bims_upload.rb", "is_install_path": true, "ref_name": "windows/http/hp_imc_bims_upload", "check": true }, "exploit_windows/http/hp_imc_mibfileupload": { "name": "HP Intelligent Management Center Arbitrary File Upload", "full_name": "exploit/windows/http/hp_imc_mibfileupload", "rank": 500, "disclosure_date": "2013-03-07", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a code execution flaw in HP Intelligent Management Center.\n The vulnerability exists in the mibFileUpload which is accepting unauthenticated\n file uploads and handling zip contents in an insecure way. Combining both weaknesses\n a remote attacker can accomplish arbitrary file upload. 
This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.", "references": [ "CVE-2012-5201", "OSVDB-91026", "BID-58385", "ZDI-13-050", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 8080, "targets": [ "HP Intelligent Management Center 5.1 E0202 / Windows" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_imc_mibfileupload.rb", "is_install_path": true, "ref_name": "windows/http/hp_imc_mibfileupload", "check": true }, "exploit_windows/http/hp_loadrunner_copyfiletoserver": { "name": "HP LoadRunner EmulationAdmin Web Service Directory Traversal", "full_name": "exploit/windows/http/hp_loadrunner_copyfiletoserver", "rank": 600, "disclosure_date": "2013-10-30", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a directory traversal vulnerability in version 11.52 of HP\n LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically\n in the copyFileToServer method, allowing the upload of arbitrary files. 
This module has\n been tested successfully on HP LoadRunner 11.52 on Windows 2003 SP2.", "references": [ "CVE-2013-4837", "OSVDB-99231", "BID-63475", "ZDI-13-259", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 8080, "targets": [ "HP LoadRunner 11.52" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb", "is_install_path": true, "ref_name": "windows/http/hp_loadrunner_copyfiletoserver", "check": true }, "exploit_windows/http/hp_mpa_job_acct": { "name": "HP Managed Printing Administration jobAcct Remote Command Execution", "full_name": "exploit/windows/http/hp_mpa_job_acct", "rank": 600, "disclosure_date": "2011-12-21", "type": "exploit", "author": [ "Andrea Micalizzi", "juan vazquez " ], "description": "This module exploits an arbitrary file upload vulnerability on HP Managed Printing\n Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles()\n function from the MPAUploader.Uploader.1 control, loaded and used by the server.\n The function can be abused via directory traversal and null byte injection in order\n to achieve arbitrary file upload. In order to exploit successfully, a few conditions\n must be met. First, a writable location under the context of Internet Guest Account\n (IUSR_*) or Everyone is required. By default, this module will attempt to write to\n /hpmpa/userfiles/, but the WRITEWEBFOLDER option can be used to provide\n another writable path. Second, the writable path must also be readable by a browser,\n so this typically means a location under wwwroot. 
Finally, you cannot overwrite\n a file with the same name as the payload.", "references": [ "CVE-2011-4166", "OSVDB-78015", "BID-51174", "ZDI-11-352", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_mpa_job_acct.rb", "is_install_path": true, "ref_name": "windows/http/hp_mpa_job_acct", "check": true }, "exploit_windows/http/hp_nnm_getnnmdata_hostname": { "name": "HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_getnnmdata_hostname", "rank": 500, "disclosure_date": "2010-05-11", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-1555", "OSVDB-64976" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50", "HP OpenView Network Node Manager 7.53" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_getnnmdata_hostname", "check": false }, "exploit_windows/http/hp_nnm_getnnmdata_icount": { "name": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_getnnmdata_icount", "rank": 500, "disclosure_date": "2010-05-11", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By 
sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-1554", "OSVDB-64976" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50", "HP OpenView Network Node Manager 7.53" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_getnnmdata_icount", "check": false }, "exploit_windows/http/hp_nnm_getnnmdata_maxage": { "name": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_getnnmdata_maxage", "rank": 500, "disclosure_date": "2010-05-11", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-1553", "OSVDB-64976" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50", "HP OpenView Network Node Manager 7.53" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_getnnmdata_maxage", "check": false }, "exploit_windows/http/hp_nnm_nnmrptconfig_nameparams": { "name": "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_nnmrptconfig_nameparams", "rank": 300, "disclosure_date": "2011-01-10", "type": "exploit", "author": [ "sinn3r ", "MC " ], "description": "This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n A remote user can send a long string data to the nameParams parameter via\n a POST request, which 
causes an overflow on the stack when function\n ov.sprintf_new() is used, and gain arbitrary code execution.", "references": [ "CVE-2011-0266", "OSVDB-70473", "ZDI-11-008" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "HP NNM 7.53 Windows Server 2003 Enterprise", "HP OpenView Network Node Manager 7.50" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_nnmrptconfig_nameparams", "check": false }, "exploit_windows/http/hp_nnm_nnmrptconfig_schdparams": { "name": "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_nnmrptconfig_schdparams", "rank": 300, "disclosure_date": "2011-01-10", "type": "exploit", "author": [ "sinn3r " ], "description": "This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n the overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n overwrite data on the stack, and gain arbitrary code execution.", "references": [ "CVE-2011-0267", "OSVDB-70473", "ZDI-11-009" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "NNM 7.53 - Windows Server 2003 Ent" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_nnmrptconfig_schdparams", "check": false }, "exploit_windows/http/hp_nnm_openview5": { "name": "HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_openview5", "rank": 500, "disclosure_date": "2007-12-06", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request, an attacker may be able to execute\n 
arbitrary code.", "references": [ "CVE-2007-6204", "OSVDB-39530", "BID-26741" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50 / Windows 2000 All" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_openview5.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_openview5", "check": false }, "exploit_windows/http/hp_nnm_ovalarm_lang": { "name": "HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovalarm_lang", "rank": 500, "disclosure_date": "2009-12-09", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n arbitrary code.\n\n This specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n function within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n HTTP request that contains the following.\n\n 1. An \"Accept-Language\" header longer than 100 bytes\n 2. 
An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n The vulnerability is related to \"_WebSession::GetWebLocale()\".\n\n NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.", "references": [ "CVE-2009-4179", "OSVDB-60930", "BID-37347", "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-09-12", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53", "HP OpenView Network Node Manager 7.53 (Windows 2003)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovalarm_lang", "check": false }, "exploit_windows/http/hp_nnm_ovas": { "name": "HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovas", "rank": 400, "disclosure_date": "2008-04-02", "type": "exploit", "author": [ "bannedit ", "muts" ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n Specifically this vulnerability is caused by a failure to properly handle user supplied input within the\n HTTP request including headers and the actual URL GET request.\n\n Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode\n which was alphanumeric encoded by muts in the original exploit.\n\n If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process\n as soon as possible. Any connections get reset after a short period of time. 
This is probably some timeout\n handling code that causes this.", "references": [ "CVE-2008-1697", "OSVDB-43992", "BID-28569" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7510, "targets": [ "Automatic Targeting", "Windows 2003/zip.dll OpenView 7.53", "Windows 2000/jvm.dll OpenView NNM 7.51" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovas.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovas", "check": true }, "exploit_windows/http/hp_nnm_ovbuildpath_textfile": { "name": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovbuildpath_textfile", "rank": 300, "disclosure_date": "2011-11-01", "type": "exploit", "author": [ "Anyway ", "juan vazquez ", "sinn3r " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node\n Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\n 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". There\n are no stack cookies, so exploitation is achieved by overwriting the saved return\n address.\n\n The vulnerability is due to the use of the function \"_OVConcatPath\" which finally\n uses \"strcat\" in an insecure way. User controlled data is concatenated to a string\n which contains the OpenView installation path.\n\n To achieve reliable exploitation a directory traversal in OpenView5.exe\n (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\n path. 
If the installation path cannot be guessed the default installation path\n is used.", "references": [ "CVE-2011-3167", "OSVDB-76775", "BID-50471", "ZDI-12-002", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovbuildpath_textfile", "check": false }, "exploit_windows/http/hp_nnm_ovwebhelp": { "name": "HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovwebhelp", "rank": 500, "disclosure_date": "2009-12-09", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2009-4178", "OSVDB-60929", "BID-37340" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovwebhelp", "check": false }, "exploit_windows/http/hp_nnm_ovwebsnmpsrv_main": { "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_main", "rank": 500, "disclosure_date": "2010-06-16", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. 
By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. The buffer being\n written to is 1024 bytes in size. It is important to note that this vulnerability must\n be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n easily achieved by overwriting SEH structures.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.", "references": [ "CVE-2010-1964", "OSVDB-65552", "BID-40873", "ZDI-10-108" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53 w/NNM_01201", "HP OpenView Network Node Manager 7.53 (Windows 2003)", "Debug Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_main", "check": false }, "exploit_windows/http/hp_nnm_ovwebsnmpsrv_ovutil": { "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil", "rank": 500, "disclosure_date": "2010-06-16", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. 
By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. It is interesting to\n note that this vulnerability cannot be exploited by overwriting SEH, since attempting\n to would trigger CVE-2010-1964.\n\n The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n processing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n There are no stack cookies present, so exploitation is easily achieved by overwriting the\n saved return address.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. 
It is not clear what is causing this\n either.", "references": [ "CVE-2010-1961", "OSVDB-65428", "BID-40638", "ZDI-10-106", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53 w/NNM_01201", "HP OpenView Network Node Manager 7.53 (Windows 2003)", "Debug Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_ovutil", "check": false }, "exploit_windows/http/hp_nnm_ovwebsnmpsrv_uro": { "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro", "rank": 500, "disclosure_date": "2010-06-08", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010.\n\n Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n important to note that this vulnerability must be exploited by overwriting SEH. This is since\n overflowing the buffer with controllable data always triggers an access violation when\n attempting to write static text beyond the end of the stack.\n\n Exploiting this issue is a bit tricky due to a restrictive character set. 
In order to accomplish\n arbitrary code execution, a double-backward jump is used in combination with the Alpha2\n encoder.", "references": [ "CVE-2010-1960", "OSVDB-65427", "BID-40637", "ZDI-10-105" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53 w/NNM_01206", "Debug Target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_uro", "check": false }, "exploit_windows/http/hp_nnm_snmp": { "name": "HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_snmp", "rank": 500, "disclosure_date": "2009-12-09", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2009-3849", "OSVDB-60933" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50 / Windows 2000 All" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_snmp.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_snmp", "check": false }, "exploit_windows/http/hp_nnm_snmpviewer_actapp": { "name": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_snmpviewer_actapp", "rank": 500, "disclosure_date": "2010-05-11", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. 
By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n code.\n\n The vulnerable code lies within a function within \"snmpviewer.exe\" with a\n timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n or POST request. The request must contain 'act' and 'app' parameters which, when\n combined, total more than the 1024 byte stack buffer can hold.\n\n It is important to note that this vulnerability must be exploited by overwriting SEH.\n While the saved return address can be smashed, a function call that occurs before\n the function returns calls \"exit\".", "references": [ "CVE-2010-1552", "OSVDB-64975", "BID-40068", "ZDI-10-083", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.53 w/NNM_01201", "HP OpenView Network Node Manager 7.53 (Windows 2003)", "Debug Target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_snmpviewer_actapp", "check": false }, "exploit_windows/http/hp_nnm_toolbar_01": { "name": "HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_toolbar_01", "rank": 500, "disclosure_date": "2009-01-07", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2008-0067", "OSVDB-53222", "BID-33147" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "HP OpenView Network Node Manager 7.50 / Windows 2000 All" 
], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_nnm_toolbar_01.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_toolbar_01", "check": false }, "exploit_windows/http/hp_nnm_toolbar_02": { "name": "HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_toolbar_02", "rank": 300, "disclosure_date": "2009-01-21", "type": "exploit", "author": [ "Oren Isacson", "juan vazquez ", "sinn3r " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n and 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an\n attacker may be able to execute arbitrary code. Please note that this module only works\n against a specific build (i.e. NNM 7.53_01195)", "references": [ "CVE-2009-0920", "OSVDB-53242", "BID-34294", "URL-http://www.coresecurity.com/content/openview-buffer-overflows" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "HP OpenView Network Node Manager Release B.07.00", "HP OpenView Network Node Manager 7.53 Patch 01195" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_toolbar_02.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_toolbar_02", "check": false }, "exploit_windows/http/hp_nnm_webappmon_execvp": { "name": "HP OpenView Network Node Manager execvp_nc Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_webappmon_execvp", "rank": 500, "disclosure_date": "2010-07-20", "type": "exploit", "author": [ "Shahin Ramezany ", "sinn3r ", "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. 
By specifying a long 'sel'\n parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is not triggerable via a GET request due to limitations on the\n request size. The buffer being targeted is 16384 bytes in size. There are actually two\n adjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by\n overwriting the saved return address or SEH frame.\n\n This vulnerability might also be triggerable via other CGI programs, however this was\n not fully investigated.", "references": [ "CVE-2010-2703", "OSVDB-66514", "BID-41829", "ZDI-10-137", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "HP OpenView Network Node Manager 7.53 w/NNM_01206", "HP OpenView Network Node Manager 7.53 (Windows 2003)", "Debug Target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_webappmon_execvp", "check": false }, "exploit_windows/http/hp_nnm_webappmon_ovjavalocale": { "name": "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow", "full_name": "exploit/windows/http/hp_nnm_webappmon_ovjavalocale", "rank": 500, "disclosure_date": "2010-08-03", "type": "exploit", "author": [ "Nahuel Riva", "sinn3r ", "jduck " ], "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow\n a stack buffer and execute arbitrary code.\n\n The vulnerable code is within the OvWwwDebug function. 
The static-sized stack buffer is\n declared within this function. When the vulnerability is triggered, the stack trace looks\n like the following:\n\n #0 ...\n #1 sprintf_new(local_stack_buf, fmt, cookie);\n #2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n #4 sub_405ee0(\"nnm\", \"webappmon\");\n\n No validation is done on the cookie argument. There are no stack cookies, so exploitation\n is easily achieved by overwriting the saved return address or SEH frame.\n\n The original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n passed in a request to \"webappmon.exe\". Further research shows that several different\n cookie values, as well as several different CGI applications, can be used.\n '", "references": [ "CVE-2010-2709", "OSVDB-66932", "BID-42154", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520", "URL-http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "HP OpenView Network Node Manager 7.53", "HP OpenView Network Node Manager 7.53 (Windows 2003)", "Debug Target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb", "is_install_path": true, "ref_name": "windows/http/hp_nnm_webappmon_ovjavalocale", "check": false }, "exploit_windows/http/hp_openview_insight_backdoor": { "name": "HP OpenView Performance Insight Server Backdoor Account Code Execution", "full_name": "exploit/windows/http/hp_openview_insight_backdoor", "rank": 600, "disclosure_date": "2011-01-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n class. 
When using this account, an attacker can abuse the\n com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n allowing the execution of arbitrary code.\n\n NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0", "references": [ "CVE-2011-0276", "OSVDB-70754" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Universal Windows Target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_openview_insight_backdoor.rb", "is_install_path": true, "ref_name": "windows/http/hp_openview_insight_backdoor", "check": false }, "exploit_windows/http/hp_pcm_snac_update_certificates": { "name": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", "full_name": "exploit/windows/http/hp_pcm_snac_update_certificates", "rank": 600, "disclosure_date": "2013-09-09", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\n files, taking into account that binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", "references": [ "CVE-2013-4812", "OSVDB-97155", "BID-62348", "ZDI-13-225" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 443, "targets": [ "HP ProCurve Manager 4.0 SNAC Server" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb", "is_install_path": true, "ref_name": "windows/http/hp_pcm_snac_update_certificates", "check": true }, "exploit_windows/http/hp_pcm_snac_update_domain": { "name": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload", "full_name": "exploit/windows/http/hp_pcm_snac_update_domain", "rank": 600, "disclosure_date": "2013-09-09", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary\n files, taking into account that binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", "references": [ "CVE-2013-4811", "OSVDB-97154", "BID-62349", "ZDI-13-226" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 443, "targets": [ "HP ProCurve Manager 4.0 SNAC Server" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb", "is_install_path": true, "ref_name": "windows/http/hp_pcm_snac_update_domain", "check": true }, "exploit_windows/http/hp_power_manager_filename": { "name": "HP Power Manager 'formExportDataLogs' Buffer Overflow", "full_name": "exploit/windows/http/hp_power_manager_filename", "rank": 300, "disclosure_date": "2011-10-19", "type": "exploit", "author": [ "Alin Rad Pop", "Rodrigo Escobar ", "sinn3r " ], "description": "This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.\n By creating a malformed request specifically for the fileName parameter, a stack-based\n buffer overflow occurs due to a long error message (which contains the fileName),\n which may result in arbitrary remote code execution under the context of 'SYSTEM'.", "references": [ "CVE-2009-3999", "OSVDB-61848", "BID-37867" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP3 / Win Server 2003 SP0" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/hp_power_manager_filename.rb", "is_install_path": true, "ref_name": "windows/http/hp_power_manager_filename", "check": false }, "exploit_windows/http/hp_power_manager_login": { "name": "Hewlett-Packard Power Manager Administration Buffer Overflow", "full_name": "exploit/windows/http/hp_power_manager_login", "rank": 200, "disclosure_date": "2009-11-04", "type": "exploit", "author": [ "MC ", "sinn3r " ], "description": "This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n 
By sending a specially crafted POST request with an overly long Login string, an\n attacker may be able to execute arbitrary code.", "references": [ "CVE-2009-2685", "OSVDB-59684" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_power_manager_login.rb", "is_install_path": true, "ref_name": "windows/http/hp_power_manager_login", "check": false }, "exploit_windows/http/hp_sitescope_dns_tool": { "name": "HP SiteScope DNS Tool Command Injection", "full_name": "exploit/windows/http/hp_sitescope_dns_tool", "rank": 400, "disclosure_date": "2015-10-09", "type": "exploit", "author": [ "Kirk Hayes", "Charles Riggs", "Juan Vazquez" ], "description": "This module exploits a command injection vulnerability\n discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n and 11.30). The vulnerability exists in the DNS Tool allowing an\n attacker to execute arbitrary commands in the context of the service. By\n default, HP SiteScope installs and runs as SYSTEM in Windows and does\n not require authentication. This vulnerability only exists on the\n Windows version. 
The Linux version is unaffected.", "references": [ "URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection", "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "HP SiteScope 11.30 / Microsoft Windows 7 and higher", "HP SiteScope 11.30 / CMD" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb", "is_install_path": true, "ref_name": "windows/http/hp_sitescope_dns_tool", "check": false }, "exploit_windows/http/hp_sitescope_runomagentcommand": { "name": "HP SiteScope Remote Code Execution", "full_name": "exploit/windows/http/hp_sitescope_runomagentcommand", "rank": 0, "disclosure_date": "2013-07-29", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a code execution flaw in HP SiteScope.\n The vulnerability exists in the opcactivate.vbs script, which\n is reachable from the APIBSMIntegrationImpl AXIS service, and\n uses WScript.Shell.run() to execute cmd.exe with user provided\n data. Note that the opcactivate.vbs component is installed\n with the (optional) HP Operations Agent component. 
The module\n has been tested successfully on HP SiteScope 11.20 (with HP\n Operations Agent) over Windows 2003 SP2.", "references": [ "CVE-2013-2367", "OSVDB-95824", "BID-61506", "ZDI-13-205" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8080, "targets": [ "HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb", "is_install_path": true, "ref_name": "windows/http/hp_sitescope_runomagentcommand", "check": true }, "exploit_windows/http/httpdx_handlepeer": { "name": "HTTPDX h_handlepeer() Function Buffer Overflow", "full_name": "exploit/windows/http/httpdx_handlepeer", "rank": 500, "disclosure_date": "2009-10-08", "type": "exploit", "author": [ "Pankaj Kohli ", "Trancer ", "jduck " ], "description": "This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The\n vulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.", "references": [ "OSVDB-58714", "CVE-2009-3711", "URL-http://www.pank4j.com/exploits/httpdxb0f.php", "URL-http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "httpdx 1.4 - Windows XP SP3 English", "httpdx 1.4 - Windows 2003 SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/httpdx_handlepeer.rb", "is_install_path": true, "ref_name": "windows/http/httpdx_handlepeer", "check": true }, "exploit_windows/http/httpdx_tolog_format": { "name": "HTTPDX tolog() Function Format String Vulnerability", "full_name": "exploit/windows/http/httpdx_tolog_format", "rank": 500, "disclosure_date": "2009-11-17", "type": "exploit", "author": [ "jduck " ], "description": 
"This module exploits a format string vulnerability in HTTPDX HTTP server.\n By sending a specially crafted HTTP request containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", "references": [ "CVE-2009-4769", "OSVDB-60182" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Targeting", "httpdx 1.4 - Windows XP SP3 English", "httpdx 1.4.5 - Windows XP SP3 English", "httpdx 1.4.6 - Windows XP SP3 English", "httpdx 1.4.6b - Windows XP SP3 English", "httpdx 1.5 - Windows XP SP3 English", "Debug target" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/httpdx_tolog_format.rb", "is_install_path": true, "ref_name": "windows/http/httpdx_tolog_format", "check": true }, "exploit_windows/http/ia_webmail": { "name": "IA WebMail 3.x Buffer Overflow", "full_name": "exploit/windows/http/ia_webmail", "rank": 200, "disclosure_date": "2003-11-03", "type": "exploit", "author": [ "hdm " ], "description": "This exploits a stack buffer overflow in the IA WebMail server.\n This exploit has not been tested against a live system at\n this time.", "references": [ "CVE-2003-1192", "OSVDB-2757", "BID-8965", "URL-http://www.k-otik.net/exploits/11.19.iawebmail.pl.php" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "IA WebMail 3.x" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ia_webmail.rb", "is_install_path": true, "ref_name": "windows/http/ia_webmail", "check": false }, "exploit_windows/http/ibm_tivoli_endpoint_bof": { "name": "IBM Tivoli Endpoint Manager POST Query Buffer Overflow", "full_name": "exploit/windows/http/ibm_tivoli_endpoint_bof", "rank": 400, "disclosure_date": "2011-05-31", "type": "exploit", "author": [ "bannedit ", "Jeremy Brown <0xjbrown@gmail.com>" ], 
"description": "This module exploits a stack based buffer overflow in the way IBM Tivoli\n Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query\n arguments.\n\n This issue can be triggered by sending a specially crafted HTTP POST request to\n the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n is required. This exploit makes use of a second vulnerability, a hardcoded account\n (tivoli/boss) is used to bypass the authorization restriction.", "references": [ "CVE-2011-1220", "OSVDB-72713", "OSVDB-72751", "BID-48049", "ZDI-11-169" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9495, "targets": [ "Automatic", "Windows Server 2003 SP0", "Windows Server 2003 SP1", "Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ibm_tivoli_endpoint_bof.rb", "is_install_path": true, "ref_name": "windows/http/ibm_tivoli_endpoint_bof", "check": false }, "exploit_windows/http/ibm_tpmfosd_overflow": { "name": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", "full_name": "exploit/windows/http/ibm_tpmfosd_overflow", "rank": 400, "disclosure_date": "2007-05-02", "type": "exploit", "author": [ "toto" ], "description": "This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n for OS Deployment version 5.1.0.X.", "references": [ "CVE-2007-1868", "OSVDB-34678", "BID-23264", "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-05" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 443, "targets": [ "TPMfOSD 5.1 (Windows 2000 SP4 - English)", "TPMfOSD 5.1 (Windows 2003 All - English)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb", "is_install_path": true, "ref_name": "windows/http/ibm_tpmfosd_overflow", "check": false }, "exploit_windows/http/ibm_tsm_cad_header": { "name": "IBM Tivoli Storage Manager Express CAD 
Service Buffer Overflow", "full_name": "exploit/windows/http/ibm_tsm_cad_header", "rank": 400, "disclosure_date": "2007-09-24", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.", "references": [ "CVE-2007-4880", "OSVDB-38161", "BID-25743" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1581, "targets": [ "IBM Tivoli Storage Manager Express 5.3.3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ibm_tsm_cad_header.rb", "is_install_path": true, "ref_name": "windows/http/ibm_tsm_cad_header", "check": false }, "exploit_windows/http/icecast_header": { "name": "Icecast Header Overwrite", "full_name": "exploit/windows/http/icecast_header", "rank": 500, "disclosure_date": "2004-09-28", "type": "exploit", "author": [ "spoonm ", "Luigi Auriemma " ], "description": "This module exploits a buffer overflow in the header parsing of icecast\n versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32\n HTTP headers will cause a write one past the end of a pointer array. On\n win32 this happens to overwrite the saved instruction pointer, and on\n linux (depending on compiler, etc) this seems to generally overwrite\n nothing crucial (read not exploitable).\n\n This exploit uses ExitThread(), this will leave icecast thinking the\n thread is still in use, and the thread counter won't be decremented.\n This means for each time your payload exits, the counter will be left\n incremented, and eventually the threadpool limit will be maxed. 
So you\n can multihit, but only till you fill the threadpool.", "references": [ "CVE-2004-1561", "OSVDB-10406", "BID-11271", "URL-http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8000, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/icecast_header.rb", "is_install_path": true, "ref_name": "windows/http/icecast_header", "check": false }, "exploit_windows/http/integard_password_bof": { "name": "Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow", "full_name": "exploit/windows/http/integard_password_bof", "rank": 500, "disclosure_date": "2010-09-07", "type": "exploit", "author": [ "Lincoln", "Nullthreat", "rick2600", "corelanc0d3r ", "jduck " ], "description": "This module exploits a stack buffer overflow in Race river's Integard Home/Pro\n internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n vulnerable.\n\n The administration web page on port 18881 is vulnerable to a remote buffer overflow\n attack. 
By sending a long character string in the password field, both the structured\n exception handler and the saved extended instruction pointer are overwritten, allowing\n an attacker to gain control of the application and the underlying operating system\n remotely.\n\n The administration website service runs with SYSTEM privileges, and automatically\n restarts when it crashes.", "references": [ "OSVDB-67909", "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 18881, "targets": [ "Automatic Targeting", "Integard Home 2.0.0.9021", "Integard Pro 2.2.0.9026" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/integard_password_bof.rb", "is_install_path": true, "ref_name": "windows/http/integard_password_bof", "check": false }, "exploit_windows/http/intersystems_cache": { "name": "InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow", "full_name": "exploit/windows/http/intersystems_cache", "rank": 500, "disclosure_date": "2009-09-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", "references": [ "OSVDB-60549", "BID-37177" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 57772, "targets": [ "Windows 2000 SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/intersystems_cache.rb", "is_install_path": true, "ref_name": "windows/http/intersystems_cache", "check": false }, "exploit_windows/http/intrasrv_bof": { "name": "Intrasrv 1.0 Buffer Overflow", "full_name": "exploit/windows/http/intrasrv_bof", "rank": 0, "disclosure_date": "2013-05-30", "type": "exploit", "author": [ "xis_one", "PsychoSpy " ], "description": "This module exploits a boundary condition error in Intrasrv 
Simple Web\n Server 1.0. The web interface does not validate the boundaries of an\n HTTP request string prior to copying the data to an insufficiently sized\n buffer. Successful exploitation leads to arbitrary remote code execution\n in the context of the application.", "references": [ "OSVDB-94097", "EDB-18397", "BID-60229" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "v1.0 - XP / Win7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/intrasrv_bof.rb", "is_install_path": true, "ref_name": "windows/http/intrasrv_bof", "check": true }, "exploit_windows/http/ipswitch_wug_maincfgret": { "name": "Ipswitch WhatsUp Gold 8.03 Buffer Overflow", "full_name": "exploit/windows/http/ipswitch_wug_maincfgret", "rank": 500, "disclosure_date": "2004-08-25", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By\n posting a long string for the value of 'instancename' in the _maincfgret.cgi\n script an attacker can overflow a buffer and execute arbitrary code on the system.", "references": [ "CVE-2004-0798", "OSVDB-9177", "BID-11043" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "WhatsUP Gold 8.03 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb", "is_install_path": true, "ref_name": "windows/http/ipswitch_wug_maincfgret", "check": false }, "exploit_windows/http/jira_collector_traversal": { "name": "JIRA Issues Collector Directory Traversal", "full_name": "exploit/windows/http/jira_collector_traversal", "rank": 300, "disclosure_date": "2014-02-26", "type": "exploit", "author": [ "Philippe Arteau", "juan vazquez " ], "description": "This module exploits a directory traversal flaw in JIRA 6.0.3. 
The vulnerability exists\n in the issues collector code, while handling attachments provided by the user. It can be\n exploited in Windows environments to get remote code execution. This module has been tested\n successfully on JIRA 6.0.3 with Windows 2003 SP2 Server.", "references": [ "CVE-2014-2314", "OSVDB-103807", "BID-65849", "URL-https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26", "URL-http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Jira 6.0.3 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/jira_collector_traversal.rb", "is_install_path": true, "ref_name": "windows/http/jira_collector_traversal", "check": true }, "exploit_windows/http/kaseya_uploader": { "name": "Kaseya VSA uploader.aspx Arbitrary File Upload", "full_name": "exploit/windows/http/kaseya_uploader", "rank": 600, "disclosure_date": "2015-09-23", "type": "exploit", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions\n between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary\n directory leading to arbitrary code execution with IUSR privileges. 
This module has been\n tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.", "references": [ "CVE-2015-6922", "ZDI-15-449", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt", "URL-http://seclists.org/bugtraq/2015/Sep/132" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Kaseya VSA v7 to v9.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/kaseya_uploader.rb", "is_install_path": true, "ref_name": "windows/http/kaseya_uploader", "check": true }, "exploit_windows/http/kaseya_uploadimage_file_upload": { "name": "Kaseya uploadImage Arbitrary File Upload", "full_name": "exploit/windows/http/kaseya_uploadimage_file_upload", "rank": 600, "disclosure_date": "2013-11-11", "type": "exploit", "author": [ "Thomas Hibbert " ], "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya versions below\n 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous\n authentication, leading to arbitrary code execution with IUSR privileges.", "references": [ "OSVDB-99984", "BID-63782", "EDB-29675", "URL-http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Kaseya KServer / Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb", "is_install_path": true, "ref_name": "windows/http/kaseya_uploadimage_file_upload", "check": true }, "exploit_windows/http/kolibri_http": { "name": "Kolibri HTTP Server HEAD Buffer Overflow", "full_name": "exploit/windows/http/kolibri_http", "rank": 400, "disclosure_date": "2010-12-26", "type": "exploit", "author": [ "mr_me ", "TheLeader", "sinn3r " ], "description": "This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.", 
"references": [ "CVE-2002-2268", "OSVDB-70808", "BID-6289", "EDB-15834" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP sp3", "Windows Server 2003 sp2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/kolibri_http.rb", "is_install_path": true, "ref_name": "windows/http/kolibri_http", "check": true }, "exploit_windows/http/landesk_thinkmanagement_upload_asp": { "name": "LANDesk Lenovo ThinkManagement Console Remote Command Execution", "full_name": "exploit/windows/http/landesk_thinkmanagement_upload_asp", "rank": 600, "disclosure_date": "2012-02-15", "type": "exploit", "author": [ "Andrea Micalizzi", "juan vazquez " ], "description": "This module can be used to execute a payload on LANDesk Lenovo\n ThinkManagement Suite 9.0.2 and 9.0.3.\n\n The payload is uploaded as an ASP script by sending a specially crafted\n SOAP request to \"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx\"\n , via a \"RunAMTCommand\" operation with the command '-PutUpdateFileCore'\n as the argument.\n\n After execution, the ASP script with the payload is deleted by sending\n another specially crafted SOAP request to \"WSVulnerabilityCore/VulCore.asmx\"\n via a \"SetTaskLogByFile\" operation.", "references": [ "CVE-2012-1195", "CVE-2012-1196", "OSVDB-79276", "OSVDB-79277", "BID-52023", "EDB-18622", "EDB-18623" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb", "is_install_path": true, "ref_name": "windows/http/landesk_thinkmanagement_upload_asp", "check": false }, "exploit_windows/http/lexmark_markvision_gfd_upload": { "name": "Lexmark MarkVision Enterprise Arbitrary File Upload", "full_name": 
"exploit/windows/http/lexmark_markvision_gfd_upload", "rank": 600, "disclosure_date": "2014-12-09", "type": "exploit", "author": [ "Andrea Micalizzi", "juan vazquez " ], "description": "This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.\n A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated\n attacker to upload arbitrary files, including arbitrary JSP code. This module has been\n tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.", "references": [ "CVE-2014-8741", "ZDI-14-410", "URL-http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "java", "rport": 9788, "targets": [ "Lexmark Markvision Enterprise 2.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb", "is_install_path": true, "ref_name": "windows/http/lexmark_markvision_gfd_upload", "check": true }, "exploit_windows/http/mailenable_auth_header": { "name": "MailEnable Authorization Header Buffer Overflow", "full_name": "exploit/windows/http/mailenable_auth_header", "rank": 500, "disclosure_date": "2005-04-24", "type": "exploit", "author": [ "David Maciejak " ], "description": "This module exploits a remote buffer overflow in the MailEnable web service.\n The vulnerability is triggered when a large value is placed into the Authorization\n header of the web request. 
MailEnable Enterprise Edition versions prior to 1.0.5 and\n MailEnable Professional versions prior to 1.55 are affected.", "references": [ "CVE-2005-1348", "OSVDB-15913", "OSVDB-15737", "BID-13350", "URL-http://www.nessus.org/plugins/index.php?view=single&id=18123" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "MEHTTPS.exe Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/mailenable_auth_header.rb", "is_install_path": true, "ref_name": "windows/http/mailenable_auth_header", "check": true }, "exploit_windows/http/manage_engine_opmanager_rce": { "name": "ManageEngine OpManager Remote Code Execution", "full_name": "exploit/windows/http/manage_engine_opmanager_rce", "rank": 0, "disclosure_date": "2015-09-14", "type": "exploit", "author": [ "xistence " ], "description": "This module exploits a default credential vulnerability in ManageEngine OpManager, where a\n default hidden account \"IntegrationUser\" with administrator privileges exists. The account\n has a default password of \"plugin\" which cannot be reset through the user interface. By\n logging in and abusing the default administrator's SQL query functionality, it's possible to\n write a WAR payload to disk and trigger an automatic deployment of this payload. 
This\n module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.", "references": [ "EDB-38174", "CVE-2015-7765", "CVE-2015-7766", "URL-http://seclists.org/fulldisclosure/2015/Sep/66", "URL-https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability" ], "is_server": true, "is_client": false, "platform": "Java", "arch": "java", "rport": 80, "targets": [ "ManageEngine OpManager <= v11.6" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/manage_engine_opmanager_rce.rb", "is_install_path": true, "ref_name": "windows/http/manage_engine_opmanager_rce", "check": true }, "exploit_windows/http/manageengine_adshacluster_rce": { "name": "Manage Engine Exchange Reporter Plus Unauthenticated RCE", "full_name": "exploit/windows/http/manageengine_adshacluster_rce", "rank": 600, "disclosure_date": "2018-06-28", "type": "exploit", "author": [ "Kacper Szurek " ], "description": "This module exploits a remote code execution vulnerability that\n exists in Exchange Reporter Plus <= 5310, caused by execution of\n bcp.exe file inside ADSHACluster servlet", "references": [ "URL-https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 8181, "targets": [ "Automatic" ], "mod_time": "2018-07-12 14:27:28 +0000", "path": "/modules/exploits/windows/http/manageengine_adshacluster_rce.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_adshacluster_rce", "check": true }, "exploit_windows/http/manageengine_appmanager_exec": { "name": "ManageEngine Applications Manager Remote Code Execution", "full_name": "exploit/windows/http/manageengine_appmanager_exec", "rank": 600, "disclosure_date": "2018-03-07", "type": "exploit", "author": [ "Mehmet Ince " ], "description": "This module exploits command injection vulnerability in the ManageEngine Application Manager 
product.\n An unauthenticated user can execute an operating system command in the context of a privileged user.\n\n The publicly accessible testCredential.do endpoint takes multiple user inputs and validates the supplied credentials\n by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script\n without validating the user-supplied parameter when the given system is OfficeSharePointServer.", "references": [ "CVE-2018-7890", "BID-103358", "URL-https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/", "URL-https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 9090, "targets": [ "Automatic" ], "mod_time": "2018-03-19 23:27:18 +0000", "path": "/modules/exploits/windows/http/manageengine_appmanager_exec.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_appmanager_exec", "check": true }, "exploit_windows/http/manageengine_apps_mngr": { "name": "ManageEngine Applications Manager Authenticated Code Execution", "full_name": "exploit/windows/http/manageengine_apps_mngr", "rank": 200, "disclosure_date": "2011-04-08", "type": "exploit", "author": [ "Jacob Giannantonio " ], "description": "This module logs into the Manage Engine Applications Manager to upload a\n payload to the file system and a batch script that executes the payload.", "references": [ "EDB-17152" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9090, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/manageengine_apps_mngr.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_apps_mngr", "check": false }, "exploit_windows/http/manageengine_connectionid_write": { "name": "ManageEngine Desktop Central 9 FileUploadServlet 
ConnectionId Vulnerability", "full_name": "exploit/windows/http/manageengine_connectionid_write", "rank": 600, "disclosure_date": "2015-12-14", "type": "exploit", "author": [ "sinn3r " ], "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n inject a null byte at the end of the value to create a malicious file with an arbitrary\n file type, and then place it under a directory that allows server-side scripts to run,\n which results in remote code execution under the context of SYSTEM.\n\n Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n but older ones run on port 8040. Also, using this exploit will leave debugging information\n produced by FileUploadServlet in the file rdslog0.txt on the target.\n\n This exploit was successfully tested on version 9, build 90109 and build 91084.", "references": [ "URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249", "CVE-2015-8249" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8020, "targets": [ "ManageEngine Desktop Central 9 on Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_connectionid_write", "check": true }, "exploit_windows/http/maxdb_webdbm_database": { "name": "MaxDB WebDBM Database Parameter Overflow", "full_name": "exploit/windows/http/maxdb_webdbm_database", "rank": 400, "disclosure_date": "2006-08-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. 
By sending a specially-crafted HTTP request that contains\n an overly long database name, a remote attacker could overflow a buffer\n and execute arbitrary code on the system with the privileges of the wahttp process.\n\n This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.", "references": [ "CVE-2006-4305", "OSVDB-28300", "BID-19660" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9999, "targets": [ "MaxDB 7.6.00.16", "MaxDB 7.6.00.27" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/maxdb_webdbm_database.rb", "is_install_path": true, "ref_name": "windows/http/maxdb_webdbm_database", "check": false }, "exploit_windows/http/maxdb_webdbm_get_overflow": { "name": "MaxDB WebDBM GET Buffer Overflow", "full_name": "exploit/windows/http/maxdb_webdbm_get_overflow", "rank": 400, "disclosure_date": "2005-04-26", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. This service is included with many recent versions\n of the MaxDB and SAPDB products. This particular module is\n capable of exploiting Windows systems through the use of an\n SEH frame overwrite. 
The offset to the SEH frame may change\n depending on where MaxDB has been installed; this module\n assumes a web root path with the same length as:\n\n C:\\Program Files\\sdb\\programs\\web\\Documents", "references": [ "CVE-2005-0684", "OSVDB-15816", "URL-http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities", "BID-13368" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9999, "targets": [ "MaxDB 7.5.00.11 / 7.5.00.24", "Windows 2000 English", "Windows XP English SP0/SP1", "Windows 2003 English", "Windows NT 4.0 SP4/SP5/SP6" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb", "is_install_path": true, "ref_name": "windows/http/maxdb_webdbm_get_overflow", "check": false }, "exploit_windows/http/mcafee_epolicy_source": { "name": "McAfee ePolicy Orchestrator / ProtectionPilot Overflow", "full_name": "exploit/windows/http/mcafee_epolicy_source", "rank": 200, "disclosure_date": "2006-07-17", "type": "exploit", "author": [ "muts ", "xbxice ", "hdm ", "aushack " ], "description": "This is an exploit for the McAfee HTTP Server (NAISERV.exe).\n McAfee ePolicy Orchestrator 2.5.1 through 3.5.0 and ProtectionPilot 1.1.0 are\n known to be vulnerable. By sending a large 'Source' header, the stack can\n be overwritten. 
This module is based on the exploit by xbxice and muts.\n Due to size constraints, this module uses the Egghunter technique.", "references": [ "CVE-2006-5156", "OSVDB-29421", "EDB-2467", "BID-20288" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 81, "targets": [ "Automatic", "ePo 2.5.1 (Service Pack 1)", "ePo 3.5.0/ProtectionPilot 1.1.0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/mcafee_epolicy_source.rb", "is_install_path": true, "ref_name": "windows/http/mcafee_epolicy_source", "check": true }, "exploit_windows/http/mdaemon_worldclient_form2raw": { "name": "MDaemon WorldClient form2raw.cgi Stack Buffer Overflow", "full_name": "exploit/windows/http/mdaemon_worldclient_form2raw", "rank": 500, "disclosure_date": "2003-12-29", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n overflow occurs when an excessively long From field is specified.\n The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n reliable). 
Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n continue to crash/execute the payload until the CGI output is manually deleted\n from the queue in C:\\MDaemon\\RawFiles\\*.raw.", "references": [ "CVE-2003-1200", "OSVDB-3255", "BID-9317" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3000, "targets": [ "Universal MDaemon.exe", "Debugging test" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb", "is_install_path": true, "ref_name": "windows/http/mdaemon_worldclient_form2raw", "check": true }, "exploit_windows/http/minishare_get_overflow": { "name": "Minishare 1.4.1 Buffer Overflow", "full_name": "exploit/windows/http/minishare_get_overflow", "rank": 200, "disclosure_date": "2004-11-07", "type": "exploit", "author": [ "acaro " ], "description": "This is a simple buffer overflow for the minishare web\n server. This flaw affects all versions prior to 1.4.2. This\n is a plain stack buffer overflow that requires a \"jmp esp\" to reach\n the payload, making this difficult to target many platforms\n at once. This module has been successfully tested against\n 1.4.1. 
Version 1.3.4 and below do not seem to be vulnerable.", "references": [ "CVE-2004-2271", "OSVDB-11530", "BID-11620", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "Windows 2000 SP0-SP3 English", "Windows 2000 SP4 English", "Windows XP SP0-SP1 English", "Windows XP SP2 English", "Windows 2003 SP0 English", "Windows 2003 SP1 English", "Windows 2003 SP2 English", "Windows NT 4.0 SP6", "Windows XP SP2 German", "Windows XP SP2 Polish", "Windows XP SP2 French", "Windows XP SP3 French" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/minishare_get_overflow.rb", "is_install_path": true, "ref_name": "windows/http/minishare_get_overflow", "check": false }, "exploit_windows/http/miniweb_upload_wbem": { "name": "MiniWeb (Build 300) Arbitrary File Upload", "full_name": "exploit/windows/http/miniweb_upload_wbem", "rank": 600, "disclosure_date": "2013-04-09", "type": "exploit", "author": [ "AkaStep", "Brendan Coles " ], "description": "This module exploits a vulnerability in MiniWeb HTTP server (build 300).\n The software contains a file upload vulnerability that allows an\n unauthenticated remote attacker to write arbitrary files to the file system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", "references": [ "OSVDB-92198", "OSVDB-92200", "PACKETSTORM-121168" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8000, "targets": [ "MiniWeb build 300 on Windows (Before Vista)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/miniweb_upload_wbem.rb", "is_install_path": true, 
"ref_name": "windows/http/miniweb_upload_wbem", "check": true }, "exploit_windows/http/navicopa_get_overflow": { "name": "NaviCOPA 2.0.1 URL Handling Buffer Overflow", "full_name": "exploit/windows/http/navicopa_get_overflow", "rank": 500, "disclosure_date": "2006-09-28", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", "references": [ "CVE-2006-5112", "OSVDB-29257", "BID-20250" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "NaviCOPA 2.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/navicopa_get_overflow.rb", "is_install_path": true, "ref_name": "windows/http/navicopa_get_overflow", "check": true }, "exploit_windows/http/netdecision_http_bof": { "name": "NetDecision 4.5.1 HTTP Server Buffer Overflow", "full_name": "exploit/windows/http/netdecision_http_bof", "rank": 300, "disclosure_date": "2012-02-24", "type": "exploit", "author": [ "Prabhu S Angadi", "sinn3r " ], "description": "This module exploits a vulnerability found in NetDecision's HTTP service\n (located in C:\\Program Files\\NetDecision\\Bin\\HttpSvr.exe). By supplying a\n long string of data to the URL, an overflow may occur if the data gets handled\n by HTTP Server's active window. 
In other words, remote code execution likely requires that HttpSvr's window be the\n active window on the victim's desktop at the time of the request.", "references": [ "CVE-2012-1465", "OSVDB-79651", "URL-http://secunia.com/advisories/48168/", "URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "NetDecision 4.5.1 on XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/netdecision_http_bof.rb", "is_install_path": true, "ref_name": "windows/http/netdecision_http_bof", "check": true }, "exploit_windows/http/netgear_nms_rce": { "name": "NETGEAR ProSafe Network Management System 300 Arbitrary File Upload", "full_name": "exploit/windows/http/netgear_nms_rce", "rank": 600, "disclosure_date": "2016-02-04", "type": "exploit", "author": [ "Pedro Ribeiro " ], "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file upload vulnerability that can be exploited by an\n unauthenticated remote attacker to execute code as the SYSTEM user.\n Two servlets are vulnerable, FileUploadController (located at\n /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).\n This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and\n 1.1.0.13.", "references": [ "CVE-2016-1525", "US-CERT-VU-777024", "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", "URL-http://seclists.org/fulldisclosure/2016/Feb/30" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8080, "targets": [ "NETGEAR ProSafe Network Management System 300 / Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/netgear_nms_rce.rb", "is_install_path": true, "ref_name": "windows/http/netgear_nms_rce", "check": true }, 
"exploit_windows/http/novell_imanager_upload": { "name": "Novell iManager getMultiPartParameters Arbitrary File Upload", "full_name": "exploit/windows/http/novell_imanager_upload", "rank": 600, "disclosure_date": "2010-10-01", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a directory traversal vulnerability which\n allows remote attackers to upload and execute arbitrary code.\n\n PortalModuleInstallManager", "references": [ "OSVDB-68320", "ZDI-10-190", "URL-http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Universal Windows Target" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/novell_imanager_upload.rb", "is_install_path": true, "ref_name": "windows/http/novell_imanager_upload", "check": false }, "exploit_windows/http/novell_mdm_lfi": { "name": "Novell Zenworks Mobile Management MDM.php Local File Inclusion Vulnerability", "full_name": "exploit/windows/http/novell_mdm_lfi", "rank": 600, "disclosure_date": "2013-03-13", "type": "exploit", "author": [ "steponequit", "Andrea Micalizzi (aka rgod)" ], "description": "This module exercises a vulnerability in Novell Zenworks Mobile Management's Mobile Device Management component\n which can allow unauthenticated remote code execution. 
Due to a flaw in the MDM.php script's input validation,\n remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language'\n parameter of a POST call to DUSAP.php.", "references": [ "CVE-2013-1081", "OSVDB-91119", "ZDI-13-087", "URL-http://www.novell.com/support/kb/doc.php?id=7011895" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Novell Zenworks Mobile Device Management on Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/novell_mdm_lfi.rb", "is_install_path": true, "ref_name": "windows/http/novell_mdm_lfi", "check": true }, "exploit_windows/http/novell_messenger_acceptlang": { "name": "Novell Messenger Server 2.0 Accept-Language Overflow", "full_name": "exploit/windows/http/novell_messenger_acceptlang", "rank": 200, "disclosure_date": "2006-04-13", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in Novell GroupWise\n Messenger Server v2.0. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 16 bytes.\n To overwrite the return address on the stack, we must first\n pass a memcpy() operation that uses pointers we supply. 
Due to the\n large list of restricted characters and the limitations of the current\n encoder modules, very few payloads are usable.", "references": [ "CVE-2006-0992", "OSVDB-24617", "BID-17503" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8300, "targets": [ "Groupwise Messenger DClient.dll v10510.37" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/novell_messenger_acceptlang.rb", "is_install_path": true, "ref_name": "windows/http/novell_messenger_acceptlang", "check": false }, "exploit_windows/http/nowsms": { "name": "Now SMS/MMS Gateway Buffer Overflow", "full_name": "exploit/windows/http/nowsms", "rank": 400, "disclosure_date": "2008-02-19", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2008-0871", "OSVDB-42953", "BID-27896" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8800, "targets": [ "Now SMS/MMS Gateway v2007.06.27" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/nowsms.rb", "is_install_path": true, "ref_name": "windows/http/nowsms", "check": false }, "exploit_windows/http/octopusdeploy_deploy": { "name": "Octopus Deploy Authenticated Code Execution", "full_name": "exploit/windows/http/octopusdeploy_deploy", "rank": 600, "disclosure_date": "2017-05-15", "type": "exploit", "author": [ "James Otten " ], "description": "This module can be used to execute a payload on an Octopus Deploy server given\n valid credentials or an API key. 
The payload is executed as a powershell script step\n on the Octopus Deploy server during a deployment.", "references": [ "URL-https://octopus.com" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows Powershell" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb", "is_install_path": true, "ref_name": "windows/http/octopusdeploy_deploy", "check": true }, "exploit_windows/http/oracle9i_xdb_pass": { "name": "Oracle 9i XDB HTTP PASS Overflow (win32)", "full_name": "exploit/windows/http/oracle9i_xdb_pass", "rank": 500, "disclosure_date": "2003-08-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the authorization\n code of the Oracle 9i HTTP XDB service. David Litchfield,\n has illustrated multiple vulnerabilities in the Oracle\n 9i XML Database (XDB), during a seminar on \"Variations\n in exploit methods between Linux and Windows\" presented\n at the Blackhat conference.", "references": [ "CVE-2003-0727", "OSVDB-2449", "BID-8375", "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Oracle 9.2.0.1 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/oracle9i_xdb_pass.rb", "is_install_path": true, "ref_name": "windows/http/oracle9i_xdb_pass", "check": true }, "exploit_windows/http/oracle_beehive_evaluation": { "name": "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability", "full_name": "exploit/windows/http/oracle_beehive_evaluation", "rank": 600, "disclosure_date": "2010-06-09", "type": "exploit", "author": [ "1c239c43f521145fa8385d64a9c32243", "mr_me ", "sinn3r " ], "description": "This module exploits a vulnerability found in Oracle BeeHive. 
The processEvaluation method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM.", "references": [ "CVE-2010-4417", "ZDI-11-020", "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7777, "targets": [ "Oracle Beehive 2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/oracle_beehive_evaluation.rb", "is_install_path": true, "ref_name": "windows/http/oracle_beehive_evaluation", "check": true }, "exploit_windows/http/oracle_beehive_prepareaudiotoplay": { "name": "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload", "full_name": "exploit/windows/http/oracle_beehive_prepareaudiotoplay", "rank": 600, "disclosure_date": "2015-11-10", "type": "exploit", "author": [ "mr_me ", "sinn3r " ], "description": "This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM. 
Authentication is not\n required to exploit this vulnerability.", "references": [ "ZDI-15-550", "URL-http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7777, "targets": [ "Oracle Beehive 2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/oracle_beehive_prepareaudiotoplay.rb", "is_install_path": true, "ref_name": "windows/http/oracle_beehive_prepareaudiotoplay", "check": true }, "exploit_windows/http/oracle_btm_writetofile": { "name": "Oracle Business Transaction Management FlashTunnelService Remote Code Execution", "full_name": "exploit/windows/http/oracle_btm_writetofile", "rank": 600, "disclosure_date": "2012-08-07", "type": "exploit", "author": [ "rgod ", "sinn3r ", "juan vazquez " ], "description": "This module abuses the FlashTunnelService SOAP web service on Oracle\n Business Transaction Management 12.1.0.7 to upload arbitrary files, without\n authentication, using the WriteToFile method. The same method contains a directory\n traversal vulnerability, which allows the files to be uploaded to arbitrary locations.\n\n In order to execute remote code, two techniques are provided. If the Oracle app has\n been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web\n root. If a new Domain has been used to deploy the Oracle application, the Windows\n Management Instrumentation service can be used to execute arbitrary code.\n\n Both techniques have been successfully tested on default installs of Oracle BTM\n 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. 
Default path traversal depths are\n provided, but the user can configure the traversal depth using the DEPTH option.", "references": [ "OSVDB-85087", "BID-54839", "EDB-20318" ], "is_server": true, "is_client": false, "platform": "Java,Windows", "arch": "", "rport": 7001, "targets": [ "Oracle BTM 12.1.0.7 / Weblogic 12.1.1 with Samples Domain / Java", "Oracle BTM 12.1.0.7 / Windows 2003 SP2 through WMI" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/oracle_btm_writetofile.rb", "is_install_path": true, "ref_name": "windows/http/oracle_btm_writetofile", "check": false }, "exploit_windows/http/oracle_endeca_exec": { "name": "Oracle Endeca Server Remote Command Execution", "full_name": "exploit/windows/http/oracle_endeca_exec", "rank": 600, "disclosure_date": "2013-07-16", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits a command injection vulnerability on the Oracle Endeca\n Server 7.4.0. The vulnerability exists on the createDataStore method from the\n controlSoapBinding web service. The vulnerable method only exists on the 7.4.0\n branch and isn't available on the 7.5.5.1 branch. In addition, the injection\n has been found to be Windows specific. 
This module has been tested successfully\n on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).", "references": [ "CVE-2013-3763", "BID-61217", "OSVDB-95269", "ZDI-13-190", "URL-http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64, x86", "rport": 7770, "targets": [ "Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/oracle_endeca_exec.rb", "is_install_path": true, "ref_name": "windows/http/oracle_endeca_exec", "check": true }, "exploit_windows/http/oracle_event_processing_upload": { "name": "Oracle Event Processing FileUploadServlet Arbitrary File Upload", "full_name": "exploit/windows/http/oracle_event_processing_upload", "rank": 600, "disclosure_date": "2014-04-21", "type": "exploit", "author": [ "rgod ", "juan vazquez " ], "description": "This module exploits an arbitrary file upload vulnerability in Oracle Event Processing\n 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be\n abused to upload a malicious file onto an arbitrary location due to a directory traversal\n flaw, and compromise the server. By default Oracle Event Processing uses a Jetty\n Application Server without JSP support, which limits the attack to WbemExec. 
The current\n WbemExec technique only requires arbitrary write to the file system, but at the moment the\n module only supports Windows 2003 SP2 or older.", "references": [ "CVE-2014-2424", "ZDI-14-106", "BID-66871", "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 9002, "targets": [ "Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/oracle_event_processing_upload.rb", "is_install_path": true, "ref_name": "windows/http/oracle_event_processing_upload", "check": true }, "exploit_windows/http/osb_uname_jlist": { "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", "full_name": "exploit/windows/http/osb_uname_jlist", "rank": 600, "disclosure_date": "2010-07-13", "type": "exploit", "author": [ "MC " ], "description": "This module exploits an authentication bypass vulnerability\n in login.php. 
In conjunction with the authentication bypass issue,\n the 'jlist' parameter in property_box.php can be used to execute\n arbitrary system commands.\n This module was tested against Oracle Secure Backup version 10.3.0.1.0", "references": [ "CVE-2010-0904", "OSVDB-66338", "ZDI-10-118" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 443, "targets": [ "Windows Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/osb_uname_jlist.rb", "is_install_path": true, "ref_name": "windows/http/osb_uname_jlist", "check": false }, "exploit_windows/http/peercast_url": { "name": "PeerCast URL Handling Buffer Overflow", "full_name": "exploit/windows/http/peercast_url", "rank": 200, "disclosure_date": "2006-03-08", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in PeerCast <= v0.1216.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", "references": [ "CVE-2006-1148", "OSVDB-23777", "BID-17040" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7144, "targets": [ "Automatic", "Windows 2000 English SP0-SP4", "Windows 2003 English SP0-SP1", "Windows XP English SP0/SP1", "Windows XP English SP0/SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/peercast_url.rb", "is_install_path": true, "ref_name": "windows/http/peercast_url", "check": false }, "exploit_windows/http/php_apache_request_headers_bof": { "name": "PHP apache_request_headers Function Buffer Overflow", "full_name": "exploit/windows/http/php_apache_request_headers_bof", "rank": 300, "disclosure_date": "2012-05-08", "type": "exploit", "author": [ "Vincent Danen", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow in the CGI version of PHP\n 5.4.x before 5.4.3. 
The vulnerability is due to the insecure handling of the\n HTTP headers.\n\n This module has been tested against the thread safe version of PHP 5.4.2,\n from \"windows.php.net\", running with Apache 2.2.22 from \"apachelounge.com\".", "references": [ "CVE-2012-2329", "OSVDB-82215", "BID-53455", "URL-http://www.php.net/archive/2012.php#id2012-05-08-1", "URL-http://www.php.net/ChangeLog-5.php#5.4.3", "URL-https://bugzilla.redhat.com/show_bug.cgi?id=820000" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/php_apache_request_headers_bof.rb", "is_install_path": true, "ref_name": "windows/http/php_apache_request_headers_bof", "check": false }, "exploit_windows/http/privatewire_gateway": { "name": "Private Wire Gateway Buffer Overflow", "full_name": "exploit/windows/http/privatewire_gateway", "rank": 200, "disclosure_date": "2006-06-26", "type": "exploit", "author": [ "Michael Thumann " ], "description": "This exploits a buffer overflow in the ADMCREG.EXE used\n in the PrivateWire Online Registration Facility.", "references": [ "CVE-2006-3252", "OSVDB-26861", "BID-18647" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 English SP0", "Windows 2000 English SP1", "Windows 2000 English SP2", "Windows 2000 English SP3", "Windows 2000 English SP4", "Windows 2003 English SP0/SP1", "Debugging" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/privatewire_gateway.rb", "is_install_path": true, "ref_name": "windows/http/privatewire_gateway", "check": false }, "exploit_windows/http/psoproxy91_overflow": { "name": "PSO Proxy v0.91 Stack Buffer Overflow", "full_name": "exploit/windows/http/psoproxy91_overflow", "rank": 200, "disclosure_date": "2004-02-20", "type": "exploit", 
"author": [ "aushack " ], "description": "This module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n If a client sends an excessively long string the stack is overwritten.", "references": [ "CVE-2004-0313", "OSVDB-4028", "EDB-156", "BID-9706" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Automatic", "Windows 2000 Pro SP0-4 English", "Windows 2000 Pro SP0-4 French", "Windows 2000 Pro SP0-4 Italian", "Windows XP Pro SP0/1 English", "Windows XP Pro SP2 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/psoproxy91_overflow.rb", "is_install_path": true, "ref_name": "windows/http/psoproxy91_overflow", "check": true }, "exploit_windows/http/rabidhamster_r4_log": { "name": "RabidHamster R4 Log Entry sprintf() Buffer Overflow", "full_name": "exploit/windows/http/rabidhamster_r4_log", "rank": 300, "disclosure_date": "2012-02-09", "type": "exploit", "author": [ "Luigi Auriemma", "sinn3r " ], "description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n By supplying a malformed HTTP request, it is possible to trigger a stack-based\n buffer overflow when generating a log, which may result in arbitrary code\n execution under the context of the user.", "references": [ "OSVDB-79007", "URL-http://aluigi.altervista.org/adv/r4_1-adv.txt", "URL-http://secunia.com/advisories/47901/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8888, "targets": [ "R4 v1.25" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb", "is_install_path": true, "ref_name": "windows/http/rabidhamster_r4_log", "check": true }, "exploit_windows/http/rejetto_hfs_exec": { "name": "Rejetto HttpFileServer Remote Command Execution", "full_name": "exploit/windows/http/rejetto_hfs_exec", "rank": 600, "disclosure_date": "2014-09-11", "type": "exploit", "author": [ "Daniele 
Linguaglossa ", "Muhamad Fadzil Ramli " ], "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.", "references": [ "CVE-2014-6287", "OSVDB-111386", "URL-http://seclists.org/bugtraq/2014/Sep/85", "URL-http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/rejetto_hfs_exec.rb", "is_install_path": true, "ref_name": "windows/http/rejetto_hfs_exec", "check": true }, "exploit_windows/http/sambar6_search_results": { "name": "Sambar 6 Search Results Buffer Overflow", "full_name": "exploit/windows/http/sambar6_search_results", "rank": 300, "disclosure_date": "2003-06-21", "type": "exploit", "author": [ "hdm ", "Andrew Griffiths ", "aushack " ], "description": "This module exploits a buffer overflow found in the\n /search/results.stm application that comes with Sambar 6.\n This code is a direct port of Andrew Griffiths's SMUDGE\n exploit, the only changes made were to the nops and payload.\n This exploit causes the service to die, whether you provided\n the correct target or not.", "references": [ "CVE-2004-2086", "OSVDB-5786", "BID-9607" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Automatic", "Windows 2000", "Windows XP" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/sambar6_search_results.rb", "is_install_path": true, "ref_name": "windows/http/sambar6_search_results", "check": true }, "exploit_windows/http/sap_configservlet_exec_noauth": { "name": "SAP ConfigServlet Remote Code 
Execution", "full_name": "exploit/windows/http/sap_configservlet_exec_noauth", "rank": 500, "disclosure_date": "2012-11-01", "type": "exploit", "author": [ "Dmitry Chastuhin", "Andras Kabai" ], "description": "This module allows remote code execution via operating system commands through the\n SAP ConfigServlet without any authentication. This module has been tested successfully\n with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.", "references": [ "OSVDB-92704", "EDB-24996", "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 50000, "targets": [ "Windows generic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb", "is_install_path": true, "ref_name": "windows/http/sap_configservlet_exec_noauth", "check": true }, "exploit_windows/http/sap_host_control_cmd_exec": { "name": "SAP NetWeaver HostControl Command Injection", "full_name": "exploit/windows/http/sap_host_control_cmd_exec", "rank": 200, "disclosure_date": "2012-08-14", "type": "exploit", "author": [ "Michael Jordon", "juan vazquez " ], "description": "This module exploits a command injection vulnerability in the SAPHostControl\n Service, by sending a specially crafted SOAP request to the management console.\n\n In order to deal with the spaces and length limitations, a WebDAV service is\n created to run an arbitrary payload when accessed as a UNC path. 
Because of this,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n It is enabled and automatically started by default on Windows XP SP3, but disabled\n by default on Windows 2003 SP2.", "references": [ "OSVDB-84821", "URL-http://www.contextis.com/research/blog/sap4/", "URL-https://websmp130.sap-ag.de/sap/support/notes/1341333" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 1128, "targets": [ "SAP NetWeaver 7.02 SP6 / Windows with WebClient enabled" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sap_host_control_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/http/sap_host_control_cmd_exec", "check": true }, "exploit_windows/http/sapdb_webtools": { "name": "SAP DB 7.4 WebTools Buffer Overflow", "full_name": "exploit/windows/http/sapdb_webtools", "rank": 500, "disclosure_date": "2007-07-05", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n By sending an overly long GET request, it may be possible for\n an attacker to execute arbitrary code.", "references": [ "CVE-2007-3614", "OSVDB-37838", "BID-24773" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9999, "targets": [ "SAP DB 7.4 WebTools" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sapdb_webtools.rb", "is_install_path": true, "ref_name": "windows/http/sapdb_webtools", "check": false }, "exploit_windows/http/savant_31_overflow": { "name": "Savant 3.1 Web Server Overflow", "full_name": "exploit/windows/http/savant_31_overflow", "rank": 500, "disclosure_date": "2002-09-10", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n supports a maximum of 10 threads (for a default install). 
Each exploit attempt\n generally causes a thread to die whether successful or not. Therefore, in a default\n configuration, you only have 10 chances.\n\n Due to the limited space available for the payload in this exploit module, use of the\n \"ord\" payloads is recommended.", "references": [ "CVE-2002-1120", "OSVDB-9829", "BID-5686", "EDB-787" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Universal Savant.exe", "Windows 2000 Pro All - English", "Windows 2000 Pro All - Italian", "Windows 2000 Pro All - French", "Windows XP Pro SP2 - English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/savant_31_overflow.rb", "is_install_path": true, "ref_name": "windows/http/savant_31_overflow", "check": true }, "exploit_windows/http/sepm_auth_bypass_rce": { "name": "Symantec Endpoint Protection Manager Authentication Bypass and Code Execution", "full_name": "exploit/windows/http/sepm_auth_bypass_rce", "rank": 600, "disclosure_date": "2015-07-31", "type": "exploit", "author": [ "Markus Wulftange", "bperry" ], "description": "This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager\n in order to achieve a remote shell on the box as NT AUTHORITY\\SYSTEM. 
The vulnerabilities\n include an authentication bypass, a directory traversal and a privilege escalation to\n get privileged code execution.", "references": [ "CVE-2015-1486", "CVE-2015-1487", "CVE-2015-1489", "URL-http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8443, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sepm_auth_bypass_rce.rb", "is_install_path": true, "ref_name": "windows/http/sepm_auth_bypass_rce", "check": false }, "exploit_windows/http/serviio_checkstreamurl_cmd_exec": { "name": "Serviio Media Server checkStreamUrl Command Execution", "full_name": "exploit/windows/http/serviio_checkstreamurl_cmd_exec", "rank": 600, "disclosure_date": "2017-05-03", "type": "exploit", "author": [ "Gjoko Krstic(LiquidWorm) ", "Brendan Coles " ], "description": "This module exploits an unauthenticated remote command execution vulnerability\n in the console component of Serviio Media Server versions 1.4 to 1.8 on\n Windows operating systems.\n\n The console service (on port 23423 by default) exposes a REST API which\n does not require authentication.\n\n The 'action' API endpoint does not sufficiently sanitize user-supplied data\n in the 'VIDEO' parameter of the 'checkStreamUrl' method. 
This parameter is\n used in a call to cmd.exe resulting in execution of arbitrary commands.\n\n This module has been tested successfully on Serviio Media Server versions\n 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.", "references": [ "OSVDB-41961", "PACKETSTORM-142387", "URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php", "URL-https://blogs.securiteam.com/index.php/archives/3094" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 23423, "targets": [ "Automatic Targeting" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/http/serviio_checkstreamurl_cmd_exec", "check": true }, "exploit_windows/http/servu_session_cookie": { "name": "Rhinosoft Serv-U Session Cookie Buffer Overflow", "full_name": "exploit/windows/http/servu_session_cookie", "rank": 400, "disclosure_date": "2009-11-01", "type": "exploit", "author": [ "Nikolas Rangos ", "M.Yanagishita ", "jduck " ], "description": "This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n Sending a specially crafted POST request with an overly long session cookie\n string, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2009-4006", "OSVDB-59772", "URL-http://rangos.de/ServU-ADV.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2003 SP2 English (NX)", "Windows 2000 SP4 and XP SP3 English (SEH)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/servu_session_cookie.rb", "is_install_path": true, "ref_name": "windows/http/servu_session_cookie", "check": true }, "exploit_windows/http/shoutcast_format": { "name": "SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow", "full_name": "exploit/windows/http/shoutcast_format", "rank": 200, "disclosure_date": "2004-12-23", "type": "exploit", "author": [ "MC ", "mandragore 
" ], "description": "This module exploits a format string vulnerability in the\n Nullsoft SHOUTcast server for Windows. The vulnerability is\n triggered by requesting a file path that contains format\n string specifiers. This vulnerability was discovered by\n Tomasz Trojanowski and Damian Put.", "references": [ "CVE-2004-1373", "OSVDB-12585", "BID-12096" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8000, "targets": [ "Automatic", "Windows NT SP5/SP6a English", "Windows 2000 English ALL", "Windows XP Pro SP0/SP1 English", "Windows 2003 Server English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/shoutcast_format.rb", "is_install_path": true, "ref_name": "windows/http/shoutcast_format", "check": true }, "exploit_windows/http/shttpd_post": { "name": "SHTTPD URI-Encoded POST Request Overflow", "full_name": "exploit/windows/http/shttpd_post", "rank": 200, "disclosure_date": "2006-10-06", "type": "exploit", "author": [ "LMH ", "hdm ", "skOd" ], "description": "This module exploits a stack buffer overflow in SHTTPD <= 1.34.\n The vulnerability is caused due to a boundary error within the\n handling of POST requests. 
Based on an original exploit by skOd\n but using a different method found by hdm.", "references": [ "CVE-2006-5216", "OSVDB-29565", "URL-http://shttpd.sourceforge.net", "BID-20393" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "Windows NT English SP5-SP6", "Windows 2000 Spanish SP4", "Windows 2000 French SP4", "Windows 2000 English SP0-SP4", "Windows 2000 French SP0-SP4", "Windows 2003 Server English SP0-SP1", "Windows XP German SP2", "Windows XP German SP1", "Windows XP English SP2", "Windows XP English SP0-SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/shttpd_post.rb", "is_install_path": true, "ref_name": "windows/http/shttpd_post", "check": false }, "exploit_windows/http/solarwinds_fsm_userlogin": { "name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability", "full_name": "exploit/windows/http/solarwinds_fsm_userlogin", "rank": 600, "disclosure_date": "2015-03-13", "type": "exploit", "author": [ "rgod", "mr_me ", "sinn3r " ], "description": "This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager\n 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface\n due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set\n the 'username' attribute before authentication. The second problem is that the settings-new.jsp\n file will only check the 'username' attribute before authorizing the 'uploadFile' action,\n which can be exploited and allows the attacker to upload a fake xls host list file to the\n server, and results in arbitrary code execution under the context of SYSTEM.\n\n Depending on the installation, by default the Change Advisor web server is listening on port\n 48080 for an express install. 
Otherwise, this service may appear on port 8080.\n\n Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip, noted in the\n references for this module.", "references": [ "CVE-2015-2284", "OSVDB-81634", "ZDI-15-107", "URL-http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 48080, "targets": [ "Solarwinds Firewall Security Manager 6.6.5" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb", "is_install_path": true, "ref_name": "windows/http/solarwinds_fsm_userlogin", "check": true }, "exploit_windows/http/solarwinds_storage_manager_sql": { "name": "Solarwinds Storage Manager 5.1.0 SQL Injection", "full_name": "exploit/windows/http/solarwinds_storage_manager_sql", "rank": 600, "disclosure_date": "2011-12-07", "type": "exploit", "author": [ "r ", "muts", "sinn3r " ], "description": "This module exploits a SQL injection found in Solarwinds Storage Manager\n login interface. 
It will send a malicious SQL query to create a JSP file\n under the web root directory, and then let it download and execute our malicious\n executable under the context of SYSTEM.", "references": [ "OSVDB-81634", "EDB-18818", "URL-http://ddilabs.blogspot.com/2012/02/solarwinds-storage-manager-server-sql.html", "URL-http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 9000, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb", "is_install_path": true, "ref_name": "windows/http/solarwinds_storage_manager_sql", "check": true }, "exploit_windows/http/sonicwall_scrutinizer_sqli": { "name": "Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection", "full_name": "exploit/windows/http/sonicwall_scrutinizer_sqli", "rank": 600, "disclosure_date": "2012-07-22", "type": "exploit", "author": [ "muts", "Devon Kearns", "sinn3r " ], "description": "This module exploits a vulnerability found in Dell SonicWall Scrutinizer.\n While handling the 'q' parameter, the PHP application does not properly filter\n the user-supplied data, which can be manipulated to inject SQL commands, and\n then gain remote code execution. 
Please note that authentication is NOT needed\n to exploit this vulnerability.", "references": [ "CVE-2012-2962", "OSVDB-84232", "EDB-20033", "BID-54625", "URL-http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf" ], "is_server": true, "is_client": false, "platform": "PHP", "arch": "php", "rport": 80, "targets": [ "Dell SonicWall Scrutinizer 9.5.1 or older" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb", "is_install_path": true, "ref_name": "windows/http/sonicwall_scrutinizer_sqli", "check": true }, "exploit_windows/http/steamcast_useragent": { "name": "Streamcast HTTP User-Agent Buffer Overflow", "full_name": "exploit/windows/http/steamcast_useragent", "rank": 200, "disclosure_date": "2008-01-24", "type": "exploit", "author": [ "LSO ", "aushack " ], "description": "This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending\n an overly long User-Agent in an HTTP GET request, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2008-0550", "OSVDB-42670", "URL-http://aluigi.altervista.org/adv/steamcazz-adv.txt", "BID-33898" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8000, "targets": [ "Windows 2000 Pro English All", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/steamcast_useragent.rb", "is_install_path": true, "ref_name": "windows/http/steamcast_useragent", "check": true }, "exploit_windows/http/sws_connection_bof": { "name": "Simple Web Server Connection Header Buffer Overflow", "full_name": "exploit/windows/http/sws_connection_bof", "rank": 300, "disclosure_date": "2012-07-20", "type": "exploit", "author": [ "mr.pr0n", "juan vazquez " ], "description": "This module exploits a vulnerability in Simple Web Server 2.2 rc2. 
A remote user\n can send a long string in the Connection Header to cause an overflow on the\n stack when function vsprintf() is used, and gain arbitrary code execution. The\n module has been tested successfully on Windows 7 SP1 and Windows XP SP3.", "references": [ "OSVDB-84310", "EDB-19937", "URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sws_connection_bof.rb", "is_install_path": true, "ref_name": "windows/http/sws_connection_bof", "check": true }, "exploit_windows/http/sybase_easerver": { "name": "Sybase EAServer 5.2 Remote Stack Buffer Overflow", "full_name": "exploit/windows/http/sybase_easerver", "rank": 200, "disclosure_date": "2005-07-25", "type": "exploit", "author": [ "Unknown" ], "description": "This module exploits a stack buffer overflow in the Sybase EAServer Web\n Console. 
The offset to the SEH frame appears to change depending\n on what version of Java is in use by the remote server, making this\n exploit somewhat unreliable.", "references": [ "CVE-2005-2297", "OSVDB-17996", "BID-14287" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Automatic", "Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11", "Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?", "Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06", "Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sybase_easerver.rb", "is_install_path": true, "ref_name": "windows/http/sybase_easerver", "check": false }, "exploit_windows/http/syncbreeze_bof": { "name": "Sync Breeze Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/syncbreeze_bof", "rank": 500, "disclosure_date": "2017-03-15", "type": "exploit", "author": [ "Daniel Teixeira", "Andrew Smith", "Owais Mehtab", "Milton Valencia (wetw0rk)" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,\n and v10.1.16, caused by improper bounds checking of the request in\n HTTP GET and POST requests sent to the built-in web server. 
This\n module has been tested successfully on Windows 7 SP1 x86.", "references": [ "CVE-2017-14980" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "Sync Breeze Enterprise v9.4.28", "Sync Breeze Enterprise v10.0.28", "Sync Breeze Enterprise v10.1.16" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/syncbreeze_bof.rb", "is_install_path": true, "ref_name": "windows/http/syncbreeze_bof", "check": true }, "exploit_windows/http/sysax_create_folder": { "name": "Sysax Multi Server 5.64 Create Folder Buffer Overflow", "full_name": "exploit/windows/http/sysax_create_folder", "rank": 300, "disclosure_date": "2012-07-29", "type": "exploit", "author": [ "Craig Freyman", "Matt \"hostess\" Andreko" ], "description": "This module exploits a stack buffer overflow in the create folder function in\n Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the\n vulnerability valid credentials with the create folder permission must be provided.\n The HTTP option must be enabled on Sysax too.\n\n This module will log into the server, get a SID token, find the root folder, and\n then proceed to exploit the server. 
Successful exploits result in SYSTEM access.\n This exploit works on XP SP3, and Server 2003 SP1-SP2.", "references": [ "CVE-2012-6530", "OSVDB-82329", "EDB-20676", "EDB-18420", "URL-http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html", "URL-http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP3 / Sysax Multi Server 5.64", "Windows 2003 SP1-SP2 / Sysax Multi Server 5.64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/sysax_create_folder.rb", "is_install_path": true, "ref_name": "windows/http/sysax_create_folder", "check": false }, "exploit_windows/http/trackercam_phparg_overflow": { "name": "TrackerCam PHP Argument Buffer Overflow", "full_name": "exploit/windows/http/trackercam_phparg_overflow", "rank": 200, "disclosure_date": "2005-02-18", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a simple stack buffer overflow in the\n TrackerCam web server. All current versions of this software\n are vulnerable to a large number of security issues. This\n module abuses the directory traversal flaw to gain\n information about the system and then uses the PHP overflow\n to execute arbitrary code.", "references": [ "CVE-2005-0478", "OSVDB-13953", "OSVDB-13955", "BID-12592", "URL-http://aluigi.altervista.org/adv/tcambof-adv.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8090, "targets": [ "Windows 2000 English", "Windows XP English SP0/SP1", "Windows NT 4.0 SP4/SP5/SP6" ], "mod_time": "2017-08-14 01:40:17 +0000", "path": "/modules/exploits/windows/http/trackercam_phparg_overflow.rb", "is_install_path": true, "ref_name": "windows/http/trackercam_phparg_overflow", "check": true }, "exploit_windows/http/trackit_file_upload": { "name": "Numara / BMC Track-It! 
FileStorageService Arbitrary File Upload", "full_name": "exploit/windows/http/trackit_file_upload", "rank": 600, "disclosure_date": "2014-10-07", "type": "exploit", "author": [ "Pedro Ribeiro " ], "description": "This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!\n v8 to v11.X.\n The application exposes the FileStorageService .NET remoting service on port 9010\n (9004 for version 8) which accepts unauthenticated uploads. This can be abused by\n a malicious user to upload an ASP or ASPX file to the web root leading to arbitrary\n code execution as NETWORK SERVICE or SYSTEM.\n This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,\n 10.0.0.143, 9.0.30.248 and 8.0.2.51.", "references": [ "CVE-2014-4872", "OSVDB-112741", "US-CERT-VU-121036", "URL-http://seclists.org/fulldisclosure/2014/Oct/34" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 80, "targets": [ "Numara / BMC Track-It! v9 to v11.X - Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/trackit_file_upload.rb", "is_install_path": true, "ref_name": "windows/http/trackit_file_upload", "check": true }, "exploit_windows/http/trendmicro_officescan": { "name": "Trend Micro OfficeScan Remote Stack Buffer Overflow", "full_name": "exploit/windows/http/trendmicro_officescan", "rank": 400, "disclosure_date": "2007-06-28", "type": "exploit", "author": [ "toto" ], "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n cgiChkMasterPwd.exe (running with SYSTEM privileges).", "references": [ "CVE-2008-1365", "OSVDB-42499" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/trendmicro_officescan.rb", "is_install_path": true, "ref_name": 
"windows/http/trendmicro_officescan", "check": false }, "exploit_windows/http/trendmicro_officescan_widget_exec": { "name": "Trend Micro OfficeScan Remote Code Execution", "full_name": "exploit/windows/http/trendmicro_officescan_widget_exec", "rank": 600, "disclosure_date": "2017-10-07", "type": "exploit", "author": [ "mr_me ", "Mehmet Ince " ], "description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product\n has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which\n leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process\n does not properly validate a user-supplied string before using it to execute a system call. 
Due to the combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.", "references": [ "CVE-2017-11394", "URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/", "URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 443, "targets": [ "Automatic Targeting", "OfficeScan 11", "OfficeScan XG" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/http/trendmicro_officescan_widget_exec.rb", "is_install_path": true, "ref_name": "windows/http/trendmicro_officescan_widget_exec", "check": true }, "exploit_windows/http/ultraminihttp_bof": { "name": "Ultra Mini HTTPD Stack Buffer Overflow", "full_name": "exploit/windows/http/ultraminihttp_bof", "rank": 300, "disclosure_date": "2013-07-10", "type": "exploit", "author": [ "superkojiman", "PsychoSpy ", "OJ Reeves " ], "description": "This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21,\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\n request. This exploit has to deal with the fact that the application's request handler\n thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates\n some RWX memory, copies the payload to it and creates another thread. 
When done, it\n terminates the current thread so that it doesn't crash and hence doesn't bring down\n the process with it.", "references": [ "OSVDB-95164", "EDB-26739", "CVE-2013-5019", "BID-61130" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "v1.21 - Windows Server 2000", "v1.21 - Windows XP SP0", "v1.21 - Windows XP SP2/SP3", "v1.21 - Windows Server 2003 (Enterprise)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/ultraminihttp_bof.rb", "is_install_path": true, "ref_name": "windows/http/ultraminihttp_bof", "check": false }, "exploit_windows/http/umbraco_upload_aspx": { "name": "Umbraco CMS Remote Command Execution", "full_name": "exploit/windows/http/umbraco_upload_aspx", "rank": 600, "disclosure_date": "2012-06-28", "type": "exploit", "author": [ "Toby Clarke", "juan vazquez " ], "description": "This module can be used to execute a payload on Umbraco CMS 4.7.0.378.\n The payload is uploaded as an ASPX script by sending a specially crafted\n SOAP request to codeEditorSave.asmx, which permits unauthorized file upload\n via the SaveDLRScript operation. SaveDLRScript is also subject to a path\n traversal vulnerability, allowing code to be placed into the web-accessible\n /umbraco/ directory.\n\n The module writes, executes and then overwrites an ASPX script; note that\n though the script content is removed, the file remains on the target. Automatic\n cleanup of the file is intended if a meterpreter payload is used.\n\n This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows\n 7 32-bit SP1. 
In this scenario, the \"IIS APPPOOL\\ASP.NET v4.0\" user must have\n write permissions on the Windows Temp folder.", "references": [ "OSVDB-83765", "EDB-19671", "URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html", "URL-http://umbraco.codeplex.com/workitem/18192" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/http/umbraco_upload_aspx.rb", "is_install_path": true, "ref_name": "windows/http/umbraco_upload_aspx", "check": false }, "exploit_windows/http/vmware_vcenter_chargeback_upload": { "name": "VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload", "full_name": "exploit/windows/http/vmware_vcenter_chargeback_upload", "rank": 600, "disclosure_date": "2013-05-15", "type": "exploit", "author": [ "Andrea Micalizzi", "juan vazquez " ], "description": "This module exploits a code execution flaw in VMware vCenter Chargeback Manager,\n where the ImageUploadServlet servlet allows unauthenticated file upload. 
The files\n are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.\n The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1\n on Windows 2003 SP2.", "references": [ "CVE-2013-3520", "OSVDB-94188", "BID-60484", "ZDI-13-147" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 443, "targets": [ "VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb", "is_install_path": true, "ref_name": "windows/http/vmware_vcenter_chargeback_upload", "check": true }, "exploit_windows/http/vxsrchs_bof": { "name": "VX Search Enterprise GET Buffer Overflow", "full_name": "exploit/windows/http/vxsrchs_bof", "rank": 500, "disclosure_date": "2017-03-15", "type": "exploit", "author": [ "Daniel Teixeira" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "VX Search Enterprise v9.5.12" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/vxsrchs_bof.rb", "is_install_path": true, "ref_name": "windows/http/vxsrchs_bof", "check": true }, "exploit_windows/http/webster_http": { "name": "Webster HTTP Server GET Buffer Overflow", "full_name": "exploit/windows/http/webster_http", "rank": 200, "disclosure_date": "2002-12-02", "type": "exploit", "author": [ "aushack " ], "description": "This exploits a stack buffer overflow in the Webster HTTP server.\n The server and source code was released within an article from\n the Microsoft Systems Journal in February 1996 titled \"Write a\n Simple HTTP-based Server Using MFC and Windows Sockets\".", "references": [ "CVE-2002-2268", "OSVDB-44106", "BID-6289", "URL-http://www.microsoft.com/msj/archive/s25f.aspx", "URL-http://www.netdave.com/webster/webster.htm" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows XP SP0", "Debug" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/webster_http.rb", "is_install_path": true, "ref_name": "windows/http/webster_http", "check": false }, "exploit_windows/http/xampp_webdav_upload_php": { "name": "XAMPP WebDAV PHP Upload", "full_name": "exploit/windows/http/xampp_webdav_upload_php", "rank": 600, "disclosure_date": "2012-01-14", "type": "exploit", "author": [ "theLightCosine " ], "description": "This module exploits weak WebDAV passwords on XAMPP servers.\n It uses supplied credentials to upload a PHP payload and\n execute it.", "references": [ ], "is_server": true, "is_client": false, "platform": "PHP", "arch": "php", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/http/xampp_webdav_upload_php.rb", "is_install_path": true, "ref_name": "windows/http/xampp_webdav_upload_php", "check": false }, "exploit_windows/http/xitami_if_mod_since": { "name": "Xitami 2.5c2 Web Server If-Modified-Since Overflow", "full_name": "exploit/windows/http/xitami_if_mod_since", "rank": 200, "disclosure_date": "2007-09-24", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in the iMatix Corporation\n Xitami Web Server. If a malicious user sends an If-Modified-Since\n header containing an overly long string, it may be possible to\n execute a payload remotely. Due to size constraints, this module uses\n the Egghunter technique.", "references": [ "CVE-2007-5067", "OSVDB-40594", "OSVDB-40595", "BID-25772", "EDB-4450" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "xigui32.exe Universal", "xitami.exe Universal" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/http/xitami_if_mod_since.rb", "is_install_path": true, "ref_name": "windows/http/xitami_if_mod_since", "check": true }, "exploit_windows/http/zenworks_assetmgmt_uploadservlet": { "name": "Novell ZENworks Asset Management Remote Execution", "full_name": "exploit/windows/http/zenworks_assetmgmt_uploadservlet", "rank": 600, "disclosure_date": "2011-11-02", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a path traversal flaw in Novell ZENworks Asset Management\n 7.5. 
By exploiting the CatchFileServlet, an attacker can upload a malicious file\n outside of the MalibuUploadDirectory and then make a secondary request that allows\n for arbitrary code execution.", "references": [ "CVE-2011-2653", "OSVDB-77583", "BID-50966", "ZDI-11-342", "URL-http://download.novell.com/Download?buildid=hPvHtXeNmCU~" ], "is_server": true, "is_client": false, "platform": "Java", "arch": "", "rport": 8080, "targets": [ "Java Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb", "is_install_path": true, "ref_name": "windows/http/zenworks_assetmgmt_uploadservlet", "check": false }, "exploit_windows/http/zenworks_uploadservlet": { "name": "Novell ZENworks Configuration Management Remote Execution", "full_name": "exploit/windows/http/zenworks_uploadservlet", "rank": 600, "disclosure_date": "2010-03-30", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n and then make a secondary request that allows for arbitrary code execution.", "references": [ "CVE-2010-5324", "OSVDB-63412", "BID-39114", "ZDI-10-078", "URL-http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html", "URL-http://www.novell.com/support/kb/doc.php?id=7005573" ], "is_server": true, "is_client": false, "platform": "Java,Linux,Windows", "arch": "", "rport": 80, "targets": [ "Java Universal", "Windows x86", "Linux x86" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/http/zenworks_uploadservlet.rb", "is_install_path": true, "ref_name": "windows/http/zenworks_uploadservlet", "check": false }, "exploit_windows/iis/iis_webdav_scstoragepathfromurl": { "name": " Microsoft IIS WebDav ScStoragePathFromUrl Overflow", "full_name": "exploit/windows/iis/iis_webdav_scstoragepathfromurl", 
"rank": 0, "disclosure_date": "2017-03-26", "type": "exploit", "author": [ "Zhiniang Peng", "Chen Wu", "Dominic Chell ", "firefart", "zcgonvh ", "Rich Whitcroft", "Lincoln" ], "description": "Buffer overflow in the ScStoragePathFromUrl function\n in the WebDAV service in Internet Information Services (IIS) 6.0\n in Microsoft Windows Server 2003 R2 allows remote attackers to\n execute arbitrary code via a long header beginning with\n \"If: " ], "description": "This module can be used to execute a payload on IIS servers that\n have world-writeable directories. The payload is uploaded as an ASP\n script via a WebDAV PUT request.\n\n The target IIS machine must meet these conditions to be considered\n as exploitable: It allows 'Script resource access', Read and Write\n permission, and supports ASP.", "references": [ "OSVDB-397", "BID-12141" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/iis/iis_webdav_upload_asp.rb", "is_install_path": true, "ref_name": "windows/iis/iis_webdav_upload_asp", "check": false }, "exploit_windows/iis/ms01_023_printer": { "name": "MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow", "full_name": "exploit/windows/iis/ms01_023_printer", "rank": 400, "disclosure_date": "2001-05-01", "type": "exploit", "author": [ "hdm " ], "description": "This exploits a buffer overflow in the request processor of\n the Internet Printing Protocol ISAPI module in IIS. This\n module works against Windows 2000 service pack 0 and 1. 
If\n the service stops responding after a successful compromise,\n run the exploit a couple more times to completely kill the\n hung process.", "references": [ "CVE-2001-0241", "OSVDB-3323", "BID-2674", "MSB-MS01-023", "URL-http://seclists.org/lists/bugtraq/2001/May/0005.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 English SP0-SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/iis/ms01_023_printer.rb", "is_install_path": true, "ref_name": "windows/iis/ms01_023_printer", "check": true }, "exploit_windows/iis/ms01_026_dbldecode": { "name": "MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution", "full_name": "exploit/windows/iis/ms01_026_dbldecode", "rank": 600, "disclosure_date": "2001-05-15", "type": "exploit", "author": [ "jduck " ], "description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n NOTE: This module will leave a metasploit payload in the IIS scripts directory.", "references": [ "CVE-2001-0333", "OSVDB-556", "BID-2708", "MSB-MS01-026", "URL-http://marc.info/?l=bugtraq&m=98992056521300&w=2" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb", "is_install_path": true, "ref_name": "windows/iis/ms01_026_dbldecode", "check": true }, "exploit_windows/iis/ms01_033_idq": { "name": "MS01-033 Microsoft IIS 5.0 IDQ Path Overflow", "full_name": "exploit/windows/iis/ms01_033_idq", "rank": 400, "disclosure_date": "2001-06-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the IDQ ISAPI handler for\n Microsoft Index Server.", "references": [ "CVE-2001-0500", "OSVDB-568", "MSB-MS01-033", "BID-2880" ], "is_server": 
true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 Pro English SP0", "Windows 2000 Pro English SP1-SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/iis/ms01_033_idq.rb", "is_install_path": true, "ref_name": "windows/iis/ms01_033_idq", "check": false }, "exploit_windows/iis/ms02_018_htr": { "name": "MS02-018 Microsoft IIS 4.0 .HTR Path Overflow", "full_name": "exploit/windows/iis/ms02_018_htr", "rank": 400, "disclosure_date": "2002-04-10", "type": "exploit", "author": [ "stinko " ], "description": "This exploits a buffer overflow in the ISAPI ISM.DLL used to\n process HTR scripting in IIS 4.0. This module works against\n Windows NT 4 Service Packs 3, 4, and 5. The server will\n continue to process requests until the payload being\n executed has exited. If you've set EXITFUNC to 'seh', the\n server will continue processing requests, but you will have\n trouble terminating a bind shell. If you set EXITFUNC to\n thread, the server will crash upon exit of the bind shell.\n The payload is alpha-numerically encoded without a NOP sled\n because otherwise the data gets mangled by the filters.", "references": [ "CVE-1999-0874", "OSVDB-3325", "BID-307", "URL-http://www.eeye.com/html/research/advisories/AD19990608.html", "MSB-MS02-018" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows NT 4.0 SP3", "Windows NT 4.0 SP4", "Windows NT 4.0 SP5" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/iis/ms02_018_htr.rb", "is_install_path": true, "ref_name": "windows/iis/ms02_018_htr", "check": false }, "exploit_windows/iis/ms02_065_msadc": { "name": "MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow", "full_name": "exploit/windows/iis/ms02_065_msadc", "rank": 300, "disclosure_date": "2002-11-20", "type": "exploit", "author": [ "aushack " ], "description": "This module can be used to execute 
arbitrary code on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service. The service is\n exploitable even when RDS is configured to deny remote connections\n (handsafe.reg). The service is vulnerable to a heap overflow where\n the RDS DataStub 'Content-Type' string is overly long. Microsoft Data\n Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.", "references": [ "OSVDB-14502", "BID-6214", "CVE-2002-1142", "MSB-MS02-065", "URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 Pro English SP0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/iis/ms02_065_msadc.rb", "is_install_path": true, "ref_name": "windows/iis/ms02_065_msadc", "check": true }, "exploit_windows/iis/ms03_007_ntdll_webdav": { "name": "MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow", "full_name": "exploit/windows/iis/ms03_007_ntdll_webdav", "rank": 500, "disclosure_date": "2003-05-30", "type": "exploit", "author": [ "hdm " ], "description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n through the SEARCH WebDAV method in IIS. This particular\n module only works against Windows 2000. 
It should have a\n reasonable chance of success against any service pack.", "references": [ "CVE-2003-0109", "OSVDB-4467", "BID-7116", "MSB-MS03-007" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Brute Force" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb", "is_install_path": true, "ref_name": "windows/iis/ms03_007_ntdll_webdav", "check": true }, "exploit_windows/iis/msadc": { "name": "MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution", "full_name": "exploit/windows/iis/msadc", "rank": 600, "disclosure_date": "1998-07-17", "type": "exploit", "author": [ "aushack " ], "description": "This module can be used to execute arbitrary commands on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj\n or AdvancedDataFactory to inject shell commands into Microsoft Access\n databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).\n Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively\n used in the wild in the late Nineties. MDAC versions affected include MDAC\n 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS\n installed, and NT4 Servers with the NT Option Pack installed or upgraded\n 2000 systems often running IIS3/4/5; however, some vulnerable installations\n can still be found on newer Windows operating systems. Note that newer\n releases of msadcs.dll can still be abused; however, by default remote\n connections to the RDS are denied. Consider using VERBOSE if you're unable\n to successfully execute a command, as the error messages are detailed\n and useful for debugging. 
Also set NAME to obtain the remote hostname,\n and METHOD to use the alternative VbBusObj technique.", "references": [ "OSVDB-272", "BID-529", "CVE-1999-1011", "MSB-MS98-004", "MSB-MS99-025" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/iis/msadc.rb", "is_install_path": true, "ref_name": "windows/iis/msadc", "check": true }, "exploit_windows/imap/eudora_list": { "name": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", "full_name": "exploit/windows/imap/eudora_list", "rank": 500, "disclosure_date": "2005-12-20", "type": "exploit", "author": [ "MC ", "jduck " ], "description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. You may be limited to\n only one attempt, so choose wisely!", "references": [ "CVE-2005-4267", "OSVDB-22097", "BID-15980" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Automatic", "WorldMail 3 Version 6.1.19.0", "WorldMail 3 Version 6.1.20.0", "WorldMail 3 Version 6.1.22.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/eudora_list.rb", "is_install_path": true, "ref_name": "windows/imap/eudora_list", "check": true }, "exploit_windows/imap/imail_delete": { "name": "IMail IMAP4D Delete Overflow", "full_name": "exploit/windows/imap/imail_delete", "rank": 200, "disclosure_date": "2004-11-12", "type": "exploit", "author": [ "spoonm " ], "description": "This module exploits a buffer overflow in the 'DELETE'\n command of the IMail IMAP4D service. 
This vulnerability\n can only be exploited with a valid username and password.\n This flaw was patched in version 8.14.", "references": [ "CVE-2004-1520", "OSVDB-11838", "BID-11675" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows XP sp0 comctl32.dll" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/imap/imail_delete.rb", "is_install_path": true, "ref_name": "windows/imap/imail_delete", "check": false }, "exploit_windows/imap/ipswitch_search": { "name": "Ipswitch IMail IMAP SEARCH Buffer Overflow", "full_name": "exploit/windows/imap/ipswitch_search", "rank": 200, "disclosure_date": "2007-07-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.\n In order for this module to be successful, the IMAP user must have at least one\n message.", "references": [ "CVE-2007-3925", "OSVDB-36219", "BID-24962" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 Pro SP4 English", "Windows 2003 SP0 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/ipswitch_search.rb", "is_install_path": true, "ref_name": "windows/imap/ipswitch_search", "check": false }, "exploit_windows/imap/mailenable_login": { "name": "MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow", "full_name": "exploit/windows/imap/mailenable_login", "rank": 500, "disclosure_date": "2006-12-11", "type": "exploit", "author": [ "MC " ], "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the Login command.", "references": [ "CVE-2006-6423", "OSVDB-32125", "BID-21492" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ 
"MailEnable 2.35 Pro", "MailEnable 2.34 Pro" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mailenable_login.rb", "is_install_path": true, "ref_name": "windows/imap/mailenable_login", "check": false }, "exploit_windows/imap/mailenable_status": { "name": "MailEnable IMAPD (1.54) STATUS Request Buffer Overflow", "full_name": "exploit/windows/imap/mailenable_status", "rank": 500, "disclosure_date": "2005-07-13", "type": "exploit", "author": [ "MC " ], "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the STATUS command. With proper\n credentials, this could allow for the execution of arbitrary\n code.", "references": [ "CVE-2005-2278", "OSVDB-17844", "BID-14243", "URL-http://www.nessus.org/plugins/index.php?view=single&id=19193" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "MailEnable 1.54 Pro Universal", "Windows XP Pro SP0/SP1 English", "Windows 2000 Pro English ALL", "Windows 2003 Server English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mailenable_status.rb", "is_install_path": true, "ref_name": "windows/imap/mailenable_status", "check": false }, "exploit_windows/imap/mailenable_w3c_select": { "name": "MailEnable IMAPD W3C Logging Buffer Overflow", "full_name": "exploit/windows/imap/mailenable_w3c_select", "rank": 500, "disclosure_date": "2005-10-03", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. 
MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.", "references": [ "CVE-2005-3155", "OSVDB-19842", "BID-15006" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "MailEnable 1.54 Pro Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mailenable_w3c_select.rb", "is_install_path": true, "ref_name": "windows/imap/mailenable_w3c_select", "check": true }, "exploit_windows/imap/mdaemon_cram_md5": { "name": "Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow", "full_name": "exploit/windows/imap/mdaemon_cram_md5", "rank": 500, "disclosure_date": "2004-11-12", "type": "exploit", "author": [ "Unknown" ], "description": "This module exploits a buffer overflow in the CRAM-MD5\n authentication of the MDaemon IMAP service. This\n vulnerability was discovered by Muts.", "references": [ "CVE-2004-1520", "OSVDB-11838", "BID-11675" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "MDaemon IMAP 8.0.3 Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mdaemon_cram_md5.rb", "is_install_path": true, "ref_name": "windows/imap/mdaemon_cram_md5", "check": false }, "exploit_windows/imap/mdaemon_fetch": { "name": "MDaemon 9.6.4 IMAPD FETCH Buffer Overflow", "full_name": "exploit/windows/imap/mdaemon_fetch", "rank": 500, "disclosure_date": "2008-03-13", "type": "exploit", "author": [ "Jacopo Cervini", "aushack " ], "description": "This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n account credentials are required. 
Credit to Matteo Memelli", "references": [ "CVE-2008-1358", "OSVDB-43111", "BID-28245", "EDB-5248" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "MDaemon Version 9.6.4" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/imap/mdaemon_fetch.rb", "is_install_path": true, "ref_name": "windows/imap/mdaemon_fetch", "check": true }, "exploit_windows/imap/mercur_imap_select_overflow": { "name": "Mercur v5.0 IMAP SP3 SELECT Buffer Overflow", "full_name": "exploit/windows/imap/mercur_imap_select_overflow", "rank": 200, "disclosure_date": "2006-03-17", "type": "exploit", "author": [ "Jacopo Cervini " ], "description": "Mercur v5.0 IMAP server is prone to a remotely exploitable\n stack-based buffer overflow vulnerability. This issue is due\n to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.\n Credit to Tim Taylor for discovering the vulnerability.", "references": [ "CVE-2006-1255", "OSVDB-23950", "BID-17138" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 Server SP4 English", "Windows 2000 Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mercur_imap_select_overflow.rb", "is_install_path": true, "ref_name": "windows/imap/mercur_imap_select_overflow", "check": false }, "exploit_windows/imap/mercur_login": { "name": "Mercur Messaging 2005 IMAP Login Buffer Overflow", "full_name": "exploit/windows/imap/mercur_login", "rank": 200, "disclosure_date": "2006-03-17", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n Since the room for shellcode is small, using the reverse ordinal payloads\n yields the best results.", "references": [ "CVE-2006-1255", "OSVDB-23950", "BID-17138", 
"URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 Pro SP4 English", "Windows XP Pro SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mercur_login.rb", "is_install_path": true, "ref_name": "windows/imap/mercur_login", "check": false }, "exploit_windows/imap/mercury_login": { "name": "Mercury/32 LOGIN Buffer Overflow", "full_name": "exploit/windows/imap/mercury_login", "rank": 200, "disclosure_date": "2007-03-06", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n LOGIN verb. By sending a specially crafted login command, a buffer\n is corrupted, and code execution is possible. This vulnerability was\n discovered by (mu-b at digit-labs.org).", "references": [ "CVE-2007-1373", "OSVDB-33883" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 SP0-SP4 English", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mercury_login.rb", "is_install_path": true, "ref_name": "windows/imap/mercury_login", "check": true }, "exploit_windows/imap/mercury_rename": { "name": "Mercury/32 v4.01a IMAP RENAME Buffer Overflow", "full_name": "exploit/windows/imap/mercury_rename", "rank": 200, "disclosure_date": "2004-11-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow vulnerability in the\n Mercury/32 v.4.01a IMAP service.", "references": [ "CVE-2004-1211", "OSVDB-12508", "BID-11775", "URL-http://www.nessus.org/plugins/index.php?view=single&id=15867" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Automatic", "Windows 2000 SP4 English", "Windows XP Pro SP0 English", "Windows XP 
Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/mercury_rename.rb", "is_install_path": true, "ref_name": "windows/imap/mercury_rename", "check": true }, "exploit_windows/imap/novell_netmail_append": { "name": "Novell NetMail IMAP APPEND Buffer Overflow", "full_name": "exploit/windows/imap/novell_netmail_append", "rank": 200, "disclosure_date": "2006-12-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", "references": [ "CVE-2006-6425", "OSVDB-31362", "BID-21723", "ZDI-06-054" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 SP0-SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/novell_netmail_append.rb", "is_install_path": true, "ref_name": "windows/imap/novell_netmail_append", "check": false }, "exploit_windows/imap/novell_netmail_auth": { "name": "Novell NetMail IMAP AUTHENTICATE Buffer Overflow", "full_name": "exploit/windows/imap/novell_netmail_auth", "rank": 200, "disclosure_date": "2007-01-07", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n GSSAPI command. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution. 
Using the PAYLOAD of windows/shell_bind_tcp\n or windows/shell_reverse_tcp allows for the most reliable results.", "references": [ "OSVDB-55175" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 SP0-SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/novell_netmail_auth.rb", "is_install_path": true, "ref_name": "windows/imap/novell_netmail_auth", "check": false }, "exploit_windows/imap/novell_netmail_status": { "name": "Novell NetMail IMAP STATUS Buffer Overflow", "full_name": "exploit/windows/imap/novell_netmail_status", "rank": 200, "disclosure_date": "2005-11-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", "references": [ "CVE-2005-3314", "OSVDB-20956", "BID-15491" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 SP0-SP4 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/imap/novell_netmail_status.rb", "is_install_path": true, "ref_name": "windows/imap/novell_netmail_status", "check": false }, "exploit_windows/imap/novell_netmail_subscribe": { "name": "Novell NetMail IMAP SUBSCRIBE Buffer Overflow", "full_name": "exploit/windows/imap/novell_netmail_subscribe", "rank": 200, "disclosure_date": "2006-12-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", "references": [ "CVE-2006-6761", "OSVDB-31360", "BID-21728", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 143, "targets": [ "Windows 2000 SP0-SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/imap/novell_netmail_subscribe.rb", "is_install_path": true, "ref_name": "windows/imap/novell_netmail_subscribe", "check": false }, "exploit_windows/isapi/ms00_094_pbserver": { "name": "MS00-094 Microsoft IIS Phone Book Service Overflow", "full_name": "exploit/windows/isapi/ms00_094_pbserver", "rank": 400, "disclosure_date": "2000-12-04", "type": "exploit", "author": [ "aushack " ], "description": "This is an exploit for the Phone Book Service /pbserver/pbserver.dll\n described in MS00-094. By sending an overly long URL argument\n for phone book updates, it is possible to overwrite the stack. This\n module has only been tested against Windows 2000 SP1.", "references": [ "CVE-2000-1089", "OSVDB-463", "BID-2048", "MSB-MS00-094" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 SP1", "Windows 2000 SP0", "Windows NT SP6" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/isapi/ms00_094_pbserver.rb", "is_install_path": true, "ref_name": "windows/isapi/ms00_094_pbserver", "check": true }, "exploit_windows/isapi/ms03_022_nsiislog_post": { "name": "MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", "full_name": "exploit/windows/isapi/ms03_022_nsiislog_post", "rank": 400, "disclosure_date": "2003-06-25", "type": "exploit", "author": [ "hdm " ], "description": "This exploits a buffer overflow found in the nsiislog.dll\n ISAPI filter that comes with Windows Media Server. 
This\n module will also work against the 'patched' MS03-019\n version. This vulnerability was addressed by MS03-022.", "references": [ "CVE-2003-0349", "OSVDB-4535", "BID-8035", "MSB-MS03-022", "URL-http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Brute Force", "Windows 2000 -MS03-019", "Windows 2000 +MS03-019", "Windows XP -MS03-019" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb", "is_install_path": true, "ref_name": "windows/isapi/ms03_022_nsiislog_post", "check": true }, "exploit_windows/isapi/ms03_051_fp30reg_chunked": { "name": "MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow", "full_name": "exploit/windows/isapi/ms03_051_fp30reg_chunked", "rank": 400, "disclosure_date": "2003-11-11", "type": "exploit", "author": [ "hdm " ], "description": "This is an exploit for the chunked encoding buffer overflow\n described in MS03-051 and originally reported by Brett\n Moore. This particular module works against versions of\n Windows 2000 between SP0 and SP3. 
Service Pack 4 fixes the\n issue.", "references": [ "CVE-2003-0822", "OSVDB-2952", "BID-9007", "MSB-MS03-051" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Windows 2000 SP0-SP3", "Windows 2000 07/22/02", "Windows 2000 10/06/99" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb", "is_install_path": true, "ref_name": "windows/isapi/ms03_051_fp30reg_chunked", "check": true }, "exploit_windows/isapi/rsa_webagent_redirect": { "name": "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow", "full_name": "exploit/windows/isapi/rsa_webagent_redirect", "rank": 400, "disclosure_date": "2005-10-21", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the SecurID Web\n Agent for IIS. This ISAPI filter runs in-process with\n inetinfo.exe, any attempt to exploit this flaw will result\n in the termination and potential restart of the IIS service.", "references": [ "CVE-2005-4734", "OSVDB-20151" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "RSA WebAgent 5.2", "RSA WebAgent 5.3", "RSA WebAgent 5.2 on Windows 2000 English", "RSA WebAgent 5.3 on Windows 2000 English", "RSA WebAgent 5.2 on Windows XP SP0-SP1 English", "RSA WebAgent 5.3 on Windows XP SP0-SP1 English", "RSA WebAgent 5.2 on Windows XP SP2 English", "RSA WebAgent 5.3 on Windows XP SP2 English", "RSA WebAgent 5.2 on Windows 2003 English SP0", "RSA WebAgent 5.3 on Windows 2003 English SP0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/isapi/rsa_webagent_redirect.rb", "is_install_path": true, "ref_name": "windows/isapi/rsa_webagent_redirect", "check": true }, "exploit_windows/isapi/w3who_query": { "name": "Microsoft IIS ISAPI w3who.dll Query String Overflow", "full_name": "exploit/windows/isapi/w3who_query", "rank": 400, "disclosure_date": "2004-12-06", "type": 
"exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the w3who.dll ISAPI\n application. This vulnerability was discovered by Nicolas\n Gregoire and this code has been successfully tested against\n Windows 2000 and Windows XP (SP2). When exploiting Windows\n XP, the payload must call RevertToSelf before it will be\n able to spawn a command shell.", "references": [ "CVE-2004-1134", "OSVDB-12258", "URL-http://www.exaprobe.com/labs/advisories/esa-2004-1206.html", "BID-11820" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic Detection", "Windows 2000 RESKIT DLL [Windows 2000]", "Windows 2000 RESKIT DLL [Windows XP]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/isapi/w3who_query.rb", "is_install_path": true, "ref_name": "windows/isapi/w3who_query", "check": true }, "exploit_windows/ldap/imail_thc": { "name": "IMail LDAP Service Buffer Overflow", "full_name": "exploit/windows/ldap/imail_thc", "rank": 200, "disclosure_date": "2004-02-17", "type": "exploit", "author": [ "hdm " ], "description": "This exploits a buffer overflow in the LDAP service that is\n part of the IMail product. 
This module was tested against\n version 7.10 and 8.5, both running on Windows 2000.", "references": [ "CVE-2004-0297", "OSVDB-3984", "BID-9682", "URL-http://secunia.com/advisories/10880/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 389, "targets": [ "Windows 2000 English", "Windows 2000 IMail 8.x" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ldap/imail_thc.rb", "is_install_path": true, "ref_name": "windows/ldap/imail_thc", "check": false }, "exploit_windows/ldap/pgp_keyserver7": { "name": "Network Associates PGP KeyServer 7 LDAP Buffer Overflow", "full_name": "exploit/windows/ldap/pgp_keyserver7", "rank": 400, "disclosure_date": "2001-07-16", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in the LDAP service that is\n part of the NAI PGP Enterprise product suite. This module was tested\n against PGP KeyServer v7.0. Due to space restrictions, egghunter is\n used to find our payload - therefore you may wish to adjust WfsDelay.", "references": [ "CVE-2001-1320", "OSVDB-4742", "BID-3046", "URL-http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 389, "targets": [ "Universal PGPcertd.exe" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/ldap/pgp_keyserver7.rb", "is_install_path": true, "ref_name": "windows/ldap/pgp_keyserver7", "check": false }, "exploit_windows/license/calicclnt_getconfig": { "name": "Computer Associates License Client GETCONFIG Overflow", "full_name": "exploit/windows/license/calicclnt_getconfig", "rank": 200, "disclosure_date": "2005-03-02", "type": "exploit", "author": [ "hdm ", "aushack " ], "description": "This module exploits a vulnerability in the CA License Client\n service. This exploit will only work if your IP address can be\n resolved from the target system point of view. 
This can be\n accomplished on a local network by running the 'nmbd' service\n that comes with Samba. If you are running this exploit from\n Windows and do not filter UDP port 137, this should not be a\n problem (if the target is on the same network segment). Due to\n the bugginess of the software, you are only allowed one connection\n to the agent port before it starts ignoring you, so there is effectively\n a single exploitation attempt per target. If it wasn't for this\n issue, it would be possible to repeatedly exploit this bug.", "references": [ "CVE-2005-0581", "OSVDB-14389", "BID-12705", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10203, "targets": [ "Automatic", "Windows 2000 English", "Windows XP English SP0-1", "Windows XP English SP2", "Windows 2003 English SP0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/license/calicclnt_getconfig.rb", "is_install_path": true, "ref_name": "windows/license/calicclnt_getconfig", "check": false }, "exploit_windows/license/calicserv_getconfig": { "name": "Computer Associates License Server GETCONFIG Overflow", "full_name": "exploit/windows/license/calicserv_getconfig", "rank": 300, "disclosure_date": "2005-03-02", "type": "exploit", "author": [ "hdm ", "aushack " ], "description": "This module exploits a vulnerability in the CA License Server\n network service. 
By sending an excessively long GETCONFIG\n packet the stack may be overwritten.", "references": [ "CVE-2005-0581", "OSVDB-14389", "BID-12705", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10202, "targets": [ "Automatic", "Windows 2000 English", "Windows XP English SP0-1", "Windows XP English SP2", "Windows 2003 English SP0" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/license/calicserv_getconfig.rb", "is_install_path": true, "ref_name": "windows/license/calicserv_getconfig", "check": true }, "exploit_windows/license/flexnet_lmgrd_bof": { "name": "FlexNet License Server Manager lmgrd Buffer Overflow", "full_name": "exploit/windows/license/flexnet_lmgrd_bof", "rank": 300, "disclosure_date": "2012-03-23", "type": "exploit", "author": [ "Luigi Auriemma", "Alexander Gavrun", "juan vazquez ", "sinn3r " ], "description": "This module exploits a vulnerability in the FlexNet\n License Server Manager.\n\n The vulnerability is due to the insecure usage of memcpy\n in the lmgrd service when handling network packets, which\n results in a stack buffer overflow.\n\n In order to improve reliability, this module will make lots of\n connections to lmgrd during each attempt to maximize its success.", "references": [ "OSVDB-81899", "BID-52718", "ZDI-12-052", "URL-http://aluigi.altervista.org/adv/lmgrd_1-adv.txt", "URL-http://www.flexerasoftware.com/pl/13057.htm" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 27000, "targets": [ "Debug", "Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3", "Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3", "Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/license/flexnet_lmgrd_bof.rb", "is_install_path": true, "ref_name": 
"windows/license/flexnet_lmgrd_bof", "check": false }, "exploit_windows/license/sentinel_lm7_udp": { "name": "SentinelLM UDP Buffer Overflow", "full_name": "exploit/windows/license/sentinel_lm7_udp", "rank": 200, "disclosure_date": "2005-03-07", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a simple stack buffer overflow in the Sentinel\n License Manager. The SentinelLM service is installed with a\n wide selection of products and seems particularly popular with\n academic products. If the wrong target value is selected,\n the service will crash and not restart.", "references": [ "CVE-2005-0353", "OSVDB-14605", "BID-12742" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5093, "targets": [ "Automatic", "SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6", "SentinelLM 7.2.0.0 Windows 2000 English", "SentinelLM 7.2.0.0 Windows 2000 German", "SentinelLM 7.2.0.0 Windows XP English SP0/SP1", "SentinelLM 7.2.0.0 Windows 2003 English SP0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/license/sentinel_lm7_udp.rb", "is_install_path": true, "ref_name": "windows/license/sentinel_lm7_udp", "check": true }, "exploit_windows/local/adobe_sandbox_adobecollabsync": { "name": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", "full_name": "exploit/windows/local/adobe_sandbox_adobecollabsync", "rank": 500, "disclosure_date": "2013-05-14", "type": "exploit", "author": [ "Felipe Andres Manzano", "juan vazquez " ], "description": "This module exploits a vulnerability in the Adobe Reader X Sandbox. The\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\n process to write registry values which can be used to trigger a buffer overflow on\n the AdobeCollabSync component, allowing an attacker to achieve Medium Integrity Level\n privileges from a Low Integrity AcroRd32.exe process. 
This module has been tested\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.", "references": [ "CVE-2013-2730", "OSVDB-93355", "URL-http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Adobe Reader X 10.1.4 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb", "is_install_path": true, "ref_name": "windows/local/adobe_sandbox_adobecollabsync", "check": true }, "exploit_windows/local/agnitum_outpost_acs": { "name": "Agnitum Outpost Internet Security Local Privilege Escalation", "full_name": "exploit/windows/local/agnitum_outpost_acs", "rank": 600, "disclosure_date": "2013-08-02", "type": "exploit", "author": [ "Ahmad Moghimi", "juan vazquez " ], "description": "This module exploits a directory traversal vulnerability on Agnitum Outpost Internet\n Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load\n arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary\n code with SYSTEM privileges. 
This module has been tested successfully on Windows 7 SP1 with\n Agnitum Outpost Internet Security 8.1 (32-bit and 64-bit versions).", "references": [ "OSVDB-96208", "EDB-27282" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Agnitum Outpost Internet Security 8.1" ], "mod_time": "2018-06-14 15:15:29 +0000", "path": "/modules/exploits/windows/local/agnitum_outpost_acs.rb", "is_install_path": true, "ref_name": "windows/local/agnitum_outpost_acs", "check": true }, "exploit_windows/local/always_install_elevated": { "name": "Windows AlwaysInstallElevated MSI", "full_name": "exploit/windows/local/always_install_elevated", "rank": 600, "disclosure_date": "2010-03-18", "type": "exploit", "author": [ "Ben Campbell ", "Parvez Anwar" ], "description": "This module checks the AlwaysInstallElevated registry keys, which dictate whether\n .MSI files should be installed with elevated privileges (NT AUTHORITY\\SYSTEM).\n The generated .MSI file has an embedded executable which is extracted and run\n by the installer. 
After execution the .MSI file intentionally fails installation\n (by calling some invalid VBS) to prevent it being registered on the system.\n By running this with the /quiet argument the error will not be seen by the user.", "references": [ "URL-http://www.greyhathacker.net/?p=185", "URL-http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx", "URL-http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/always_install_elevated.rb", "is_install_path": true, "ref_name": "windows/local/always_install_elevated", "check": true }, "exploit_windows/local/applocker_bypass": { "name": "AppLocker Execution Prevention Bypass", "full_name": "exploit/windows/local/applocker_bypass", "rank": 600, "disclosure_date": "2015-08-03", "type": "exploit", "author": [ "Casey Smith", "OJ Reeves" ], "description": "This module will generate a .NET service executable on the target and utilize\n InstallUtil to run the payload bypassing the AppLocker protection.\n\n Currently only the InstallUtil method is provided, but future methods can be\n added easily.", "references": [ "URL-https://gist.github.com/subTee/fac6af078937dda81e57" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows" ], "mod_time": "2018-05-23 13:44:53 +0000", "path": "/modules/exploits/windows/local/applocker_bypass.rb", "is_install_path": true, "ref_name": "windows/local/applocker_bypass", "check": false }, "exploit_windows/local/ask": { "name": "Windows Escalate UAC Execute RunAs", "full_name": "exploit/windows/local/ask", "rank": 600, "disclosure_date": "2012-01-03", "type": "exploit", "author": [ "mubix ", "b00stfr3ak" ], "description": "This module will attempt to elevate execution level using\n the ShellExecute 
undocumented RunAs flag to bypass low\n UAC settings.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ask.rb", "is_install_path": true, "ref_name": "windows/local/ask", "check": false }, "exploit_windows/local/bthpan": { "name": "MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", "full_name": "exploit/windows/local/bthpan", "rank": 200, "disclosure_date": "2014-07-18", "type": "exploit", "author": [ "Matt Bergin ", "Jay Smith " ], "description": "A vulnerability within Microsoft Bluetooth Personal Area Networking module,\n BthPan.sys, can allow an attacker to inject memory controlled by the attacker\n into an arbitrary location. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile.", "references": [ "MSB-MS14-062", "CVE-2014-4971", "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt", "OSVDB-109387" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/bthpan.rb", "is_install_path": true, "ref_name": "windows/local/bthpan", "check": true }, "exploit_windows/local/bypassuac": { "name": "Windows Escalate UAC Protection Bypass", "full_name": "exploit/windows/local/bypassuac", "rank": 600, "disclosure_date": "2010-12-31", "type": "exploit", "author": [ "David Kennedy \"ReL1K\" ", "mitnick", "mubix " ], "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. 
It will spawn a second shell that\n has the UAC flag turned off.", "references": [ "URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/bypassuac.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac", "check": false }, "exploit_windows/local/bypassuac_comhijack": { "name": "Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)", "full_name": "exploit/windows/local/bypassuac_comhijack", "rank": 600, "disclosure_date": "1900-01-01", "type": "exploit", "author": [ "Matt Nelson", "b33f", "OJ Reeves" ], "description": "This module will bypass Windows UAC by creating COM handler registry entries in the\n HKCU hive. When certain high integrity processes are loaded, these registry entries\n are referenced resulting in the process loading user-controlled DLLs. These DLLs\n contain the payloads that result in elevated sessions. Registry key modifications\n are cleaned up after payload invocation.\n\n This module requires the architecture of the payload to match the OS, but the\n current low-privilege Meterpreter session architecture can be different. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.\n\n This module invokes the target binary via cmd.exe on the target. 
Therefore if\n cmd.exe access is restricted, this module will not run correctly.", "references": [ "URL-https://wikileaks.org/ciav7p1/cms/page_13763373.html", "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-10-03 13:36:29 +0000", "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_comhijack", "check": true }, "exploit_windows/local/bypassuac_eventvwr": { "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)", "full_name": "exploit/windows/local/bypassuac_eventvwr", "rank": 600, "disclosure_date": "2016-08-15", "type": "exploit", "author": [ "Matt Nelson", "Matt Graeber", "OJ Reeves" ], "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows Event Viewer is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/bypassuac_eventvwr.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_eventvwr", "check": true }, "exploit_windows/local/bypassuac_fodhelper": { "name": "Windows UAC Protection Bypass (Via FodHelper Registry Key)", "full_name": "exploit/windows/local/bypassuac_fodhelper", "rank": 600, "disclosure_date": "2017-05-12", "type": "exploit", "author": [ "winscriptingblog", "amaloteaux " ], "description": "This module will bypass Windows 10 UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/bypassuac_fodhelper.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_fodhelper", "check": true }, "exploit_windows/local/bypassuac_injection": { "name": "Windows Escalate UAC Protection Bypass (In Memory Injection)", "full_name": "exploit/windows/local/bypassuac_injection", "rank": 600, "disclosure_date": "2010-12-31", "type": "exploit", "author": [ "David Kennedy \"ReL1K\" ", "mitnick", "mubix ", "Ben Campbell ", "Lesage", "OJ Reeves" ], "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off. This module uses the Reflective DLL Injection\n technique to drop only the DLL payload binary instead of three separate\n binaries in the standard technique. 
However, it requires the correct\n architecture to be selected (use x64 for SYSWOW64 systems also).\n If specifying EXE::Custom your DLL should call ExitProcess() after starting\n your payload in a separate process.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/bypassuac_injection.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_injection", "check": false }, "exploit_windows/local/bypassuac_injection_winsxs": { "name": "Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS", "full_name": "exploit/windows/local/bypassuac_injection_winsxs", "rank": 600, "disclosure_date": "2017-04-06", "type": "exploit", "author": [ "Ernesto Fernandez \"L3cr0f\" " ], "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off by abusing the way \"WinSxS\" works in Windows\n systems. This module uses the Reflective DLL Injection technique to drop\n only the DLL payload binary instead of three separate binaries in the\n standard technique. 
However, it requires the correct architecture to be\n selected (use x64 for SYSWOW64 systems also).", "references": [ "URL-https://github.com/L3cr0f/DccwBypassUAC" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-06-18 11:34:58 +0000", "path": "/modules/exploits/windows/local/bypassuac_injection_winsxs.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_injection_winsxs", "check": false }, "exploit_windows/local/bypassuac_sluihijack": { "name": "Windows UAC Protection Bypass (Via Slui File Handler Hijack)", "full_name": "exploit/windows/local/bypassuac_sluihijack", "rank": 600, "disclosure_date": "2018-01-15", "type": "exploit", "author": [ "bytecode-77", "gushmazuko" ], "description": "This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under\n the Current User hive, and inserting a custom command that will get invoked when any binary\n (.exe) application is launched. Because slui.exe is an auto-elevated binary that is vulnerable\n to file handler hijacking, running slui.exe with the modified Registry key\n (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command) causes it to run the custom command as Admin\n instead of slui.exe.\n\n The module modifies the registry in order for this exploit to work. The modification is\n reverted once the exploitation attempt has finished.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting the\n payload in a different process.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2018-05-23 12:53:48 +0000", "path": "/modules/exploits/windows/local/bypassuac_sluihijack.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_sluihijack", "check": true }, "exploit_windows/local/bypassuac_vbs": { "name": "Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)", "full_name": "exploit/windows/local/bypassuac_vbs", "rank": 600, "disclosure_date": "2015-08-22", "type": "exploit", "author": [ "Vozzie", "Ben Campbell " ], "description": "This module will bypass Windows UAC by utilizing the missing .manifest on the script host\n cscript/wscript.exe binaries.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/bypassuac_vbs.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_vbs", "check": false }, "exploit_windows/local/capcom_sys_exec": { "name": "Windows Capcom.sys Kernel Execution Exploit (x64 only)", "full_name": "exploit/windows/local/capcom_sys_exec", "rank": 300, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "TheWack0lian", "OJ Reeves" ], "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n arbitrary function to be executed in the kernel from user land. 
This function\n purposely disables SMEP prior to invoking a function given by the caller.\n This has been tested on Windows 7, 8.1 and Windows 10 (x64).", "references": [ "URL-https://twitter.com/TheWack0lian/status/779397840762245124" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "Windows x64 (<= 10)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/capcom_sys_exec.rb", "is_install_path": true, "ref_name": "windows/local/capcom_sys_exec", "check": true }, "exploit_windows/local/current_user_psexec": { "name": "PsExec via Current User Token", "full_name": "exploit/windows/local/current_user_psexec", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "egypt ", "jabra" ], "description": "This module uploads an executable file to the victim system, creates\n a share containing that executable, creates a remote service on each\n target system using a UNC path to that file, and finally starts the\n service(s).\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.", "references": [ "CVE-1999-0504", "OSVDB-3106", "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/current_user_psexec.rb", "is_install_path": true, "ref_name": "windows/local/current_user_psexec", "check": false }, "exploit_windows/local/cve_2017_8464_lnk_lpe": { "name": "LNK Code Execution Vulnerability", "full_name": "exploit/windows/local/cve_2017_8464_lnk_lpe", "rank": 600, "disclosure_date": "2017-06-13", "type": "exploit", "author": [ "Uncredited", "Yorick Koster", "Spencer McIntyre" ], "description": "This module exploits a vulnerability in the 
handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n The PATH option must be an absolute path to a writeable directory which is indexed for\n searching. If no PATH is specified, the module defaults to %USERPROFILE%.", "references": [ "CVE-2017-8464", "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows x64", "Windows x86" ], "mod_time": "2017-11-04 18:50:20 +0000", "path": "/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb", "is_install_path": true, "ref_name": "windows/local/cve_2017_8464_lnk_lpe", "check": true }, "exploit_windows/local/ikeext_service": { "name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL", "full_name": "exploit/windows/local/ikeext_service", "rank": 400, "disclosure_date": "2012-10-09", "type": "exploit", "author": [ "Ben Campbell " ], "description": "This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'\n (IKEEXT) service which runs as SYSTEM, and starts automatically in default\n installations of Vista-Win8. 
It requires an insecure bin path to plant the DLL payload.", "references": [ "URL-https://www.htbridge.com/advisory/HTB23108", "URL-https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ikeext_service.rb", "is_install_path": true, "ref_name": "windows/local/ikeext_service", "check": true }, "exploit_windows/local/ipass_launch_app": { "name": "iPass Mobile Client Service Privilege Escalation", "full_name": "exploit/windows/local/ipass_launch_app", "rank": 600, "disclosure_date": "2015-03-12", "type": "exploit", "author": [ "h0ng10" ], "description": "The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact\n with the iPass service. The service provides a LaunchAppSysMode command which\n allows arbitrary commands to be executed as SYSTEM.", "references": [ "CVE-2015-0925", "URL-https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/local/ipass_launch_app.rb", "is_install_path": true, "ref_name": "windows/local/ipass_launch_app", "check": true }, "exploit_windows/local/lenovo_systemupdate": { "name": "Lenovo System Update Privilege Escalation", "full_name": "exploit/windows/local/lenovo_systemupdate", "rank": 600, "disclosure_date": "2015-04-12", "type": "exploit", "author": [ "Michael Milvich", "Sofiane Talmat", "h0ng10" ], "description": "The named pipe, \\SUPipeServer, can be accessed by normal users to interact with the\n System update service. The service provides the possibility to execute arbitrary\n commands as SYSTEM if a valid security token is provided. 
This token can be generated\n by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please note that the\n System Update is stopped by default but can be started/stopped by calling the executable\n ConfigService.exe.", "references": [ "OSVDB-121522", "CVE-2015-2219", "URL-http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/lenovo_systemupdate.rb", "is_install_path": true, "ref_name": "windows/local/lenovo_systemupdate", "check": true }, "exploit_windows/local/mov_ss": { "name": "Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability", "full_name": "exploit/windows/local/mov_ss", "rank": 600, "disclosure_date": "2018-05-08", "type": "exploit", "author": [ "Nick Peterson", "Nemanja Mulasmajic", "Can Bölük ", "bwatters-r7" ], "description": "This module exploits a vulnerability in a statement in the system programming guide\n of the Intel 64 and IA-32 architectures software developer's manual being mishandled\n in various operating system kernels, resulting in unexpected behavior for #DB\n exceptions that are deferred by MOV SS or POP SS.\n\n This module will upload the pre-compiled exploit and use it to execute the final\n payload in order to gain remote code execution.", "references": [ "CVE-2018-8897", "EDB-44697", "BID-104071", "URL-https://github.com/can1357/CVE-2018-8897/", "URL-https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x64" ], "mod_time": "2018-07-27 11:35:31 +0000", "path": "/modules/exploits/windows/local/mov_ss.rb", "is_install_path": true, "ref_name": "windows/local/mov_ss", "check": false }, "exploit_windows/local/mqac_write": { "name": 
"MQAC.sys Arbitrary Write Privilege Escalation", "full_name": "exploit/windows/local/mqac_write", "rank": 200, "disclosure_date": "2014-07-22", "type": "exploit", "author": [ "Matt Bergin", "Spencer McIntyre" ], "description": "A vulnerability within the MQAC.sys module allows an attacker to\n overwrite an arbitrary location in kernel memory.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process.", "references": [ "CVE-2014-4971", "EDB-34112", "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/mqac_write.rb", "is_install_path": true, "ref_name": "windows/local/mqac_write", "check": true }, "exploit_windows/local/ms10_015_kitrap0d": { "name": "Windows SYSTEM Escalation via KiTrap0D", "full_name": "exploit/windows/local/ms10_015_kitrap0d", "rank": 500, "disclosure_date": "2010-01-19", "type": "exploit", "author": [ "Tavis Ormandy", "HD Moore", "Pusscat", "OJ Reeves" ], "description": "This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. 
The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.", "references": [ "CVE-2010-0232", "OSVDB-61854", "MSB-MS10-015", "EDB-11199", "URL-http://seclists.org/fulldisclosure/2010/Jan/341" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2K SP4 - Windows 7 (x86)" ], "mod_time": "2017-11-23 08:35:55 +0000", "path": "/modules/exploits/windows/local/ms10_015_kitrap0d.rb", "is_install_path": true, "ref_name": "windows/local/ms10_015_kitrap0d", "check": true }, "exploit_windows/local/ms10_092_schelevator": { "name": "Windows Escalate Task Scheduler XML Privilege Escalation", "full_name": "exploit/windows/local/ms10_092_schelevator", "rank": 600, "disclosure_date": "2010-09-13", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.\n When processing task files, the Windows Task Scheduler only uses a CRC32\n checksum to validate that the file has not been tampered with. Also, in a default\n configuration, normal users can read and write the task files that they have\n created. 
By modifying the task file and creating a CRC32 collision, an attacker\n can execute arbitrary commands with SYSTEM privileges.\n\n NOTE: Thanks to webDEViL for the information about disable/enable.", "references": [ "OSVDB-68518", "CVE-2010-3338", "BID-44357", "MSB-MS10-092", "EDB-15589" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows Vista, 7, and 2008" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms10_092_schelevator.rb", "is_install_path": true, "ref_name": "windows/local/ms10_092_schelevator", "check": true }, "exploit_windows/local/ms11_080_afdjoinleaf": { "name": "MS11-080 AfdJoinLeaf Privilege Escalation", "full_name": "exploit/windows/local/ms11_080_afdjoinleaf", "rank": 200, "disclosure_date": "2011-11-30", "type": "exploit", "author": [ "Matteo Memelli", "Spencer McIntyre" ], "description": "This module exploits a flaw in the AfdJoinLeaf function of the\n afd.sys driver to overwrite data in kernel space. 
An address\n within the HalDispatchTable is overwritten and when triggered\n with a call to NtQueryIntervalProfile will execute shellcode.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process before restoring its own token to\n avoid causing system instability.", "references": [ "CVE-2011-2005", "OSVDB-76232", "EDB-18176", "MSB-MS11-080", "URL-http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic", "Windows XP SP2 / SP3", "Windows Server 2003 SP2" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb", "is_install_path": true, "ref_name": "windows/local/ms11_080_afdjoinleaf", "check": false }, "exploit_windows/local/ms13_005_hwnd_broadcast": { "name": "MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation", "full_name": "exploit/windows/local/ms13_005_hwnd_broadcast", "rank": 600, "disclosure_date": "2012-11-27", "type": "exploit", "author": [ "Tavis Ormandy", "Axel Souchet", "Ben Campbell " ], "description": "Due to a problem with isolating window broadcast messages in the Windows kernel,\n an attacker can broadcast commands from a lower Integrity Level process to a\n higher Integrity Level process, thereby effecting a privilege escalation. This\n issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and\n RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#\n does not work in Vista, so the attacker will have to check if the user is already\n running a command prompt and set SPAWN_PROMPT false.\n\n Three exploit techniques are available with this module. The WEB technique will\n execute a powershell encoded payload from a Web location. The FILE technique\n will drop an executable to the file system, set it to medium integrity and execute\n it. 
The TYPE technique will attempt to execute a powershell encoded payload directly\n from the command line, but may take some time to complete.", "references": [ "CVE-2013-0008", "MSB-MS13-005", "OSVDB-88966", "URL-http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb", "is_install_path": true, "ref_name": "windows/local/ms13_005_hwnd_broadcast", "check": false }, "exploit_windows/local/ms13_053_schlamperei": { "name": "Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)", "full_name": "exploit/windows/local/ms13_053_schlamperei", "rank": 200, "disclosure_date": "2013-12-01", "type": "exploit", "author": [ "Nils", "Jon", "Donato Capitella ", "Ben Campbell " ], "description": "This module leverages a kernel pool overflow in Win32k which allows local privilege escalation.\n The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).\n This allows any unprivileged process to freely migrate to winlogon.exe, achieving\n privilege escalation. 
This exploit was used in pwn2own 2013 by MWR to break out of Chrome's sandbox.\n NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.", "references": [ "CVE-2013-1300", "MSB-MS13-053", "URL-https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms13_053_schlamperei.rb", "is_install_path": true, "ref_name": "windows/local/ms13_053_schlamperei", "check": true }, "exploit_windows/local/ms13_081_track_popup_menu": { "name": "Windows TrackPopupMenuEx Win32k NULL Page", "full_name": "exploit/windows/local/ms13_081_track_popup_menu", "rank": 200, "disclosure_date": "2013-10-08", "type": "exploit", "author": [ "Seth Gibson", "Dan Zentner", "Matias Soler", "Spencer McIntyre" ], "description": "This module exploits a vulnerability in win32k.sys where under\n specific conditions TrackPopupMenuEx will pass a NULL pointer to\n the MNEndMenuState procedure. 
This module has been tested\n successfully on Windows 7 SP0 and Windows 7 SP1.", "references": [ "CVE-2013-3881", "OSVDB-98212", "BID-62830", "MSB-MS13-081", "URL-http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html", "URL-http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms13_081_track_popup_menu.rb", "is_install_path": true, "ref_name": "windows/local/ms13_081_track_popup_menu", "check": true }, "exploit_windows/local/ms13_097_ie_registry_symlink": { "name": "MS13-097 Registry Symlink IE Sandbox Escape", "full_name": "exploit/windows/local/ms13_097_ie_registry_symlink", "rank": 500, "disclosure_date": "2013-12-10", "type": "exploit", "author": [ "James Forshaw", "juan vazquez " ], "description": "This module exploits a vulnerability in Internet Explorer Sandbox which makes it possible to\n escape the Enhanced Protected Mode and execute code with Medium Integrity. 
The\n vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll\n component, which can be abused to force medium integrity IE to user-influenced keys.\n By using registry symlinks it's possible to force IE to add a policy entry in the registry\n and finally bypass Enhanced Protected Mode.", "references": [ "CVE-2013-5045", "MSB-MS13-097", "BID-64115", "URL-https://github.com/tyranid/IE11SandboxEscapes" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IE 8 - 11" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb", "is_install_path": true, "ref_name": "windows/local/ms13_097_ie_registry_symlink", "check": false }, "exploit_windows/local/ms14_009_ie_dfsvc": { "name": "MS14-009 .NET Deployment Service IE Sandbox Escape", "full_name": "exploit/windows/local/ms14_009_ie_dfsvc", "rank": 500, "disclosure_date": "2014-02-11", "type": "exploit", "author": [ "James Forshaw", "juan vazquez " ], "description": "This module abuses a process creation policy in Internet Explorer's sandbox, specifically\n in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the\n Enhanced Protected Mode, and execute code with Medium Integrity.", "references": [ "CVE-2014-0257", "MSB-MS14-009", "BID-65417", "URL-https://github.com/tyranid/IE11SandboxEscapes" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "IE 8 - 11" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb", "is_install_path": true, "ref_name": "windows/local/ms14_009_ie_dfsvc", "check": true }, "exploit_windows/local/ms14_058_track_popup_menu": { "name": "Windows TrackPopupMenu Win32k NULL Pointer Dereference", "full_name": "exploit/windows/local/ms14_058_track_popup_menu", "rank": 300, "disclosure_date": "2014-10-14", "type": "exploit", "author": [ 
"Unknown", "juan vazquez ", "Spencer McIntyre", "OJ Reeves " ], "description": "This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability\n can be triggered through the use of TrackPopupMenu. Under special conditions, the\n NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary\n code execution. This module has been tested successfully on Windows XP SP3, Windows\n 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows\n 2008 R2 SP1 64 bits.", "references": [ "CVE-2014-4113", "OSVDB-113167", "BID-70364", "MSB-MS14-058", "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms14_058_track_popup_menu.rb", "is_install_path": true, "ref_name": "windows/local/ms14_058_track_popup_menu", "check": true }, "exploit_windows/local/ms14_070_tcpip_ioctl": { "name": "MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference", "full_name": "exploit/windows/local/ms14_070_tcpip_ioctl", "rank": 200, "disclosure_date": "2014-11-11", "type": "exploit", "author": [ "Matt Bergin ", "Jay Smith " ], "description": "A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys\n can allow a local attacker to trigger a NULL pointer dereference by using a\n specially crafted IOCTL. 
This flaw can be abused to elevate privileges to\n SYSTEM.", "references": [ "CVE-2014-4076", "MSB-MS14-070", "OSVDB-114532", "URL-https://blog.korelogic.com/blog/2015/01/28/2k3_tcpip_setaddroptions_exploit_dev", "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb", "is_install_path": true, "ref_name": "windows/local/ms14_070_tcpip_ioctl", "check": true }, "exploit_windows/local/ms15_004_tswbproxy": { "name": "MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape", "full_name": "exploit/windows/local/ms15_004_tswbproxy", "rank": 400, "disclosure_date": "2015-01-13", "type": "exploit", "author": [ "Unknown", "Henry Li", "juan vazquez " ], "description": "This module abuses a process creation policy in Internet Explorer's\n sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime\n proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the\n Protected Mode and execute code with Medium Integrity. At the moment, this\n module only bypasses Protected Mode on Windows 7 SP1 and prior (32 bits). 
This\n module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE\n 11.", "references": [ "CVE-2015-0016", "MSB-MS15-004", "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Protected Mode (Windows 7) / 32 bits" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms15_004_tswbproxy.rb", "is_install_path": true, "ref_name": "windows/local/ms15_004_tswbproxy", "check": true }, "exploit_windows/local/ms15_051_client_copy_image": { "name": "Windows ClientCopyImage Win32k Exploit", "full_name": "exploit/windows/local/ms15_051_client_copy_image", "rank": 300, "disclosure_date": "2015-05-12", "type": "exploit", "author": [ "Unknown", "hfirefox", "OJ Reeves", "Spencer McIntyre" ], "description": "This module exploits improper object handling in the win32k.sys kernel mode driver.\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\n Windows 2008 R2 SP1 x64.", "references": [ "CVE-2015-1701", "MSB-MS15-051", "URL-https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", "URL-https://github.com/hfiref0x/CVE-2015-1701", "URL-https://technet.microsoft.com/library/security/MS15-051" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms15_051_client_copy_image.rb", "is_install_path": true, "ref_name": "windows/local/ms15_051_client_copy_image", "check": true }, "exploit_windows/local/ms15_078_atmfd_bof": { "name": "MS15-078 Microsoft Windows Font Driver Buffer Overflow", "full_name": "exploit/windows/local/ms15_078_atmfd_bof", "rank": 0, "disclosure_date": "2015-07-11", "type": "exploit", "author": [ "Eugene Ching", "Mateusz 
Jurczyk", "Cedric Halbronn", "juan vazquez " ], "description": "This module exploits a pool-based buffer overflow in the atmfd.dll driver when parsing\n a malformed font. The vulnerability was exploited by Hacking Team and disclosed in\n the July data leak. This module has been tested successfully on vulnerable builds of\n Windows 8.1 x64.", "references": [ "CVE-2015-2426", "CVE-2015-2433", "MSB-MS15-078", "MSB-MS15-080", "URL-https://github.com/vlad902/hacking-team-windows-kernel-lpe", "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/", "URL-https://code.google.com/p/google-security-research/issues/detail?id=369", "URL-https://code.google.com/p/google-security-research/issues/detail?id=480" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "Windows 8.1 x64" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/ms15_078_atmfd_bof.rb", "is_install_path": true, "ref_name": "windows/local/ms15_078_atmfd_bof", "check": true }, "exploit_windows/local/ms16_014_wmi_recv_notif": { "name": "Windows WMI Receive Notification Exploit", "full_name": "exploit/windows/local/ms16_014_wmi_recv_notif", "rank": 300, "disclosure_date": "2015-12-04", "type": "exploit", "author": [ "smmrootkit", "de7ec7ed", "de7ec7ed" ], "description": "This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.\n This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.", "references": [ "CVE-2016-0040", "MSB-MS16-014", "URL-https://github.com/de7ec7ed/CVE-2016-0040", "URL-https://github.com/Rootkitsmm/cve-2016-0040", "URL-https://technet.microsoft.com/en-us/library/security/ms16-014.aspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "Windows 7 SP0/SP1" ], "mod_time": 
"2018-05-03 11:30:05 +0000", "path": "/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb", "is_install_path": true, "ref_name": "windows/local/ms16_014_wmi_recv_notif", "check": true }, "exploit_windows/local/ms16_016_webdav": { "name": "MS16-016 mrxdav.sys WebDav Local Privilege Escalation", "full_name": "exploit/windows/local/ms16_016_webdav", "rank": 600, "disclosure_date": "2016-02-09", "type": "exploit", "author": [ "Tamas Koczka", "William Webb " ], "description": "This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn\n a process on the target system and elevate its privileges to NT AUTHORITY\\SYSTEM before executing\n the specified payload within the context of the elevated process.", "references": [ "CVE-2016-0051", "MSB-MS16-016" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows 7 SP1" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/ms16_016_webdav.rb", "is_install_path": true, "ref_name": "windows/local/ms16_016_webdav", "check": true }, "exploit_windows/local/ms16_032_secondary_logon_handle_privesc": { "name": "MS16-032 Secondary Logon Handle Privilege Escalation", "full_name": "exploit/windows/local/ms16_032_secondary_logon_handle_privesc", "rank": 300, "disclosure_date": "2016-03-21", "type": "exploit", "author": [ "James Forshaw", "b33f", "khr0x40sh" ], "description": "This module exploits the lack of sanitization of standard handles in Windows' Secondary\n Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12\n 32 and 64 bit. 
This module will only work against those versions of Windows with\n Powershell 2.0 or later and systems with two or more CPU cores.", "references": [ "MS-MS16-032", "CVE-2016-0099", "URL-https://twitter.com/FuzzySec/status/723254004042612736", "URL-https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb", "is_install_path": true, "ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc", "check": true }, "exploit_windows/local/ms_ndproxy": { "name": "MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation", "full_name": "exploit/windows/local/ms_ndproxy", "rank": 200, "disclosure_date": "2013-11-27", "type": "exploit", "author": [ "Unknown", "ryujin", "Shahin Ramezany", "juan vazquez " ], "description": "This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003\n SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while\n processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used\n to access an array unsafely, and the value is used to perform a call, leading to a NULL\n pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This\n module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. 
In order to\n work, the service \"Routing and Remote Access\" must be running on the target system.", "references": [ "CVE-2013-5065", "MSB-MS14-002", "OSVDB-100368", "BID-63971", "EDB-30014", "URL-http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/", "URL-http://technet.microsoft.com/en-us/security/advisory/2914486", "URL-http://www.secniu.com/blog/?p=53", "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html", "URL-http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic", "Windows XP SP3", "Windows Server 2003 SP2" ], "mod_time": "2018-03-29 12:03:33 +0000", "path": "/modules/exploits/windows/local/ms_ndproxy.rb", "is_install_path": true, "ref_name": "windows/local/ms_ndproxy", "check": true }, "exploit_windows/local/novell_client_nicm": { "name": "Novell Client 2 SP3 nicm.sys Local Privilege Escalation", "full_name": "exploit/windows/local/novell_client_nicm", "rank": 200, "disclosure_date": "2013-05-22", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a flaw in the nicm.sys driver to execute arbitrary code in\n kernel space. The vulnerability occurs while handling ioctl requests with code\n 0x143B6B, where a user-provided pointer is used as a function pointer. 
The module\n has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.", "references": [ "CVE-2013-3956", "OSVDB-93718", "URL-http://www.novell.com/support/kb/doc.php?id=7012497", "URL-http://pastebin.com/GB4iiEwR" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic", "Windows 7 SP1" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/local/novell_client_nicm.rb", "is_install_path": true, "ref_name": "windows/local/novell_client_nicm", "check": true }, "exploit_windows/local/novell_client_nwfs": { "name": "Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation", "full_name": "exploit/windows/local/novell_client_nwfs", "rank": 200, "disclosure_date": "2008-06-26", "type": "exploit", "author": [ "Ruben Santamarta", "juan vazquez " ], "description": "This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel\n space. The corruption occurs while handling ioctl requests with code 0x1438BB,\n where a 0x00000009 dword is written to an arbitrary address. An entry within the\n HalDispatchTable is overwritten in order to execute arbitrary code when\n NtQueryIntervalProfile is called. 
The module has been tested successfully on\n Windows XP SP3 with Novell Client 4.91 SP4.", "references": [ "CVE-2008-3158", "OSVDB-46578", "BID-30001" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic", "Windows XP SP3" ], "mod_time": "2018-07-08 18:46:04 +0000", "path": "/modules/exploits/windows/local/novell_client_nwfs.rb", "is_install_path": true, "ref_name": "windows/local/novell_client_nwfs", "check": false }, "exploit_windows/local/ntapphelpcachecontrol": { "name": "MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check", "full_name": "exploit/windows/local/ntapphelpcachecontrol", "rank": 300, "disclosure_date": "2014-09-30", "type": "exploit", "author": [ "James Forshaw", "sinn3r " ], "description": "On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)\n allows application compatibility data to be cached for quick reuse when new processes are\n created. A normal user can query the cache but cannot add new cached entries as the\n operation is restricted to administrators. This is checked in the function\n AhcVerifyAdminContext.\n\n This function has a vulnerability where it doesn't correctly check the impersonation token\n of the caller to determine if the user is an administrator. It reads the caller's\n impersonation token using PsReferenceImpersonationToken and then does a comparison between\n the user SID in the token to LocalSystem's SID. 
It doesn't check the impersonation level\n of the token, so it's possible to get an identify token on your thread from a local system\n process and bypass this check.\n\n This module currently only affects Windows 8 and Windows 8.1, and requires access to\n C:\\Windows\\System\\ComputerDefaults.exe (although this can be improved).", "references": [ "MSB-MS15-001", "CVE-2015-0002", "OSVEB-116497", "EDB-35661", "URL-https://code.google.com/p/google-security-research/issues/detail?id=118" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows 8 / Windows 8.1 (x86 and x64)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ntapphelpcachecontrol.rb", "is_install_path": true, "ref_name": "windows/local/ntapphelpcachecontrol", "check": true }, "exploit_windows/local/nvidia_nvsvc": { "name": "Nvidia (nvsvc) Display Driver Service Local Privilege Escalation", "full_name": "exploit/windows/local/nvidia_nvsvc", "rank": 200, "disclosure_date": "2012-12-25", "type": "exploit", "author": [ "Peter Wintersmith", "Ben Campbell " ], "description": "The named pipe, \\pipe\\nsvr, has a NULL DACL allowing any authenticated user to\n interact with the service. It contains a stack-based buffer overflow as a result\n of a memmove operation. 
Note the slight spelling differences: the executable is 'nvvsvc.exe',\n the service name is 'nvsvc', and the named pipe is 'nsvr'.\n\n This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.\n It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.", "references": [ "CVE-2013-0109", "OSVDB-88745", "URL-http://nvidia.custhelp.com/app/answers/detail/a_id/3288" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/nvidia_nvsvc.rb", "is_install_path": true, "ref_name": "windows/local/nvidia_nvsvc", "check": true }, "exploit_windows/local/panda_psevents": { "name": "Panda Security PSEvents Privilege Escalation", "full_name": "exploit/windows/local/panda_psevents", "rank": 600, "disclosure_date": "2016-06-27", "type": "exploit", "author": [ "h00die ", "Security-Assessment.com" ], "description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/panda_psevents.rb", "is_install_path": true, "ref_name": "windows/local/panda_psevents", "check": true }, "exploit_windows/local/payload_inject": { "name": "Windows Manage Memory Payload Injection", "full_name": "exploit/windows/local/payload_inject", "rank": 600, "disclosure_date": "2011-10-12", "type": "exploit", "author": [ "Carlos Perez ", 
"sinn3r " ], "description": "This module will inject a payload into memory of a process. If a payload\n isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID\n datastore option isn't specified, then it'll inject into notepad.exe instead.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/payload_inject.rb", "is_install_path": true, "ref_name": "windows/local/payload_inject", "check": false }, "exploit_windows/local/persistence": { "name": "Windows Persistent Registry Startup Payload Installer", "full_name": "exploit/windows/local/persistence", "rank": 600, "disclosure_date": "2011-10-19", "type": "exploit", "author": [ "Carlos Perez ", "g0tmi1k" ], "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/persistence.rb", "is_install_path": true, "ref_name": "windows/local/persistence", "check": false }, "exploit_windows/local/powershell_cmd_upgrade": { "name": "Windows Command Shell Upgrade (Powershell)", "full_name": "exploit/windows/local/powershell_cmd_upgrade", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Ben Campbell " ], "description": "This module executes Powershell to upgrade a Windows Shell session\n to a full Meterpreter session.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/exploits/windows/local/powershell_cmd_upgrade.rb", "is_install_path": true, "ref_name": "windows/local/powershell_cmd_upgrade", "check": false }, "exploit_windows/local/powershell_remoting": { "name": "Powershell Remoting Remote Command Execution", "full_name": "exploit/windows/local/powershell_remoting", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Ben Campbell " ], "description": "This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines.\n If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise\n use a HOSTFILE to supply a list of known hostnames.", "references": [ "CVE-1999-0504", "OSVDB-3106" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/powershell_remoting.rb", "is_install_path": true, "ref_name": "windows/local/powershell_remoting", "check": false }, "exploit_windows/local/ppr_flatten_rec": { "name": "Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation", "full_name": "exploit/windows/local/ppr_flatten_rec", "rank": 200, "disclosure_date": "2013-05-15", "type": "exploit", "author": [ "Tavis Ormandy ", "progmboy ", "Keebie4e", "egypt ", "sinn3r ", "Ben Campbell ", "juan vazquez ", "OJ Reeves" ], "description": "This module exploits a vulnerability in EPATHOBJ::pprFlattenRec due to the usage\n of uninitialized data, which allows memory to be corrupted. 
At the moment, the module has\n been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.", "references": [ "CVE-2013-3660", "EDB-25912", "OSVDB-93539", "MSB-MS13-053", "URL-http://seclists.org/fulldisclosure/2013/May/91" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ppr_flatten_rec.rb", "is_install_path": true, "ref_name": "windows/local/ppr_flatten_rec", "check": true }, "exploit_windows/local/ps_persist": { "name": "Powershell Payload Execution", "full_name": "exploit/windows/local/ps_persist", "rank": 600, "disclosure_date": "2012-08-14", "type": "exploit", "author": [ "RageLtMan ", "Matt \"hostess\" Andreko" ], "description": "This module generates a dynamic executable on the session host using .NET templates.\n Code is pulled from C# templates and impregnated with a payload before being\n sent to a modified PowerShell session with .NET 4 loaded. The compiler builds\n the executable (standard or Windows service) in memory and produces a binary\n which can be started/installed and downloaded for later use. 
After compilation, the\n PowerShell session can also sign the executable if provided a path to a .pfx formatted\n certificate.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-09-27 07:41:06 +0000", "path": "/modules/exploits/windows/local/ps_persist.rb", "is_install_path": true, "ref_name": "windows/local/ps_persist", "check": false }, "exploit_windows/local/ps_wmi_exec": { "name": "Authenticated WMI Exec via Powershell", "full_name": "exploit/windows/local/ps_wmi_exec", "rank": 600, "disclosure_date": "2012-08-19", "type": "exploit", "author": [ "RageLtMan " ], "description": "This module uses WMI execution to launch a payload instance on a remote machine.\n In order to avoid AV detection, all execution is performed in memory via a psh-net\n encoded payload. The persistence option can be set to keep the payload looping while\n a handler is present to receive it. By default, the module runs as the current\n process owner. 
The module can be configured with credentials for the remote host\n with which to launch the process.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/ps_wmi_exec.rb", "is_install_path": true, "ref_name": "windows/local/ps_wmi_exec", "check": false }, "exploit_windows/local/pxeexploit": { "name": "PXE Exploit Server", "full_name": "exploit/windows/local/pxeexploit", "rank": 600, "disclosure_date": "2011-08-05", "type": "exploit", "author": [ "scriptjunkie" ], "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing the payload on the hard drive of any Windows\n partition seen.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", "references": [ ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/pxeexploit.rb", "is_install_path": true, "ref_name": "windows/local/pxeexploit", "check": false }, "exploit_windows/local/razer_zwopenprocess": { "name": "Razer Synapse rzpnk.sys ZwOpenProcess", "full_name": "exploit/windows/local/razer_zwopenprocess", "rank": 300, "disclosure_date": "2017-03-22", "type": "exploit", "author": [ "Spencer McIntyre" ], "description": "A vulnerability exists in the latest version of Razer Synapse\n (v2.20.15.1104 as of the day of disclosure) which can be leveraged\n locally by a malicious application to elevate its privileges to those of\n NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler\n in the rzpnk.sys driver that passes a PID specified by the user to\n ZwOpenProcess. 
This can be issued by an application to open a handle to\n an arbitrary process with the necessary privileges to allocate, read and\n write memory in the specified process.\n\n This exploit leverages this vulnerability to open a handle to the\n winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by\n installing a hook to execute attacker controlled shellcode. This hook is\n then triggered on demand by calling user32!LockWorkStation(), resulting\n in the attacker's payload being executed with the privileges of the\n infected winlogon process. In order for the issued IOCTL to work, the\n RazerIngameEngine.exe process must not be running. This exploit will\n check if it is, and attempt to kill it as necessary.\n\n The vulnerable software can be found here:\n https://www.razerzone.com/synapse/. No Razer hardware needs to be\n connected in order to leverage this vulnerability.\n\n This exploit is not opsec-safe due to the user being logged out as part\n of the exploitation process.", "references": [ "CVE-2017-9769", "URL-https://warroom.securestate.com/cve-2017-9769/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/razer_zwopenprocess.rb", "is_install_path": true, "ref_name": "windows/local/razer_zwopenprocess", "check": true }, "exploit_windows/local/registry_persistence": { "name": "Windows Registry Only Persistence", "full_name": "exploit/windows/local/registry_persistence", "rank": 600, "disclosure_date": "2015-07-01", "type": "exploit", "author": [ "Donny Maasland " ], "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n The payload will be installed completely in registry.", "references": [ ], "is_server": 
true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/registry_persistence.rb", "is_install_path": true, "ref_name": "windows/local/registry_persistence", "check": true }, "exploit_windows/local/run_as": { "name": "Windows Run Command As User", "full_name": "exploit/windows/local/run_as", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Kx499", "Ben Campbell " ], "description": "This module will log in with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default.\n Unless targeting a local user, either set the DOMAIN or specify a UPN user\n format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.\n\n A custom command line can be sent instead of uploading an executable.\n APPLICATION_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine\n respectively. See the MSDN documentation for how these two values interact.", "references": [ "URL-https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/run_as.rb", "is_install_path": true, "ref_name": "windows/local/run_as", "check": false }, "exploit_windows/local/s4u_persistence": { "name": "Windows Manage User Level Persistent Payload Installer", "full_name": "exploit/windows/local/s4u_persistence", "rank": 600, "disclosure_date": "2013-01-02", "type": "exploit", "author": [ "Thomas McCarthy \"smilingraccoon\" ", "Brandon McCann \"zeknox\" " ], "description": "Creates a scheduled task that will run using service-for-user (S4U).\n This allows the scheduled task to run even as an unprivileged user\n that is not logged into the device. 
This will result in a lower security\n context, allowing access to local resources only. The module\n requires 'Logon as a batch job' permissions (SeBatchLogonRight).", "references": [ "URL-http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/", "URL-http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/s4u_persistence.rb", "is_install_path": true, "ref_name": "windows/local/s4u_persistence", "check": false }, "exploit_windows/local/service_permissions": { "name": "Windows Escalate Service Permissions Local Privilege Escalation", "full_name": "exploit/windows/local/service_permissions", "rank": 500, "disclosure_date": "2012-10-15", "type": "exploit", "author": [ "scriptjunkie" ], "description": "This module attempts to exploit existing administrative privileges to obtain\n a SYSTEM session. If directly creating a service fails, this module will inspect\n existing services to look for insecure file or configuration permissions that may\n be hijacked. It will then attempt to restart the replaced service to run the\n payload. 
This will result in a new session when this succeeds.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/service_permissions.rb", "is_install_path": true, "ref_name": "windows/local/service_permissions", "check": false }, "exploit_windows/local/trusted_service_path": { "name": "Windows Service Trusted Path Privilege Escalation", "full_name": "exploit/windows/local/trusted_service_path", "rank": 600, "disclosure_date": "2001-10-25", "type": "exploit", "author": [ "sinn3r " ], "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n is handled. When the lpApplicationName contains a space, the file name is\n ambiguous. Take this file path as example: C:\\program files\\hello.exe;\n The Windows API will try to interpret this as two possible paths:\n C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n To some software developers, this is an unexpected behavior, which becomes a\n security problem if an attacker is able to place a malicious executable in one\n of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n same problem.\n\n The offensive technique is also described in Writing Secure Code (2nd Edition),\n Chapter 23, in the section \"Calling Processes Security\" on page 676.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx", "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/trusted_service_path.rb", "is_install_path": true, "ref_name": 
"windows/local/trusted_service_path", "check": true }, "exploit_windows/local/virtual_box_guest_additions": { "name": "VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation", "full_name": "exploit/windows/local/virtual_box_guest_additions", "rank": 200, "disclosure_date": "2014-07-15", "type": "exploit", "author": [ "Matt Bergin ", "Jay Smith " ], "description": "A vulnerability within the VBoxGuest driver allows an attacker to inject memory they\n control into an arbitrary location they define. This can be used by an attacker to\n overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest\n Additions up to 4.3.10r93012.", "references": [ "CVE-2014-2477", "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/virtual_box_guest_additions.rb", "is_install_path": true, "ref_name": "windows/local/virtual_box_guest_additions", "check": true }, "exploit_windows/local/virtual_box_opengl_escape": { "name": "VirtualBox 3D Acceleration Virtual Machine Escape", "full_name": "exploit/windows/local/virtual_box_opengl_escape", "rank": 200, "disclosure_date": "2014-03-11", "type": "exploit", "author": [ "Francisco Falcon", "Florian Ledoux", "juan vazquez " ], "description": "This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The\n vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a\n sequence of specially crafted rendering messages, a virtual machine can exploit an out\n of bounds array access to corrupt memory and escape to the host. 
This module has been\n tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.", "references": [ "CVE-2014-0983", "BID-66133", "URL-http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities", "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": [ "VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/virtual_box_opengl_escape.rb", "is_install_path": true, "ref_name": "windows/local/virtual_box_opengl_escape", "check": true }, "exploit_windows/local/vss_persistence": { "name": "Persistent Payload in Windows Volume Shadow Copy", "full_name": "exploit/windows/local/vss_persistence", "rank": 600, "disclosure_date": "2011-10-21", "type": "exploit", "author": [ "Jedediah Rodriguez " ], "description": "This module will attempt to create a persistent payload in a new volume shadow copy. This is\n based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has\n been tested successfully on Windows 7. 
In order to achieve persistence through the RUNKEY\n option, the user should need a password in order to start a session on the target machine.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html", "URL-http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/vss_persistence.rb", "is_install_path": true, "ref_name": "windows/local/vss_persistence", "check": false }, "exploit_windows/local/wmi": { "name": "Windows Management Instrumentation (WMI) Remote Command Execution", "full_name": "exploit/windows/local/wmi", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Ben Campbell " ], "description": "This module executes powershell on the remote host using the current\n user credentials or those supplied. Instead of using PSEXEC over TCP\n port 445, we use the WMIC command to start a Remote Procedure Call on\n TCP port 135 and an ephemeral port. 
Set ReverseListenerComm to tunnel\n traffic through that session.\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.\n\n The remote host must be configured to allow remote Windows Management\n Instrumentation.", "references": [ "CVE-1999-0504", "OSVDB-3106", "URL-http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/local/wmi.rb", "is_install_path": true, "ref_name": "windows/local/wmi", "check": false }, "exploit_windows/local/wmi_persistence": { "name": "WMI Event Subscription Persistence", "full_name": "exploit/windows/local/wmi_persistence", "rank": 300, "disclosure_date": "2017-06-06", "type": "exploit", "author": [ "Nick Tyrer <@NickTyrer>" ], "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. 
The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.", "references": [ "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/local/wmi_persistence.rb", "is_install_path": true, "ref_name": "windows/local/wmi_persistence", "check": false }, "exploit_windows/lotus/domino_http_accept_language": { "name": "IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow", "full_name": "exploit/windows/lotus/domino_http_accept_language", "rank": 200, "disclosure_date": "2008-05-20", "type": "exploit", "author": [ "Fairuzan Roslan ", "Earl Marcus klks " ], "description": "This module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n prior to version 7.0.3FP1 and 8.0.1. 
This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 114 bytes.", "references": [ "CVE-2008-2240", "OSVDB-45415", "BID-29310", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21303057" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "Lotus Domino 7.0 on Windows 2003 SP1 English(NX)", "Lotus Domino 7.0 on Windows 2003 SP2 English(NX)", "Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)", "Lotus Domino 8.0 on Windows 2003 SP1 English(NX)", "Lotus Domino 8.0 on Windows 2003 SP2 English(NX)", "Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lotus/domino_http_accept_language.rb", "is_install_path": true, "ref_name": "windows/lotus/domino_http_accept_language", "check": false }, "exploit_windows/lotus/domino_icalendar_organizer": { "name": "IBM Lotus Domino iCalendar MAILTO Buffer Overflow", "full_name": "exploit/windows/lotus/domino_icalendar_organizer", "rank": 300, "disclosure_date": "2010-09-14", "type": "exploit", "author": [ "A. Plaskett", "sinn3r " ], "description": "This module exploits a vulnerability found in IBM Lotus Domino iCalendar. 
By\n sending a long string of data as the \"ORGANIZER;mailto\" header, the process \"nRouter.exe\"\n crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n gain arbitrary code execution.\n\n Note: In order to trigger the vulnerable code path, a valid Domino mailbox account\n is needed.", "references": [ "CVE-2010-3407", "OSVDB-68040", "ZDI-10-177", "URL-http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/", "URL-http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Lotus Domino 8.5 on Windows 2000 SP4", "Lotus Domino 8.5 on Windows Server 2003 SP0", "Lotus Domino 8.5 on Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lotus/domino_icalendar_organizer.rb", "is_install_path": true, "ref_name": "windows/lotus/domino_icalendar_organizer", "check": true }, "exploit_windows/lotus/domino_sametime_stmux": { "name": "IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow", "full_name": "exploit/windows/lotus/domino_sametime_stmux", "rank": 200, "disclosure_date": "2008-05-21", "type": "exploit", "author": [ "aushack ", "riaf " ], "description": "This module exploits a stack buffer overflow in Lotus Domino's Sametime\n Server. By sending an overly long POST request to the Multiplexer\n STMux.exe service we are able to overwrite SEH. 
Based on the exploit\n by Manuel Santamarina Suarez.", "references": [ "CVE-2008-2499", "OSVDB-45610", "BID-29328", "ZDI-08-028" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 1533, "targets": [ "Lotus Sametime 7.5 on Windows Server 2000 SP4", "Lotus Sametime 7.5 on Windows Server 2003 SP1", "Lotus Sametime 7.5 on Windows Server 2003 SP2", "Lotus Sametime 7.5.1 Windows Server 2003 SP2", "Lotus Sametime 8.0.0 Windows Server 2003 SP2" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/lotus/domino_sametime_stmux.rb", "is_install_path": true, "ref_name": "windows/lotus/domino_sametime_stmux", "check": true }, "exploit_windows/lotus/lotusnotes_lzh": { "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", "full_name": "exploit/windows/lotus/lotusnotes_lzh", "rank": 300, "disclosure_date": "2011-05-24", "type": "exploit", "author": [ "binaryhouse.net", "alino <26alino@gmail.com>" ], "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered by binaryhouse.net", "references": [ "CVE-2011-1213", "OSVDB-72706", "BID-48018", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lotus/lotusnotes_lzh.rb", "is_install_path": true, "ref_name": "windows/lotus/lotusnotes_lzh", "check": false }, "exploit_windows/lpd/hummingbird_exceed": { "name": "Hummingbird Connectivity 10 SP5 LPD Buffer Overflow", "full_name": "exploit/windows/lpd/hummingbird_exceed", "rank": 200, "disclosure_date": "2005-05-27", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Hummingbird Connectivity\n 10 LPD Daemon. This module has only been tested against Hummingbird\n Exceed v10 with SP5.", "references": [ "CVE-2005-1815", "OSVDB-16957", "BID-13788" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 515, "targets": [ "Automatic", "Windows 2000 English SP0-SP4", "Windows XP English SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lpd/hummingbird_exceed.rb", "is_install_path": true, "ref_name": "windows/lpd/hummingbird_exceed", "check": false }, "exploit_windows/lpd/niprint": { "name": "NIPrint LPD Request Overflow", "full_name": "exploit/windows/lpd/niprint", "rank": 400, "disclosure_date": "2003-11-05", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the\n Network Instrument NIPrint LPD service. 
Inspired by\n Immunity's VisualSploit :-)", "references": [ "CVE-2003-1141", "OSVDB-2774", "BID-8968", "URL-http://www.immunitysec.com/documentation/vs_niprint.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 515, "targets": [ "NIPrint3.EXE (TDS:0x3a045ff2)", "Windows XP SP3", "Windows 7 x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lpd/niprint.rb", "is_install_path": true, "ref_name": "windows/lpd/niprint", "check": false }, "exploit_windows/lpd/saplpd": { "name": "SAP SAPLPD 6.28 Buffer Overflow", "full_name": "exploit/windows/lpd/saplpd", "rank": 400, "disclosure_date": "2008-02-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n By sending an overly long argument, an attacker may be able to execute arbitrary\n code.", "references": [ "CVE-2008-0621", "OSVDB-41127", "BID-27613" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 515, "targets": [ "SAPlpd 6.28.0.1 (SAP Release 6.40)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/lpd/saplpd.rb", "is_install_path": true, "ref_name": "windows/lpd/saplpd", "check": false }, "exploit_windows/lpd/wincomlpd_admin": { "name": "WinComLPD Buffer Overflow", "full_name": "exploit/windows/lpd/wincomlpd_admin", "rank": 400, "disclosure_date": "2008-02-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n By sending an overly long authentication packet to the remote\n administration service, an attacker may be able to execute arbitrary\n code.", "references": [ "CVE-2008-5159", "OSVDB-42861", "BID-27614" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 13500, "targets": [ "WinComLPD 3.0.2.623" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": 
"/modules/exploits/windows/lpd/wincomlpd_admin.rb", "is_install_path": true, "ref_name": "windows/lpd/wincomlpd_admin", "check": false }, "exploit_windows/misc/achat_bof": { "name": "Achat Unicode SEH Buffer Overflow", "full_name": "exploit/windows/misc/achat_bof", "rank": 300, "disclosure_date": "2014-12-18", "type": "exploit", "author": [ "Peter Kasza ", "Balazs Bucsay " ], "description": "This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even when the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack in the same time. This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.", "references": [ "CWE-121" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9256, "targets": [ "Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/achat_bof.rb", "is_install_path": true, "ref_name": "windows/misc/achat_bof", "check": false }, "exploit_windows/misc/actfax_raw_server_bof": { "name": "ActFax 5.01 RAW Server Buffer Overflow", "full_name": "exploit/windows/misc/actfax_raw_server_bof", "rank": 300, "disclosure_date": "2013-02-05", "type": "exploit", "author": [ "Craig Freyman", "corelanc0d3r", "juan vazquez " ], "description": "This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW\n Server can be used to transfer fax messages without any underlying protocols. To\n note significant fields in the fax being transferred, like the fax number or the\n recipient, ActFax data fields can be used. This module exploits a buffer overflow\n in the handling of the @F506 fields due to the insecure usage of strcpy. 
This\n module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).", "references": [ "OSVDB-89944", "BID-57789", "EDB-24467", "URL-http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "ActFax 5.01 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/actfax_raw_server_bof.rb", "is_install_path": true, "ref_name": "windows/misc/actfax_raw_server_bof", "check": false }, "exploit_windows/misc/agentxpp_receive_agentx": { "name": "AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow", "full_name": "exploit/windows/misc/agentxpp_receive_agentx", "rank": 400, "disclosure_date": "2010-04-16", "type": "exploit", "author": [ "jduck " ], "description": "This exploits a stack buffer overflow in the AgentX++ library, as used by\n various applications. By sending a specially crafted request, an attacker can\n execute arbitrary code, potentially with SYSTEM privileges.\n\n This module was tested successfully against master.exe as included with Real\n Network's Helix Server v12. When installed as a service with Helix Server,\n the service runs as SYSTEM, has no recovery action, but will start automatically\n on boot.\n\n This module does not work with NX/XD enabled but could be modified easily to\n do so. 
The address", "references": [ "CVE-2010-1318", "OSVDB-63919", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 705, "targets": [ "Helix Server v12 and v13 - master.exe" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/agentxpp_receive_agentx.rb", "is_install_path": true, "ref_name": "windows/misc/agentxpp_receive_agentx", "check": false }, "exploit_windows/misc/allmediaserver_bof": { "name": "ALLMediaServer 0.8 Buffer Overflow", "full_name": "exploit/windows/misc/allmediaserver_bof", "rank": 300, "disclosure_date": "2012-07-04", "type": "exploit", "author": [ "motaz reda ", "modpr0be ", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability\n is caused due to a boundary error within the handling of HTTP request.\n\n While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't\n reliable across virtual (VMWare, VirtualBox) and physical environments. 
Because of\n this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default\n DEP is OptIn and AllMediaServer won't run with DEP.", "references": [ "CVE-2017-17932", "OSVDB-83889", "EDB-19625" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 888, "targets": [ "ALLMediaServer 0.8 / Windows XP SP3 - English", "ALLMediaServer 0.8 / Windows 7 SP1 - English" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/allmediaserver_bof.rb", "is_install_path": true, "ref_name": "windows/misc/allmediaserver_bof", "check": false }, "exploit_windows/misc/altiris_ds_sqli": { "name": "Symantec Altiris DS SQL Injection", "full_name": "exploit/windows/misc/altiris_ds_sqli", "rank": 300, "disclosure_date": "2008-05-15", "type": "exploit", "author": [ "Brett Moore", "3v0lver" ], "description": "This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8\n to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize\n numeric input fields in \"UpdateComputer\" notification Requests. In order to spawn a shell,\n several SQL injections are required in close succession, first to enable xp_cmdshell, then\n retrieve the payload via TFTP and finally execute it. The module also has the capability\n to disable or enable local application authentication. 
In order to work the target system\n must have a tftp client available.", "references": [ "CVE-2008-2286", "OSVDB-45313", "BID-29198", "URL-http://www.zerodayinitiative.com/advisories/ZDI-08-024" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 402, "targets": [ "Windows 2003 (with tftp client available)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/altiris_ds_sqli.rb", "is_install_path": true, "ref_name": "windows/misc/altiris_ds_sqli", "check": true }, "exploit_windows/misc/apple_quicktime_rtsp_response": { "name": "Apple QuickTime 7.3 RTSP Response Header Buffer Overflow", "full_name": "exploit/windows/misc/apple_quicktime_rtsp_response", "rank": 300, "disclosure_date": "2007-11-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long\n RTSP response to a client, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-6166", "OSVDB-40876", "BID-26549", "EDB-4648" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "QuickTime 7.3, QuickTime Player 7.3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb", "is_install_path": true, "ref_name": "windows/misc/apple_quicktime_rtsp_response", "check": false }, "exploit_windows/misc/asus_dpcproxy_overflow": { "name": "Asus Dpcproxy Buffer Overflow", "full_name": "exploit/windows/misc/asus_dpcproxy_overflow", "rank": 200, "disclosure_date": "2008-03-21", "type": "exploit", "author": [ "Jacopo Cervini" ], "description": "This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.\n It should be vulnerable until version 2.0.0.24.\n Credit to Luigi Auriemma", "references": [ "CVE-2008-1491", "OSVDB-43638", "BID-28394" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", 
"rport": 623, "targets": [ "Asus Dpcroxy version 2.00.19 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb", "is_install_path": true, "ref_name": "windows/misc/asus_dpcproxy_overflow", "check": false }, "exploit_windows/misc/avaya_winpmd_unihostrouter": { "name": "Avaya WinPMD UniteHostRouter Buffer Overflow", "full_name": "exploit/windows/misc/avaya_winpmd_unihostrouter", "rank": 300, "disclosure_date": "2011-05-23", "type": "exploit", "author": [ "AbdulAziz Hariri", "Unknown", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability\n exists in the UniteHostRouter service, due to the insecure usage of memcpy when\n parsing specially crafted \"To:\" headers. The module has been tested successfully on\n Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.", "references": [ "OSVDB-82764", "OSVDB-73269", "BID-47947", "EDB-18397", "URL-https://downloads.avaya.com/css/P8/documents/100140122", "URL-http://secunia.com/advisories/44062" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3217, "targets": [ "Avaya WinPMD 3.8.2 / Windows XP SP3", "Avaya WinPMD 3.8.2 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb", "is_install_path": true, "ref_name": "windows/misc/avaya_winpmd_unihostrouter", "check": false }, "exploit_windows/misc/avidphoneticindexer": { "name": "Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow", "full_name": "exploit/windows/misc/avidphoneticindexer", "rank": 300, "disclosure_date": "2011-11-29", "type": "exploit", "author": [ "vt [nick.freeman " ], "description": "This module exploits a stack buffer overflow in process\n AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer\n 5.5 Editing Suite. 
This daemon sometimes starts on a different port; if you start\n it standalone it will run on port 4660.", "references": [ "CVE-2011-5003", "OSVDB-77376", "URL-http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 4659, "targets": [ "Windows XP Professional SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/avidphoneticindexer.rb", "is_install_path": true, "ref_name": "windows/misc/avidphoneticindexer", "check": false }, "exploit_windows/misc/bakbone_netvault_heap": { "name": "BakBone NetVault Remote Heap Overflow", "full_name": "exploit/windows/misc/bakbone_netvault_heap", "rank": 200, "disclosure_date": "2005-04-01", "type": "exploit", "author": [ "hdm ", "nolimit.bugtraq " ], "description": "This module exploits a heap overflow in the BakBone NetVault\n Process Manager service. This code is a direct port of the netvault.c\n code written by nolimit and BuzzDee.", "references": [ "CVE-2005-1009", "OSVDB-15234", "BID-12967" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20031, "targets": [ "Automatic", "Windows 2000 SP4 English", "Windows XP SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bakbone_netvault_heap.rb", "is_install_path": true, "ref_name": "windows/misc/bakbone_netvault_heap", "check": true }, "exploit_windows/misc/bcaaa_bof": { "name": "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow", "full_name": "exploit/windows/misc/bcaaa_bof", "rank": 400, "disclosure_date": "2011-04-04", "type": "exploit", "author": [ "Paul Harrington", "Travis Warren", "sinn3r " ], "description": "This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n which comes as part of the Blue Coat Authentication proxy. 
Please note that by default,\n this exploit will attempt up to three times in order to successfully gain remote code\n execution (in some cases, it takes as many as five times). This can cause your activity\n to look even more suspicious. To modify the number of exploit attempts, set the\n ATTEMPTS option.", "references": [ "CVE-2011-5124", "OSVDB-72095", "URL-https://kb.bluecoat.com/index?page=content&id=SA55", "URL-http://seclists.org/bugtraq/2011/Jul/44" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 16102, "targets": [ "BCAAA Version 5.4.6.1.54128" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bcaaa_bof.rb", "is_install_path": true, "ref_name": "windows/misc/bcaaa_bof", "check": false }, "exploit_windows/misc/bigant_server": { "name": "BigAnt Server 2.2 Buffer Overflow", "full_name": "exploit/windows/misc/bigant_server", "rank": 200, "disclosure_date": "2008-04-15", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in BigAnt Server 2.2.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", "references": [ "CVE-2008-1914", "OSVDB-44454", "BID-28795" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6080, "targets": [ "Windows 2000 Pro All English", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bigant_server.rb", "is_install_path": true, "ref_name": "windows/misc/bigant_server", "check": false }, "exploit_windows/misc/bigant_server_250": { "name": "BigAnt Server 2.50 SP1 Buffer Overflow", "full_name": "exploit/windows/misc/bigant_server_250", "rank": 500, "disclosure_date": "2008-04-15", "type": "exploit", "author": [ "Dr_IDE " ], "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. 
This module was tested\n successfully against version 2.50 SP1.", "references": [ "CVE-2008-1914", "OSVDB-44454", "EDB-9673", "EDB-9690" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6660, "targets": [ "BigAnt 2.5 Universal", "Windows 2000 Pro All English", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/misc/bigant_server_250.rb", "is_install_path": true, "ref_name": "windows/misc/bigant_server_250", "check": false }, "exploit_windows/misc/bigant_server_dupf_upload": { "name": "BigAnt Server DUPF Command Arbitrary File Upload", "full_name": "exploit/windows/misc/bigant_server_dupf_upload", "rank": 600, "disclosure_date": "2013-01-09", "type": "exploit", "author": [ "Hamburgers Maccoy", "juan vazquez " ], "description": "This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.\n A lack of authentication allows to make unauthenticated file uploads through a DUPF\n command. Additionally the filename option in the same command can be used to launch\n a directory traversal attack and achieve arbitrary file upload.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. 
It\n has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003\n SP2.", "references": [ "CVE-2012-6274", "US-CERT-VU-990652", "BID-57214", "OSVDB-89342" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6661, "targets": [ "BigAnt Server 2.97 SP7" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/bigant_server_dupf_upload.rb", "is_install_path": true, "ref_name": "windows/misc/bigant_server_dupf_upload", "check": false }, "exploit_windows/misc/bigant_server_sch_dupf_bof": { "name": "BigAnt Server 2 SCH And DUPF Buffer Overflow", "full_name": "exploit/windows/misc/bigant_server_sch_dupf_bof", "rank": 300, "disclosure_date": "2013-01-09", "type": "exploit", "author": [ "Hamburgers Maccoy", "juan vazquez " ], "description": "This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The\n vulnerability is due to the dangerous usage of strcpy while handling errors. This\n module uses a combination of SCH and DUPF request to trigger the vulnerability, and\n has been tested successfully against version 2.97 SP7 over Windows XP SP3 and\n Windows 2003 SP2.", "references": [ "CVE-2012-6275", "US-CERT-VU-990652", "BID-57214", "OSVDB-89344" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6661, "targets": [ "BigAnt Server 2.97 SP7 / Windows XP SP3", "BigAnt Server 2.97 SP7 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb", "is_install_path": true, "ref_name": "windows/misc/bigant_server_sch_dupf_bof", "check": false }, "exploit_windows/misc/bigant_server_usv": { "name": "BigAnt Server 2.52 USV Buffer Overflow", "full_name": "exploit/windows/misc/bigant_server_usv", "rank": 500, "disclosure_date": "2009-12-29", "type": "exploit", "author": [ "Lincoln", "DouBle_Zer0", "jduck " ], "description": "This exploits a stack buffer overflow in the BigAnt Messaging 
Service,\n part of the BigAnt Server product suite. This module was tested\n successfully against version 2.52.\n\n NOTE: The AntServer service does not restart, you only get one shot.", "references": [ "CVE-2009-4660", "OSVDB-61386", "EDB-10765", "EDB-10973" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6660, "targets": [ "BigAnt 2.52 Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/bigant_server_usv.rb", "is_install_path": true, "ref_name": "windows/misc/bigant_server_usv", "check": false }, "exploit_windows/misc/bomberclone_overflow": { "name": "Bomberclone 0.11.6 Buffer Overflow", "full_name": "exploit/windows/misc/bomberclone_overflow", "rank": 200, "disclosure_date": "2006-02-16", "type": "exploit", "author": [ "Jacopo Cervini " ], "description": "This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n The return address is overwritten with the lstrcpyA memory address,\n the second and third values are the destination buffer,\n the fourth value is the source address of our buffer in the stack.\n This exploit is like a return into libc.\n\n ATTENTION\n The shellcode is executed ONLY when someone tries to close bomberclone.", "references": [ "CVE-2006-0460", "OSVDB-23263", "BID-16697" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 11000, "targets": [ "Automatic", "Windows XP SP2 Italian", "Windows 2000 SP1 English", "Windows 2000 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bomberclone_overflow.rb", "is_install_path": true, "ref_name": "windows/misc/bomberclone_overflow", "check": false }, "exploit_windows/misc/bopup_comm": { "name": "Bopup Communications Server Buffer Overflow", "full_name": "exploit/windows/misc/bopup_comm", "rank": 400, "disclosure_date": "2009-06-18", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in 
Bopup Communications Server 3.2.26.5460.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", "references": [ "CVE-2009-2227", "OSVDB-55275", "URL-http://www.blabsoft.com/products/server", "EDB-9002" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 19810, "targets": [ "Bopup Communications Server 3.2.26.5460" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/bopup_comm.rb", "is_install_path": true, "ref_name": "windows/misc/bopup_comm", "check": false }, "exploit_windows/misc/borland_interbase": { "name": "Borland Interbase Create-Request Buffer Overflow", "full_name": "exploit/windows/misc/borland_interbase", "rank": 200, "disclosure_date": "2007-07-24", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Borland Interbase 2007.\n By sending a specially crafted create-request packet, a remote\n attacker may be able to execute arbitrary code.", "references": [ "CVE-2007-3566", "OSVDB-38602", "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-13" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3050, "targets": [ "Windows 2000 English All / Borland InterBase 2007" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/borland_interbase.rb", "is_install_path": true, "ref_name": "windows/misc/borland_interbase", "check": false }, "exploit_windows/misc/borland_starteam": { "name": "Borland CaliberRM StarTeam Multicast Service Buffer Overflow", "full_name": "exploit/windows/misc/borland_starteam", "rank": 200, "disclosure_date": "2008-04-02", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Borland CaliberRM 2006. 
By sending\n a specially crafted GET request to the STMulticastService, an attacker may be\n able to execute arbitrary code.", "references": [ "CVE-2008-0311", "OSVDB-44039", "BID-28602" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3057, "targets": [ "Windows 2000 SP4 English", "Windows 2003 SP0 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/borland_starteam.rb", "is_install_path": true, "ref_name": "windows/misc/borland_starteam", "check": false }, "exploit_windows/misc/citrix_streamprocess": { "name": "Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow", "full_name": "exploit/windows/misc/citrix_streamprocess", "rank": 400, "disclosure_date": "2011-01-20", "type": "exploit", "author": [ "mog" ], "description": "This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n By sending a specially crafted packet to the Provisioning Services server, a fixed\n length buffer on the stack can be overflowed and arbitrary code can be executed.", "references": [ "OSVDB-70597", "ZDI-11-023", "URL-http://secunia.com/advisories/42954/", "URL-http://support.citrix.com/article/CTX127149" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6905, "targets": [ "Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/citrix_streamprocess.rb", "is_install_path": true, "ref_name": "windows/misc/citrix_streamprocess", "check": false }, "exploit_windows/misc/citrix_streamprocess_data_msg": { "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow", "full_name": "exploit/windows/misc/citrix_streamprocess_data_msg", "rank": 300, "disclosure_date": "2011-11-04", "type": "exploit", "author": [ "AbdulAziz Hariri", "alino <26alino@gmail.com>" ], "description": "This module exploits a remote buffer overflow in the 
Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the\n 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,\n Windows 7, and Windows XP SP3.", "references": [ "OSVDB-75780", "BID-49803", "ZDI-12-009", "URL-http://support.citrix.com/article/CTX130846" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6905, "targets": [ "Citrix Provisioning Services 5.6 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb", "is_install_path": true, "ref_name": "windows/misc/citrix_streamprocess_data_msg", "check": false }, "exploit_windows/misc/citrix_streamprocess_get_boot_record_request": { "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow", "full_name": "exploit/windows/misc/citrix_streamprocess_get_boot_record_request", "rank": 300, "disclosure_date": "2011-11-04", "type": "exploit", "author": [ "alino <26alino@gmail.com>", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. 
The module, which allows\n code execution under the context of SYSTEM, has been successfully tested on Windows Server\n 2003 SP2 and Windows XP SP3.", "references": [ "OSVDB-75780", "BID-49803", "URL-http://support.citrix.com/article/CTX130846" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6905, "targets": [ "Citrix Provisioning Services 5.6 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb", "is_install_path": true, "ref_name": "windows/misc/citrix_streamprocess_get_boot_record_request", "check": false }, "exploit_windows/misc/citrix_streamprocess_get_footer": { "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow", "full_name": "exploit/windows/misc/citrix_streamprocess_get_footer", "rank": 300, "disclosure_date": "2011-11-04", "type": "exploit", "author": [ "alino <26alino@gmail.com>", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020002 (GetFooterRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", "references": [ "OSVDB-75780", "BID-49803", "URL-http://support.citrix.com/article/CTX130846" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6905, "targets": [ "Citrix Provisioning Services 5.6 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb", "is_install_path": true, "ref_name": "windows/misc/citrix_streamprocess_get_footer", "check": false }, "exploit_windows/misc/citrix_streamprocess_get_objects": { "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow", "full_name": "exploit/windows/misc/citrix_streamprocess_get_objects", "rank": 300, "disclosure_date": "2011-11-04", "type": "exploit", "author": [ "Anyway ", "alino <26alino@gmail.com>", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020006 (GetObjetsRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", "references": [ "OSVDB-75780", "BID-49803", "URL-http://support.citrix.com/article/CTX130846", "ZDI-12-010" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 6905, "targets": [ "Citrix Provisioning Services 5.6 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb", "is_install_path": true, "ref_name": "windows/misc/citrix_streamprocess_get_objects", "check": false }, "exploit_windows/misc/cloudme_sync": { "name": "CloudMe Sync v1.10.9", "full_name": "exploit/windows/misc/cloudme_sync", "rank": 500, "disclosure_date": "2018-01-17", "type": "exploit", "author": [ "hyp3rlinx", "Daniel Teixeira" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in CloudMe Sync v1.10.9 client application. This module has been\n tested successfully on Windows 7 SP1 x86.", "references": [ "CVE-2018-6892", "EDB-44027" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8888, "targets": [ "CloudMe Sync v1.10.9" ], "mod_time": "2018-02-20 17:40:33 +0000", "path": "/modules/exploits/windows/misc/cloudme_sync.rb", "is_install_path": true, "ref_name": "windows/misc/cloudme_sync", "check": false }, "exploit_windows/misc/commvault_cmd_exec": { "name": "Commvault Communications Service (cvd) Command Injection", "full_name": "exploit/windows/misc/commvault_cmd_exec", "rank": 400, "disclosure_date": "2017-12-12", "type": "exploit", "author": [ "b0yd" ], "description": "This module exploits a command injection vulnerability\n discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5\n and v10). The vulnerability exists in the cvd.exe service and allows an\n attacker to execute arbitrary commands in the context of the service. 
By\n default, the Commvault Communications service installs and runs as SYSTEM in\n Windows and does not require authentication. This vulnerability was discovered\n in the Windows version. The Linux version wasn't tested.", "references": [ "CVE-2017-18044", "URL-https://www.securifera.com/advisories/sec-2017-0001/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8400, "targets": [ "Commvault Communications Service (cvd) / Microsoft Windows 7 and higher" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/commvault_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/misc/commvault_cmd_exec", "check": false }, "exploit_windows/misc/disk_savvy_adm": { "name": "Disk Savvy Enterprise v10.4.18", "full_name": "exploit/windows/misc/disk_savvy_adm", "rank": 500, "disclosure_date": "2017-01-31", "type": "exploit", "author": [ "Daniel Teixeira" ], "description": "This module exploits a stack-based buffer overflow vulnerability\n in Disk Savvy Enterprise v10.4.18, caused by improper bounds\n checking of the request sent to the built-in server. This module\n has been tested successfully on Windows 7 SP1 x86.", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 9124, "targets": [ "Disk Savvy Enterprise v10.4.18" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/disk_savvy_adm.rb", "is_install_path": true, "ref_name": "windows/misc/disk_savvy_adm", "check": false }, "exploit_windows/misc/doubletake": { "name": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", "full_name": "exploit/windows/misc/doubletake", "rank": 200, "disclosure_date": "2008-06-04", "type": "exploit", "author": [ "ri0t " ], "description": "This module exploits a stack buffer overflow in the authentication mechanism of\n NSI Doubletake which is also rebranded as HP Storage Works. 
This vulnerability\n was found by Titon of Bastard Labs.", "references": [ "CVE-2008-1661", "OSVDB-45924" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1100, "targets": [ "doubletake 4.5.0", "doubletake 4.4.2", "doubletake 4.5.0.1819" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/doubletake.rb", "is_install_path": true, "ref_name": "windows/misc/doubletake", "check": false }, "exploit_windows/misc/eiqnetworks_esa": { "name": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", "full_name": "exploit/windows/misc/eiqnetworks_esa", "rank": 200, "disclosure_date": "2006-07-24", "type": "exploit", "author": [ "MC ", "ri0t ", "kf " ], "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the LICMGR_ADDLICENSE command, a stack-based\n buffer overflow occurs. This module has only been tested\n against ESA v2.1.13.", "references": [ "CVE-2006-3838", "OSVDB-27526", "BID-19163", "ZDI-06-024" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10616, "targets": [ "Automatic", "EnterpriseSecurityAnalyzerv21 Universal", "EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English", "EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2", "EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1", "Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2", "Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", "Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2", "Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", "iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "iPolicy 
Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", "iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2", "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English", "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2", "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/eiqnetworks_esa.rb", "is_install_path": true, "ref_name": "windows/misc/eiqnetworks_esa", "check": false }, "exploit_windows/misc/eiqnetworks_esa_topology": { "name": "eIQNetworks ESA Topology DELETEDEVICE Overflow", "full_name": "exploit/windows/misc/eiqnetworks_esa_topology", "rank": 200, "disclosure_date": "2006-07-25", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. 
During the processing of\n long arguments to the DELETEDEVICE command in the Topology\n server, a stack-based buffer overflow occurs.\n\n This module has only been tested against ESA v2.1.13.", "references": [ "CVE-2006-3838", "OSVDB-27528", "BID-19164" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10628, "targets": [ "Automatic", "Windows 2000 SP4 English", "Windows XP SP2 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb", "is_install_path": true, "ref_name": "windows/misc/eiqnetworks_esa_topology", "check": false }, "exploit_windows/misc/enterasys_netsight_syslog_bof": { "name": "Enterasys NetSight nssyslogd.exe Buffer Overflow", "full_name": "exploit/windows/misc/enterasys_netsight_syslog_bof", "rank": 300, "disclosure_date": "2011-12-19", "type": "exploit", "author": [ "Jeremy Brown", "rgod ", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in Enterasys NetSight. The\n vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially\n crafted PRIO field from a syslog message. 
The module has been tested successfully on\n Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.", "references": [ "CVE-2011-5227", "OSVDB-77971", "BID-51124", "ZDI-11-350" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 514, "targets": [ "Enterasys NetSight 4.0.1.34 / Windows XP SP3", "Enterasys NetSight 4.0.1.34 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb", "is_install_path": true, "ref_name": "windows/misc/enterasys_netsight_syslog_bof", "check": false }, "exploit_windows/misc/eureka_mail_err": { "name": "Eureka Email 2.2q ERR Remote Buffer Overflow", "full_name": "exploit/windows/misc/eureka_mail_err", "rank": 300, "disclosure_date": "2009-10-22", "type": "exploit", "author": [ "Francis Provencher (Protek Research Labs)", "Dr_IDE", "dookie", "jduck " ], "description": "This module exploits a buffer overflow in the Eureka Email 2.2q\n client that is triggered through an excessively long ERR message.\n\n NOTE: this exploit isn't very reliable. 
Unfortunately reaching the\n vulnerable code can only be done when manually checking mail (Ctrl-M).\n Checking at startup will not reach the code targeted here.", "references": [ "CVE-2009-3837", "OSVDB-59262", "EDB-10235" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Win XP SP3 English", "Win XP SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/eureka_mail_err.rb", "is_install_path": true, "ref_name": "windows/misc/eureka_mail_err", "check": false }, "exploit_windows/misc/fb_cnct_group": { "name": "Firebird Relational Database CNCT Group Number Buffer Overflow", "full_name": "exploit/windows/misc/fb_cnct_group", "rank": 300, "disclosure_date": "2013-01-31", "type": "exploit", "author": [ "Spencer McIntyre" ], "description": "This module exploits a vulnerability in Firebird SQL Server. A specially\n crafted packet can be sent which will overwrite a pointer allowing the attacker to\n control where data is read from. Shortly, following the controlled read, the\n pointer is called resulting in code execution.\n\n The vulnerability exists with a group number extracted from the CNCT information,\n which is sent by the client, and whose size is not properly checked.\n\n This module uses an existing call to memcpy, just prior to the vulnerable code,\n which allows a small amount of data to be written to the stack. 
A two-phase\n stack pivot allows execution of the ROP chain, which ultimately is used to call\n VirtualAlloc and bypass DEP.", "references": [ "CVE-2013-2492", "OSVDB-91044" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Windows FB 2.5.2.26539", "Windows FB 2.5.1.26351", "Windows FB 2.1.5.18496", "Windows FB 2.1.4.18393", "Debug" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/fb_cnct_group.rb", "is_install_path": true, "ref_name": "windows/misc/fb_cnct_group", "check": true }, "exploit_windows/misc/fb_isc_attach_database": { "name": "Firebird Relational Database isc_attach_database() Buffer Overflow", "full_name": "exploit/windows/misc/fb_isc_attach_database", "rank": 200, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.", "references": [ "CVE-2007-5243", "OSVDB-38607", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/fb_isc_attach_database.rb", "is_install_path": true, "ref_name": "windows/misc/fb_isc_attach_database", "check": false }, "exploit_windows/misc/fb_isc_create_database": { "name": "Firebird Relational Database isc_create_database() Buffer Overflow", "full_name": "exploit/windows/misc/fb_isc_create_database", "rank": 200, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", "references": [ 
"CVE-2007-5243", "OSVDB-38606", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/fb_isc_create_database.rb", "is_install_path": true, "ref_name": "windows/misc/fb_isc_create_database", "check": false }, "exploit_windows/misc/fb_svc_attach": { "name": "Firebird Relational Database SVC_attach() Buffer Overflow", "full_name": "exploit/windows/misc/fb_svc_attach", "rank": 200, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", "references": [ "CVE-2007-5243", "OSVDB-38605", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Firebird WI-V1.5.3.4870 WI-V1.5.4.4910", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/fb_svc_attach.rb", "is_install_path": true, "ref_name": "windows/misc/fb_svc_attach", "check": false }, "exploit_windows/misc/gh0st": { "name": "Gh0st Client buffer Overflow", "full_name": "exploit/windows/misc/gh0st", "rank": 300, "disclosure_date": "2017-07-27", "type": "exploit", "author": [ "Professor Plum" ], "description": "This module exploits a Memory buffer overflow in the Gh0st client (C2 server)", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Gh0st Beta 3.6" ], "mod_time": "2017-09-04 20:57:23 +0000", "path": "/modules/exploits/windows/misc/gh0st.rb", "is_install_path": true, "ref_name": 
"windows/misc/gh0st", "check": true }, "exploit_windows/misc/gimp_script_fu": { "name": "GIMP script-fu Server Buffer Overflow", "full_name": "exploit/windows/misc/gimp_script_fu", "rank": 300, "disclosure_date": "2012-05-18", "type": "exploit", "author": [ "Joseph Sheridan", "juan vazquez " ], "description": "This module exploits a buffer overflow in the script-fu server\n component on GIMP <= 2.6.12. By sending a specially crafted packet, an\n attacker may be able to achieve remote code execution under the context\n of the user.\n\n This module has been tested on GIMP for Windows from installers\n provided by Jernej Simoncic.", "references": [ "CVE-2012-2763", "OSVDB-82429", "BID-53741", "EDB-18956", "URL-http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10008, "targets": [ "GIMP 2.6.10 (no DEP) / Windows XP SP3 / Windows 7 SP1", "GIMP 2.6.1 (no DEP) / Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/gimp_script_fu.rb", "is_install_path": true, "ref_name": "windows/misc/gimp_script_fu", "check": false }, "exploit_windows/misc/hp_dataprotector_cmd_exec": { "name": "HP Data Protector 8.10 Remote Command Execution", "full_name": "exploit/windows/misc/hp_dataprotector_cmd_exec", "rank": 600, "disclosure_date": "2014-11-02", "type": "exploit", "author": [ "Christian Ramirez", "Henoch Barrera", "Matthew Hall " ], "description": "This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary\n commands can be executed by sending crafted requests with opcode 28 to the OmniInet\n service listening on the TCP/5555 port. Since there is a strict length limitation on\n the command, rundll32.exe is executed, and the payload is provided through a DLL by a\n fake SMB server. 
This module has been tested successfully on HP Data Protector 8.1 on\n Windows 7 SP1.", "references": [ "CVE-2014-2623", "OSVDB-109069", "EDB-34066", "URL-https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector 8.10 / Windows" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_cmd_exec", "check": true }, "exploit_windows/misc/hp_dataprotector_crs": { "name": "HP Data Protector Cell Request Service Buffer Overflow", "full_name": "exploit/windows/misc/hp_dataprotector_crs", "rank": 300, "disclosure_date": "2013-06-03", "type": "exploit", "author": [ "e6af8de8b1d4b2b6d5ba2610cbf9cd38", "juan vazquez " ], "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector\n product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell\n Request Service (crs.exe) when parsing packets with opcode 211. 
This module has been tested\n successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.", "references": [ "CVE-2013-2333", "OSVDB-93867", "BID-60309", "ZDI-13-130" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "HP Data Protector 6.20 build 370 / Windows XP SP3", "HP Data Protector 7.00 build 72 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_crs.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_crs", "check": true }, "exploit_windows/misc/hp_dataprotector_dtbclslogin": { "name": "HP Data Protector DtbClsLogin Buffer Overflow", "full_name": "exploit/windows/misc/hp_dataprotector_dtbclslogin", "rank": 300, "disclosure_date": "2010-09-09", "type": "exploit", "author": [ "AbdulAziz Hariri", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The\n overflow occurs during the login process, in the DtbClsLogin function provided by\n the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an\n insecure way with the username. 
A successful exploitation will lead to code execution\n with the privileges of the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server\n Service) process, which runs as SYSTEM by default.", "references": [ "CVE-2010-3007", "OSVDB-67973", "BID-43105", "ZDI-10-174", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3817, "targets": [ "HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_dtbclslogin", "check": true }, "exploit_windows/misc/hp_dataprotector_encrypted_comms": { "name": "HP Data Protector Encrypted Communication Remote Command Execution", "full_name": "exploit/windows/misc/hp_dataprotector_encrypted_comms", "rank": 300, "disclosure_date": "2016-04-18", "type": "exploit", "author": [ "Jon Barg", "Ian Lovering" ], "description": "This module exploits a well-known remote code execution vulnerability after establishing encrypted\n control communications with a Data Protector agent. This allows exploitation of Data\n Protector agents that have been configured to only use encrypted control communications.\n\n This exploit works by executing the payload with Microsoft PowerShell, so it will only work\n against Windows Vista or newer. 
Tested against Data Protector 9.0 installed on Windows\n Server 2008 R2.", "references": [ "CVE-2016-2004", "URL-http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_encrypted_comms", "check": true }, "exploit_windows/misc/hp_dataprotector_exec_bar": { "name": "HP Data Protector Backup Client Service Remote Code Execution", "full_name": "exploit/windows/misc/hp_dataprotector_exec_bar", "rank": 600, "disclosure_date": "2014-01-02", "type": "exploit", "author": [ "Aniway.Anyway ", "juan vazquez " ], "description": "This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code\n execution. The vulnerability exists in the EXEC_BAR operation, which allows to\n execute arbitrary processes. 
This module has been tested successfully on HP Data\n Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.", "references": [ "CVE-2013-2347", "BID-64647", "ZDI-14-008", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422", "URL-http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector 6.20 build 370 / VBScript CMDStager", "HP Data Protector 6.20 build 370 / Powershell" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_exec_bar", "check": true }, "exploit_windows/misc/hp_dataprotector_install_service": { "name": "HP Data Protector 6.10/6.11/6.20 Install Service", "full_name": "exploit/windows/misc/hp_dataprotector_install_service", "rank": 600, "disclosure_date": "2011-11-02", "type": "exploit", "author": [ "Ben Turner" ], "description": "This module exploits HP Data Protector OmniInet process on Windows only.\n This exploit invokes the install service function which allows an attacker to create a\n custom payload in the format of an executable.\n\n To ensure this works, the SMB server created in MSF must have a share called Omniback\n which has a subfolder i386, i.e. 
\\\\192.168.1.1\\Omniback\\i386\\", "references": [ "CVE-2011-0922", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector 6.10/6.11/6.20 / Windows" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_install_service.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_install_service", "check": true }, "exploit_windows/misc/hp_dataprotector_new_folder": { "name": "HP Data Protector Create New Folder Buffer Overflow", "full_name": "exploit/windows/misc/hp_dataprotector_new_folder", "rank": 300, "disclosure_date": "2012-03-12", "type": "exploit", "author": [ "juan vazquez ", "sinn3r " ], "description": "This module exploits a stack buffer overflow in HP Data Protector 5. The overflow\n occurs in the creation of new folders, where the name of the folder is handled in an\n insecure way by the dpwindtb.dll component. While the overflow occurs on the stack, the\n folder name is split into fragments by this insecure copy. Because of this, the module\n uses egg hunting to search for a non-corrupted copy of the payload in the heap. In addition,\n the overflowed buffer is stored in a frame protected by stack cookies, so an SEH handler\n overwrite is used to gain control of execution.\n\n Any user of HP Data Protector Express is able to create new folders and trigger the\n vulnerability. Moreover, in the default installation the 'Admin' user has an empty\n password. 
Successful exploitation will lead to code execution with the privileges of\n the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server Service) process, which\n runs as SYSTEM by default.", "references": [ "CVE-2012-0124", "OSVDB-80105", "BID-52431", "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3817, "targets": [ "HP Data Protector Express 6.0.00.11974 / Windows XP SP3", "HP Data Protector Express 5.0.00.59287 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_new_folder", "check": false }, "exploit_windows/misc/hp_dataprotector_traversal": { "name": "HP Data Protector Backup Client Service Directory Traversal", "full_name": "exploit/windows/misc/hp_dataprotector_traversal", "rank": 500, "disclosure_date": "2014-01-02", "type": "exploit", "author": [ "Brian Gorenc", "juan vazquez " ], "description": "This module exploits a directory traversal vulnerability in the Hewlett-Packard Data\n Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe)\n and is triggered when parsing packets with opcode 42. 
This module has been tested\n successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.", "references": [ "CVE-2013-6194", "OSVDB-101630", "BID-64647", "ZDI-14-003", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector 6.20 build 370 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_dataprotector_traversal.rb", "is_install_path": true, "ref_name": "windows/misc/hp_dataprotector_traversal", "check": true }, "exploit_windows/misc/hp_imc_dbman_restartdb_unauth_rce": { "name": "HPE iMC dbman RestartDB Unauthenticated RCE", "full_name": "exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce", "rank": 600, "disclosure_date": "2017-05-15", "type": "exploit", "author": [ "sztivi", "Chris Lyne", "Brendan Coles " ], "description": "This module exploits a remote command execution vulnerability in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restart\n a user-specified database instance (OpCode 10008); however, the\n instance ID is not sanitized, allowing execution of arbitrary\n operating system commands as SYSTEM. 
This service listens on\n TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", "references": [ "CVE-2017-5816", "EDB-43198", "ZDI-17-340", "URL-https://www.securityfocus.com/bid/98469/info", "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2810, "targets": [ "Automatic" ], "mod_time": "2018-01-05 11:28:14 +0000", "path": "/modules/exploits/windows/misc/hp_imc_dbman_restartdb_unauth_rce.rb", "is_install_path": true, "ref_name": "windows/misc/hp_imc_dbman_restartdb_unauth_rce", "check": true }, "exploit_windows/misc/hp_imc_dbman_restoredbase_unauth_rce": { "name": "HPE iMC dbman RestoreDBase Unauthenticated RCE", "full_name": "exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce", "rank": 600, "disclosure_date": "2017-05-15", "type": "exploit", "author": [ "sztivi", "Chris Lyne", "Brendan Coles " ], "description": "This module exploits a remote command execution vulnerability in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restore\n a user-specified database (OpCode 10007); however, the database\n connection username is not sanitized, resulting in command injection and\n allowing execution of arbitrary operating system commands as SYSTEM.\n This service listens on TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", "references": [ "CVE-2017-5817", "EDB-43195", "ZDI-17-341", "URL-https://www.securityfocus.com/bid/98469/info", "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2810, "targets": [ "Automatic" ], "mod_time": "2018-01-05 11:28:48 +0000", "path": 
"/modules/exploits/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.rb", "is_install_path": true, "ref_name": "windows/misc/hp_imc_dbman_restoredbase_unauth_rce", "check": true }, "exploit_windows/misc/hp_imc_uam": { "name": "HP Intelligent Management Center UAM Buffer Overflow", "full_name": "exploit/windows/misc/hp_imc_uam", "rank": 300, "disclosure_date": "2012-08-29", "type": "exploit", "author": [ "e6af8de8b1d4b2b6d5ba2610cbf9cd38", "sinn3r ", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in HP Intelligent Management Center\n UAM. The vulnerability exists in the uam.exe component, which uses sprintf in an\n insecure way for logging purposes. The vulnerability can be triggered by sending a\n malformed packet to the 1811/UDP port. The module has been successfully tested on\n HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).", "references": [ "CVE-2012-3274", "OSVDB-85060", "BID-55271", "ZDI-12-171", "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1811, "targets": [ "HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_imc_uam.rb", "is_install_path": true, "ref_name": "windows/misc/hp_imc_uam", "check": false }, "exploit_windows/misc/hp_loadrunner_magentproc": { "name": "HP LoadRunner magentproc.exe Overflow", "full_name": "exploit/windows/misc/hp_loadrunner_magentproc", "rank": 300, "disclosure_date": "2013-07-27", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The\n vulnerability exists in the LoadRunner Agent Process magentproc.exe. 
By sending\n a specially crafted packet, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2013-4800", "OSVDB-95644", "ZDI-13-169" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 443, "targets": [ "Windows XP SP3 / HP LoadRunner 11.50" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb", "is_install_path": true, "ref_name": "windows/misc/hp_loadrunner_magentproc", "check": false }, "exploit_windows/misc/hp_loadrunner_magentproc_cmdexec": { "name": "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution", "full_name": "exploit/windows/misc/hp_loadrunner_magentproc_cmdexec", "rank": 600, "disclosure_date": "2010-05-06", "type": "exploit", "author": [ "Unknown", "aushack " ], "description": "This module exploits a remote command execution vulnerability in HP LoadRunner before 9.50\n and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are\n also most likely vulnerable if the (non-default) SSL option is turned off.\n By sending a specially crafted packet, an attacker can execute commands remotely.\n The service is vulnerable provided the Secure Channel feature is disabled (the default).", "references": [ "CVE-2010-1549", "ZDI-10-080", "BID-39965", "URL-https://support.hpe.com/hpsc/doc/public/display?docId=c00912968" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 54345, "targets": [ "Windows (Dropper)" ], "mod_time": "2017-12-29 16:35:12 +0000", "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb", "is_install_path": true, "ref_name": "windows/misc/hp_loadrunner_magentproc_cmdexec", "check": false }, "exploit_windows/misc/hp_magentservice": { "name": "HP Diagnostics Server magentservice.exe Overflow", "full_name": "exploit/windows/misc/hp_magentservice", "rank": 200, "disclosure_date": "2012-01-12", "type": "exploit", "author": [ "AbdulAziz Hariri", 
"hal" ], "description": "This module exploits a stack buffer overflow in the HP Diagnostics Server\n magentservice.exe service. By sending a specially crafted packet, an attacker\n may be able to execute arbitrary code. Originally found and posted by\n AbdulAziz Hariri via ZDI.", "references": [ "OSVDB-72815", "CVE-2011-4789", "ZDI-12-016" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 23472, "targets": [ "Diagnostics Server 9.10" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_magentservice.rb", "is_install_path": true, "ref_name": "windows/misc/hp_magentservice", "check": false }, "exploit_windows/misc/hp_omniinet_1": { "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "full_name": "exploit/windows/misc/hp_omniinet_1", "rank": 500, "disclosure_date": "2009-12-17", "type": "exploit", "author": [ "EgiX ", "Fairuzan Roslan ", "jduck " ], "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the first one.", "references": [ "CVE-2007-2280", "BID-37396", "OSVDB-61206", "ZDI-09-099" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "Automatic Targeting", "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", "HP Application Recovery Manager software A.06.10: INET, internal build 282" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_omniinet_1.rb", "is_install_path": true, "ref_name": "windows/misc/hp_omniinet_1", "check": true }, "exploit_windows/misc/hp_omniinet_2": { "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "full_name": "exploit/windows/misc/hp_omniinet_2", "rank": 500, "disclosure_date": "2009-12-17", "type": "exploit", "author": [ "EgiX ", "Fairuzan Roslan ", "jduck " ], "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the second one.", "references": [ "CVE-2009-3844", "BID-37250", "OSVDB-60852", "ZDI-09-091" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "Automatic Targeting", "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", "HP Application Recovery Manager software A.06.10: INET, internal build 282" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_omniinet_2.rb", "is_install_path": true, "ref_name": "windows/misc/hp_omniinet_2", "check": true }, "exploit_windows/misc/hp_omniinet_3": { "name": "HP OmniInet.exe Opcode 27 Buffer Overflow", "full_name": "exploit/windows/misc/hp_omniinet_3", "rank": 500, "disclosure_date": "2011-06-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.", "references": [ "CVE-2011-1865", "OSVDB-73571", "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector A.06.10 Build 611 / A.06.11 Build 243" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/hp_omniinet_3.rb", "is_install_path": true, "ref_name": "windows/misc/hp_omniinet_3", "check": true }, "exploit_windows/misc/hp_omniinet_4": { "name": "HP OmniInet.exe Opcode 20 Buffer Overflow", "full_name": "exploit/windows/misc/hp_omniinet_4", "rank": 400, "disclosure_date": "2011-06-29", "type": "exploit", "author": [ "Oren Isacson", "muts", "dookie", "sinn3r ", "corelanc0d3r " ], "description": "This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. 
This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.", "references": [ "CVE-2011-1865", "OSVDB-73571", "EDB-17468", "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities", "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5555, "targets": [ "HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hp_omniinet_4.rb", "is_install_path": true, "ref_name": "windows/misc/hp_omniinet_4", "check": false }, "exploit_windows/misc/hp_operations_agent_coda_34": { "name": "HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow", "full_name": "exploit/windows/misc/hp_operations_agent_coda_34", "rank": 300, "disclosure_date": "2012-07-09", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x34 opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. 
On the other hand, it\n runs on a random TCP port, so a check function is\n provided to make reconnaissance easier.
On the other hand, it\n runs on a random TCP port, so a check function is\n provided to make reconnaissance easier.
When a user navigates to the HTA file they will\n be prompted by IE twice before the payload is executed.", "references": [ "URL-https://www.trustedsec.com/july-2015/malicious-htas/" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Powershell x86", "Powershell x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/hta_server.rb", "is_install_path": true, "ref_name": "windows/misc/hta_server", "check": false }, "exploit_windows/misc/ib_isc_attach_database": { "name": "Borland InterBase isc_attach_database() Buffer Overflow", "full_name": "exploit/windows/misc/ib_isc_attach_database", "rank": 400, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.", "references": [ "CVE-2007-5243", "OSVDB-38607", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Borland InterBase WI-V8.1.0.257", "Borland InterBase WI-V8.0.0.123", "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", "Borland InterBase WI-V7.0.1.1", "Borland InterBase WI-V6.5.0.28", "Borland InterBase WI-V6.0.1.6", "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", "Borland InterBase WI-V5.5.0.742", "Borland InterBase WI-V5.1.1.680", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ib_isc_attach_database.rb", "is_install_path": true, "ref_name": "windows/misc/ib_isc_attach_database", "check": false }, "exploit_windows/misc/ib_isc_create_database": { "name": "Borland InterBase isc_create_database() Buffer Overflow", "full_name": "exploit/windows/misc/ib_isc_create_database", "rank": 400, "disclosure_date": "2007-10-03", "type": "exploit", 
"author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", "references": [ "CVE-2007-5243", "OSVDB-38606", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Borland InterBase WI-V8.1.0.257", "Borland InterBase WI-V8.0.0.123", "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", "Borland InterBase WI-V7.0.1.1", "Borland InterBase WI-V6.5.0.28", "Borland InterBase WI-V6.0.1.6", "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", "Borland InterBase WI-V5.5.0.742", "Borland InterBase WI-V5.1.1.680", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ib_isc_create_database.rb", "is_install_path": true, "ref_name": "windows/misc/ib_isc_create_database", "check": false }, "exploit_windows/misc/ib_svc_attach": { "name": "Borland InterBase SVC_attach() Buffer Overflow", "full_name": "exploit/windows/misc/ib_svc_attach", "rank": 400, "disclosure_date": "2007-10-03", "type": "exploit", "author": [ "Ramon de C Valle ", "Adriano Lima " ], "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", "references": [ "CVE-2007-5243", "OSVDB-38605", "BID-25917", "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 3050, "targets": [ "Brute Force", "Borland InterBase WI-V8.1.0.257", "Borland InterBase WI-V8.0.0.123", "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", "Borland InterBase WI-V7.0.1.1", "Borland InterBase WI-V6.5.0.28", "Borland InterBase WI-V6.0.1.6", "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", "Borland InterBase WI-V5.5.0.742", "Borland InterBase 
WI-V5.1.1.680", "Debug" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ib_svc_attach.rb", "is_install_path": true, "ref_name": "windows/misc/ib_svc_attach", "check": false }, "exploit_windows/misc/ibm_cognos_tm1admsd_bof": { "name": "IBM Cognos tm1admsd.exe Overflow", "full_name": "exploit/windows/misc/ibm_cognos_tm1admsd_bof", "rank": 300, "disclosure_date": "2012-04-02", "type": "exploit", "author": [ "Unknown", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in IBM Cognos Analytic Server\n Admin service. The vulnerability exists in the tm1admsd.exe component, due to a\n dangerous copy of user controlled data to the stack, via memcpy, without validating\n the supplied length and data. The module has been tested successfully on IBM Cognos\n Express 9.5 over Windows XP SP3.", "references": [ "CVE-2012-0202", "OSVDB-80876", "BID-52847", "ZDI-12-101", "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21590314" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5498, "targets": [ "IBM Cognos Express 9.5 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb", "is_install_path": true, "ref_name": "windows/misc/ibm_cognos_tm1admsd_bof", "check": false }, "exploit_windows/misc/ibm_director_cim_dllinject": { "name": "IBM System Director Agent DLL Injection", "full_name": "exploit/windows/misc/ibm_director_cim_dllinject", "rank": 600, "disclosure_date": "2009-03-10", "type": "exploit", "author": [ "Bernhard Mueller", "kingcope", "juan vazquez " ], "description": "This module abuses the \"wmicimsv\" service on IBM System Director Agent 5.20.3\n to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM\n privileges.\n\n In order to accomplish remote DLL injection it uses a WebDAV service as disclosed\n by kingcope on December 2012. 
Because of this, the target host must have the\n WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically\n started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.", "references": [ "CVE-2009-0880", "OSVDB-52616", "OSVDB-88102", "BID-34065", "URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20090305-2_IBM_director_privilege_escalation.txt", "URL-http://seclists.org/bugtraq/2012/Dec/5" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 6988, "targets": [ "IBM System Director Agent 5.20.3 / Windows with WebClient enabled" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb", "is_install_path": true, "ref_name": "windows/misc/ibm_director_cim_dllinject", "check": true }, "exploit_windows/misc/ibm_tsm_cad_ping": { "name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow", "full_name": "exploit/windows/misc/ibm_tsm_cad_ping", "rank": 400, "disclosure_date": "2009-11-04", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n By sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n for the vulnerable code to be reached. This state doesn't appear to be reachable when the\n TSM server is not running. 
This service does not restart.", "references": [ "CVE-2009-3853", "OSVDB-59632" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1582, "targets": [ "IBM Tivoli Storage Manager Express 5.3.6.2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb", "is_install_path": true, "ref_name": "windows/misc/ibm_tsm_cad_ping", "check": false }, "exploit_windows/misc/ibm_tsm_rca_dicugetidentify": { "name": "IBM Tivoli Storage Manager Express RCA Service Buffer Overflow", "full_name": "exploit/windows/misc/ibm_tsm_rca_dicugetidentify", "rank": 500, "disclosure_date": "2009-11-04", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n Client Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n NodeName parameter, an attacker can execute arbitrary code.\n\n NOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n the port number on which it runs. This service does not restart.", "references": [ "CVE-2008-4828", "OSVDB-54232", "BID-34803" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1582, "targets": [ "IBM Tivoli Storage Manager Express 5.3.6.2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb", "is_install_path": true, "ref_name": "windows/misc/ibm_tsm_rca_dicugetidentify", "check": false }, "exploit_windows/misc/ibm_websphere_java_deserialize": { "name": "IBM WebSphere RCE Java Deserialization Vulnerability", "full_name": "exploit/windows/misc/ibm_websphere_java_deserialize", "rank": 600, "disclosure_date": "2015-11-06", "type": "exploit", "author": [ "Liatsis Fotios " ], "description": "This module exploits a vulnerability in IBM's WebSphere Application Server. 
An unsafe deserialization\n call on unauthenticated Java objects exists via the Apache Commons Collections (ACC) library, which allows\n remote arbitrary code execution.
For example,\n IE/Firefox/Opera by default will ask the user for permission before launching the\n itms link by iTunes. Chrome will ask for permission, but also spits a warning.\n Safari would be an ideal target, because it will open the link without any\n user interaction.", "references": [ "OSVDB-83220", "EDB-19322", "URL-http://pastehtml.com/view/c25uhk4ab.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3", "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3", "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3", "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/itunes_extm3u_bof.rb", "is_install_path": true, "ref_name": "windows/misc/itunes_extm3u_bof", "check": false }, "exploit_windows/misc/landesk_aolnsrvr": { "name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", "full_name": "exploit/windows/misc/landesk_aolnsrvr", "rank": 200, "disclosure_date": "2007-04-13", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. 
By sending\n an overly long string to the Alert Service, a buffer is overwritten and arbitrary\n code can be executed.", "references": [ "CVE-2007-1674", "OSVDB-34964", "URL-http://www.tippingpoint.com/security/advisories/TSRT-07-04.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 65535, "targets": [ "Alerting Proxy 2000/2003/XP", "Alerting Proxy 2003 SP1-2 (NX support)", "Alerting Proxy XP SP2 (NX support)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/landesk_aolnsrvr.rb", "is_install_path": true, "ref_name": "windows/misc/landesk_aolnsrvr", "check": false }, "exploit_windows/misc/lianja_db_net": { "name": "Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow", "full_name": "exploit/windows/misc/lianja_db_net", "rank": 300, "disclosure_date": "2013-05-22", "type": "exploit", "author": [ "Spencer McIntyre" ], "description": "This module exploits a stack buffer overflow in the db_netserver process, which\n is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.", "references": [ "CVE-2013-3563", "OSVDB-93759" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8001, "targets": [ "Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2", "Lianja SQL 1.0.0RC5.1 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/lianja_db_net.rb", "is_install_path": true, "ref_name": "windows/misc/lianja_db_net", "check": true }, "exploit_windows/misc/manageengine_eventlog_analyzer_rce": { "name": "ManageEngine EventLog Analyzer Remote Code Execution", "full_name": "exploit/windows/misc/manageengine_eventlog_analyzer_rce", "rank": 0, "disclosure_date": "2015-07-11", "type": "exploit", "author": [ "xistence " ], "description": "This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6\n build 10060 and previous versions. 
Every authenticated user, including the default \"guest\"\n account can execute SQL queries directly on the underlying Postgres database server. The\n queries are executed as the \"postgres\" user which has full privileges and thus is able to\n write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM\n privileges on the web server. This module has been tested successfully on ManageEngine\n EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.", "references": [ "EDB-38173", "CVE-2015-7387", "URL-http://seclists.org/fulldisclosure/2015/Sep/59" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 8400, "targets": [ "ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb", "is_install_path": true, "ref_name": "windows/misc/manageengine_eventlog_analyzer_rce", "check": true }, "exploit_windows/misc/mercury_phonebook": { "name": "Mercury/32 PH Server Module Buffer Overflow", "full_name": "exploit/windows/misc/mercury_phonebook", "rank": 200, "disclosure_date": "2005-12-19", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack-based buffer overflow in\n Mercury/32 <= v4.01b PH Server Module. 
This issue is\n due to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.", "references": [ "CVE-2005-4411", "OSVDB-22103", "BID-16396" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 105, "targets": [ "Windows XP Pro SP0/SP1 English", "Windows 2000 Pro English ALL" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/mercury_phonebook.rb", "is_install_path": true, "ref_name": "windows/misc/mercury_phonebook", "check": false }, "exploit_windows/misc/mini_stream": { "name": "Mini-Stream 3.0.1.1 Buffer Overflow", "full_name": "exploit/windows/misc/mini_stream", "rank": 300, "disclosure_date": "2009-12-25", "type": "exploit", "author": [ "Unknown", "Ron Henry " ], "description": "This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n By creating a specially crafted pls file, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2009-5109", "OSVDB-61341", "EDB-10745" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 ENG", "Windows XP SP2 ENG" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/mini_stream.rb", "is_install_path": true, "ref_name": "windows/misc/mini_stream", "check": false }, "exploit_windows/misc/mirc_privmsg_server": { "name": "mIRC PRIVMSG Handling Stack Buffer Overflow", "full_name": "exploit/windows/misc/mirc_privmsg_server", "rank": 300, "disclosure_date": "2008-10-02", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n may be necessary. 
This module is based on the code by SkD.", "references": [ "CVE-2008-4449", "OSVDB-48752", "BID-31552", "EDB-6666" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/misc/mirc_privmsg_server.rb", "is_install_path": true, "ref_name": "windows/misc/mirc_privmsg_server", "check": false }, "exploit_windows/misc/ms07_064_sami": { "name": "MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow", "full_name": "exploit/windows/misc/ms07_064_sami", "rank": 300, "disclosure_date": "2007-12-11", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the DirectShow Synchronized\n Accessible Media Interchanged (SAMI) parser in quartz.dll. This module\n has only been tested with Windows Media Player (6.4.09.1129) and\n DirectX 8.0.", "references": [ "CVE-2007-3901", "OSVDB-39126", "MSB-MS07-064", "BID-26789" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 Pro SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ms07_064_sami.rb", "is_install_path": true, "ref_name": "windows/misc/ms07_064_sami", "check": false }, "exploit_windows/misc/ms10_104_sharepoint": { "name": "MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution", "full_name": "exploit/windows/misc/ms10_104_sharepoint", "rank": 600, "disclosure_date": "2010-12-14", "type": "exploit", "author": [ "Oleksandr Mirosh", "James Burton", "juan vazquez " ], "description": "This module exploits a vulnerability found in SharePoint Server 2007 SP2. 
The\n software contains a directory traversal, that allows a remote attacker to write\n arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile\n request to the Office Document Conversions Launcher Service, which results in code\n execution under the context of 'SYSTEM'.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers.\n It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows\n 2003 SP2.", "references": [ "CVE-2010-3964", "OSVDB-69817", "BID-45264", "MSB-MS10-104", "ZDI-10-287" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8082, "targets": [ "Microsoft Office SharePoint Server 2007 SP2 / Microsoft Windows Server 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ms10_104_sharepoint.rb", "is_install_path": true, "ref_name": "windows/misc/ms10_104_sharepoint", "check": true }, "exploit_windows/misc/netcat110_nt": { "name": "Netcat v1.10 NT Stack Buffer Overflow", "full_name": "exploit/windows/misc/netcat110_nt", "rank": 500, "disclosure_date": "2004-12-27", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n an overly long string we are able to overwrite SEH. 
The vulnerability\n exists when netcat is used to bind (-e) an executable to a port in doexec.c.\n This module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".", "references": [ "CVE-2004-1317", "OSVDB-12612", "BID-12106", "EDB-726" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": [ "Universal nc.exe" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/misc/netcat110_nt.rb", "is_install_path": true, "ref_name": "windows/misc/netcat110_nt", "check": false }, "exploit_windows/misc/nettransport": { "name": "NetTransport Download Manager 2.90.510 Buffer Overflow", "full_name": "exploit/windows/misc/nettransport", "rank": 300, "disclosure_date": "2010-01-02", "type": "exploit", "author": [ "Lincoln", "dookie" ], "description": "This exploits a stack buffer overflow in NetTransport Download Manager,\n part of the NetXfer suite. This module was tested\n successfully against version 2.90.510.", "references": [ "CVE-2017-17968", "OSVDB-61435", "EDB-10911" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 22222, "targets": [ "Windows Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/nettransport.rb", "is_install_path": true, "ref_name": "windows/misc/nettransport", "check": false }, "exploit_windows/misc/nvidia_mental_ray": { "name": "Nvidia Mental Ray Satellite Service Arbitrary DLL Injection", "full_name": "exploit/windows/misc/nvidia_mental_ray", "rank": 600, "disclosure_date": "2013-12-10", "type": "exploit", "author": [ "Luigi Auriemma", "Donato Ferrante", "Ben Campbell " ], "description": "The Nvidia Mental Ray Satellite Service listens for control commands on port 7414.\n When it receives the command to load a DLL (via an UNC path) it will try to\n connect back to the host on port 7514. If a TCP connection is successful it will\n then attempt to load the DLL. 
This module has been tested successfully on Win7 x64\n with Nvidia Mental Ray Satellite Service v3.11.1.", "references": [ "URL-http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf", "OSVDB-100827" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 7414, "targets": [ "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/nvidia_mental_ray.rb", "is_install_path": true, "ref_name": "windows/misc/nvidia_mental_ray", "check": false }, "exploit_windows/misc/plugx": { "name": "PlugX Controller Stack Overflow", "full_name": "exploit/windows/misc/plugx", "rank": 300, "disclosure_date": "2017-07-27", "type": "exploit", "author": [ "Professor Plum" ], "description": "This module exploits a Stack buffer overflow in the PlugX Controller (C2 server)", "references": [ ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 13579, "targets": [ "PlugX Type I (old)", "PlugX Type I", "PlugX Type II" ], "mod_time": "2017-09-04 20:57:23 +0000", "path": "/modules/exploits/windows/misc/plugx.rb", "is_install_path": true, "ref_name": "windows/misc/plugx", "check": true }, "exploit_windows/misc/poisonivy_21x_bof": { "name": "Poison Ivy 2.1.x C2 Buffer Overflow", "full_name": "exploit/windows/misc/poisonivy_21x_bof", "rank": 300, "disclosure_date": "2016-06-03", "type": "exploit", "author": [ "Jos Wetzels" ], "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.", "references": [ "URL-http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3460, "targets": [ "Poison Ivy 2.1.4 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/poisonivy_21x_bof.rb", "is_install_path": true, "ref_name": 
"windows/misc/poisonivy_21x_bof", "check": true }, "exploit_windows/misc/poisonivy_bof": { "name": "Poison Ivy Server Buffer Overflow", "full_name": "exploit/windows/misc/poisonivy_bof", "rank": 300, "disclosure_date": "2012-06-24", "type": "exploit", "author": [ "Andrzej Dereszowski", "Gal Badishi", "juan vazquez ", "Jos Wetzels" ], "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.2.0 to 2.3.2 C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.", "references": [ "OSVDB-83774", "EDB-19613", "URL-http://www.signal11.eu/en/research/articles/targeted_2010.pdf", "URL-http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3460, "targets": [ "Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1", "Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1", "Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/poisonivy_bof.rb", "is_install_path": true, "ref_name": "windows/misc/poisonivy_bof", "check": true }, "exploit_windows/misc/poppeeper_date": { "name": "POP Peeper v3.4 DATE Buffer Overflow", "full_name": "exploit/windows/misc/poppeeper_date", "rank": 300, "disclosure_date": "2009-02-27", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted DATE string is sent to a client,\n an attacker may be able to execute arbitrary code. 
This\n module is based off of krakowlabs code.", "references": [ "CVE-2009-1029", "OSVDB-53560", "BID-34093" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "POP Peeper v3.4" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/poppeeper_date.rb", "is_install_path": true, "ref_name": "windows/misc/poppeeper_date", "check": false }, "exploit_windows/misc/poppeeper_uidl": { "name": "POP Peeper v3.4 UIDL Buffer Overflow", "full_name": "exploit/windows/misc/poppeeper_uidl", "rank": 300, "disclosure_date": "2009-02-27", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted UIDL string is sent to a client,\n an attacker may be able to execute arbitrary code. This\n module is based off of krakowlabs code.", "references": [ "OSVDB-53559", "CVE-2009-1029", "BID-33926" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "POP Peeper v3.4" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/poppeeper_uidl.rb", "is_install_path": true, "ref_name": "windows/misc/poppeeper_uidl", "check": false }, "exploit_windows/misc/realtek_playlist": { "name": "Realtek Media Player Playlist Buffer Overflow", "full_name": "exploit/windows/misc/realtek_playlist", "rank": 500, "disclosure_date": "2008-12-16", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n When a Realtek Media Player client opens a specially crafted playlist, an\n attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-5664", "OSVDB-50715", "BID-32860" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Realtek Media Player(RtlRack) A4.06 (XP Pro All English)" ], "mod_time": "2017-07-24 06:26:21 
+0000", "path": "/modules/exploits/windows/misc/realtek_playlist.rb", "is_install_path": true, "ref_name": "windows/misc/realtek_playlist", "check": false }, "exploit_windows/misc/sap_2005_license": { "name": "SAP Business One License Manager 2005 Buffer Overflow", "full_name": "exploit/windows/misc/sap_2005_license", "rank": 500, "disclosure_date": "2009-08-01", "type": "exploit", "author": [ "Jacopo Cervini" ], "description": "This module exploits a stack buffer overflow in the SAP Business One 2005\n License Manager 'NT Naming Service' A and B releases. By sending an\n excessively long string, the stack is overwritten, enabling arbitrary\n code execution.", "references": [ "OSVDB-56837", "CVE-2009-4988", "BID-35933", "EDB-9319" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 30000, "targets": [ "Sap Business One 2005 B1 Universal" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/misc/sap_2005_license.rb", "is_install_path": true, "ref_name": "windows/misc/sap_2005_license", "check": false }, "exploit_windows/misc/sap_netweaver_dispatcher": { "name": "SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow", "full_name": "exploit/windows/misc/sap_netweaver_dispatcher", "rank": 300, "disclosure_date": "2012-05-08", "type": "exploit", "author": [ "Martin Gallo", "juan vazquez " ], "description": "This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher\n service. The overflow occurs in the DiagTraceR3Info() function and allows a remote\n attacker to execute arbitrary code by supplying a specially crafted Diag packet. The\n Dispatcher service is only vulnerable if the Developer Traces have been configured\n at levels 2 or 3. 
The module has been successfully tested on SAP Netweaver 7.0 EHP2\n SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", "references": [ "OSVDB-81759", "CVE-2012-2611", "BID-53424", "EDB-20705", "URL-http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities", "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3200, "targets": [ "SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3", "SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb", "is_install_path": true, "ref_name": "windows/misc/sap_netweaver_dispatcher", "check": false }, "exploit_windows/misc/shixxnote_font": { "name": "ShixxNOTE 6.net Font Field Overflow", "full_name": "exploit/windows/misc/shixxnote_font", "rank": 500, "disclosure_date": "2004-10-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in ShixxNOTE 6.net.\n The vulnerability is caused due to boundary errors in the\n handling of font fields.", "references": [ "CVE-2004-1595", "OSVDB-10721", "BID-11409" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2000, "targets": [ "ShixxNOTE 6.net Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/shixxnote_font.rb", "is_install_path": true, "ref_name": "windows/misc/shixxnote_font", "check": false }, "exploit_windows/misc/solidworks_workgroup_pdmwservice_file_write": { "name": "SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write", "full_name": "exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write", "rank": 400, "disclosure_date": "2014-02-22", "type": "exploit", "author": [ "Mohamed Shetta ", "Brendan Coles " ], 
"description": "This module exploits a remote arbitrary file write vulnerability in\n SolidWorks Workgroup PDM 2014 SP2 and prior.\n\n For targets running Windows Vista or newer, the payload is written to the\n startup folder for all users and executed upon the next user logon (note that\n this leaves the payload on disk).\n\n For targets before Windows Vista, code execution can be achieved by first\n uploading the payload as an exe file, and then uploading a MOF file\n which schedules WMI to execute the uploaded payload.\n\n This module has been tested successfully on SolidWorks Workgroup PDM\n 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).", "references": [ "CVE-2014-100015", "EDB-31831", "OSVDB-103671" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 30000, "targets": [ "Automatic", "SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)", "SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb", "is_install_path": true, "ref_name": "windows/misc/solidworks_workgroup_pdmwservice_file_write", "check": true }, "exploit_windows/misc/splayer_content_type": { "name": "SPlayer 3.7 Content-Type Buffer Overflow", "full_name": "exploit/windows/misc/splayer_content_type", "rank": 300, "disclosure_date": "2011-05-04", "type": "exploit", "author": [ "xsploitedsec ", "sinn3r " ], "description": "This module exploits a vulnerability in SPlayer v3.7 or prior. 
When SPlayer\n requests the URL of a media file (video or audio), it is possible to gain arbitrary\n remote code execution due to a buffer overflow caused by an exceeding length of data\n as the 'Content-Type' parameter.", "references": [ "OSVDB-72181", "EDB-17243" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP2/XP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/splayer_content_type.rb", "is_install_path": true, "ref_name": "windows/misc/splayer_content_type", "check": false }, "exploit_windows/misc/stream_down_bof": { "name": "CoCSoft StreamDown 6.8.0 Buffer Overflow", "full_name": "exploit/windows/misc/stream_down_bof", "rank": 400, "disclosure_date": "2011-12-27", "type": "exploit", "author": [ "Fady Mohamed Osman " ], "description": "Stream Down 6.8.0 seh based buffer overflow triggered when processing\n the server response packet. During the overflow a structured exception\n handler is overwritten.", "references": [ "CVE-2011-5052", "OSVDB-78043", "BID-51190", "URL-http://www.dark-masters.tk/", "URL-http://secunia.com/advisories/47343/", "EDB-18283" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "StreamDown 6.8.0" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/stream_down_bof.rb", "is_install_path": true, "ref_name": "windows/misc/stream_down_bof", "check": false }, "exploit_windows/misc/talkative_response": { "name": "Talkative IRC v0.4.4.16 Response Buffer Overflow", "full_name": "exploit/windows/misc/talkative_response", "rank": 300, "disclosure_date": "2009-03-17", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n When a specially crafted response string is sent to a client,\n an attacker may be able to execute arbitrary code.", "references": [ "OSVDB-64582", "BID-34141", 
"EDB-8227" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/talkative_response.rb", "is_install_path": true, "ref_name": "windows/misc/talkative_response", "check": false }, "exploit_windows/misc/tiny_identd_overflow": { "name": "TinyIdentD 2.2 Stack Buffer Overflow", "full_name": "exploit/windows/misc/tiny_identd_overflow", "rank": 200, "disclosure_date": "2007-05-14", "type": "exploit", "author": [ "Jacopo Cervini " ], "description": "This module exploits a stack-based buffer overflow in TinyIdentD version 2.2.\n If we send a long string to the ident service we can overwrite the return\n address and execute arbitrary code. Credit to Maarten Boone.", "references": [ "CVE-2007-2711", "OSVDB-36053", "BID-23981" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 113, "targets": [ "Automatic", "Windows 2000 Server SP4 English", "Windows XP SP2 Italian" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/tiny_identd_overflow.rb", "is_install_path": true, "ref_name": "windows/misc/tiny_identd_overflow", "check": false }, "exploit_windows/misc/trendmicro_cmdprocessor_addtask": { "name": "TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow", "full_name": "exploit/windows/misc/trendmicro_cmdprocessor_addtask", "rank": 400, "disclosure_date": "2011-12-07", "type": "exploit", "author": [ "Luigi Auriemma", "Blue" ], "description": "This module exploits a vulnerability in the CmdProcessor.exe component of Trend\n Micro Control Manager up to version 5.5.\n\n The specific flaw exists within the CmdProcessor.exe service running on TCP port\n 20101. The vulnerable function is the CGenericScheduler::AddTask function of\n cmdHandlerRedAlertController.dll. 
When processing a specially crafted IPC packet,\n controlled data is copied into a 256-byte stack buffer. This can be exploited\n to execute remote code under the context of the user.", "references": [ "CVE-2011-5001", "OSVDB-77585", "ZDI-11-345" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20101, "targets": [ "Windows 2003 Server SP2 (DEP Bypass)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/trendmicro_cmdprocessor_addtask.rb", "is_install_path": true, "ref_name": "windows/misc/trendmicro_cmdprocessor_addtask", "check": false }, "exploit_windows/misc/ufo_ai": { "name": "UFO: Alien Invasion IRC Client Buffer Overflow", "full_name": "exploit/windows/misc/ufo_ai", "rank": 200, "disclosure_date": "2009-10-28", "type": "exploit", "author": [ "Jason Geffner", "dookie" ], "description": "This module exploits a buffer overflow in the IRC client component of\n UFO: Alien Invasion 2.2.1.", "references": [ "OSVDB-65689", "EDB-14013" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/ufo_ai.rb", "is_install_path": true, "ref_name": "windows/misc/ufo_ai", "check": false }, "exploit_windows/misc/vmhgfs_webdav_dll_sideload": { "name": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector", "full_name": "exploit/windows/misc/vmhgfs_webdav_dll_sideload", "rank": 300, "disclosure_date": "2016-08-05", "type": "exploit", "author": [ "Yorick Koster" ], "description": "A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\n a component of VMware Tools. This issue can be exploited by luring a victim into\n opening a document from the attacker's share. An attacker can exploit this issue to\n execute arbitrary code with the privileges of the target user. 
This can potentially\n result in the attacker taking complete control of the affected system. If the WebDAV\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.", "references": [ "CVE-2016-5330", "URL-https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html", "URL-http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows x64", "Windows x86" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb", "is_install_path": true, "ref_name": "windows/misc/vmhgfs_webdav_dll_sideload", "check": false }, "exploit_windows/misc/weblogic_deserialize": { "name": "Oracle Weblogic Server Deserialization RCE", "full_name": "exploit/windows/misc/weblogic_deserialize", "rank": 0, "disclosure_date": "2018-04-17", "type": "exploit", "author": [ "brianwrf", "Jacob Robles" ], "description": "An unauthenticated attacker with network access to the Oracle Weblogic\n Server T3 interface can send a serialized object to the interface to\n execute code on vulnerable hosts.", "references": [ "CVE-2018-2628", "EDB-44553" ], "is_server": false, "is_client": true, "platform": "", "arch": "", "rport": 7001, "targets": [ "Windows" ], "mod_time": "2018-08-09 14:51:56 +0000", "path": "/modules/exploits/windows/misc/weblogic_deserialize.rb", "is_install_path": true, "ref_name": "windows/misc/weblogic_deserialize", "check": false }, "exploit_windows/misc/windows_rsh": { "name": "Windows RSH Daemon Buffer Overflow", "full_name": "exploit/windows/misc/windows_rsh", "rank": 200, "disclosure_date": "2007-07-24", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a vulnerability in Windows RSH daemon 1.8.\n The vulnerability is due to a failure to check for the length of input sent\n to the RSH server. 
A CPORT (client source port) in the range 512-1023 must be configured for the exploit\n to be successful, as the rsh protocol requires the client to connect from a privileged source port.", "references": [ "CVE-2007-4006", "OSVDB-38572", "BID-25044" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 514, "targets": [ "Windows 2003 SP1 English", "Windows XP Pro SP2 English", "Windows 2000 Pro SP4 English" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/windows_rsh.rb", "is_install_path": true, "ref_name": "windows/misc/windows_rsh", "check": false }, "exploit_windows/misc/wireshark_lua": { "name": "Wireshark console.lua Pre-Loading Script Execution", "full_name": "exploit/windows/misc/wireshark_lua", "rank": 600, "disclosure_date": "2011-07-18", "type": "exploit", "author": [ "Haifei Li", "sinn3r " ], "description": "This module exploits a vulnerability in Wireshark 1.6.1 or earlier. When opening a\n pcap file, Wireshark will actually check if there's a 'console.lua' file in the same\n directory, and then parse/execute the script if found. 
Versions affected by this\n vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8", "references": [ "CVE-2011-3360", "OSVDB-75347", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136", "URL-http://technet.microsoft.com/en-us/security/msvr/msvr11-014" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Wireshark 1.6.1 or less" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/wireshark_lua.rb", "is_install_path": true, "ref_name": "windows/misc/wireshark_lua", "check": false }, "exploit_windows/misc/wireshark_packet_dect": { "name": "Wireshark packet-dect.c Stack Buffer Overflow", "full_name": "exploit/windows/misc/wireshark_packet_dect", "rank": 400, "disclosure_date": "2011-04-18", "type": "exploit", "author": [ "Paul Makowski", "sickness", "corelanc0d3r " ], "description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n by sending a malicious packet.", "references": [ "CVE-2011-1591", "OSVDB-71848", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", "EDB-17185" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Win32 Universal (Generic DEP & ASLR Bypass)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb", "is_install_path": true, "ref_name": "windows/misc/wireshark_packet_dect", "check": false }, "exploit_windows/mmsp/ms10_025_wmss_connect_funnel": { "name": "Windows Media Services ConnectFunnel Stack Buffer Overflow", "full_name": "exploit/windows/mmsp/ms10_025_wmss_connect_funnel", "rank": 500, "disclosure_date": "2010-04-13", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in the Windows Media\n Unicast Service version 4.1.0.3930 (NUMS.exe). 
By sending a specially\n crafted FunnelConnect request, an attacker can execute arbitrary code\n under the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n with Windows 2000 Server, but is not installed by default.\n\n NOTE: This service does NOT restart automatically. Successful, as well as\n unsuccessful exploitation attempts will kill the service which prevents\n additional attempts.", "references": [ "CVE-2010-0478", "OSVDB-63726", "MSB-MS10-025", "URL-https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1755, "targets": [ "Windows 2000 Pro SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb", "is_install_path": true, "ref_name": "windows/mmsp/ms10_025_wmss_connect_funnel", "check": false }, "exploit_windows/motorola/timbuktu_fileupload": { "name": "Timbuktu Pro Directory Traversal/File Upload", "full_name": "exploit/windows/motorola/timbuktu_fileupload", "rank": 600, "disclosure_date": "2008-05-10", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a directory traversal vulnerability in Motorola's\n Timbuktu Pro for Windows 8.6.5.", "references": [ "CVE-2008-1117", "OSVDB-43544" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 407, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/motorola/timbuktu_fileupload.rb", "is_install_path": true, "ref_name": "windows/motorola/timbuktu_fileupload", "check": false }, "exploit_windows/mssql/lyris_listmanager_weak_pass": { "name": "Lyris ListManager MSDE Weak sa Password", "full_name": "exploit/windows/mssql/lyris_listmanager_weak_pass", "rank": 600, "disclosure_date": "2005-12-08", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a weak password vulnerability in the\n Lyris ListManager 
MSDE install. During installation, the 'sa'\n account password is set to 'lminstall'. Once the install\n completes, it is set to 'lyris' followed by the process\n ID of the installer. This module brute forces all possible\n process IDs that would be used by the installer.", "references": [ "CVE-2005-4145", "OSVDB-21559" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1433, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb", "is_install_path": true, "ref_name": "windows/mssql/lyris_listmanager_weak_pass", "check": false }, "exploit_windows/mssql/ms02_039_slammer": { "name": "MS02-039 Microsoft SQL Server Resolution Overflow", "full_name": "exploit/windows/mssql/ms02_039_slammer", "rank": 400, "disclosure_date": "2002-07-24", "type": "exploit", "author": [ "hdm " ], "description": "This is an exploit for the SQL Server 2000 resolution\n service buffer overflow. This overflow is triggered by\n sending a udp packet to port 1434 which starts with 0x04 and\n is followed by long string terminating with a colon and a\n number. 
This module should work against any vulnerable SQL\n Server 2000 or MSDE install (pre-SP3).", "references": [ "CVE-2002-0649", "OSVDB-4578", "BID-5310", "MSB-MS02-039" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1434, "targets": [ "MSSQL 2000 / MSDE <= SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mssql/ms02_039_slammer.rb", "is_install_path": true, "ref_name": "windows/mssql/ms02_039_slammer", "check": true }, "exploit_windows/mssql/ms02_056_hello": { "name": "MS02-056 Microsoft SQL Server Hello Overflow", "full_name": "exploit/windows/mssql/ms02_056_hello", "rank": 400, "disclosure_date": "2002-08-05", "type": "exploit", "author": [ "MC " ], "description": "By sending malformed data to TCP port 1433, an\n unauthenticated remote attacker could overflow a buffer and\n possibly execute code on the server with SYSTEM level\n privileges. This module should work against any vulnerable\n SQL Server 2000 or MSDE install (< SP3).", "references": [ "CVE-2002-1123", "OSVDB-10132", "BID-5411", "MSB-MS02-056" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1433, "targets": [ "MSSQL 2000 / MSDE <= SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mssql/ms02_056_hello.rb", "is_install_path": true, "ref_name": "windows/mssql/ms02_056_hello", "check": true }, "exploit_windows/mssql/ms09_004_sp_replwritetovarbin": { "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption", "full_name": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin", "rank": 400, "disclosure_date": "2008-12-09", "type": "exploit", "author": [ "jduck " ], "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. 
This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. 
That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", "references": [ "OSVDB-50589", "CVE-2008-5416", "BID-32710", "MSB-MS09-004", "EDB-7501" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1433, "targets": [ "Automatic", "MSSQL 2000 / MSDE SP0 (8.00.194)", "MSSQL 2000 / MSDE SP1 (8.00.384)", "MSSQL 2000 / MSDE SP2 (8.00.534)", "MSSQL 2000 / MSDE SP3 (8.00.760)", "MSSQL 2000 / MSDE SP4 (8.00.2039)", "MSSQL 2005 SP0 (9.00.1399.06)", "MSSQL 2005 SP1 (9.00.2047.00)", "MSSQL 2005 SP2 (9.00.3042.00)", "CRASHER" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb", "is_install_path": true, "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin", "check": true }, "exploit_windows/mssql/ms09_004_sp_replwritetovarbin_sqli": { "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection", "full_name": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli", "rank": 600, "disclosure_date": "2008-12-09", "type": "exploit", "author": [ "jduck ", "Rodrigo Marcos" ], "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. 
In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", "references": [ "OSVDB-50589", "CVE-2008-5416", "BID-32710", "MSB-MS09-004", "EDB-7501", "URL-http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Automatic", "MSSQL 2000 / MSDE SP0 (8.00.194)", "MSSQL 2000 / MSDE SP1 (8.00.384)", "MSSQL 2000 / MSDE SP2 (8.00.534)", "MSSQL 2000 / MSDE SP3 (8.00.760)", "MSSQL 2000 / MSDE SP4 (8.00.2039)", "MSSQL 2005 SP0 (9.00.1399.06)", "MSSQL 2005 SP1 (9.00.2047.00)", "MSSQL 2005 SP2 (9.00.3042.00)", "CRASHER" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb", "is_install_path": true, "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin_sqli", "check": true }, "exploit_windows/mssql/mssql_clr_payload": { "name": "Microsoft SQL Server Clr Stored Procedure Payload Execution", "full_name": 
"exploit/windows/mssql/mssql_clr_payload", "rank": 600, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Lee Christensen", "Nathan Kirk", "OJ Reeves" ], "description": "This module executes an arbitrary native payload on a Microsoft SQL\n server by loading a custom SQL CLR Assembly into the target SQL\n installation, and calling it directly with a base64-encoded payload.\n\n The module requires working credentials in order to connect directly to the\n MSSQL Server.\n\n This method requires the user to have sufficient privileges to install a custom\n SQL CLR DLL, and invoke the custom stored procedure that comes with it.\n\n This exploit does not leave any binaries on disk.\n\n Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).", "references": [ "URL-http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 1433, "targets": [ "Automatic" ], "mod_time": "2017-09-10 14:15:39 +0000", "path": "/modules/exploits/windows/mssql/mssql_clr_payload.rb", "is_install_path": true, "ref_name": "windows/mssql/mssql_clr_payload", "check": true }, "exploit_windows/mssql/mssql_linkcrawler": { "name": "Microsoft SQL Server Database Link Crawling Command Execution", "full_name": "exploit/windows/mssql/mssql_linkcrawler", "rank": 500, "disclosure_date": "2000-01-01", "type": "exploit", "author": [ "Antti Rantasaari ", "Scott Sutherland \"nullbind\" " ], "description": "This module can be used to crawl MS SQL Server database links and deploy\n Metasploit payloads through links configured with sysadmin privileges using a\n valid SQL Server Login.\n\n If you are attempting to obtain multiple reverse shells using this module we\n recommend setting the \"DisablePayloadHandler\" advanced option to \"true\", and setting\n up an exploit/multi/handler to run in the background as a job to support multiple incoming\n shells.\n\n If you 
are interested in deploying payloads to specific servers this module also\n supports that functionality via the \"DEPLOYLIST\" option.\n\n Currently, the module is capable of delivering payloads to both 32bit and 64bit\n Windows systems via powershell memory injection methods based on Matthew Graeber's\n work. As a result, the target server must have powershell installed. By default,\n all of the crawl information is saved to a CSV formatted log file and MSF loot so\n that the tool can also be used for auditing without deploying payloads.", "references": [ "URL-http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012", "URL-http://msdn.microsoft.com/en-us/library/ms188279.aspx", "URL-http://www.exploit-monday.com/2011_10_16_archive.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 1433, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb", "is_install_path": true, "ref_name": "windows/mssql/mssql_linkcrawler", "check": false }, "exploit_windows/mssql/mssql_payload": { "name": "Microsoft SQL Server Payload Execution", "full_name": "exploit/windows/mssql/mssql_payload", "rank": 600, "disclosure_date": "2000-05-30", "type": "exploit", "author": [ "David Kennedy \"ReL1K\" ", "jduck " ], "description": "This module executes an arbitrary payload on a Microsoft SQL Server by using\n the \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. 
By default\n the Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", "references": [ "CVE-2000-0402", "OSVDB-557", "BID-1281", "CVE-2000-1209", "OSVDB-15757", "BID-4797" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 1433, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/mssql/mssql_payload.rb", "is_install_path": true, "ref_name": "windows/mssql/mssql_payload", "check": true }, "exploit_windows/mssql/mssql_payload_sqli": { "name": "Microsoft SQL Server Payload Execution via SQL Injection", "full_name": "exploit/windows/mssql/mssql_payload_sqli", "rank": 600, "disclosure_date": "2000-05-30", "type": "exploit", "author": [ "David Kennedy \"ReL1K\" ", "jduck ", "Rodrigo Marcos" ], "description": "This module will execute an arbitrary payload on a Microsoft SQL\n Server, using a SQL injection vulnerability.\n\n Once a vulnerability is identified this module\n will use xp_cmdshell to upload and execute Metasploit payloads.\n It is necessary to specify the exact point where the SQL injection\n vulnerability happens. For example, given the following injection:\n\n http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n you would need to set the following path (the [SQLi] marker replaces the injected statement):\n set GET_PATH /show.asp?id=1;[SQLi];--&cat=electrical\n\n In regard to the payload, unless there is a closed port on the web server,\n you don't want to use any \"bind\" payload, especially on port 80, as you will\n stop reaching the vulnerable web server host. 
You want a \"reverse\" payload, probably to\n your port 80 or to any other outbound port allowed on the firewall.\n For privileged ports execute Metasploit msfconsole as root.\n\n Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wscript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", "references": [ "CVE-2000-0402", "OSVDB-557", "BID-1281", "CVE-2000-1209", "OSVDB-15757", "BID-4797", "URL-http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 80, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/mssql/mssql_payload_sqli.rb", "is_install_path": true, "ref_name": "windows/mssql/mssql_payload_sqli", "check": false }, "exploit_windows/mysql/mysql_mof": { "name": "Oracle MySQL for Microsoft Windows MOF Execution", "full_name": "exploit/windows/mysql/mysql_mof", "rank": 600, "disclosure_date": "2012-12-01", "type": "exploit", "author": [ "kingcope", "sinn3r " ], "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers (due to the use of a .mof file).\n This may result in arbitrary code execution under the context of SYSTEM.\n This module requires a valid MySQL account 
on the target machine.", "references": [ "CVE-2012-5613", "OSVDB-88118", "EDB-23083", "URL-http://seclists.org/fulldisclosure/2012/Dec/13" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3306, "targets": [ "MySQL on Windows prior to Vista" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mysql/mysql_mof.rb", "is_install_path": true, "ref_name": "windows/mysql/mysql_mof", "check": true }, "exploit_windows/mysql/mysql_start_up": { "name": "Oracle MySQL for Microsoft Windows FILE Privilege Abuse", "full_name": "exploit/windows/mysql/mysql_start_up", "rank": 600, "disclosure_date": "2012-12-01", "type": "exploit", "author": [ "sinn3r ", "Sean Verity " ], "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers. This module abuses the FILE\n privilege to write a payload to Microsoft's All Users Start Up directory\n which will execute every time a user logs in. The default All Users Start\n Up directory used by the module is present on Windows 7.", "references": [ "CVE-2012-5613", "OSVDB-88118", "EDB-23083", "URL-http://seclists.org/fulldisclosure/2012/Dec/13" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3306, "targets": [ "MySQL on Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mysql/mysql_start_up.rb", "is_install_path": true, "ref_name": "windows/mysql/mysql_start_up", "check": true }, "exploit_windows/mysql/mysql_yassl_hello": { "name": "MySQL yaSSL SSL Hello Message Buffer Overflow", "full_name": "exploit/windows/mysql/mysql_yassl_hello", "rank": 200, "disclosure_date": "2008-01-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n implementation bundled with MySQL <= 6.0. 
By sending a specially crafted\n Hello packet, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-0226", "OSVDB-41195", "BID-27140" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3306, "targets": [ "MySQL 5.0.45-community-nt", "MySQL 5.1.22-rc-community" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mysql/mysql_yassl_hello.rb", "is_install_path": true, "ref_name": "windows/mysql/mysql_yassl_hello", "check": false }, "exploit_windows/mysql/scrutinizer_upload_exec": { "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential", "full_name": "exploit/windows/mysql/scrutinizer_upload_exec", "rank": 600, "disclosure_date": "2012-07-27", "type": "exploit", "author": [ "MC ", "Jonathan Claudius", "Tanya Secker", "sinn3r " ], "description": "This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.\n By default, the software installs a default password in MySQL, and binds the\n service to \"0.0.0.0\". This allows any remote user to login to MySQL, and then\n gain arbitrary remote code execution under the context of 'SYSTEM'. 
Examples\n of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.", "references": [ "CVE-2012-3951", "OSVDB-84317", "URL-http://secunia.com/advisories/50074/", "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb", "is_install_path": true, "ref_name": "windows/mysql/scrutinizer_upload_exec", "check": true }, "exploit_windows/nfs/xlink_nfsd": { "name": "Omni-NFS Server Buffer Overflow", "full_name": "exploit/windows/nfs/xlink_nfsd", "rank": 200, "disclosure_date": "2006-11-06", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2.\n When sending a specially crafted NFS packet, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2006-5780", "OSVDB-30224", "BID-20941", "URL-http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2049, "targets": [ "Windows 2000 SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/nfs/xlink_nfsd.rb", "is_install_path": true, "ref_name": "windows/nfs/xlink_nfsd", "check": false }, "exploit_windows/nntp/ms05_030_nntp": { "name": "MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow", "full_name": "exploit/windows/nntp/ms05_030_nntp", "rank": 300, "disclosure_date": "2005-06-14", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the news reader of Microsoft\n Outlook Express.", "references": [ "CVE-2005-1213", "OSVDB-17306", "BID-13951", "MSB-MS05-030" ], "is_server": false, "is_client": true, 
"platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 English SP0-SP4", "Windows XP English SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/nntp/ms05_030_nntp.rb", "is_install_path": true, "ref_name": "windows/nntp/ms05_030_nntp", "check": false }, "exploit_windows/novell/file_reporter_fsfui_upload": { "name": "NFR Agent FSFUI Record File Upload RCE", "full_name": "exploit/windows/novell/file_reporter_fsfui_upload", "rank": 500, "disclosure_date": "2012-11-16", "type": "exploit", "author": [ "juan vazquez " ], "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload\n arbitrary files via a directory traversal while handling requests to /FSF/CMD with\n FSFUI records with UICMD 130. This module has been tested successfully against NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).", "references": [ "CVE-2012-4959", "OSVDB-87573", "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3037, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb", "is_install_path": true, "ref_name": "windows/novell/file_reporter_fsfui_upload", "check": false }, "exploit_windows/novell/groupwisemessenger_client": { "name": "Novell GroupWise Messenger Client Buffer Overflow", "full_name": "exploit/windows/novell/groupwisemessenger_client", "rank": 300, "disclosure_date": "2008-07-02", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n By sending a specially crafted HTTP response, an attacker may be able to execute\n arbitrary code.", "references": [ "CVE-2008-2703", "OSVDB-46041", "BID-29602", 
"URL-http://www.infobyte.com.ar/adv/ISR-17.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Novell GroupWise Messenger 2.0 Client", "Novell GroupWise Messenger 1.0 Client" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/groupwisemessenger_client.rb", "is_install_path": true, "ref_name": "windows/novell/groupwisemessenger_client", "check": false }, "exploit_windows/novell/netiq_pum_eval": { "name": "NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution", "full_name": "exploit/windows/novell/netiq_pum_eval", "rank": 600, "disclosure_date": "2012-11-15", "type": "exploit", "author": [ "rgod", "juan vazquez " ], "description": "This module abuses a lack of authorization in the NetIQ Privileged User Manager\n service (unifid.exe) to execute arbitrary Perl code. The problem exists in the\n ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over\n Windows 2003 SP2, which allows execution of arbitrary code with SYSTEM privileges.", "references": [ "CVE-2012-5932", "OSVDB-87334", "BID-56539", "EDB-22738" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 443, "targets": [ "Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/novell/netiq_pum_eval.rb", "is_install_path": true, "ref_name": "windows/novell/netiq_pum_eval", "check": true }, "exploit_windows/novell/nmap_stor": { "name": "Novell NetMail NMAP STOR Buffer Overflow", "full_name": "exploit/windows/novell/nmap_stor", "rank": 200, "disclosure_date": "2006-12-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", "references": [ "CVE-2006-6424", "OSVDB-31363", "BID-21725" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 689, "targets": [ "Windows 2000 Pro SP4 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/nmap_stor.rb", "is_install_path": true, "ref_name": "windows/novell/nmap_stor", "check": false }, "exploit_windows/novell/zenworks_desktop_agent": { "name": "Novell ZENworks 6.5 Desktop/Server Management Overflow", "full_name": "exploit/windows/novell/zenworks_desktop_agent", "rank": 400, "disclosure_date": "2005-05-19", "type": "exploit", "author": [ "Unknown" ], "description": "This module exploits a heap overflow in the Novell ZENworks\n Desktop Management agent. This vulnerability was discovered\n by Alex Wheeler.", "references": [ "CVE-2005-1543", "OSVDB-16698", "BID-13678" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/zenworks_desktop_agent.rb", "is_install_path": true, "ref_name": "windows/novell/zenworks_desktop_agent", "check": false }, "exploit_windows/novell/zenworks_preboot_op21_bof": { "name": "Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow", "full_name": "exploit/windows/novell/zenworks_preboot_op21_bof", "rank": 300, "disclosure_date": "2010-03-30", "type": "exploit", "author": [ "Stephen Fewer", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x21\n (PROXY_CMD_FTP_FILE) to port 998/TCP. 
The module has been successfully tested on\n Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", "references": [ "CVE-2012-2215", "OSVDB-65361", "BID-40486", "ZDI-10-090", "URL-http://www.novell.com/support/kb/doc.php?id=7005572" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 998, "targets": [ "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb", "is_install_path": true, "ref_name": "windows/novell/zenworks_preboot_op21_bof", "check": false }, "exploit_windows/novell/zenworks_preboot_op4c_bof": { "name": "Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow", "full_name": "exploit/windows/novell/zenworks_preboot_op4c_bof", "rank": 300, "disclosure_date": "2012-02-22", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered\n by sending a specially crafted packet with the opcode 0x4c\n (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. 
The module has been successfully\n tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server\n 2003 SP2 (DEP bypass).", "references": [ "CVE-2011-3176", "OSVDB-80231", "BID-52659", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 998, "targets": [ "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/zenworks_preboot_op4c_bof.rb", "is_install_path": true, "ref_name": "windows/novell/zenworks_preboot_op4c_bof", "check": false }, "exploit_windows/novell/zenworks_preboot_op6_bof": { "name": "Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow", "full_name": "exploit/windows/novell/zenworks_preboot_op6_bof", "rank": 300, "disclosure_date": "2010-03-30", "type": "exploit", "author": [ "Stephen Fewer", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x06\n (PROXY_CMD_CLEAR_WS) to the 998/TCP port. 
The module has been successfully tested\n on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", "references": [ "OSVDB-65361", "BID-40486", "ZDI-10-090", "URL-http://www.novell.com/support/kb/doc.php?id=7005572" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 998, "targets": [ "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/zenworks_preboot_op6_bof.rb", "is_install_path": true, "ref_name": "windows/novell/zenworks_preboot_op6_bof", "check": false }, "exploit_windows/novell/zenworks_preboot_op6c_bof": { "name": "Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow", "full_name": "exploit/windows/novell/zenworks_preboot_op6c_bof", "rank": 300, "disclosure_date": "2012-02-22", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered by\n sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)\n to port 998/TCP. 
The module has been successfully tested on Novell ZENworks\n Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).", "references": [ "CVE-2011-3175", "OSVDB-80231", "BID-52659", "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 998, "targets": [ "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/novell/zenworks_preboot_op6c_bof.rb", "is_install_path": true, "ref_name": "windows/novell/zenworks_preboot_op6c_bof", "check": false }, "exploit_windows/oracle/client_system_analyzer_upload": { "name": "Oracle Database Client System Analyzer Arbitrary File Upload", "full_name": "exploit/windows/oracle/client_system_analyzer_upload", "rank": 600, "disclosure_date": "2011-01-18", "type": "exploit", "author": [ "1c239c43f521145fa8385d64a9c32243", "juan vazquez " ], "description": "This module exploits an arbitrary file upload vulnerability on the Client\n Analyzer component as included in Oracle Database 11g, which allows remote\n attackers to upload and execute arbitrary code. 
This module has been tested\n successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution\n through the Windows Management Instrumentation service has been used.", "references": [ "CVE-2010-3600", "OSVDB-70546", "BID-45883", "ZDI-11-018", "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1158, "targets": [ "Oracle Oracle11g 11.2.0.1.0 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/oracle/client_system_analyzer_upload.rb", "is_install_path": true, "ref_name": "windows/oracle/client_system_analyzer_upload", "check": true }, "exploit_windows/oracle/extjob": { "name": "Oracle Job Scheduler Named Pipe Command Execution", "full_name": "exploit/windows/oracle/extjob", "rank": 600, "disclosure_date": "2007-01-01", "type": "exploit", "author": [ "David Litchfield", "juan vazquez ", "sinn3r " ], "description": "This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job\n Scheduler is implemented via the component extjob.exe which listens on a named pipe\n called \"orcljsex\" and executes arbitrary commands received over this channel via\n CreateProcess(). 
In order to connect to the Named Pipe remotely, SMB access is required.\n Note that the Job Scheduler is disabled in default installations.", "references": [ "URL-http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/oracle/extjob.rb", "is_install_path": true, "ref_name": "windows/oracle/extjob", "check": true }, "exploit_windows/oracle/osb_ndmp_auth": { "name": "Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow", "full_name": "exploit/windows/oracle/osb_ndmp_auth", "rank": 400, "disclosure_date": "2009-01-14", "type": "exploit", "author": [ "MC " ], "description": "The module exploits a stack buffer overflow in Oracle Secure Backup.\n When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-5444", "OSVDB-51340", "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 10000, "targets": [ "Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/oracle/osb_ndmp_auth.rb", "is_install_path": true, "ref_name": "windows/oracle/osb_ndmp_auth", "check": false }, "exploit_windows/oracle/tns_arguments": { "name": "Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow", "full_name": "exploit/windows/oracle/tns_arguments", "rank": 400, "disclosure_date": "2001-06-28", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Oracle 8i. 
When\n sending a specially crafted packet containing an overly long\n ARGUMENTS string to the TNS service, an attacker may be able\n to execute arbitrary code.", "references": [ "CVE-2001-0499", "OSVDB-9427", "BID-2941" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1521, "targets": [ "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/oracle/tns_arguments.rb", "is_install_path": true, "ref_name": "windows/oracle/tns_arguments", "check": true }, "exploit_windows/oracle/tns_auth_sesskey": { "name": "Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow", "full_name": "exploit/windows/oracle/tns_auth_sesskey", "rank": 500, "disclosure_date": "2009-10-20", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in Oracle. When\n sending a specially crafted packet containing a long AUTH_SESSKEY value\n to the TNS service, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2009-1979", "OSVDB-59110", "BID-36747", "URL-http://blogs.conus.info/node/28", "URL-http://blogs.conus.info/node/35", "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1521, "targets": [ "Automatic", "Oracle 10.2.0.1.0 Enterprise Edition", "Oracle 10.2.0.4.0 Enterprise Edition" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/oracle/tns_auth_sesskey.rb", "is_install_path": true, "ref_name": "windows/oracle/tns_auth_sesskey", "check": true }, "exploit_windows/oracle/tns_service_name": { "name": "Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow", "full_name": "exploit/windows/oracle/tns_service_name", "rank": 400, "disclosure_date": "2002-05-27", "type": "exploit", "author": [ "MC " ], "description": "This 
module exploits a stack buffer overflow in Oracle. When\n sending a specially crafted packet containing a long SERVICE_NAME\n to the TNS service, an attacker may be able to execute arbitrary code.", "references": [ "CVE-2002-0965", "OSVDB-5041", "BID-4845", "URL-http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 1521, "targets": [ "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/oracle/tns_service_name.rb", "is_install_path": true, "ref_name": "windows/oracle/tns_service_name", "check": true }, "exploit_windows/pop3/seattlelab_pass": { "name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow", "full_name": "exploit/windows/pop3/seattlelab_pass", "rank": 500, "disclosure_date": "2003-05-07", "type": "exploit", "author": [ "stinko " ], "description": "There exists an unauthenticated buffer overflow vulnerability\n in the POP3 server of Seattle Lab Mail 5.5 when sending a password\n with excessive length.\n\n Successful exploitation should not crash either the\n service or the server; however, after initial use the\n port cannot be reused for successive exploitation until\n the service has been restarted. Consider using a command\n execution payload following the bind shell to restart\n the service if you need to reuse the same port.\n\n The overflow appears to occur in the debugging/error reporting\n section of the slmail.exe executable, and there are multiple\n offsets that will lead to successful exploitation. This exploit\n uses 2606, the offset that creates the smallest overall payload.\n The other offset is 4654.\n\n The return address is overwritten with a \"jmp esp\" call from the\n application library SLMFC.DLL found in %SYSTEM%\\system32\\. 
This\n return address works against all version of Windows and service packs.\n\n The last modification date on the library is dated 06/02/99. Assuming\n that the code where the overflow occurs has not changed in some time,\n prior version of SLMail may also be vulnerable with this exploit. The\n author has not been able to acquire older versions of SLMail for\n testing purposes. Please let us know if you were able to get this\n exploit working against other SLMail versions.", "references": [ "CVE-2003-0264", "OSVDB-11975", "BID-7519" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 110, "targets": [ "Windows NT/2000/XP/2003 (SLMail 5.5)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/pop3/seattlelab_pass.rb", "is_install_path": true, "ref_name": "windows/pop3/seattlelab_pass", "check": false }, "exploit_windows/postgres/postgres_payload": { "name": "PostgreSQL for Microsoft Windows Payload Execution", "full_name": "exploit/windows/postgres/postgres_payload", "rank": 600, "disclosure_date": "2009-04-10", "type": "exploit", "author": [ "Bernardo Damele A. G. ", "todb " ], "description": "On default Microsoft Windows installations of PostgreSQL the postgres\n service account may write to the current directory (which is usually\n \"C:\\Program Files\\PostgreSQL\\\\data\" where is the\n major.minor version of PostgreSQL). UDF DLL's may be sourced from\n there as well.\n\n This module uploads a Windows DLL file via the pg_largeobject method\n of binary injection and creates a UDF (user defined function) from\n that DLL. 
Because the payload is run from DllMain, it does not need to\n conform to specific Postgres API versions.", "references": [ "URL-http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5432, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/postgres/postgres_payload.rb", "is_install_path": true, "ref_name": "windows/postgres/postgres_payload", "check": true }, "exploit_windows/proxy/bluecoat_winproxy_host": { "name": "Blue Coat WinProxy Host Header Overflow", "full_name": "exploit/windows/proxy/bluecoat_winproxy_host", "rank": 500, "disclosure_date": "2005-01-05", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the Blue Coat Systems WinProxy\n service by sending a long port value for the Host header in a HTTP\n request.", "references": [ "CVE-2005-4085", "OSVDB-22238", "BID-16147", "URL-http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "WinProxy <= 6.1 R1a Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb", "is_install_path": true, "ref_name": "windows/proxy/bluecoat_winproxy_host", "check": false }, "exploit_windows/proxy/ccproxy_telnet_ping": { "name": "CCProxy Telnet Proxy Ping Overflow", "full_name": "exploit/windows/proxy/ccproxy_telnet_ping", "rank": 200, "disclosure_date": "2004-11-11", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits the YoungZSoft CCProxy <= v6.2 suite\n Telnet service. 
The stack is overwritten when sending an overly\n long address to the 'ping' command.", "references": [ "CVE-2004-2416", "OSVDB-11593", "BID-11666", "EDB-621" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 23, "targets": [ "Automatic", "Windows 2000 Pro All - English", "Windows 2000 Pro All - Italian", "Windows 2000 Pro All - French", "Windows XP SP0/1 - English", "Windows XP SP2 - English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb", "is_install_path": true, "ref_name": "windows/proxy/ccproxy_telnet_ping", "check": true }, "exploit_windows/proxy/proxypro_http_get": { "name": "Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow", "full_name": "exploit/windows/proxy/proxypro_http_get", "rank": 500, "disclosure_date": "2004-02-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Proxy-Pro Professional\n GateKeeper 4.7. By sending a long HTTP GET to the default port\n of 3128, a remote attacker could overflow a buffer and execute\n arbitrary code.", "references": [ "CVE-2004-0326", "OSVDB-4027", "BID-9716" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 3128, "targets": [ "Proxy-Pro GateKeeper 4.7" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/proxy/proxypro_http_get.rb", "is_install_path": true, "ref_name": "windows/proxy/proxypro_http_get", "check": false }, "exploit_windows/proxy/qbik_wingate_wwwproxy": { "name": "Qbik WinGate WWW Proxy Server URL Processing Overflow", "full_name": "exploit/windows/proxy/qbik_wingate_wwwproxy", "rank": 400, "disclosure_date": "2006-06-07", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in Qbik WinGate version\n 6.1.1.1077 and earlier. 
By sending malformed HTTP POST URL to the\n HTTP proxy service on port 80, a remote attacker could overflow\n a buffer and execute arbitrary code.", "references": [ "CVE-2006-2926", "OSVDB-26214", "BID-18312" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "WinGate 6.1.1.1077" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb", "is_install_path": true, "ref_name": "windows/proxy/qbik_wingate_wwwproxy", "check": true }, "exploit_windows/scada/abb_wserver_exec": { "name": "ABB MicroSCADA wserver.exe Remote Code Execution", "full_name": "exploit/windows/scada/abb_wserver_exec", "rank": 600, "disclosure_date": "2013-04-05", "type": "exploit", "author": [ "Brian Gorenc", "juan vazquez " ], "description": "This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The\n issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe\n component, which allows arbitrary commands. 
The component is disabled by default, but\n required when a project uses the SCIL function WORKSTATION_CALL.\n\n This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on\n Windows XP SP3 and Windows 7 SP1.", "references": [ "OSVDB-100324", "ZDI-13-270", "URL-http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 12221, "targets": [ "ABB MicroSCADA Pro SYS600 9.3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/abb_wserver_exec.rb", "is_install_path": true, "ref_name": "windows/scada/abb_wserver_exec", "check": true }, "exploit_windows/scada/advantech_webaccess_dashboard_file_upload": { "name": "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload", "full_name": "exploit/windows/scada/advantech_webaccess_dashboard_file_upload", "rank": 600, "disclosure_date": "2016-02-05", "type": "exploit", "author": [ "rgod", "Zhou Yu <504137480@qq.com>", "sinn3r " ], "description": "This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.\n\n This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations\n of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\n The specific flaw exists within the WebAccess Dashboard Viewer. 
Insufficient validation within\n the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to\n upload arbitrary code (instead of an image) to the server, which will then be executed under the\n high-privilege context of the IIS AppPool.", "references": [ "CVE-2016-0854", "ZDI-16-128", "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "Advantech WebAccess 8.0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb", "is_install_path": true, "ref_name": "windows/scada/advantech_webaccess_dashboard_file_upload", "check": true }, "exploit_windows/scada/advantech_webaccess_webvrpcs_bof": { "name": "Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow", "full_name": "exploit/windows/scada/advantech_webaccess_webvrpcs_bof", "rank": 400, "disclosure_date": "2017-11-02", "type": "exploit", "author": [ "mr_me " ], "description": "This module exploits a stack buffer overflow in Advantech WebAccess 8.2.\n By sending a specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.", "references": [ "ZDI-17-938", "CVE-2017-14016", "URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 4592, "targets": [ "Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31" ], "mod_time": "2017-12-11 23:20:46 +0000", "path": "/modules/exploits/windows/scada/advantech_webaccess_webvrpcs_bof.rb", "is_install_path": true, "ref_name": "windows/scada/advantech_webaccess_webvrpcs_bof", "check": false }, "exploit_windows/scada/citect_scada_odbc": { "name": "CitectSCADA/CitectFacilities ODBC Buffer Overflow", "full_name": "exploit/windows/scada/citect_scada_odbc", "rank": 300, "disclosure_date": "2008-06-11", "type": "exploit", "author": 
[ "KF ", "aushack " ], "description": "This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n This has only been tested against Citect v5, v6 and v7.", "references": [ "CVE-2008-2639", "BID-29634", "OSVDB-46105", "URL-http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability", "URL-http://www.auscert.org.au/render.html?it=9433", "URL-http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20222, "targets": [ "Automatic", "Citect32.exe v5.21 NT4", "Citect32.exe v5.21 2K/XP", "Citect32.exe v5.41-r0 NT4", "Citect32.exe v5.41-r0 2K/XP", "Citect32.exe v6.0-r0 2K/XP", "CiExceptionMailer.dll v5.42 on XP Sp2 or SP3", "CiExceptionMailer.dll v6.0-r0 on Server 2003 Sp2", "CiExceptionMailer.dll v6.0-r0 on XP Sp2 or SP3", "CiExceptionMailer.dll v6.10 on XP Sp2 or SP3", "CiExceptionMailer.dll v7.0-r0 on XP Sp2 or SP3", "CiExceptionMailer.dll v7.0-r0 on 2003 Server SP1", "CiExceptionMailer.dll v5.50-r0 XP SP2", "CiExceptionMailer.dll v5.50-r0 2003 Server", "Debug" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/scada/citect_scada_odbc.rb", "is_install_path": true, "ref_name": "windows/scada/citect_scada_odbc", "check": false }, "exploit_windows/scada/codesys_gateway_server_traversal": { "name": "SCADA 3S CoDeSys Gateway Server Directory Traversal", "full_name": "exploit/windows/scada/codesys_gateway_server_traversal", "rank": 600, "disclosure_date": "2013-02-02", "type": "exploit", "author": [ "Enrique Sanchez " ], "description": "This module exploits a directory traversal vulnerability that allows arbitrary\n file creation, which can be used to execute a mof file in order to gain remote\n execution within the SCADA system.", "references": [ "CVE-2012-4705", "OSVDB-90368", "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": 
"", "rport": 1211, "targets": [ "Windows Universal S3 CoDeSyS < 2.3.9.27" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb", "is_install_path": true, "ref_name": "windows/scada/codesys_gateway_server_traversal", "check": false }, "exploit_windows/scada/codesys_web_server": { "name": "SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow", "full_name": "exploit/windows/scada/codesys_web_server", "rank": 300, "disclosure_date": "2011-12-02", "type": "exploit", "author": [ "Luigi Auriemma", "Celil UNUVER", "TecR0c ", "sinn3r ", "Michael Coppola" ], "description": "This module exploits a remote stack buffer overflow vulnerability in\n 3S-Smart Software Solutions product CoDeSys Scada Web Server Version\n 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and\n earlier.", "references": [ "CVE-2011-5007", "OSVDB-77387", "URL-http://aluigi.altervista.org/adv/codesys_1-adv.txt", "EDB-18187", "URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-12-006-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 8080, "targets": [ "Automatic", "CoDeSys v2.3 on Windows XP SP3", "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/codesys_web_server.rb", "is_install_path": true, "ref_name": "windows/scada/codesys_web_server", "check": true }, "exploit_windows/scada/daq_factory_bof": { "name": "DaqFactory HMI NETB Request Overflow", "full_name": "exploit/windows/scada/daq_factory_bof", "rank": 400, "disclosure_date": "2011-09-13", "type": "exploit", "author": [ "Luigi Auriemma", "mr_me " ], "description": "This module exploits a stack buffer overflow in Azeotech's DaqFactory\n product. The specific vulnerability is triggered when sending a specially crafted\n 'NETB' request to port 20034. 
Exploitation of this vulnerability may take a few\n seconds due to the use of egghunter. This vulnerability was one of the 14\n releases discovered by researcher Luigi Auriemma.", "references": [ "CVE-2011-3492", "OSVDB-75496", "URL-http://aluigi.altervista.org/adv/daqfactory_1-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-264-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20034, "targets": [ "DAQFactory Pro 5.85 Build 1853 on Windows XP SP3" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/scada/daq_factory_bof.rb", "is_install_path": true, "ref_name": "windows/scada/daq_factory_bof", "check": false }, "exploit_windows/scada/factorylink_csservice": { "name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow", "full_name": "exploit/windows/scada/factorylink_csservice", "rank": 300, "disclosure_date": "2011-03-25", "type": "exploit", "author": [ "Luigi Auriemma ", "sinn3r " ], "description": "This module exploits a vulnerability found on Siemens FactoryLink 8. 
The\n vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n the user-supplied path first gets converted to ANSI format (CodePage 0), and then\n gets handled by a logging routine where proper bounds checking is not done,\n therefore causing a stack-based buffer overflow, and results arbitrary code execution.", "references": [ "OSVDB-72812", "URL-http://aluigi.altervista.org/adv/factorylink_1-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7580, "targets": [ "Automatic", "Windows XP SP3", "Windows Server 2003 SP0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/factorylink_csservice.rb", "is_install_path": true, "ref_name": "windows/scada/factorylink_csservice", "check": false }, "exploit_windows/scada/factorylink_vrn_09": { "name": "Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow", "full_name": "exploit/windows/scada/factorylink_vrn_09", "rank": 200, "disclosure_date": "2011-03-21", "type": "exploit", "author": [ "Luigi Auriemma", "hal", "MC " ], "description": "This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n execute arbitrary code due to the improper use of a vsprintf() function while\n processing the user-supplied text field. 
Originally found and posted by\n Luigi Auriemma.", "references": [ "OSVDB-72815", "URL-http://aluigi.altervista.org/adv/factorylink_4-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-091-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 7579, "targets": [ "Automatic", "FactoryLink 7.5", "FactoryLink 7.5 SP2", "FactoryLink 8.0.1.703" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/factorylink_vrn_09.rb", "is_install_path": true, "ref_name": "windows/scada/factorylink_vrn_09", "check": false }, "exploit_windows/scada/ge_proficy_cimplicity_gefebt": { "name": "GE Proficy CIMPLICITY gefebt.exe Remote Code Execution", "full_name": "exploit/windows/scada/ge_proficy_cimplicity_gefebt", "rank": 600, "disclosure_date": "2014-01-23", "type": "exploit", "author": [ "amisto0x07", "Z0mb1E", "juan vazquez " ], "description": "This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the\n CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in\n shared resources. An attacker can abuse this behavior to execute a malicious BCL and\n drop an arbitrary EXE. The last one can be executed remotely through the WebView server.\n This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded\n CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. 
If\n the target does not have the WebClient service enabled, an external SMB service is necessary.", "references": [ "CVE-2014-0750", "ZDI-14-015", "URL-http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 80, "targets": [ "GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb", "is_install_path": true, "ref_name": "windows/scada/ge_proficy_cimplicity_gefebt", "check": true }, "exploit_windows/scada/iconics_genbroker": { "name": "Iconics GENESIS32 Integer Overflow Version 9.21.201.01", "full_name": "exploit/windows/scada/iconics_genbroker", "rank": 400, "disclosure_date": "2011-03-21", "type": "exploit", "author": [ "Luigi Auriemma", "Lincoln", "corelanc0d3r " ], "description": "The GenBroker service on port 38080 is affected by three integer overflow\n vulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n the memory allocations needed for the number of elements passed by the client.\n This results unexpected behaviors such as direct registry calls, memory location\n calls, or arbitrary remote code execution. Please note that in order to ensure\n reliability, this exploit will try to open calc (hidden), inject itself into the\n process, and then open up a shell session. 
Also, DEP bypass is supported.", "references": [ "OSVDB-72817", "URL-http://aluigi.org/adv/genesis_4-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 38080, "targets": [ "Windows XP" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/iconics_genbroker.rb", "is_install_path": true, "ref_name": "windows/scada/iconics_genbroker", "check": false }, "exploit_windows/scada/iconics_webhmi_setactivexguid": { "name": "ICONICS WebHMI ActiveX Buffer Overflow", "full_name": "exploit/windows/scada/iconics_webhmi_setactivexguid", "rank": 400, "disclosure_date": "2011-05-05", "type": "exploit", "author": [ "Scoot Bell ", "Blair Strang ", "sinn3r " ], "description": "This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n fails to do any proper bounds checking before this input is copied onto the stack,\n which causes a buffer overflow, and results arbitrary code execution under the context\n of the user.", "references": [ "CVE-2011-2089", "OSVDB-72135", "URL-http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf", "EDB-17240", "URL-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic", "IE 6/7/8 on Windows XP SP3", "IE 7 on Windows Vista" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb", "is_install_path": true, "ref_name": "windows/scada/iconics_webhmi_setactivexguid", "check": false }, "exploit_windows/scada/igss9_igssdataserver_listall": { "name": "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow", "full_name": "exploit/windows/scada/igss9_igssdataserver_listall", "rank": 400, 
"disclosure_date": "2011-03-24", "type": "exploit", "author": [ "Luigi Auriemma", "Lincoln", "corelanc0d3r ", "sinn3r " ], "description": "This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling record\n on the stack, allowing for unauthenticated remote code execution. Also, after the payload\n exits, IGSSdataServer.exe should automatically recover.", "references": [ "CVE-2011-1567", "OSVDB-72353", "URL-http://aluigi.altervista.org/adv/igss_2-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 12401, "targets": [ "Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/igss9_igssdataserver_listall.rb", "is_install_path": true, "ref_name": "windows/scada/igss9_igssdataserver_listall", "check": false }, "exploit_windows/scada/igss9_igssdataserver_rename": { "name": "7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow", "full_name": "exploit/windows/scada/igss9_igssdataserver_rename", "rank": 300, "disclosure_date": "2011-03-24", "type": "exploit", "author": [ "Luigi Auriemma ", "sinn3r " ], "description": "This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,\n which results arbitrary code execution under the context of the user.\n\n The attack is carried out in three stages. The first stage sends the final payload to\n IGSSdataServer.exe, which will remain in memory. 
The second stage sends the Add command\n so the process can find a valid ID for the Rename command. The last stage then triggers\n the vulnerability with the Rename command, and uses an egghunter to search for the\n shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to\n the small buffer size, which cannot even contain our ROP chain and the final payload.", "references": [ "CVE-2011-1567", "OSVDB-72352", "URL-http://aluigi.altervista.org/adv/igss_5-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 12401, "targets": [ "Automatic", "Windows XP SP3", "Windows Server 2003 SP2/R2 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/igss9_igssdataserver_rename.rb", "is_install_path": true, "ref_name": "windows/scada/igss9_igssdataserver_rename", "check": false }, "exploit_windows/scada/igss9_misc": { "name": "7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities", "full_name": "exploit/windows/scada/igss9_misc", "rank": 600, "disclosure_date": "2011-03-24", "type": "exploit", "author": [ "Luigi Auriemma", "sinn3r " ], "description": "This module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n Data Collector services. 
The initial approach is first by transferring our binary\n with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n that payload with a CreateProcessA() function as a new thread.", "references": [ "CVE-2011-1565", "CVE-2011-1566", "OSVDB-72354", "OSVDB-72349", "URL-http://aluigi.altervista.org/adv/igss_1-adv.txt", "URL-http://aluigi.altervista.org/adv/igss_8-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 0, "targets": [ "Automatic", "Windows XP", "Windows 7", "Windows Server 2003 / R2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/igss9_misc.rb", "is_install_path": true, "ref_name": "windows/scada/igss9_misc", "check": false }, "exploit_windows/scada/igss_exec_17": { "name": "Interactive Graphical SCADA System Remote Command Injection", "full_name": "exploit/windows/scada/igss_exec_17", "rank": 600, "disclosure_date": "2011-03-21", "type": "exploit", "author": [ "Luigi Auriemma", "MC " ], "description": "This module abuses a directory traversal flaw in Interactive\n Graphical SCADA System v9.00. 
In conjunction with the traversal\n flaw, if opcode 0x17 is sent to the dc.exe process, an attacker\n may be able to execute arbitrary system commands.", "references": [ "CVE-2011-1566", "OSVDB-72349", "URL-http://aluigi.org/adv/igss_8-adv.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": 12397, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/igss_exec_17.rb", "is_install_path": true, "ref_name": "windows/scada/igss_exec_17", "check": false }, "exploit_windows/scada/indusoft_webstudio_exec": { "name": "InduSoft Web Studio Arbitrary Upload Remote Code Execution", "full_name": "exploit/windows/scada/indusoft_webstudio_exec", "rank": 600, "disclosure_date": "2011-11-04", "type": "exploit", "author": [ "Luigi Auriemma", "juan vazquez " ], "description": "This module exploits a lack of authentication and authorization on the InduSoft\n Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to\n the filesystem, by abusing the functions provided by the software.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre\n Vista. 
It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows\n XP SP3 and Windows 2003 SP2.", "references": [ "CVE-2011-4051", "OSVDB-77179", "BID-50675", "ZDI-11-330" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 4322, "targets": [ "Windows XP / 2003" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/scada/indusoft_webstudio_exec.rb", "is_install_path": true, "ref_name": "windows/scada/indusoft_webstudio_exec", "check": true }, "exploit_windows/scada/moxa_mdmtool": { "name": "MOXA Device Manager Tool 2.1 Buffer Overflow", "full_name": "exploit/windows/scada/moxa_mdmtool", "rank": 500, "disclosure_date": "2010-10-20", "type": "exploit", "author": [ "Ruben Santamarta", "MC " ], "description": "This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n When sending a specially crafted MDMGw (MDM2_Gateway) response, an\n attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-4741", "OSVDB-69027", "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "MOXA MDM Tool 2.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/moxa_mdmtool.rb", "is_install_path": true, "ref_name": "windows/scada/moxa_mdmtool", "check": false }, "exploit_windows/scada/procyon_core_server": { "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow", "full_name": "exploit/windows/scada/procyon_core_server", "rank": 300, "disclosure_date": "2011-09-08", "type": "exploit", "author": [ "Knud Hojgaard ", "mr_me " ], "description": "This module exploits a vulnerability in the coreservice.exe component of Proycon\n Core Server <= v1.13. 
While processing a password, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling\n record on the stack, allowing for unauthenticated remote code execution. Also, after the\n payload exits, Coreservice.exe should automatically recover.", "references": [ "CVE-2011-3322", "OSVDB-75371", "URL-http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 23, "targets": [ "Windows XP SP3 - No dep bypass" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/procyon_core_server.rb", "is_install_path": true, "ref_name": "windows/scada/procyon_core_server", "check": true }, "exploit_windows/scada/realwin": { "name": "DATAC RealWin SCADA Server Buffer Overflow", "full_name": "exploit/windows/scada/realwin", "rank": 500, "disclosure_date": "2008-09-26", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.0.10.37).\n By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2008-4322", "OSVDB-48606", "BID-31418" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 910, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/realwin.rb", "is_install_path": true, "ref_name": "windows/scada/realwin", "check": false }, "exploit_windows/scada/realwin_on_fc_binfile_a": { "name": "DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow", "full_name": "exploit/windows/scada/realwin_on_fc_binfile_a", "rank": 500, "disclosure_date": "2011-03-21", "type": "exploit", "author": [ "Luigi Auriemma", "MC " ], 
"description": "This module exploits a vulnerability found in DATAC Control International RealWin\n SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n packet via port 910, RealWin will try to create a file (which would be saved to\n C:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n supplied filename with an inline memcpy routine without proper bounds checking, which\n results a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n Tested version: 2.0 (Build 6.1.8.10)", "references": [ "CVE-2011-1563", "OSVDB-72826", "BID-46937", "URL-http://aluigi.altervista.org/adv/realwin_5-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 910, "targets": [ "Universal" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb", "is_install_path": true, "ref_name": "windows/scada/realwin_on_fc_binfile_a", "check": false }, "exploit_windows/scada/realwin_on_fcs_login": { "name": "RealWin SCADA Server DATAC Login Buffer Overflow", "full_name": "exploit/windows/scada/realwin_on_fcs_login", "rank": 500, "disclosure_date": "2011-03-21", "type": "exploit", "author": [ "Luigi Auriemma", "MC ", "B|H " ], "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n earlier. 
By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n packet containing a long username, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2011-1563", "OSVDB-72824", "URL-http://aluigi.altervista.org/adv/realwin_2-adv.txt", "URL-http://www.dataconline.com/software/realwin.php", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-110-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 910, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/realwin_on_fcs_login.rb", "is_install_path": true, "ref_name": "windows/scada/realwin_on_fcs_login", "check": false }, "exploit_windows/scada/realwin_scpc_initialize": { "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow", "full_name": "exploit/windows/scada/realwin_scpc_initialize", "rank": 500, "disclosure_date": "2010-10-15", "type": "exploit", "author": [ "Luigi Auriemma", "MC " ], "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", "references": [ "OSVDB-68812", "CVE-2010-4142", "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 912, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/realwin_scpc_initialize.rb", "is_install_path": true, "ref_name": "windows/scada/realwin_scpc_initialize", "check": false }, "exploit_windows/scada/realwin_scpc_initialize_rf": { "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow", "full_name": "exploit/windows/scada/realwin_scpc_initialize_rf", "rank": 500, "disclosure_date": "2010-10-15", "type": "exploit", "author": [ "Luigi 
Auriemma", "MC " ], "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", "references": [ "OSVDB-68812", "CVE-2010-4142", "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 912, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb", "is_install_path": true, "ref_name": "windows/scada/realwin_scpc_initialize_rf", "check": false }, "exploit_windows/scada/realwin_scpc_txtevent": { "name": "DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow", "full_name": "exploit/windows/scada/realwin_scpc_txtevent", "rank": 500, "disclosure_date": "2010-11-18", "type": "exploit", "author": [ "Luigi Auriemma", "MC " ], "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet,\n an attacker may be able to execute arbitrary code.", "references": [ "CVE-2010-4142", "OSVDB-68812" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 912, "targets": [ "Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/realwin_scpc_txtevent.rb", "is_install_path": true, "ref_name": "windows/scada/realwin_scpc_txtevent", "check": false }, "exploit_windows/scada/scadapro_cmdexe": { "name": "Measuresoft ScadaPro Remote Command Execution", "full_name": "exploit/windows/scada/scadapro_cmdexe", "rank": 600, "disclosure_date": "2011-09-16", "type": "exploit", "author": [ "Luigi Auriemma", "mr_me ", "TecR0c " ], "description": "This module allows remote attackers to execute arbitrary commands on 
the\n affected system by abusing via Directory Traversal attack when using the\n 'xf' command (execute function). An attacker can execute system() from\n msvcrt.dll to upload a backdoor and gain remote code execution. This\n vulnerability affects version 4.0.0 and earlier.", "references": [ "CVE-2011-3497", "OSVDB-75490", "BID-49613", "URL-http://aluigi.altervista.org/adv/scadapro_1-adv.txt", "URL-http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf", "URL-http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 11234, "targets": [ "Automatic" ], "mod_time": "2017-09-13 22:03:34 +0000", "path": "/modules/exploits/windows/scada/scadapro_cmdexe.rb", "is_install_path": true, "ref_name": "windows/scada/scadapro_cmdexe", "check": false }, "exploit_windows/scada/sunway_force_control_netdbsrv": { "name": "Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57", "full_name": "exploit/windows/scada/sunway_force_control_netdbsrv", "rank": 500, "disclosure_date": "2011-09-22", "type": "exploit", "author": [ "Luigi Auriemma", "Rinat Ziyayev", "James Fitts " ], "description": "This module exploits a stack based buffer overflow found in the SNMP\n NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. 
The overflow is\n triggered when sending an overly long string to the listening service\n on port 2001.", "references": [ "OSVDB-75798", "BID-49747", "URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2001, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb", "is_install_path": true, "ref_name": "windows/scada/sunway_force_control_netdbsrv", "check": false }, "exploit_windows/scada/winlog_runtime": { "name": "Sielco Sistemi Winlog Buffer Overflow", "full_name": "exploit/windows/scada/winlog_runtime", "rank": 500, "disclosure_date": "2011-01-13", "type": "exploit", "author": [ "Luigi Auriemma", "MC " ], "description": "This module exploits a buffer overflow in Sielco\n Sistem Winlog <= 2.07.00. When sending a specially formatted\n packet to the Runtime.exe service, an attacker may be able to\n execute arbitrary code.", "references": [ "CVE-2011-0517", "OSVDB-70418", "URL-http://aluigi.org/adv/winlog_1-adv.txt", "URL-http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 46823, "targets": [ "Winlog Lite 2.07.00" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/winlog_runtime.rb", "is_install_path": true, "ref_name": "windows/scada/winlog_runtime", "check": false }, "exploit_windows/scada/winlog_runtime_2": { "name": "Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16", "full_name": "exploit/windows/scada/winlog_runtime_2", "rank": 300, "disclosure_date": "2012-06-04", "type": "exploit", "author": [ "Michael Messner " ], "description": "This module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.16.\n When sending a specially formatted packet to the Runtime.exe service on port 46824,\n an attacker may be able to execute arbitrary code.", 
"references": [ "BID-53811", "CVE-2012-3815", "OSVDB-82654", "EDB-18986", "URL-http://www.s3cur1ty.de/m1adv2012-001", "URL-http://www.sielcosistemi.com/en/download/public/winlog_lite.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 46824, "targets": [ "Sielco Sistemi Winlog 2.07.14/2.07.16 - Ceramics Kiln Project", "Sielco Sistemi Winlog 2.07.14 - Automatic Washing System Project" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/winlog_runtime_2.rb", "is_install_path": true, "ref_name": "windows/scada/winlog_runtime_2", "check": false }, "exploit_windows/scada/yokogawa_bkbcopyd_bof": { "name": "Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow", "full_name": "exploit/windows/scada/yokogawa_bkbcopyd_bof", "rank": 300, "disclosure_date": "2014-03-10", "type": "exploit", "author": [ "juan vazquez ", "Redsadic " ], "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKBCopyD.exe when handling specially crafted packets. 
This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.", "references": [ "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", "CVE-2014-0784" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20111, "targets": [ "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb", "is_install_path": true, "ref_name": "windows/scada/yokogawa_bkbcopyd_bof", "check": true }, "exploit_windows/scada/yokogawa_bkesimmgr_bof": { "name": "Yokogawa CS3000 BKESimmgr.exe Buffer Overflow", "full_name": "exploit/windows/scada/yokogawa_bkesimmgr_bof", "rank": 300, "disclosure_date": "2014-03-10", "type": "exploit", "author": [ "juan vazquez ", "Redsadic " ], "description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n insecure usage of memcpy, using attacker controlled data as the size count. 
This module\n has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", "references": [ "CVE-2014-0782", "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities", "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 34205, "targets": [ "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb", "is_install_path": true, "ref_name": "windows/scada/yokogawa_bkesimmgr_bof", "check": true }, "exploit_windows/scada/yokogawa_bkfsim_vhfd": { "name": "Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow", "full_name": "exploit/windows/scada/yokogawa_bkfsim_vhfd", "rank": 300, "disclosure_date": "2014-05-23", "type": "exploit", "author": [ "Redsadic ", "juan vazquez " ], "description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create\n logs using functions like vsprintf and memcpy in an insecure way. 
This module has been\n tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.", "references": [ "CVE-2014-3888", "URL-http://jvn.jp/vu/JVNVU95045914/index.html", "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf", "URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20010, "targets": [ "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3" ], "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb", "is_install_path": true, "ref_name": "windows/scada/yokogawa_bkfsim_vhfd", "check": false }, "exploit_windows/scada/yokogawa_bkhodeq_bof": { "name": "Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow", "full_name": "exploit/windows/scada/yokogawa_bkhodeq_bof", "rank": 200, "disclosure_date": "2014-03-10", "type": "exploit", "author": [ "juan vazquez ", "Redsadic " ], "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKHOdeq.exe when handling specially crafted packets. 
This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", "references": [ "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", "CVE-2014-0783" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 20171, "targets": [ "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb", "is_install_path": true, "ref_name": "windows/scada/yokogawa_bkhodeq_bof", "check": true }, "exploit_windows/sip/aim_triton_cseq": { "name": "AIM Triton 1.0.4 CSeq Buffer Overflow", "full_name": "exploit/windows/sip/aim_triton_cseq", "rank": 500, "disclosure_date": "2006-07-10", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in AOL's AIM\n Triton 1.0.4. By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", "references": [ "CVE-2006-3524", "OSVDB-27122", "BID-18906" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5061, "targets": [ "AIM Triton 1.0.4 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/sip/aim_triton_cseq.rb", "is_install_path": true, "ref_name": "windows/sip/aim_triton_cseq", "check": false }, "exploit_windows/sip/sipxezphone_cseq": { "name": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", "full_name": "exploit/windows/sip/sipxezphone_cseq", "rank": 500, "disclosure_date": "2006-07-10", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. 
By sending a long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", "references": [ "CVE-2006-3524", "OSVDB-27122", "BID-18906" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5060, "targets": [ "sipXezPhone 0.35a Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/sip/sipxezphone_cseq.rb", "is_install_path": true, "ref_name": "windows/sip/sipxezphone_cseq", "check": false }, "exploit_windows/sip/sipxphone_cseq": { "name": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", "full_name": "exploit/windows/sip/sipxphone_cseq", "rank": 500, "disclosure_date": "2006-07-10", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXphone 2.6.0.27. By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", "references": [ "CVE-2006-3524", "OSVDB-27122", "BID-18906" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5060, "targets": [ "SIPfoundry sipXphone 2.6.0.27 Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/sip/sipxphone_cseq.rb", "is_install_path": true, "ref_name": "windows/sip/sipxphone_cseq", "check": false }, "exploit_windows/smb/generic_smb_dll_injection": { "name": "Generic DLL Injection From Shared Resource", "full_name": "exploit/windows/smb/generic_smb_dll_injection", "rank": 0, "disclosure_date": "2015-03-04", "type": "exploit", "author": [ "Matthew Hall " ], "description": "This is a general-purpose module for exploiting conditions where a DLL can be loaded\n from a specified SMB share. 
This module serves payloads as DLLs over an SMB service.", "references": [ "CWE-114" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/exploits/windows/smb/generic_smb_dll_injection.rb", "is_install_path": true, "ref_name": "windows/smb/generic_smb_dll_injection", "check": false }, "exploit_windows/smb/group_policy_startup": { "name": "Group Policy Script Execution From Shared Resource", "full_name": "exploit/windows/smb/group_policy_startup", "rank": 0, "disclosure_date": "2015-01-26", "type": "exploit", "author": [ "Sam Bertram ", "juan vazquez " ], "description": "This is a general-purpose module for exploiting systems with Windows Group Policy\n configured to load VBS startup/logon scripts from remote locations. This module runs\n an SMB shared resource that will provide a payload through a VBS file. Startup scripts\n will be executed with SYSTEM privileges, while logon scripts will be executed with the\n user privileges. Take into account that the attacker still needs to redirect the\n target traffic to the fake SMB share to exploit it successfully. 
Please note in some\n cases, it will take 5 to 10 minutes to receive a session.", "references": [ "URL-http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html", "URL-https://github.com/GDSSecurity/BadSamba" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Windows x86", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/group_policy_startup.rb", "is_install_path": true, "ref_name": "windows/smb/group_policy_startup", "check": false }, "exploit_windows/smb/ipass_pipe_exec": { "name": "IPass Control Pipe Remote Command Execution", "full_name": "exploit/windows/smb/ipass_pipe_exec", "rank": 600, "disclosure_date": "2015-01-21", "type": "exploit", "author": [ "Matthias Kaiser", "h0ng10 " ], "description": "This module exploits a vulnerability in the IPass Client service. This service provides a\n named pipe which can be accessed by the user group BUILTIN\\Users. 
This pipe can be abused\n to force the service to load a DLL from a SMB share.", "references": [ "CVE-2015-0925", "OSVDB-117423", "BID-72265", "URL-http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows x32", "Windows x64" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ipass_pipe_exec.rb", "is_install_path": true, "ref_name": "windows/smb/ipass_pipe_exec", "check": true }, "exploit_windows/smb/ms03_049_netapi": { "name": "MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow", "full_name": "exploit/windows/smb/ms03_049_netapi", "rank": 400, "disclosure_date": "2003-11-11", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n function using the Workstation service in Windows XP.", "references": [ "CVE-2003-0812", "OSVDB-11461", "BID-9011", "MSB-MS03-049" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows XP SP0/SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms03_049_netapi.rb", "is_install_path": true, "ref_name": "windows/smb/ms03_049_netapi", "check": false }, "exploit_windows/smb/ms04_007_killbill": { "name": "MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow", "full_name": "exploit/windows/smb/ms04_007_killbill", "rank": 100, "disclosure_date": "2004-02-10", "type": "exploit", "author": [ "Solar Eclipse " ], "description": "This is an exploit for a previously undisclosed\n vulnerability in the bit string decoding code in the\n Microsoft ASN.1 library. This vulnerability is not related\n to the bit string vulnerability described in eEye advisory\n AD20040210-2. 
Both vulnerabilities were fixed in the\n MS04-007 patch.\n\n You are only allowed one attempt with this vulnerability. If\n the payload fails to execute, the LSASS system service will\n crash and the target system will automatically reboot itself\n in 60 seconds. If the payload succeeds, the system will no\n longer be able to process authentication requests, denying\n all attempts to login through SMB or at the console. A\n reboot is required to restore proper functioning of an\n exploited system.\n\n This exploit has been successfully tested with the win32/*/reverse_tcp\n payloads, however a few problems were encountered when using the\n equivalent bind payloads. Your mileage may vary.", "references": [ "CVE-2003-0818", "OSVDB-3902", "BID-9633", "MSB-MS04-007" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 2000 SP2-SP4 + Windows XP SP0-SP1" ], "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb", "is_install_path": true, "ref_name": "windows/smb/ms04_007_killbill", "check": false }, "exploit_windows/smb/ms04_011_lsass": { "name": "MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow", "full_name": "exploit/windows/smb/ms04_011_lsass", "rank": 400, "disclosure_date": "2004-04-13", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the LSASS service, this vulnerability\n was originally found by eEye. When re-exploiting a Windows XP system, you will need\n to run this module twice. 
DCERPC request fragmentation can be performed by setting\n 'FragSize' parameter.", "references": [ "CVE-2003-0533", "OSVDB-5248", "BID-10108", "MSB-MS04-011" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic Targetting", "Windows 2000 English", "Windows XP English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms04_011_lsass.rb", "is_install_path": true, "ref_name": "windows/smb/ms04_011_lsass", "check": false }, "exploit_windows/smb/ms04_031_netdde": { "name": "MS04-031 Microsoft NetDDE Service Overflow", "full_name": "exploit/windows/smb/ms04_031_netdde", "rank": 400, "disclosure_date": "2004-10-12", "type": "exploit", "author": [ "pusscat " ], "description": "This module exploits a stack buffer overflow in the NetDDE service, which is the\n precursor to the DCOM interface. This exploit effects only operating systems\n released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim\n that this vulnerability can be exploited without authentication, the NDDEAPI\n pipe is only accessible after successful authentication.", "references": [ "CVE-2004-0206", "OSVDB-10689", "BID-11372", "MSB-MS04-031" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 2000 SP4" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms04_031_netdde.rb", "is_install_path": true, "ref_name": "windows/smb/ms04_031_netdde", "check": false }, "exploit_windows/smb/ms05_039_pnp": { "name": "MS05-039 Microsoft Plug and Play Service Overflow", "full_name": "exploit/windows/smb/ms05_039_pnp", "rank": 400, "disclosure_date": "2005-08-09", "type": "exploit", "author": [ "hdm ", "cazz " ], "description": "This module exploits a stack buffer overflow in the Windows Plug\n and Play service. 
This vulnerability can be exploited on\n Windows 2000 without a valid user account.\n\n NOTE: Since the PnP service runs inside the service.exe process, a failed\n exploit attempt will cause the system to automatically reboot.", "references": [ "CVE-2005-1983", "OSVDB-18605", "BID-14513", "MSB-MS05-039" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 2000 SP0-SP4", "Windows 2000 SP4 French", "Windows 2000 SP4 Spanish", "Windows 2000 SP4 English/French/German/Dutch", "Windows 2000 SP0-SP4 German", "Windows 2000 SP0-SP4 Italian", "Windows XP SP1 English", "Windows XP SP2 English (Requires Admin)", "Windows Server 2003 SP0 English (Requires Admin)", "Windows Server 2003 SP1 English (Requires Admin)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms05_039_pnp.rb", "is_install_path": true, "ref_name": "windows/smb/ms05_039_pnp", "check": true }, "exploit_windows/smb/ms06_025_rasmans_reg": { "name": "MS06-025 Microsoft RRAS Service RASMAN Registry Overflow", "full_name": "exploit/windows/smb/ms06_025_rasmans_reg", "rank": 400, "disclosure_date": "2006-06-13", "type": "exploit", "author": [ "pusscat ", "hdm " ], "description": "This module exploits a registry-based stack buffer overflow in the Windows Routing\n and Remote Access Service. Since the service is hosted inside svchost.exe,\n a failed exploit attempt can cause other system services to fail as well.\n A valid username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n Exploiting this flaw involves two distinct steps - creating the registry key\n and then triggering an overwrite based on a read of this key. Once the key is\n created, it cannot be recreated. This means that for any given system, you\n only get one chance to exploit this flaw. 
Picking the wrong target will require\n a manual removal of the following registry key before you can try again:\n HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook", "references": [ "CVE-2006-2370", "OSVDB-26437", "BID-18325", "MSB-MS06-025" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 2000 SP4" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_025_rasmans_reg", "check": false }, "exploit_windows/smb/ms06_025_rras": { "name": "MS06-025 Microsoft RRAS Service Overflow", "full_name": "exploit/windows/smb/ms06_025_rras", "rank": 200, "disclosure_date": "2006-06-13", "type": "exploit", "author": [ "Nicolas Pouvesle ", "hdm " ], "description": "This module exploits a stack buffer overflow in the Windows Routing and Remote\n Access Service. Since the service is hosted inside svchost.exe, a failed\n exploit attempt can cause other system services to fail as well. 
A valid\n username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.", "references": [ "CVE-2006-2370", "OSVDB-26437", "BID-18325", "MSB-MS06-025" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic", "Windows 2000 SP4", "Windows XP SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms06_025_rras.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_025_rras", "check": false }, "exploit_windows/smb/ms06_040_netapi": { "name": "MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow", "full_name": "exploit/windows/smb/ms06_040_netapi", "rank": 400, "disclosure_date": "2006-08-08", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n other RPC calls could be used to exploit this service. This exploit will result in\n a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n will likely result in a complete reboot on Windows 2000 and the termination of all\n SMB-related services on Windows XP. 
The default target for this exploit should succeed\n on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.", "references": [ "CVE-2006-3439", "OSVDB-27845", "BID-19409", "MSB-MS06-040" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)", "(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4", "(wcscpy) Windows XP SP0/SP1", "(stack) Windows XP SP1 English", "(stack) Windows XP SP1 Italian", "(wcscpy) Windows 2003 SP0" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_040_netapi", "check": false }, "exploit_windows/smb/ms06_066_nwapi": { "name": "MS06-066 Microsoft Services nwapi32.dll Module Exploit", "full_name": "exploit/windows/smb/ms06_066_nwapi", "rank": 400, "disclosure_date": "2006-11-14", "type": "exploit", "author": [ "pusscat " ], "description": "This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. This specific vulnerability is in the nwapi32.dll module.", "references": [ "CVE-2006-4688", "OSVDB-30260", "BID-21023", "MSB-MS06-066" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms06_066_nwapi.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_066_nwapi", "check": false }, "exploit_windows/smb/ms06_066_nwwks": { "name": "MS06-066 Microsoft Services nwwks.dll Module Exploit", "full_name": "exploit/windows/smb/ms06_066_nwwks", "rank": 400, "disclosure_date": "2006-11-14", "type": "exploit", "author": [ "pusscat " ], "description": "This module exploits a stack buffer overflow in the svchost service, when the netware\n client service is running. 
This specific vulnerability is in the nwapi32.dll module.", "references": [ "CVE-2006-4688", "OSVDB-30260", "BID-21023", "MSB-MS06-066" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms06_066_nwwks.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_066_nwwks", "check": false }, "exploit_windows/smb/ms06_070_wkssvc": { "name": "MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow", "full_name": "exploit/windows/smb/ms06_070_wkssvc", "rank": 0, "disclosure_date": "2006-11-14", "type": "exploit", "author": [ "jduck " ], "description": "This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n In order to exploit this vulnerability, you must specify the name of a\n valid Windows DOMAIN. It may be possible to satisfy this condition by using\n a custom DNS and LDAP setup, however that method is not covered here.\n\n Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n credentials are required to reach the vulnerable code. Windows XP SP1 only\n requires valid user credentials. 
Also, testing shows that a machine already\n joined to a domain is not exploitable.", "references": [ "CVE-2006-4691", "OSVDB-30263", "BID-20985", "MSB-MS06-070" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic Targetting", "Windows 2000 SP4", "Windows XP SP0/SP1" ], "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/exploits/windows/smb/ms06_070_wkssvc.rb", "is_install_path": true, "ref_name": "windows/smb/ms06_070_wkssvc", "check": false }, "exploit_windows/smb/ms07_029_msdns_zonename": { "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)", "full_name": "exploit/windows/smb/ms07_029_msdns_zonename", "rank": 0, "disclosure_date": "2007-04-12", "type": "exploit", "author": [ "hdm ", "Unknown" ], "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2. This module exploits the\n RPC service using the \\DNSSERVER pipe available via SMB. 
This\n pipe requires a valid user account to access, so the SMBUSER\n and SMBPASS options must be specified.", "references": [ "CVE-2007-1748", "OSVDB-34100", "MSB-MS07-029", "URL-http://www.microsoft.com/technet/security/advisory/935964.mspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)", "Windows 2000 Server SP0-SP4+ English", "Windows 2000 Server SP0-SP4+ Italian", "Windows 2000 Server SP0-SP4+ French", "Windows 2003 Server SP0 English", "Windows 2003 Server SP0 French", "Windows 2003 Server SP1-SP2 English", "Windows 2003 Server SP1-SP2 French", "Windows 2003 Server SP1-SP2 Spanish", "Windows 2003 Server SP1-SP2 Italian", "Windows 2003 Server SP1-SP2 German" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb", "is_install_path": true, "ref_name": "windows/smb/ms07_029_msdns_zonename", "check": false }, "exploit_windows/smb/ms08_067_netapi": { "name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption", "full_name": "exploit/windows/smb/ms08_067_netapi", "rank": 500, "disclosure_date": "2008-10-28", "type": "exploit", "author": [ "hdm ", "Brett Moore ", "frank2 ", "jduck " ], "description": "This module exploits a parsing flaw in the path canonicalization code of\n NetAPI32.dll through the Server Service. This module is capable of bypassing\n NX on some operating systems and service packs. The correct target must be\n used to prevent the Server Service (along with a dozen others in the same\n process) from crashing. Windows XP targets seem to handle multiple successful\n exploitation events, but 2003 targets will often crash or hang on subsequent\n attempts. 
This is just the first version of this module, full support for\n NX bypass on 2003, along with other platforms, is still in development.", "references": [ "CVE-2008-4250", "OSVDB-49243", "MSB-MS08-067", "URL-http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic Targeting", "Windows 2000 Universal", "Windows XP SP0/SP1 Universal", "Windows 2003 SP0 Universal", "Windows XP SP2 English (AlwaysOn NX)", "Windows XP SP2 English (NX)", "Windows XP SP3 English (AlwaysOn NX)", "Windows XP SP3 English (NX)", "Windows XP SP2 Arabic (NX)", "Windows XP SP2 Chinese - Traditional / Taiwan (NX)", "Windows XP SP2 Chinese - Simplified (NX)", "Windows XP SP2 Chinese - Traditional (NX)", "Windows XP SP2 Czech (NX)", "Windows XP SP2 Danish (NX)", "Windows XP SP2 German (NX)", "Windows XP SP2 Greek (NX)", "Windows XP SP2 Spanish (NX)", "Windows XP SP2 Finnish (NX)", "Windows XP SP2 French (NX)", "Windows XP SP2 Hebrew (NX)", "Windows XP SP2 Hungarian (NX)", "Windows XP SP2 Italian (NX)", "Windows XP SP2 Japanese (NX)", "Windows XP SP2 Korean (NX)", "Windows XP SP2 Dutch (NX)", "Windows XP SP2 Norwegian (NX)", "Windows XP SP2 Polish (NX)", "Windows XP SP2 Portuguese - Brazilian (NX)", "Windows XP SP2 Portuguese (NX)", "Windows XP SP2 Russian (NX)", "Windows XP SP2 Swedish (NX)", "Windows XP SP2 Turkish (NX)", "Windows XP SP3 Arabic (NX)", "Windows XP SP3 Chinese - Traditional / Taiwan (NX)", "Windows XP SP3 Chinese - Simplified (NX)", "Windows XP SP3 Chinese - Traditional (NX)", "Windows XP SP3 Czech (NX)", "Windows XP SP3 Danish (NX)", "Windows XP SP3 German (NX)", "Windows XP SP3 Greek (NX)", "Windows XP SP3 Spanish (NX)", "Windows XP SP3 Finnish (NX)", "Windows XP SP3 French (NX)", "Windows XP SP3 Hebrew (NX)", "Windows XP SP3 Hungarian (NX)", "Windows XP SP3 Italian (NX)", "Windows XP SP3 Japanese (NX)", "Windows XP SP3 Korean (NX)", "Windows XP 
SP3 Dutch (NX)", "Windows XP SP3 Norwegian (NX)", "Windows XP SP3 Polish (NX)", "Windows XP SP3 Portuguese - Brazilian (NX)", "Windows XP SP3 Portuguese (NX)", "Windows XP SP3 Russian (NX)", "Windows XP SP3 Swedish (NX)", "Windows XP SP3 Turkish (NX)", "Windows 2003 SP1 English (NO NX)", "Windows 2003 SP1 English (NX)", "Windows 2003 SP1 Japanese (NO NX)", "Windows 2003 SP1 Spanish (NO NX)", "Windows 2003 SP1 Spanish (NX)", "Windows 2003 SP1 French (NO NX)", "Windows 2003 SP1 French (NX)", "Windows 2003 SP2 English (NO NX)", "Windows 2003 SP2 English (NX)", "Windows 2003 SP2 German (NO NX)", "Windows 2003 SP2 German (NX)", "Windows 2003 SP2 Portuguese - Brazilian (NX)", "Windows 2003 SP2 Spanish (NO NX)", "Windows 2003 SP2 Spanish (NX)", "Windows 2003 SP2 Japanese (NO NX)", "Windows 2003 SP2 French (NO NX)", "Windows 2003 SP2 French (NX)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms08_067_netapi.rb", "is_install_path": true, "ref_name": "windows/smb/ms08_067_netapi", "check": true }, "exploit_windows/smb/ms09_050_smb2_negotiate_func_index": { "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "full_name": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", "rank": 400, "disclosure_date": "2009-09-07", "type": "exploit", "author": [ "Laurent Gaffie ", "hdm ", "sf " ], "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.", "references": [ "MSB-MS09-050", "CVE-2009-3103", "BID-36299", "OSVDB-57799", "URL-http://seclists.org/fulldisclosure/2009/Sep/0039.html", "URL-http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows Vista SP1/SP2 and Server 2008 (x86)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "is_install_path": true, "ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index", "check": false }, "exploit_windows/smb/ms10_046_shortcut_icon_dllloader": { "name": "Microsoft Windows Shell LNK Code Execution", "full_name": "exploit/windows/smb/ms10_046_shortcut_icon_dllloader", "rank": 600, "disclosure_date": "2010-07-16", "type": "exploit", "author": [ "hdm ", "jduck ", "B_H" ], "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This creates an SMB resource to provide the payload\n inside a DLL, and generates a LNK file which must be sent to the\n target.", "references": [ "CVE-2010-2568", "OSVDB-66387", "MSB-MS10-046", "URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx", "URL-https://github.com/rapid7/metasploit-framework/pull/4911" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb", "is_install_path": true, "ref_name": "windows/smb/ms10_046_shortcut_icon_dllloader", "check": false }, "exploit_windows/smb/ms10_061_spoolss": { "name": "MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability", "full_name": "exploit/windows/smb/ms10_061_spoolss", "rank": 600, "disclosure_date": "2010-09-14", "type": "exploit", "author": [ "jduck ", "hdm " ], "description": "This module exploits the RPC service impersonation vulnerability detailed in\n Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the\n StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n to create a file. The working directory at the time is %SystemRoot%\\system32.\n An attacker can specify any file name, including directory traversal or full paths.\n By sending WritePrinter requests, an attacker can fully control the content of\n the created file.\n\n In order to gain code execution, this module writes to a directory used by Windows\n Management Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof)\n is periodically scanned and any new .mof files are processed automatically. 
This is\n the same technique employed by the Stuxnet code found in the wild.", "references": [ "OSVDB-67988", "CVE-2010-2729", "MSB-MS10-061" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows Universal" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms10_061_spoolss.rb", "is_install_path": true, "ref_name": "windows/smb/ms10_061_spoolss", "check": false }, "exploit_windows/smb/ms15_020_shortcut_icon_dllloader": { "name": "Microsoft Windows Shell LNK Code Execution", "full_name": "exploit/windows/smb/ms15_020_shortcut_icon_dllloader", "rank": 600, "disclosure_date": "2015-03-10", "type": "exploit", "author": [ "Michael Heerklotz", "juan vazquez " ], "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This creates an SMB resource to provide the payload and the trigger, and generates a\n LNK file which must be sent to the target. 
This module has been tested successfully on\n Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", "references": [ "CVE-2015-0096", "MSB-MS15-020", "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", "URL-https://github.com/rapid7/metasploit-framework/pull/4911" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb", "is_install_path": true, "ref_name": "windows/smb/ms15_020_shortcut_icon_dllloader", "check": false }, "exploit_windows/smb/ms17_010_eternalblue": { "name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "full_name": "exploit/windows/smb/ms17_010_eternalblue", "rank": 200, "disclosure_date": "2017-03-14", "type": "exploit", "author": [ "Sean Dillon ", "Dylan Davis ", "Equation Group", "Shadow Brokers", "thelightcosine" ], "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. 
If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.", "references": [ "AKA-ETERNALBLUE", "MSB-MS17-010", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "URL-https://github.com/RiskSense-Ops/MS17-010" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 7 and Server 2008 R2 (x64) All Service Packs" ], "mod_time": "2018-07-10 11:05:00 +0000", "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "is_install_path": true, "ref_name": "windows/smb/ms17_010_eternalblue", "check": false }, "exploit_windows/smb/ms17_010_eternalblue_win8": { "name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "full_name": "exploit/windows/smb/ms17_010_eternalblue_win8", "rank": 200, "disclosure_date": "2017-03-14", "type": "exploit", "author": [ "Equation Group", "Shadow Brokers", "sleepya", "wvu " ], "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya.\n The exploit might FAIL and CRASH a target system (depending on what is overwritten).\n The exploit supports only x64 targets.\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share (including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - TCP port 445 is filtered by the firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" 
https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how the exploit for Windows 7/2008 works, please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick used here is almost the same.\n - The exploit uses the HAL heap for placing a fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Windows 2012, the NX bit is set on this memory page, so it must be cleared before controlling RIP.\n - The exploit is likely to crash the target when it fails.\n - The overflow happens in the nonpaged pool, so the target's nonpaged pool must be massaged first.\n - If the exploit fails but the target does not crash, try increasing the 'GroomAllocations' value (at least 5).\n - See the code and comments for exploit details.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is otherwise the same, but the bug must be triggered twice:\n - First trigger: set MDL.MappedSystemVa to the target PTE address\n - Write '\\x00' to clear the NX flag\n - Second trigger: do the same as the Windows 7 exploit\n - In my testing, if the exploit disables NX successfully, I always get code execution", "references": [ "MSB-MS17-010", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "EDB-42030", "URL-https://github.com/worawit/MS17-010", "AKA-ETERNALBLUE" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x64", "rport": 445, "targets": [ "win x64" ], "mod_time": "2018-07-17 17:34:51 +0000", "path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "is_install_path": true, "ref_name": "windows/smb/ms17_010_eternalblue_win8", "check": false }, "exploit_windows/smb/ms17_010_psexec": { "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "full_name": 
"exploit/windows/smb/ms17_010_psexec", "rank": 300, "disclosure_date": "2017-03-14", "type": "exploit", "author": [ "sleepya", "zerosum0x0", "Shadow Brokers", "Equation Group" ], "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", "references": [ "AKA-ETERNALSYNERGY", "AKA-ETERNALROMANCE", "AKA-ETERNALCHAMPION", "AKA-ETERNALBLUE", "MSB-MS17-010", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "URL-https://github.com/worawit/MS17-010", "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 445, "targets": [ "Automatic", "PowerShell", "Native upload", "MOF upload" ], "mod_time": "2018-05-14 15:45:20 +0000", "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb", "is_install_path": true, "ref_name": "windows/smb/ms17_010_psexec", "check": false }, "exploit_windows/smb/netidentity_xtierrpcpipe": { "name": "Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow", "full_name": "exploit/windows/smb/netidentity_xtierrpcpipe", "rank": 500, "disclosure_date": "2009-04-06", "type": "exploit", "author": [ "MC ", "Ruben Santamarta" ], "description": "This module exploits a stack buffer overflow in Novell's NetIdentity Agent. 
When sending\n a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n able to execute arbitrary code. The success of this module is much greater once the\n service has been restarted.", "references": [ "CVE-2009-1350", "OSVDB-53351", "BID-34400", "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Windows 2000 / Windows XP / Windows 2003" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb", "is_install_path": true, "ref_name": "windows/smb/netidentity_xtierrpcpipe", "check": false }, "exploit_windows/smb/psexec": { "name": "Microsoft Windows Authenticated User Code Execution", "full_name": "exploit/windows/smb/psexec", "rank": 0, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "hdm ", "Royce Davis ", "RageLtMan " ], "description": "This module uses a valid administrator username and password (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" utility provided by SysInternals. This module is now able\n to clean up after itself. 
The service created by this tool uses a randomly\n chosen name and description.", "references": [ "CVE-1999-0504", "OSVDB-3106", "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx", "URL-https://www.optiv.com/blog/owning-computers-without-shell-access", "URL-http://sourceforge.net/projects/smbexec/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 445, "targets": [ "Automatic", "PowerShell", "Native upload", "MOF upload" ], "mod_time": "2018-07-02 16:07:27 +0000", "path": "/modules/exploits/windows/smb/psexec.rb", "is_install_path": true, "ref_name": "windows/smb/psexec", "check": false }, "exploit_windows/smb/psexec_psh": { "name": "Microsoft Windows Authenticated Powershell Command Execution", "full_name": "exploit/windows/smb/psexec_psh", "rank": 0, "disclosure_date": "1999-01-01", "type": "exploit", "author": [ "Royce @R3dy__ Davis ", "RageLtMan " ], "description": "This module uses a valid administrator username and password to execute a powershell\n payload using a similar technique to the \"psexec\" utility provided by SysInternals. The\n payload is encoded in base64 and executed from the commandline using the -encodedcommand\n flag. Using this method, the payload is never written to disk, and given that each payload\n is unique, is less prone to signature based detection. A persist option is provided to\n execute the payload in a while loop in order to maintain a form of persistence. In the\n event of a sandbox observing PSH execution, a delay and other obfuscation may be added to\n avoid detection. 
In order to avoid interactive process notifications for the current user,\n the psh payload has been reduced in size and wrapped in a powershell invocation which hides\n the window entirely.", "references": [ "CVE-1999-0504", "OSVDB-3106", "URL-https://www.optiv.com/blog/owning-computers-without-shell-access", "URL-http://sourceforge.net/projects/smbexec/", "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic" ], "mod_time": "2018-07-30 12:37:06 +0000", "path": "/modules/exploits/windows/smb/psexec_psh.rb", "is_install_path": true, "ref_name": "windows/smb/psexec_psh", "check": false }, "exploit_windows/smb/smb_delivery": { "name": "SMB Delivery", "full_name": "exploit/windows/smb/smb_delivery", "rank": 600, "disclosure_date": "2016-07-26", "type": "exploit", "author": [ "Andrew Smith", "Russel Van Tuyl" ], "description": "This module serves payloads via an SMB server and provides commands to retrieve\n and execute the generated payloads. 
Currently supports DLLs and Powershell.", "references": [ "URL-https://github.com/rapid7/metasploit-framework/pull/3074" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "DLL", "PSH" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/smb_delivery.rb", "is_install_path": true, "ref_name": "windows/smb/smb_delivery", "check": false }, "exploit_windows/smb/smb_relay": { "name": "MS08-068 Microsoft Windows SMB Relay Code Execution", "full_name": "exploit/windows/smb/smb_relay", "rank": 600, "disclosure_date": "2001-03-31", "type": "exploit", "author": [ "hdm ", "juan vazquez " ], "description": "This module will relay SMB authentication requests to another\n host, gaining access to an authenticated SMB session if successful.\n If the connecting user is an administrator and network logins are\n allowed to the target machine, this module will execute an arbitrary\n payload. To exploit this, the target system\tmust try to\tauthenticate\n to this module. The easiest way to force a SMB authentication attempt\n is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or\n email message. When the victim views the web page or email, their\n system will automatically connect to the server specified in the UNC\n share (the IP address of the system running this module) and attempt\n to authenticate. Unfortunately, this\n module is not able to clean up after itself. The service and payload\n file listed in the output will need to be manually removed after access\n has been gained. The service created by this tool uses a randomly chosen\n name and description, so the services list can become cluttered after\n repeated exploitation.\n\n The SMB authentication relay attack was first reported by Sir Dystic on\n March 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n On November 11th 2008 Microsoft released bulletin MS08-068. 
This bulletin\n includes a patch which prevents the relaying of challenge keys back to\n the host which issued them, preventing this exploit from working in\n the default configuration. It is still possible to set the SMBHOST\n parameter to a third-party host that the victim is authorized to access,\n but the \"reflection\" attack has been effectively broken.", "references": [ "CVE-2008-4037", "OSVDB-49736", "MSB-MS08-068", "URL-http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx", "URL-http://en.wikipedia.org/wiki/SMBRelay", "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": [ "Automatic" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/smb_relay.rb", "is_install_path": true, "ref_name": "windows/smb/smb_relay", "check": false }, "exploit_windows/smb/timbuktu_plughntcommand_bof": { "name": "Timbuktu PlughNTCommand Named Pipe Buffer Overflow", "full_name": "exploit/windows/smb/timbuktu_plughntcommand_bof", "rank": 500, "disclosure_date": "2009-06-25", "type": "exploit", "author": [ "bannedit " ], "description": "This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n in a pretty novel way.\n\n This exploit requires two connections. The first connection is used to leak stack data\n using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n a large value for this argument it is possible to cause Timbuktu to reply to the initial\n request with leaked stack data. 
Using this data allows for reliable exploitation of the\n buffer overflow vulnerability.\n\n Props to Infamous41d for helping in finding this exploitation path.\n\n The second connection utilizes the data from the data leak to accurately exploit\n the stack based buffer overflow vulnerability.\n\n TODO:\n hdm suggested using meterpreter's migration capability and restarting the process\n for multishot exploitation.", "references": [ "CVE-2009-1394", "OSVDB-55436", "BID-35496", "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 445, "targets": [ "Automatic Targeting" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb", "is_install_path": true, "ref_name": "windows/smb/timbuktu_plughntcommand_bof", "check": false }, "exploit_windows/smtp/mailcarrier_smtp_ehlo": { "name": "TABS MailCarrier v2.51 SMTP EHLO Overflow", "full_name": "exploit/windows/smtp/mailcarrier_smtp_ehlo", "rank": 400, "disclosure_date": "2004-10-26", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits the MailCarrier v2.51 suite SMTP service.\n The stack is overwritten when sending an overly long EHLO command.", "references": [ "CVE-2004-1638", "OSVDB-11174", "BID-11535", "EDB-598" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 25, "targets": [ "Windows 2000 SP0 - XP SP1 - EN/FR/GR", "Windows XP SP2 - EN" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb", "is_install_path": true, "ref_name": "windows/smtp/mailcarrier_smtp_ehlo", "check": true }, "exploit_windows/smtp/mercury_cram_md5": { "name": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "full_name": "exploit/windows/smtp/mercury_cram_md5", "rank": 500, "disclosure_date": "2007-08-18", "type": "exploit", "author": [ "MC " ], 
"description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n may be able to execute arbitrary code.", "references": [ "CVE-2007-4440", "OSVDB-39669", "BID-25357" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Mercury Mail Transport System 4.51" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smtp/mercury_cram_md5.rb", "is_install_path": true, "ref_name": "windows/smtp/mercury_cram_md5", "check": false }, "exploit_windows/smtp/ms03_046_exchange2000_xexch50": { "name": "MS03-046 Exchange 2000 XEXCH50 Heap Overflow", "full_name": "exploit/windows/smtp/ms03_046_exchange2000_xexch50", "rank": 400, "disclosure_date": "2003-10-15", "type": "exploit", "author": [ "hdm ", "aushack " ], "description": "This is an exploit for the Exchange 2000 heap overflow. Due\n to the nature of the vulnerability, this exploit is not very\n reliable. This module has been tested against Exchange 2000\n SP0 and SP3 running a Windows 2000 system patched to SP4. It\n normally takes between one and 100 connection attempts to\n successfully obtain a shell. 
This exploit is *very* unreliable.", "references": [ "CVE-2003-0714", "BID-8838", "OSVDB-2674", "MSB-MS03-046", "EDB-113" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Exchange 2000" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb", "is_install_path": true, "ref_name": "windows/smtp/ms03_046_exchange2000_xexch50", "check": true }, "exploit_windows/smtp/njstar_smtp_bof": { "name": "NJStar Communicator 3.00 MiniSMTP Buffer Overflow", "full_name": "exploit/windows/smtp/njstar_smtp_bof", "rank": 300, "disclosure_date": "2011-10-31", "type": "exploit", "author": [ "Dillon Beresford" ], "description": "This module exploits a stack buffer overflow vulnerability in NJStar Communicator\n Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple\n NJStar products, and will continue to run in the background even if the\n software is already shutdown. According to the vendor's testimonials,\n NJStar software is also used by well known companies such as Siemens, NEC,\n Google, Yahoo, eBay; government agencies such as the FBI, Department of\n Justice (HK); as well as a long list of universities such as Yale, Harvard,\n University of Tokyo, etc.", "references": [ "OSVDB-76728", "CVE-2011-4040", "URL-http://www.njstar.com/cms/njstar-communicator", "EDB-18057" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Windows XP SP2/SP3", "Windows Server 2003 SP0", "Windows Server 2003 SP1/SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smtp/njstar_smtp_bof.rb", "is_install_path": true, "ref_name": "windows/smtp/njstar_smtp_bof", "check": true }, "exploit_windows/smtp/sysgauge_client_bof": { "name": "SysGauge SMTP Validation Buffer Overflow", "full_name": "exploit/windows/smtp/sysgauge_client_bof", "rank": 300, "disclosure_date": "2017-02-28", "type": 
"exploit", "author": [ "Chris Higgins", "Peter Baris" ], "description": "This module will setup an SMTP server expecting a connection from SysGauge 1.5.18\n via its SMTP server validation. The module sends a malicious response along in the\n 220 service ready response and exploits the client, resulting in an unprivileged shell.", "references": [ "CVE-2017-6416", "EDB-41479" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows Universal" ], "mod_time": "2018-07-12 17:34:52 +0000", "path": "/modules/exploits/windows/smtp/sysgauge_client_bof.rb", "is_install_path": true, "ref_name": "windows/smtp/sysgauge_client_bof", "check": false }, "exploit_windows/smtp/wmailserver": { "name": "SoftiaCom WMailserver 1.0 Buffer Overflow", "full_name": "exploit/windows/smtp/wmailserver", "rank": 200, "disclosure_date": "2005-07-11", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n (SMTP) via a SEH frame overwrite.", "references": [ "CVE-2005-2287", "OSVDB-17883", "BID-14213" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Windows 2000 Pro English All", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smtp/wmailserver.rb", "is_install_path": true, "ref_name": "windows/smtp/wmailserver", "check": false }, "exploit_windows/smtp/ypops_overflow1": { "name": "YPOPS 0.6 Buffer Overflow", "full_name": "exploit/windows/smtp/ypops_overflow1", "rank": 200, "disclosure_date": "2004-09-27", "type": "exploit", "author": [ "acaro " ], "description": "This module exploits a stack buffer overflow in the YPOPS POP3\n service.\n\n This is a classic stack buffer overflow for YPOPS version 0.6.\n Possibly Affected version 0.5, 0.4.5.1, 0.4.5. 
Eip point to\n jmp ebx opcode in ws_32.dll", "references": [ "CVE-2004-1558", "OSVDB-10367", "BID-11256", "URL-http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 25, "targets": [ "Automatic", "Windows 2000 SP0 Italian", "Windows 2000 Advanced Server Italian SP4", "Windows 2000 Advanced Server SP3 English", "Windows 2000 SP0 English", "Windows 2000 SP1 English", "Windows 2000 SP2 English", "Windows 2000 SP3 English", "Windows 2000 SP4 English", "Windows XP SP0-SP1 English", "Windows XP SP2 English", "Windows 2003 SP0 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/smtp/ypops_overflow1.rb", "is_install_path": true, "ref_name": "windows/smtp/ypops_overflow1", "check": true }, "exploit_windows/ssh/freeftpd_key_exchange": { "name": "FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow", "full_name": "exploit/windows/ssh/freeftpd_key_exchange", "rank": 200, "disclosure_date": "2006-05-12", "type": "exploit", "author": [ "riaf " ], "description": "This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.\n This module is based on MC's freesshd_key_exchange exploit.", "references": [ "CVE-2006-2407", "OSVDB-25569", "BID-17958" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 22, "targets": [ "Windows 2000 SP0-SP4 English", "Windows 2000 SP0-SP4 German", "Windows XP SP0-SP1 English", "Windows XP SP2 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ssh/freeftpd_key_exchange.rb", "is_install_path": true, "ref_name": "windows/ssh/freeftpd_key_exchange", "check": false }, "exploit_windows/ssh/freesshd_authbypass": { "name": "Freesshd Authentication Bypass", "full_name": 
"exploit/windows/ssh/freesshd_authbypass", "rank": 600, "disclosure_date": "2010-08-11", "type": "exploit", "author": [ "Aris", "kcope", "Daniele Martini " ], "description": "This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass\n authentication. You just need the username (which defaults to root). The exploit\n has been tested with both password and public key authentication.", "references": [ "CVE-2012-6066", "OSVDB-88006", "BID-56785", "URL-http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html", "URL-http://seclists.org/fulldisclosure/2010/Aug/132" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": 22, "targets": [ "Freesshd <= 1.2.6 / Windows (Universal)" ], "mod_time": "2017-08-01 15:41:07 +0000", "path": "/modules/exploits/windows/ssh/freesshd_authbypass.rb", "is_install_path": true, "ref_name": "windows/ssh/freesshd_authbypass", "check": true }, "exploit_windows/ssh/freesshd_key_exchange": { "name": "FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow", "full_name": "exploit/windows/ssh/freesshd_key_exchange", "rank": 200, "disclosure_date": "2006-05-12", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.", "references": [ "CVE-2006-2407", "OSVDB-25463", "BID-17958" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 22, "targets": [ "Windows 2000 Pro SP4 English", "Windows XP Pro SP0 English", "Windows XP Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ssh/freesshd_key_exchange.rb", "is_install_path": true, "ref_name": "windows/ssh/freesshd_key_exchange", "check": false }, "exploit_windows/ssh/putty_msg_debug": { "name": "PuTTY Buffer Overflow", "full_name": 
"exploit/windows/ssh/putty_msg_debug", "rank": 300, "disclosure_date": "2002-12-16", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in the PuTTY SSH client that is\n triggered through a validation error in SSH.c. This vulnerability\n affects versions 0.53 and earlier.", "references": [ "CVE-2002-1359", "OSVDB-8044", "URL-http://www.rapid7.com/advisories/R7-0009.html", "BID-6407" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 SP4 English", "Windows XP SP2 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ssh/putty_msg_debug.rb", "is_install_path": true, "ref_name": "windows/ssh/putty_msg_debug", "check": false }, "exploit_windows/ssh/securecrt_ssh1": { "name": "SecureCRT SSH1 Buffer Overflow", "full_name": "exploit/windows/ssh/securecrt_ssh1", "rank": 200, "disclosure_date": "2002-07-23", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in SecureCRT <= 4.0\n Beta 2. 
By sending a vulnerable client an overly long\n SSH1 protocol identifier string, it is possible to execute\n arbitrary code.\n\n This module has only been tested on SecureCRT 3.4.4.", "references": [ "CVE-2002-1059", "OSVDB-4991", "BID-5287" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "SecureCRT.exe (3.4.4)" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ssh/securecrt_ssh1.rb", "is_install_path": true, "ref_name": "windows/ssh/securecrt_ssh1", "check": false }, "exploit_windows/ssh/sysax_ssh_username": { "name": "Sysax 5.53 SSH Username Buffer Overflow", "full_name": "exploit/windows/ssh/sysax_ssh_username", "rank": 300, "disclosure_date": "2012-02-27", "type": "exploit", "author": [ "Craig Freyman", "sinn3r " ], "description": "This module exploits a vulnerability found in Sysax's SSH service. By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. 
Please note that previous versions\n (before 5.53) are also affected by this bug.", "references": [ "OSVDB-79689", "URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html", "EDB-18535" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 22, "targets": [ "Sysax 5.53 on Win XP SP3 / Win2k3 SP0", "Sysax 5.53 on Win2K3 SP1/SP2" ], "mod_time": "2017-08-01 15:41:07 +0000", "path": "/modules/exploits/windows/ssh/sysax_ssh_username.rb", "is_install_path": true, "ref_name": "windows/ssh/sysax_ssh_username", "check": true }, "exploit_windows/ssl/ms04_011_pct": { "name": "MS04-011 Microsoft Private Communications Transport Overflow", "full_name": "exploit/windows/ssl/ms04_011_pct", "rank": 200, "disclosure_date": "2004-04-13", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a buffer overflow in the Microsoft\n Windows SSL PCT protocol stack. This code is based on Johnny\n Cyberpunk's THC release and has been tested against Windows\n 2000 and Windows XP. To use this module, specify the remote\n port of any SSL service, or the port and protocol of an\n application that uses SSL. The only application protocol\n supported at this time is SMTP. You only have one chance to\n select the correct target, if you are attacking IIS, you may\n want to try one of the other exploits first (WebDAV). If\n WebDAV does not work, this more than likely means that this\n is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n 5.1). 
Using the wrong target may not result in an immediate\n crash of the remote system.", "references": [ "CVE-2003-0719", "OSVDB-5250", "BID-10116", "MSB-MS04-011" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 SP4", "Windows 2000 SP3", "Windows 2000 SP2", "Windows 2000 SP1", "Windows 2000 SP0", "Windows XP SP0", "Windows XP SP1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/ssl/ms04_011_pct.rb", "is_install_path": true, "ref_name": "windows/ssl/ms04_011_pct", "check": false }, "exploit_windows/telnet/gamsoft_telsrv_username": { "name": "GAMSoft TelSrv 1.5 Username Buffer Overflow", "full_name": "exploit/windows/telnet/gamsoft_telsrv_username", "rank": 200, "disclosure_date": "2000-07-17", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n Other versions may also be affected. The service terminates after exploitation,\n so you only get one chance!", "references": [ "CVE-2000-0665", "OSVDB-373", "BID-1478", "URL-http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "x86", "rport": 23, "targets": [ "Windows 2000 Pro SP0/4 English REMOTE", "Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)", "Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb", "is_install_path": true, "ref_name": "windows/telnet/gamsoft_telsrv_username", "check": true }, "exploit_windows/telnet/goodtech_telnet": { "name": "GoodTech Telnet Server Buffer Overflow", "full_name": "exploit/windows/telnet/goodtech_telnet", "rank": 200, "disclosure_date": "2005-03-15", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n 
versions prior to 5.0.7. By sending an overly long string, an attacker can\n overwrite the buffer and control program execution.", "references": [ "CVE-2005-0768", "OSVDB-14806", "BID-12815" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 2380, "targets": [ "Windows 2000 Pro English All", "Windows XP Pro SP0/SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb", "is_install_path": true, "ref_name": "windows/telnet/goodtech_telnet", "check": false }, "exploit_windows/tftp/attftp_long_filename": { "name": "Allied Telesyn TFTP Server 1.9 Long Filename Overflow", "full_name": "exploit/windows/tftp/attftp_long_filename", "rank": 200, "disclosure_date": "2006-11-27", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n request (get/write) for an overly long file name.", "references": [ "CVE-2006-6184", "OSVDB-11350", "BID-21320", "EDB-2887" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Automatic", "Windows NT SP4 English", "Windows 2000 SP0 English", "Windows 2000 SP1 English", "Windows 2000 SP2 English", "Windows 2000 SP3 English", "Windows 2000 SP4 English", "Windows XP SP0/1 English", "Windows XP SP2 English", "Windows XP SP3 English", "Windows Server 2003", "Windows Server 2003 SP2" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/tftp/attftp_long_filename.rb", "is_install_path": true, "ref_name": "windows/tftp/attftp_long_filename", "check": false }, "exploit_windows/tftp/distinct_tftp_traversal": { "name": "Distinct TFTP 3.10 Writable Directory Traversal Execution", "full_name": "exploit/windows/tftp/distinct_tftp_traversal", "rank": 600, "disclosure_date": "2012-04-08", "type": "exploit", "author": [ "modpr0be", "sinn3r " ], "description": "This module exploits a vulnerability found in 
Distinct TFTP server. The\n software contains a directory traversal vulnerability that allows a remote\n attacker to write arbitrary file to the file system, which results in\n code execution under the context of 'SYSTEM'.", "references": [ "OSVDB-80984", "EDB-18718", "URL-http://www.spentera.com/advisories/2012/SPN-01-2012.pdf", "CVE-2012-6664" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Distinct TFTP 3.10 on Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/distinct_tftp_traversal.rb", "is_install_path": true, "ref_name": "windows/tftp/distinct_tftp_traversal", "check": false }, "exploit_windows/tftp/dlink_long_filename": { "name": "D-Link TFTP 1.0 Long Filename Buffer Overflow", "full_name": "exploit/windows/tftp/dlink_long_filename", "rank": 400, "disclosure_date": "2007-03-12", "type": "exploit", "author": [ "LSO ", "aushack " ], "description": "This module exploits a stack buffer overflow in D-Link TFTP 1.0.\n By sending a request for an overly long file name, an attacker\n could overflow a buffer and execute arbitrary code. For best results,\n use bind payloads with nonx (No NX).", "references": [ "CVE-2007-1435", "OSVDB-33977", "BID-22923" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Windows 2000 SP4 English", "Windows 2000 SP3 English" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/tftp/dlink_long_filename.rb", "is_install_path": true, "ref_name": "windows/tftp/dlink_long_filename", "check": false }, "exploit_windows/tftp/futuresoft_transfermode": { "name": "FutureSoft TFTP Server 2000 Transfer-Mode Overflow", "full_name": "exploit/windows/tftp/futuresoft_transfermode", "rank": 200, "disclosure_date": "2005-05-31", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in the FutureSoft TFTP Server\n 2000 product. 
By sending an overly long transfer-mode string, we were able\n to overwrite both the SEH and the saved EIP. A subsequent write-exception\n that will occur allows the transferring of execution to our shellcode\n via the overwritten SEH. This module has been tested against Windows\n 2000 Professional and for some reason does not seem to work against\n Windows 2000 Server (could not trigger the overflow at all).", "references": [ "CVE-2005-1812", "OSVDB-16954", "BID-13821" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Automatic", "Windows 2000 Pro English ALL", "Windows XP Pro SP0/SP1 English", "Windows NT SP5/SP6a English", "Windows 2003 Server English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/futuresoft_transfermode.rb", "is_install_path": true, "ref_name": "windows/tftp/futuresoft_transfermode", "check": false }, "exploit_windows/tftp/netdecision_tftp_traversal": { "name": "NetDecision 4.2 TFTP Writable Directory Traversal Execution", "full_name": "exploit/windows/tftp/netdecision_tftp_traversal", "rank": 600, "disclosure_date": "2009-05-16", "type": "exploit", "author": [ "Rob Kraus", "juan vazquez " ], "description": "This module exploits a vulnerability found in NetDecision 4.2 TFTP server. 
The\n software contains a directory traversal vulnerability that allows a remote attacker\n to write arbitrary file to the file system, which results in code execution under\n the context of user executing the TFTP Server.", "references": [ "CVE-2009-1730", "OSVDB-54607", "BID-35002" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb", "is_install_path": true, "ref_name": "windows/tftp/netdecision_tftp_traversal", "check": false }, "exploit_windows/tftp/opentftp_error_code": { "name": "OpenTFTP SP 1.4 Error Packet Overflow", "full_name": "exploit/windows/tftp/opentftp_error_code", "rank": 200, "disclosure_date": "2008-07-05", "type": "exploit", "author": [ "tixxDZ", "steponequit" ], "description": "This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable\n condition triggers when the TFTP opcode is configured as an error packet, the TFTP\n service will then format the message using a sprintf() function, which causes an\n overflow, therefore allowing remote code execution under the context of SYSTEM.\n\n The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',\n or 'Service'). 
By default the target is set to 'Service' because that's the default\n configuration during OpenTFTP Server SP 1.4's installation.", "references": [ "CVE-2008-2161", "OSVDB-44904", "BID-29111", "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "OpenTFTP 1.4 Service", "OpenTFTP 1.4 Stand Alone" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/opentftp_error_code.rb", "is_install_path": true, "ref_name": "windows/tftp/opentftp_error_code", "check": false }, "exploit_windows/tftp/quick_tftp_pro_mode": { "name": "Quick FTP Pro 2.1 Transfer-Mode Overflow", "full_name": "exploit/windows/tftp/quick_tftp_pro_mode", "rank": 400, "disclosure_date": "2008-03-27", "type": "exploit", "author": [ "Saint Patrick" ], "description": "This module exploits a stack buffer overflow in the Quick TFTP Pro server\n product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n in a DoS. This is a port of a sploit by Mati \"muts\" Aharoni.", "references": [ "CVE-2008-1610", "OSVDB-43784", "BID-28459", "URL-http://secunia.com/advisories/29494" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Windows Server 2000", "Windows XP SP2" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb", "is_install_path": true, "ref_name": "windows/tftp/quick_tftp_pro_mode", "check": false }, "exploit_windows/tftp/tftpd32_long_filename": { "name": "TFTPD32 Long Filename Buffer Overflow", "full_name": "exploit/windows/tftp/tftpd32_long_filename", "rank": 200, "disclosure_date": "2002-11-19", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in TFTPD32 version 2.21\n and prior. 
By sending a request for an overly long file name\n to the tftpd32 server, a remote attacker could overflow a buffer and\n execute arbitrary code on the system.", "references": [ "CVE-2002-2226", "OSVDB-45903", "BID-6199" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Automatic", "Windows NT 4.0 SP6a English", "Windows 2000 Pro SP4 English", "Windows XP Pro SP0 English", "Windows XP Pro SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/tftpd32_long_filename.rb", "is_install_path": true, "ref_name": "windows/tftp/tftpd32_long_filename", "check": false }, "exploit_windows/tftp/tftpdwin_long_filename": { "name": "TFTPDWIN v0.4.2 Long Filename Buffer Overflow", "full_name": "exploit/windows/tftp/tftpdwin_long_filename", "rank": 500, "disclosure_date": "2006-09-21", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending\n an overly long file name to the tftpd.exe server, the stack can be overwritten.", "references": [ "CVE-2006-4948", "OSVDB-29032", "BID-20131", "EDB-3132" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Universal - tftpd.exe" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/tftp/tftpdwin_long_filename.rb", "is_install_path": true, "ref_name": "windows/tftp/tftpdwin_long_filename", "check": false }, "exploit_windows/tftp/tftpserver_wrq_bof": { "name": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "full_name": "exploit/windows/tftp/tftpserver_wrq_bof", "rank": 300, "disclosure_date": "2008-03-26", "type": "exploit", "author": [ "Mati Aharoni", "Datacut" ], "description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. 
The flaw\n is due to the way TFTP handles the filename parameter extracted from a WRQ request.\n The server will append the user-supplied filename to TFTP server binary's path\n without any bounds checking, and then attempt to check this path with a fopen().\n Since this isn't a valid file path, fopen() returns null, which allows the\n corrupted data to be used in a strcmp() function, causing an access violation.\n\n Since the offset is sensitive to how the TFTP server is launched, you must know\n in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\n , and then manually select your target accordingly. A successful attempt will lead\n to remote code execution under the context of SYSTEM if run as a service, or\n the user if run as a standalone. A failed attempt will result a denial-of-service.", "references": [ "CVE-2008-1611", "OSVDB-43785", "BID-18345", "EDB-5314" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "Windows XP SP2/SP3 EN Service Mode", "Windows XP SP2/SP3 EN Standalone Mode", "Windows 7 SP0/SP1 EN x64 Service Mode", "Windows 7 SP0/SP1 EN x64 Standalone Mode", "Windows 7 SP0/SP1 EN x86 Service Mode", "Windows 7 SP0/SP1 EN x86 Standalone Mode" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb", "is_install_path": true, "ref_name": "windows/tftp/tftpserver_wrq_bof", "check": false }, "exploit_windows/tftp/threectftpsvc_long_mode": { "name": "3CTftpSvc TFTP Long Mode Buffer Overflow", "full_name": "exploit/windows/tftp/threectftpsvc_long_mode", "rank": 500, "disclosure_date": "2006-11-27", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. 
By\n sending a specially crafted packet with an overly long mode\n field, a remote attacker could overflow a buffer and execute\n arbitrary code on the system.", "references": [ "CVE-2006-6183", "OSVDB-30758", "BID-21301", "URL-http://secunia.com/advisories/23113/" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 69, "targets": [ "3CTftpSvc 2.0.1" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb", "is_install_path": true, "ref_name": "windows/tftp/threectftpsvc_long_mode", "check": false }, "exploit_windows/unicenter/cam_log_security": { "name": "CA CAM log_security() Stack Buffer Overflow (Win32)", "full_name": "exploit/windows/unicenter/cam_log_security", "rank": 500, "disclosure_date": "2005-08-22", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits a vulnerability in the CA CAM service\n by passing a long parameter to the log_security() function.\n The CAM service is part of TNG Unicenter. 
This module has\n been tested on Unicenter v3.1.", "references": [ "CVE-2005-2668", "OSVDB-18916", "BID-14622" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": [ "W2API.DLL TNG 2.3", "Windows 2000 SP0-SP4 English", "Windows XP SP0-SP1 English", "Windows XP SP2 English", "Windows 2003 SP0 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/unicenter/cam_log_security.rb", "is_install_path": true, "ref_name": "windows/unicenter/cam_log_security", "check": true }, "exploit_windows/vnc/realvnc_client": { "name": "RealVNC 3.3.7 Client Buffer Overflow", "full_name": "exploit/windows/vnc/realvnc_client", "rank": 300, "disclosure_date": "2001-01-29", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).", "references": [ "CVE-2001-0167", "OSVDB-6281", "BID-2305" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 SP4 English", "Windows XP SP2 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/vnc/realvnc_client.rb", "is_install_path": true, "ref_name": "windows/vnc/realvnc_client", "check": false }, "exploit_windows/vnc/ultravnc_client": { "name": "UltraVNC 1.0.1 Client Buffer Overflow", "full_name": "exploit/windows/vnc/ultravnc_client", "rank": 300, "disclosure_date": "2006-04-04", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a buffer overflow in UltraVNC Win32\n Viewer 1.0.1 Release.", "references": [ "CVE-2006-1652", "OSVDB-24456", "BID-17378" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows 2000 SP4 English", "Windows XP SP2 English", "Windows 2003 SP1 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/vnc/ultravnc_client.rb", "is_install_path": 
true, "ref_name": "windows/vnc/ultravnc_client", "check": false }, "exploit_windows/vnc/ultravnc_viewer_bof": { "name": "UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow", "full_name": "exploit/windows/vnc/ultravnc_viewer_bof", "rank": 300, "disclosure_date": "2008-02-06", "type": "exploit", "author": [ "noperand" ], "description": "This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.\n\n If a malicious server responds to a client connection indicating a minor\n protocol version of 14 or 16, a 32-bit integer is subsequently read from\n the TCP stream by the client and directly provided as the trusted size for\n further reading from the TCP stream into a 1024-byte character array on\n the stack.", "references": [ "CVE-2008-0610", "OSVDB-42840", "BID-27561" ], "is_server": false, "is_client": true, "platform": "Windows", "arch": "", "rport": null, "targets": [ "Windows XP SP3" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb", "is_install_path": true, "ref_name": "windows/vnc/ultravnc_viewer_bof", "check": false }, "exploit_windows/vnc/winvnc_http_get": { "name": "WinVNC Web Server GET Overflow", "full_name": "exploit/windows/vnc/winvnc_http_get", "rank": 200, "disclosure_date": "2001-01-29", "type": "exploit", "author": [ "aushack " ], "description": "This module exploits a buffer overflow in the AT&T WinVNC version\n <= v3.3.3r7 web server. When debugging mode with logging is\n enabled (non-default), an overly long GET request can overwrite\n the stack. 
This exploit does not work well with VNC payloads!", "references": [ "BID-2306", "OSVDB-6280", "CVE-2001-0168" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 5800, "targets": [ "Windows NT4 SP3-6", "Windows 2000 SP1-4", "Windows XP SP0-1" ], "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/exploits/windows/vnc/winvnc_http_get.rb", "is_install_path": true, "ref_name": "windows/vnc/winvnc_http_get", "check": false }, "exploit_windows/vpn/safenet_ike_11": { "name": "SafeNet SoftRemote IKE Service Buffer Overflow", "full_name": "exploit/windows/vpn/safenet_ike_11", "rank": 200, "disclosure_date": "2009-06-01", "type": "exploit", "author": [ "MC " ], "description": "This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n service. When sending a specially crafted udp packet to port 62514 an\n attacker may be able to execute arbitrary code. This module has\n been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n windows/meterpreter/reverse_ord_tcp payloads.", "references": [ "CVE-2009-1943", "OSVDB-54831", "BID-35154", "URL-http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 62514, "targets": [ "SafeNet Irelke 10.8.0.20", "SafeNet Irelke 10.8.0.10", "SafeNet Irelke 10.8.3.6" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/vpn/safenet_ike_11.rb", "is_install_path": true, "ref_name": "windows/vpn/safenet_ike_11", "check": false }, "exploit_windows/winrm/winrm_script_exec": { "name": "WinRM Script Exec Remote Code Execution", "full_name": "exploit/windows/winrm/winrm_script_exec", "rank": 0, "disclosure_date": "2012-11-01", "type": "exploit", "author": [ "thelightcosine" ], "description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. 
It has two available methods for payload\n delivery: Powershell 2.0 and VBS CmdStager.\n\n The module will check if Powershell 2.0 is available, and if so uses\n that method. Otherwise it falls back to the VBS CmdStager which is\n less stealthy.\n\n IMPORTANT: If targeting an x64 system with the Powershell method\n you MUST select an x64 payload. An x86 payload will never return.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": 5985, "targets": [ "Windows" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/winrm/winrm_script_exec.rb", "is_install_path": true, "ref_name": "windows/winrm/winrm_script_exec", "check": false }, "exploit_windows/wins/ms04_045_wins": { "name": "MS04-045 Microsoft WINS Service Memory Overwrite", "full_name": "exploit/windows/wins/ms04_045_wins", "rank": 500, "disclosure_date": "2004-12-14", "type": "exploit", "author": [ "hdm " ], "description": "This module exploits an arbitrary memory write flaw in the\n WINS service. 
This exploit has been tested against Windows\n 2000 only.", "references": [ "CVE-2004-1080", "OSVDB-12378", "BID-11763", "MSB-MS04-045" ], "is_server": true, "is_client": false, "platform": "Windows", "arch": "", "rport": 42, "targets": [ "Windows 2000 English" ], "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/exploits/windows/wins/ms04_045_wins.rb", "is_install_path": true, "ref_name": "windows/wins/ms04_045_wins", "check": true }, "nop_aarch64/simple": { "name": "Simple", "full_name": "nop/aarch64/simple", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ ], "description": "Simple NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2017-09-14 18:26:11 +0000", "path": "/modules/nops/aarch64/simple.rb", "is_install_path": true, "ref_name": "aarch64/simple", "check": false }, "nop_armle/simple": { "name": "Simple", "full_name": "nop/armle/simple", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "hdm " ], "description": "Simple NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/armle/simple.rb", "is_install_path": true, "ref_name": "armle/simple", "check": false }, "nop_mipsbe/better": { "name": "Better", "full_name": "nop/mipsbe/better", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "jm" ], "description": "Better NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/mipsbe/better.rb", "is_install_path": true, "ref_name": "mipsbe/better", "check": false }, "nop_php/generic": { "name": "PHP Nop Generator", "full_name": "nop/php/generic", "rank": 300, "disclosure_date": null, "type": "nop", 
"author": [ "hdm " ], "description": "Generates harmless padding for PHP scripts", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/php/generic.rb", "is_install_path": true, "ref_name": "php/generic", "check": false }, "nop_ppc/simple": { "name": "Simple", "full_name": "nop/ppc/simple", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "hdm " ], "description": "Simple NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/ppc/simple.rb", "is_install_path": true, "ref_name": "ppc/simple", "check": false }, "nop_sparc/random": { "name": "SPARC NOP Generator", "full_name": "nop/sparc/random", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "vlad902 " ], "description": "SPARC NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/sparc/random.rb", "is_install_path": true, "ref_name": "sparc/random", "check": false }, "nop_tty/generic": { "name": "TTY Nop Generator", "full_name": "nop/tty/generic", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "hdm " ], "description": "Generates harmless padding for TTY input", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "tty", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/tty/generic.rb", "is_install_path": true, "ref_name": "tty/generic", "check": false }, "nop_x64/simple": { "name": "Simple", "full_name": "nop/x64/simple", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "sf " ], "description": "An x64 single/multi byte NOP instruction 
generator.", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/x64/simple.rb", "is_install_path": true, "ref_name": "x64/simple", "check": false }, "nop_x86/opty2": { "name": "Opty2", "full_name": "nop/x86/opty2", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "spoonm ", "optyx " ], "description": "Opty2 multi-byte NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/x86/opty2.rb", "is_install_path": true, "ref_name": "x86/opty2", "check": false }, "nop_x86/single_byte": { "name": "Single Byte", "full_name": "nop/x86/single_byte", "rank": 300, "disclosure_date": null, "type": "nop", "author": [ "spoonm " ], "description": "Single-byte NOP generator", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/nops/x86/single_byte.rb", "is_install_path": true, "ref_name": "x86/single_byte", "check": false }, "payload_aix/ppc/shell_bind_tcp": { "name": "AIX Command Shell, Bind TCP Inline", "full_name": "payload/aix/ppc/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "AIX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "aix/ppc/shell_bind_tcp", "check": false }, "payload_aix/ppc/shell_find_port": { "name": "AIX Command Shell, Find Port Inline", "full_name": "payload/aix/ppc/shell_find_port", "rank": 300, 
"disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "AIX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/aix/ppc/shell_find_port.rb", "is_install_path": true, "ref_name": "aix/ppc/shell_find_port", "check": false }, "payload_aix/ppc/shell_interact": { "name": "AIX execve Shell for inetd", "full_name": "payload/aix/ppc/shell_interact", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jduck " ], "description": "Simply execve /bin/sh (for inetd programs)", "references": [ ], "is_server": false, "is_client": false, "platform": "AIX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/aix/ppc/shell_interact.rb", "is_install_path": true, "ref_name": "aix/ppc/shell_interact", "check": false }, "payload_aix/ppc/shell_reverse_tcp": { "name": "AIX Command Shell, Reverse TCP Inline", "full_name": "payload/aix/ppc/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "AIX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "aix/ppc/shell_reverse_tcp", "check": false }, "payload_android/meterpreter/reverse_http": { "name": "Android Meterpreter, Android Reverse HTTP Stager", "full_name": "payload/android/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves", "anwarelmakrahy" ], "description": "Run a meterpreter server in Android. 
Tunnel communication over HTTP", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_http.rb", "is_install_path": true, "ref_name": "android/meterpreter/reverse_http", "check": false }, "payload_android/meterpreter/reverse_https": { "name": "Android Meterpreter, Android Reverse HTTPS Stager", "full_name": "payload/android/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves", "anwarelmakrahy" ], "description": "Run a meterpreter server in Android. Tunnel communication over HTTPS", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_https.rb", "is_install_path": true, "ref_name": "android/meterpreter/reverse_https", "check": false }, "payload_android/meterpreter/reverse_tcp": { "name": "Android Meterpreter, Android Reverse TCP Stager", "full_name": "payload/android/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in Android. 
Connect back stager", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_tcp.rb", "is_install_path": true, "ref_name": "android/meterpreter/reverse_tcp", "check": false }, "payload_android/meterpreter_reverse_http": { "name": "Android Meterpreter Shell, Reverse HTTP Inline", "full_name": "payload/android/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "android/meterpreter_reverse_http", "check": false }, "payload_android/meterpreter_reverse_https": { "name": "Android Meterpreter Shell, Reverse HTTPS Inline", "full_name": "payload/android/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "android/meterpreter_reverse_https", "check": false }, "payload_android/meterpreter_reverse_tcp": { "name": "Android Meterpreter Shell, Reverse TCP Inline", "full_name": "payload/android/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "Connect back to the attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": 
false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "android/meterpreter_reverse_tcp", "check": false }, "payload_android/shell/reverse_http": { "name": "Command Shell, Android Reverse HTTP Stager", "full_name": "payload/android/shell/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "anwarelmakrahy", "OJ Reeves" ], "description": "Spawn a piped command shell (sh). Tunnel communication over HTTP", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_http.rb", "is_install_path": true, "ref_name": "android/shell/reverse_http", "check": false }, "payload_android/shell/reverse_https": { "name": "Command Shell, Android Reverse HTTPS Stager", "full_name": "payload/android/shell/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "anwarelmakrahy", "OJ Reeves" ], "description": "Spawn a piped command shell (sh). Tunnel communication over HTTPS", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_https.rb", "is_install_path": true, "ref_name": "android/shell/reverse_https", "check": false }, "payload_android/shell/reverse_tcp": { "name": "Command Shell, Android Reverse TCP Stager", "full_name": "payload/android/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt " ], "description": "Spawn a piped command shell (sh). 
Connect back stager", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "dalvik", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/android/reverse_tcp.rb", "is_install_path": true, "ref_name": "android/shell/reverse_tcp", "check": false }, "payload_apple_ios/aarch64/meterpreter_reverse_http": { "name": "Apple_iOS Meterpreter, Reverse HTTP Inline", "full_name": "payload/apple_ios/aarch64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Apple_iOS", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "apple_ios/aarch64/meterpreter_reverse_http", "check": false }, "payload_apple_ios/aarch64/meterpreter_reverse_https": { "name": "Apple_iOS Meterpreter, Reverse HTTPS Inline", "full_name": "payload/apple_ios/aarch64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Apple_iOS", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "apple_ios/aarch64/meterpreter_reverse_https", "check": false }, "payload_apple_ios/aarch64/meterpreter_reverse_tcp": { "name": "Apple_iOS Meterpreter, Reverse TCP Inline", "full_name": "payload/apple_ios/aarch64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": 
null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Apple_iOS", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp", "check": false }, "payload_apple_ios/aarch64/shell_reverse_tcp": { "name": "Apple iOS aarch64 Command Shell, Reverse TCP Inline", "full_name": "payload/apple_ios/aarch64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Apple_iOS", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2017-12-19 15:39:29 +0000", "path": "/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "apple_ios/aarch64/shell_reverse_tcp", "check": false }, "payload_bsd/sparc/shell_bind_tcp": { "name": "BSD Command Shell, Bind TCP Inline", "full_name": "payload/bsd/sparc/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "bsd/sparc/shell_bind_tcp", "check": false }, "payload_bsd/sparc/shell_reverse_tcp": { "name": "BSD Command Shell, Reverse TCP Inline", "full_name": "payload/bsd/sparc/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], 
"description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "bsd/sparc/shell_reverse_tcp", "check": false }, "payload_bsd/x64/exec": { "name": "BSD x64 Execute Command", "full_name": "payload/bsd/x64/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x64/exec.rb", "is_install_path": true, "ref_name": "bsd/x64/exec", "check": false }, "payload_bsd/x64/shell_bind_ipv6_tcp": { "name": "BSD x64 Command Shell, Bind TCP Inline (IPv6)", "full_name": "payload/bsd/x64/shell_bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Balazs Bucsay @xoreipeip " ], "description": "Listen for a connection and spawn a command shell over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "bsd/x64/shell_bind_ipv6_tcp", "check": false }, "payload_bsd/x64/shell_bind_tcp": { "name": "BSD x64 Shell Bind TCP", "full_name": "payload/bsd/x64/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo ", "joev " ], "description": "Bind an arbitrary command to an arbitrary port", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "bsd/x64/shell_bind_tcp", "check": false }, "payload_bsd/x64/shell_bind_tcp_small": { "name": "BSD x64 Command Shell, Bind TCP Inline", "full_name": "payload/bsd/x64/shell_bind_tcp_small", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Balazs Bucsay @xoreipeip " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb", "is_install_path": true, "ref_name": "bsd/x64/shell_bind_tcp_small", "check": false }, "payload_bsd/x64/shell_reverse_ipv6_tcp": { "name": "BSD x64 Command Shell, Reverse TCP Inline (IPv6)", "full_name": "payload/bsd/x64/shell_reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Balazs Bucsay @xoreipeip " ], "description": "Connect back to attacker and spawn a command shell over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "bsd/x64/shell_reverse_ipv6_tcp", "check": false }, "payload_bsd/x64/shell_reverse_tcp": { "name": "BSD x64 Shell Reverse TCP", "full_name": "payload/bsd/x64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo ", "joev " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": 
"bsd/x64/shell_reverse_tcp", "check": false }, "payload_bsd/x64/shell_reverse_tcp_small": { "name": "BSD x64 Command Shell, Reverse TCP Inline", "full_name": "payload/bsd/x64/shell_reverse_tcp_small", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Balazs Bucsay @xoreipeip " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb", "is_install_path": true, "ref_name": "bsd/x64/shell_reverse_tcp_small", "check": false }, "payload_bsd/x86/exec": { "name": "BSD Execute Command", "full_name": "payload/bsd/x86/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "snagg ", "argp ", "joev " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/exec.rb", "is_install_path": true, "ref_name": "bsd/x86/exec", "check": false }, "payload_bsd/x86/metsvc_bind_tcp": { "name": "FreeBSD Meterpreter Service, Bind TCP", "full_name": "payload/bsd/x86/metsvc_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/metsvc_bind_tcp", "check": false }, "payload_bsd/x86/metsvc_reverse_tcp": { "name": "FreeBSD Meterpreter Service, Reverse TCP Inline", "full_name": "payload/bsd/x86/metsvc_reverse_tcp", "rank": 300, 
"disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/metsvc_reverse_tcp", "check": false }, "payload_bsd/x86/shell/bind_ipv6_tcp": { "name": "BSD Command Shell, Bind TCP Stager (IPv6)", "full_name": "payload/bsd/x86/shell/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "vlad902 ", "hdm " ], "description": "Spawn a command shell (staged). Listen for a connection over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell/bind_ipv6_tcp", "check": false }, "payload_bsd/x86/shell/bind_tcp": { "name": "BSD Command Shell, Bind TCP Stager", "full_name": "payload/bsd/x86/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsd/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell/bind_tcp", "check": false }, "payload_bsd/x86/shell/find_tag": { "name": "BSD Command Shell, Find Tag Stager", "full_name": "payload/bsd/x86/shell/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). 
Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsd/x86/find_tag.rb", "is_install_path": true, "ref_name": "bsd/x86/shell/find_tag", "check": false }, "payload_bsd/x86/shell/reverse_ipv6_tcp": { "name": "BSD Command Shell, Reverse TCP Stager (IPv6)", "full_name": "payload/bsd/x86/shell/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "vlad902 ", "hdm " ], "description": "Spawn a command shell (staged). Connect back to the attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell/reverse_ipv6_tcp", "check": false }, "payload_bsd/x86/shell/reverse_tcp": { "name": "BSD Command Shell, Reverse TCP Stager", "full_name": "payload/bsd/x86/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsd/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell/reverse_tcp", "check": false }, "payload_bsd/x86/shell_bind_tcp": { "name": "BSD Command Shell, Bind TCP Inline", "full_name": "payload/bsd/x86/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell_bind_tcp", "check": false }, "payload_bsd/x86/shell_bind_tcp_ipv6": { "name": "BSD Command Shell, Bind TCP Inline (IPv6)", "full_name": "payload/bsd/x86/shell_bind_tcp_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "vlad902 ", "hdm " ], "description": "Listen for a connection and spawn a command shell over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb", "is_install_path": true, "ref_name": "bsd/x86/shell_bind_tcp_ipv6", "check": false }, "payload_bsd/x86/shell_find_port": { "name": "BSD Command Shell, Find Port Inline", "full_name": "payload/bsd/x86/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, 
"mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_find_port.rb", "is_install_path": true, "ref_name": "bsd/x86/shell_find_port", "check": false }, "payload_bsd/x86/shell_find_tag": { "name": "BSD Command Shell, Find Tag Inline", "full_name": "payload/bsd/x86/shell_find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a shell on an established connection (proxy/nat safe)", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_find_tag.rb", "is_install_path": true, "ref_name": "bsd/x86/shell_find_tag", "check": false }, "payload_bsd/x86/shell_reverse_tcp": { "name": "BSD Command Shell, Reverse TCP Inline", "full_name": "payload/bsd/x86/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "bsd/x86/shell_reverse_tcp", "check": false }, "payload_bsd/x86/shell_reverse_tcp_ipv6": { "name": "BSD Command Shell, Reverse TCP Inline (IPv6)", "full_name": "payload/bsd/x86/shell_reverse_tcp_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "vlad902 ", "hdm " ], "description": "Connect back to attacker and spawn a command shell over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb", "is_install_path": true, 
"ref_name": "bsd/x86/shell_reverse_tcp_ipv6", "check": false }, "payload_bsdi/x86/shell/bind_tcp": { "name": "BSDi Command Shell, Bind TCP Stager", "full_name": "payload/bsdi/x86/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "BSDi", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsdi/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "bsdi/x86/shell/bind_tcp", "check": false }, "payload_bsdi/x86/shell/reverse_tcp": { "name": "BSDi Command Shell, Reverse TCP Stager", "full_name": "payload/bsdi/x86/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "BSDi", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "bsdi/x86/shell/reverse_tcp", "check": false }, "payload_bsdi/x86/shell_bind_tcp": { "name": "BSDi Command Shell, Bind TCP Inline", "full_name": "payload/bsdi/x86/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "optyx " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSDi", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsdi/x86/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "bsdi/x86/shell_bind_tcp", "check": false }, "payload_bsdi/x86/shell_find_port": { "name": "BSDi Command Shell, Find Port Inline", "full_name": 
"payload/bsdi/x86/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "optyx " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "BSDi", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsdi/x86/shell_find_port.rb", "is_install_path": true, "ref_name": "bsdi/x86/shell_find_port", "check": false }, "payload_bsdi/x86/shell_reverse_tcp": { "name": "BSDi Command Shell, Reverse TCP Inline", "full_name": "payload/bsdi/x86/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "optyx " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "BSDi", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/bsdi/x86/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "bsdi/x86/shell_reverse_tcp", "check": false }, "payload_cmd/mainframe/apf_privesc_jcl": { "name": "JCL to Escalate Privileges", "full_name": "payload/cmd/mainframe/apf_privesc_jcl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Bigendian Smalls", "Ayoub" ], "description": "(Elevate privileges for user. Adds\n SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using\n an unsecured/updateable APF authorized library (APFLIB) and updating\n the user's ACEE using this program/library. 
Note: This privesc only\n works with z/OS systems using RACF, no other ESM is supported.)", "references": [ ], "is_server": false, "is_client": false, "platform": "Mainframe", "arch": "cmd", "rport": 21, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb", "is_install_path": true, "ref_name": "cmd/mainframe/apf_privesc_jcl", "check": false }, "payload_cmd/mainframe/bind_shell_jcl": { "name": "Z/OS (MVS) Command Shell, Bind TCP", "full_name": "payload/cmd/mainframe/bind_shell_jcl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Bigendian Smalls" ], "description": "Provide JCL which creates a bind shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.", "references": [ ], "is_server": false, "is_client": false, "platform": "Mainframe", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-09-29 16:52:36 +0000", "path": "/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb", "is_install_path": true, "ref_name": "cmd/mainframe/bind_shell_jcl", "check": false }, "payload_cmd/mainframe/generic_jcl": { "name": "Generic JCL Test for Mainframe Exploits", "full_name": "payload/cmd/mainframe/generic_jcl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Bigendian Smalls" ], "description": "Provide JCL which can be used to submit\n a job to JES2 on z/OS which will exit and return 0. 
This\n can be used as a template for other JCL based payloads", "references": [ ], "is_server": false, "is_client": false, "platform": "Mainframe", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/mainframe/generic_jcl.rb", "is_install_path": true, "ref_name": "cmd/mainframe/generic_jcl", "check": false }, "payload_cmd/mainframe/reverse_shell_jcl": { "name": "Z/OS (MVS) Command Shell, Reverse TCP", "full_name": "payload/cmd/mainframe/reverse_shell_jcl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Bigendian Smalls" ], "description": "Provide JCL which creates a reverse shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.", "references": [ ], "is_server": false, "is_client": false, "platform": "Mainframe", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-09-29 18:27:29 +0000", "path": "/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb", "is_install_path": true, "ref_name": "cmd/mainframe/reverse_shell_jcl", "check": false }, "payload_cmd/unix/bind_awk": { "name": "Unix Command Shell, Bind TCP (via AWK)", "full_name": "payload/cmd/unix/bind_awk", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "espreto ", "Ulisses Castro " ], "description": "Listen for a connection and spawn a command shell via GNU AWK", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-16 04:06:58 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_awk.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_awk", "check": false }, "payload_cmd/unix/bind_inetd": { "name": "Unix Command Shell, Bind TCP (inetd)", "full_name": "payload/cmd/unix/bind_inetd", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], 
"description": "Listen for a connection and spawn a command shell (persistent)", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_inetd", "check": false }, "payload_cmd/unix/bind_lua": { "name": "Unix Command Shell, Bind TCP (via Lua)", "full_name": "payload/cmd/unix/bind_lua", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "xistence " ], "description": "Listen for a connection and spawn a command shell via Lua", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_lua", "check": false }, "payload_cmd/unix/bind_netcat": { "name": "Unix Command Shell, Bind TCP (via netcat)", "full_name": "payload/cmd/unix/bind_netcat", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "m-1-k-3", "egypt ", "juan vazquez " ], "description": "Listen for a connection and spawn a command shell via netcat", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_netcat", "check": false }, "payload_cmd/unix/bind_netcat_gaping": { "name": "Unix Command Shell, Bind TCP (via netcat -e)", "full_name": "payload/cmd/unix/bind_netcat_gaping", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Listen for a connection and spawn a command shell via netcat", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", 
"rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_netcat_gaping", "check": false }, "payload_cmd/unix/bind_netcat_gaping_ipv6": { "name": "Unix Command Shell, Bind TCP (via netcat -e) IPv6", "full_name": "payload/cmd/unix/bind_netcat_gaping_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Listen for a connection and spawn a command shell via netcat", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_netcat_gaping_ipv6", "check": false }, "payload_cmd/unix/bind_nodejs": { "name": "Unix Command Shell, Bind TCP (via nodejs)", "full_name": "payload/cmd/unix/bind_nodejs", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Continually listen for a connection and spawn a command shell via nodejs", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-10-11 11:09:28 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_nodejs.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_nodejs", "check": false }, "payload_cmd/unix/bind_perl": { "name": "Unix Command Shell, Bind TCP (via Perl)", "full_name": "payload/cmd/unix/bind_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz " ], "description": "Listen for a connection and spawn a command shell via perl", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/payloads/singles/cmd/unix/bind_perl.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_perl", "check": false }, "payload_cmd/unix/bind_perl_ipv6": { "name": "Unix Command Shell, Bind TCP (via perl) IPv6", "full_name": "payload/cmd/unix/bind_perl_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz " ], "description": "Listen for a connection and spawn a command shell via perl", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_perl_ipv6", "check": false }, "payload_cmd/unix/bind_r": { "name": "Unix Command Shell, Bind TCP (via R)", "full_name": "payload/cmd/unix/bind_r", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Continually listen for a connection and spawn a command shell via R", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-08-28 05:30:30 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_r.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_r", "check": false }, "payload_cmd/unix/bind_ruby": { "name": "Unix Command Shell, Bind TCP (via Ruby)", "full_name": "payload/cmd/unix/bind_ruby", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Continually listen for a connection and spawn a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_ruby", "check": false }, "payload_cmd/unix/bind_ruby_ipv6": { "name": "Unix Command 
Shell, Bind TCP (via Ruby) IPv6", "full_name": "payload/cmd/unix/bind_ruby_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Continually listen for a connection and spawn a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_ruby_ipv6", "check": false }, "payload_cmd/unix/bind_socat_udp": { "name": "Unix Command Shell, Bind UDP (via socat)", "full_name": "payload/cmd/unix/bind_socat_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan " ], "description": "Creates an interactive shell via socat", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_socat_udp", "check": false }, "payload_cmd/unix/bind_stub": { "name": "Unix Command Shell, Bind TCP (stub)", "full_name": "payload/cmd/unix/bind_stub", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Listen for a connection and spawn a command shell (stub only, no payload)", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-12-28 16:21:37 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_stub.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_stub", "check": false }, "payload_cmd/unix/bind_zsh": { "name": "Unix Command Shell, Bind TCP (via Zsh)", "full_name": "payload/cmd/unix/bind_zsh", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Doug Prostko ", "Wang Yihang " ], 
"description": "Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is\n often available, please be aware it isn't usually installed by default.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-15 19:42:39 +0000", "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb", "is_install_path": true, "ref_name": "cmd/unix/bind_zsh", "check": false }, "payload_cmd/unix/generic": { "name": "Unix Command, Generic Command Execution", "full_name": "payload/cmd/unix/generic", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Executes the supplied command", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/generic.rb", "is_install_path": true, "ref_name": "cmd/unix/generic", "check": false }, "payload_cmd/unix/interact": { "name": "Unix Command, Interact with Established Connection", "full_name": "payload/cmd/unix/interact", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Interacts with a shell on an established socket connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/interact.rb", "is_install_path": true, "ref_name": "cmd/unix/interact", "check": false }, "payload_cmd/unix/reverse": { "name": "Unix Command Shell, Double Reverse TCP (telnet)", "full_name": "payload/cmd/unix/reverse", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Creates an interactive shell through two inbound connections", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", 
"rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse", "check": false }, "payload_cmd/unix/reverse_awk": { "name": "Unix Command Shell, Reverse TCP (via AWK)", "full_name": "payload/cmd/unix/reverse_awk", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "espreto ", "Ulisses Castro ", "Gabriel Quadros " ], "description": "Creates an interactive shell via GNU AWK", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-16 04:06:58 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_awk.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_awk", "check": false }, "payload_cmd/unix/reverse_bash": { "name": "Unix Command Shell, Reverse TCP (/dev/tcp)", "full_name": "payload/cmd/unix/reverse_bash", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Creates an interactive shell via bash's builtin /dev/tcp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/tcp feature.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-07-10 18:34:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_bash", "check": false }, "payload_cmd/unix/reverse_bash_telnet_ssl": { "name": "Unix Command Shell, Reverse TCP SSL (telnet)", "full_name": "payload/cmd/unix/reverse_bash_telnet_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Creates an interactive shell via mkfifo and telnet.\n This method works on Debian and other systems compiled\n without /dev/tcp support. 
This module uses the '-z'\n option included on some systems to encrypt using SSL.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-15 20:50:30 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_bash_telnet_ssl", "check": false }, "payload_cmd/unix/reverse_ksh": { "name": "Unix Command Shell, Reverse TCP (via Ksh)", "full_name": "payload/cmd/unix/reverse_ksh", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Wang Yihang " ], "description": "Connect back and create a command shell via Ksh. Note: Although Ksh is often\n available, please be aware it isn't usually installed by default.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-15 19:56:55 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_ksh", "check": false }, "payload_cmd/unix/reverse_lua": { "name": "Unix Command Shell, Reverse TCP (via Lua)", "full_name": "payload/cmd/unix/reverse_lua", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "xistence " ], "description": "Creates an interactive shell via Lua", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_lua", "check": false }, "payload_cmd/unix/reverse_ncat_ssl": { "name": "Unix Command Shell, Reverse TCP (via ncat)", "full_name": "payload/cmd/unix/reverse_ncat_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "C_Sto" ], "description": "Creates an interactive shell via ncat, utilizing ssl mode", "references": [ ], 
"is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_ncat_ssl", "check": false }, "payload_cmd/unix/reverse_netcat": { "name": "Unix Command Shell, Reverse TCP (via netcat)", "full_name": "payload/cmd/unix/reverse_netcat", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "m-1-k-3", "egypt ", "juan vazquez " ], "description": "Creates an interactive shell via netcat", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_netcat", "check": false }, "payload_cmd/unix/reverse_netcat_gaping": { "name": "Unix Command Shell, Reverse TCP (via netcat -e)", "full_name": "payload/cmd/unix/reverse_netcat_gaping", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Creates an interactive shell via netcat -e (requires a netcat build that supports the -e option)", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_netcat_gaping", "check": false }, "payload_cmd/unix/reverse_nodejs": { "name": "Unix Command Shell, Reverse TCP (via nodejs)", "full_name": "payload/cmd/unix/reverse_nodejs", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Connect back and spawn a command shell via nodejs", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": 
"2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_nodejs.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_nodejs", "check": false }, "payload_cmd/unix/reverse_openssl": { "name": "Unix Command Shell, Double Reverse TCP SSL (openssl)", "full_name": "payload/cmd/unix/reverse_openssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Creates an interactive shell through two inbound connections", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_openssl", "check": false }, "payload_cmd/unix/reverse_perl": { "name": "Unix Command Shell, Reverse TCP (via Perl)", "full_name": "payload/cmd/unix/reverse_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "cazz " ], "description": "Creates an interactive shell via perl", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_perl", "check": false }, "payload_cmd/unix/reverse_perl_ssl": { "name": "Unix Command Shell, Reverse TCP SSL (via perl)", "full_name": "payload/cmd/unix/reverse_perl_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Creates an interactive shell via perl, uses SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_perl_ssl", "check": false }, 
"payload_cmd/unix/reverse_php_ssl": { "name": "Unix Command Shell, Reverse TCP SSL (via php)", "full_name": "payload/cmd/unix/reverse_php_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Creates an interactive shell via php, uses SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-02-19 15:49:46 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_php_ssl", "check": false }, "payload_cmd/unix/reverse_python": { "name": "Unix Command Shell, Reverse TCP (via Python)", "full_name": "payload/cmd/unix/reverse_python", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Brendan Coles " ], "description": "Connect back and create a command shell via Python", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_python", "check": false }, "payload_cmd/unix/reverse_python_ssl": { "name": "Unix Command Shell, Reverse TCP SSL (via python)", "full_name": "payload/cmd/unix/reverse_python_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_python_ssl", "check": false }, "payload_cmd/unix/reverse_r": { "name": "Unix Command Shell, Reverse TCP (via R)", "full_name": 
"payload/cmd/unix/reverse_r", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Connect back and create a command shell via R", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-08-28 05:30:30 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_r", "check": false }, "payload_cmd/unix/reverse_ruby": { "name": "Unix Command Shell, Reverse TCP (via Ruby)", "full_name": "payload/cmd/unix/reverse_ruby", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Connect back and create a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_ruby", "check": false }, "payload_cmd/unix/reverse_ruby_ssl": { "name": "Unix Command Shell, Reverse TCP SSL (via Ruby)", "full_name": "payload/cmd/unix/reverse_ruby_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Connect back and create a command shell via Ruby, uses SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_ruby_ssl", "check": false }, "payload_cmd/unix/reverse_socat_udp": { "name": "Unix Command Shell, Reverse UDP (via socat)", "full_name": "payload/cmd/unix/reverse_socat_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan " ], "description": "Creates an interactive shell via socat", 
"references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_socat_udp", "check": false }, "payload_cmd/unix/reverse_ssl_double_telnet": { "name": "Unix Command Shell, Double Reverse TCP SSL (telnet)", "full_name": "payload/cmd/unix/reverse_ssl_double_telnet", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm ", "RageLtMan" ], "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_ssl_double_telnet", "check": false }, "payload_cmd/unix/reverse_stub": { "name": "Unix Command Shell, Reverse TCP (stub)", "full_name": "payload/cmd/unix/reverse_stub", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Creates an interactive shell through an inbound connection (stub only, no payload)", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-12-28 16:21:37 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_stub.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_stub", "check": false }, "payload_cmd/unix/reverse_zsh": { "name": "Unix Command Shell, Reverse TCP (via Zsh)", "full_name": "payload/cmd/unix/reverse_zsh", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Doug Prostko ", "Wang Yihang " ], "description": "Connect back and create a command shell via Zsh. 
Note: Although Zsh is often\n available, please be aware it isn't usually installed by default.", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2018-05-15 19:42:39 +0000", "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb", "is_install_path": true, "ref_name": "cmd/unix/reverse_zsh", "check": false }, "payload_cmd/windows/adduser": { "name": "Windows Execute net user /ADD CMD", "full_name": "payload/cmd/windows/adduser", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm ", "scriptjunkie", "Chris John Riley" ], "description": "Create a new user and add them to the local Administrators group.\n This is a persistent, easily audited change on the target; remove the\n account once it is no longer needed.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/adduser.rb", "is_install_path": true, "ref_name": "cmd/windows/adduser", "check": false }, "payload_cmd/windows/bind_lua": { "name": "Windows Command Shell, Bind TCP (via Lua)", "full_name": "payload/cmd/windows/bind_lua", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "xistence " ], "description": "Listen for a connection and spawn a command shell via Lua", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb", "is_install_path": true, "ref_name": "cmd/windows/bind_lua", "check": false }, "payload_cmd/windows/bind_perl": { "name": "Windows Command Shell, Bind TCP (via Perl)", "full_name": 
"payload/cmd/windows/bind_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz ", "aushack " ], "description": "Listen for a connection and spawn a command shell via perl (persistent)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb", "is_install_path": true, "ref_name": "cmd/windows/bind_perl", "check": false }, "payload_cmd/windows/bind_perl_ipv6": { "name": "Windows Command Shell, Bind TCP (via perl) IPv6", "full_name": "payload/cmd/windows/bind_perl_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz ", "aushack " ], "description": "Listen for a connection and spawn a command shell via perl (persistent)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb", "is_install_path": true, "ref_name": "cmd/windows/bind_perl_ipv6", "check": false }, "payload_cmd/windows/bind_ruby": { "name": "Windows Command Shell, Bind TCP (via Ruby)", "full_name": "payload/cmd/windows/bind_ruby", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Continually listen for a connection and spawn a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb", "is_install_path": true, "ref_name": "cmd/windows/bind_ruby", "check": false }, "payload_cmd/windows/download_eval_vbs": { "name": "Windows Executable Download and Evaluate VBS", "full_name": "payload/cmd/windows/download_eval_vbs", "rank": 300, 
"disclosure_date": null, "type": "payload", "author": [ "scriptjunkie" ], "description": "Downloads a file from an HTTP(S) URL and executes it as a vbs script.\n Use it to stage a vbs encoded payload from a short command line.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/download_eval_vbs.rb", "is_install_path": true, "ref_name": "cmd/windows/download_eval_vbs", "check": false }, "payload_cmd/windows/download_exec_vbs": { "name": "Windows Executable Download and Execute (via .vbs)", "full_name": "payload/cmd/windows/download_exec_vbs", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "scriptjunkie" ], "description": "Download an EXE from an HTTP(S) URL and execute it", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/download_exec_vbs.rb", "is_install_path": true, "ref_name": "cmd/windows/download_exec_vbs", "check": false }, "payload_cmd/windows/generic": { "name": "Windows Command, Generic Command Execution", "full_name": "payload/cmd/windows/generic", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "juan vazquez " ], "description": "Executes the supplied command", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/generic.rb", "is_install_path": true, "ref_name": "cmd/windows/generic", "check": false }, "payload_cmd/windows/powershell_bind_tcp": { "name": "Windows Interactive Powershell Session, Bind TCP", "full_name": "payload/cmd/windows/powershell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", 
"author": [ "Ben Turner", "Dave Hardy" ], "description": "Interacts with a powershell session on an established socket connection", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb", "is_install_path": true, "ref_name": "cmd/windows/powershell_bind_tcp", "check": false }, "payload_cmd/windows/powershell_reverse_tcp": { "name": "Windows Interactive Powershell Session, Reverse TCP", "full_name": "payload/cmd/windows/powershell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Turner", "Dave Hardy" ], "description": "Interacts with a powershell session on an established socket connection", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb", "is_install_path": true, "ref_name": "cmd/windows/powershell_reverse_tcp", "check": false }, "payload_cmd/windows/reverse_lua": { "name": "Windows Command Shell, Reverse TCP (via Lua)", "full_name": "payload/cmd/windows/reverse_lua", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "xistence " ], "description": "Creates an interactive shell via Lua", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb", "is_install_path": true, "ref_name": "cmd/windows/reverse_lua", "check": false }, "payload_cmd/windows/reverse_perl": { "name": "Windows Command, Double Reverse 
TCP Connection (via Perl)", "full_name": "payload/cmd/windows/reverse_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "cazz ", "aushack " ], "description": "Creates an interactive shell via perl", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-11-09 03:00:24 +0000", "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb", "is_install_path": true, "ref_name": "cmd/windows/reverse_perl", "check": false }, "payload_cmd/windows/reverse_powershell": { "name": "Windows Command Shell, Reverse TCP (via Powershell)", "full_name": "payload/cmd/windows/reverse_powershell", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Dave Kennedy", "Ben Campbell " ], "description": "Connect back and create a command shell via Powershell", "references": [ "URL-https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb", "is_install_path": true, "ref_name": "cmd/windows/reverse_powershell", "check": false }, "payload_cmd/windows/reverse_ruby": { "name": "Windows Command Shell, Reverse TCP (via Ruby)", "full_name": "payload/cmd/windows/reverse_ruby", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Connect back and create a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "cmd", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb", "is_install_path": true, "ref_name": "cmd/windows/reverse_ruby", "check": false }, "payload_firefox/exec": { "name": "Firefox XPCOM Execute 
Command", "full_name": "payload/firefox/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "This module runs a shell command on the target OS without touching the disk.\n On Windows, this command will flash the command prompt momentarily.\n This can be avoided by setting WSCRIPT to true, which drops a jscript\n \"launcher\" to disk that hides the prompt.", "references": [ ], "is_server": false, "is_client": false, "platform": "Firefox", "arch": "firefox", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/payloads/singles/firefox/exec.rb", "is_install_path": true, "ref_name": "firefox/exec", "check": false }, "payload_firefox/shell_bind_tcp": { "name": "Command Shell, Bind TCP (via Firefox XPCOM script)", "full_name": "payload/firefox/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API", "references": [ ], "is_server": false, "is_client": false, "platform": "Firefox", "arch": "firefox", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/firefox/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "firefox/shell_bind_tcp", "check": false }, "payload_firefox/shell_reverse_tcp": { "name": "Command Shell, Reverse TCP (via Firefox XPCOM script)", "full_name": "payload/firefox/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API", "references": [ ], "is_server": false, "is_client": false, "platform": "Firefox", "arch": "firefox", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/firefox/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "firefox/shell_reverse_tcp", "check": false 
}, "payload_generic/custom": { "name": "Custom Payload", "full_name": "payload/generic/custom", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "scriptjunkie " ], "description": "Use custom string or file as payload. Set either PAYLOADFILE or\n PAYLOADSTR.", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/generic/custom.rb", "is_install_path": true, "ref_name": "generic/custom", "check": false }, "payload_generic/debug_trap": { "name": "Generic x86 Debug Trap", "full_name": "payload/generic/debug_trap", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "robert " ], "description": "Generate a debug trap in the target process", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/generic/debug_trap.rb", "is_install_path": true, "ref_name": "generic/debug_trap", "check": false }, "payload_generic/shell_bind_tcp": { "name": "Generic Command Shell, Bind TCP Inline", "full_name": "payload/generic/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2017-07-24 
06:26:21 +0000", "path": "/modules/payloads/singles/generic/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "generic/shell_bind_tcp", "check": false }, "payload_generic/shell_reverse_tcp": { "name": "Generic Command Shell, Reverse TCP Inline", "full_name": "payload/generic/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "All", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/generic/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "generic/shell_reverse_tcp", "check": false }, "payload_generic/tight_loop": { "name": "Generic x86 Tight Loop", "full_name": "payload/generic/tight_loop", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jduck " ], "description": "Generate a tight loop in the target process", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/generic/tight_loop.rb", "is_install_path": true, "ref_name": "generic/tight_loop", "check": false }, "payload_java/jsp_shell_bind_tcp": { "name": "Java JSP Command Shell, Bind TCP Inline", "full_name": "payload/java/jsp_shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Solaris,Unix,Windows", "arch": "java", "rport": null, "targets": null, 
"mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/java/jsp_shell_bind_tcp.rb", "is_install_path": true, "ref_name": "java/jsp_shell_bind_tcp", "check": false }, "payload_java/jsp_shell_reverse_tcp": { "name": "Java JSP Command Shell, Reverse TCP Inline", "full_name": "payload/java/jsp_shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Solaris,Unix,Windows", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "java/jsp_shell_reverse_tcp", "check": false }, "payload_java/meterpreter/bind_tcp": { "name": "Java Meterpreter, Java Bind TCP Stager", "full_name": "payload/java/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in Java. Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/bind_tcp.rb", "is_install_path": true, "ref_name": "java/meterpreter/bind_tcp", "check": false }, "payload_java/meterpreter/reverse_http": { "name": "Java Meterpreter, Java Reverse HTTP Stager", "full_name": "payload/java/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves", "hdm " ], "description": "Run a meterpreter server in Java. 
Tunnel communication over HTTP", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/reverse_http.rb", "is_install_path": true, "ref_name": "java/meterpreter/reverse_http", "check": false }, "payload_java/meterpreter/reverse_https": { "name": "Java Meterpreter, Java Reverse HTTPS Stager", "full_name": "payload/java/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves", "hdm " ], "description": "Run a meterpreter server in Java. Tunnel communication over HTTPS", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/reverse_https.rb", "is_install_path": true, "ref_name": "java/meterpreter/reverse_https", "check": false }, "payload_java/meterpreter/reverse_tcp": { "name": "Java Meterpreter, Java Reverse TCP Stager", "full_name": "payload/java/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in Java. Connect back stager", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/reverse_tcp.rb", "is_install_path": true, "ref_name": "java/meterpreter/reverse_tcp", "check": false }, "payload_java/shell/bind_tcp": { "name": "Command Shell, Java Bind TCP Stager", "full_name": "payload/java/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt " ], "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/bind_tcp.rb", "is_install_path": true, "ref_name": "java/shell/bind_tcp", "check": false }, "payload_java/shell/reverse_tcp": { "name": "Command Shell, Java Reverse TCP Stager", "full_name": "payload/java/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt " ], "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/java/reverse_tcp.rb", "is_install_path": true, "ref_name": "java/shell/reverse_tcp", "check": false }, "payload_java/shell_reverse_tcp": { "name": "Java Command Shell, Reverse TCP Inline", "full_name": "payload/java/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mihi", "egypt " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Java", "arch": "java", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/java/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "java/shell_reverse_tcp", "check": false }, "payload_linux/aarch64/meterpreter/reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Stager", "full_name": "payload/linux/aarch64/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack " ], "description": "Inject the mettle server payload (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2017-08-29 10:09:38 +0000", "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/aarch64/meterpreter/reverse_tcp", "check": false }, "payload_linux/aarch64/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/aarch64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/aarch64/meterpreter_reverse_http", "check": false }, "payload_linux/aarch64/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/aarch64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/aarch64/meterpreter_reverse_https", "check": false }, "payload_linux/aarch64/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/aarch64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ 
"Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/aarch64/meterpreter_reverse_tcp", "check": false }, "payload_linux/aarch64/shell/reverse_tcp": { "name": "Linux dup2 Command Shell, Reverse TCP Stager", "full_name": "payload/linux/aarch64/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "dup2 socket in x12, then execve. Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2017-08-29 10:09:38 +0000", "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/aarch64/shell/reverse_tcp", "check": false }, "payload_linux/aarch64/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/aarch64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "aarch64", "rport": null, "targets": null, "mod_time": "2017-08-21 14:42:30 +0000", "path": "/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/aarch64/shell_reverse_tcp", "check": false }, "payload_linux/armbe/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/armbe/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], 
"description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/armbe/meterpreter_reverse_http", "check": false }, "payload_linux/armbe/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/armbe/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/armbe/meterpreter_reverse_https", "check": false }, "payload_linux/armbe/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/armbe/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/armbe/meterpreter_reverse_tcp", "check": false }, "payload_linux/armbe/shell_bind_tcp": { "name": "Linux ARM Big Endian Command Shell, Bind TCP Inline", "full_name": "payload/linux/armbe/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": 
"payload", "author": [ "Balazs Bucsay @xoreipeip " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armbe", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/armbe/shell_bind_tcp", "check": false }, "payload_linux/armle/adduser": { "name": "Linux Add User", "full_name": "payload/linux/armle/adduser", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Jonathan Salwan" ], "description": "Create a new user with UID 0", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/armle/adduser.rb", "is_install_path": true, "ref_name": "linux/armle/adduser", "check": false }, "payload_linux/armle/exec": { "name": "Linux Execute Command", "full_name": "payload/linux/armle/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Jonathan Salwan" ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/armle/exec.rb", "is_install_path": true, "ref_name": "linux/armle/exec", "check": false }, "payload_linux/armle/meterpreter/bind_tcp": { "name": "Linux Meterpreter, Bind TCP Stager", "full_name": "payload/linux/armle/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "nemo " ], "description": "Inject the mettle server payload (staged). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/meterpreter/bind_tcp", "check": false }, "payload_linux/armle/meterpreter/reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Stager", "full_name": "payload/linux/armle/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "nemo ", "tkmru" ], "description": "Inject the mettle server payload (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/meterpreter/reverse_tcp", "check": false }, "payload_linux/armle/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/armle/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/armle/meterpreter_reverse_http", "check": false }, "payload_linux/armle/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/armle/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], 
"description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/armle/meterpreter_reverse_https", "check": false }, "payload_linux/armle/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/armle/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/meterpreter_reverse_tcp", "check": false }, "payload_linux/armle/shell/bind_tcp": { "name": "Linux dup2 Command Shell, Bind TCP Stager", "full_name": "payload/linux/armle/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo " ], "description": "dup2 socket in r12, then execve. 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/shell/bind_tcp", "check": false }, "payload_linux/armle/shell/reverse_tcp": { "name": "Linux dup2 Command Shell, Reverse TCP Stager", "full_name": "payload/linux/armle/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo ", "tkmru" ], "description": "dup2 socket in r12, then execve. Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/shell/reverse_tcp", "check": false }, "payload_linux/armle/shell_bind_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/armle/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "civ", "hal" ], "description": "Connect to target and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-08-21 12:25:27 +0000", "path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/shell_bind_tcp", "check": false }, "payload_linux/armle/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/armle/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "civ" ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "armle", "rport": 
null, "targets": null, "mod_time": "2017-08-21 12:25:27 +0000", "path": "/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/armle/shell_reverse_tcp", "check": false }, "payload_linux/mips64/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/mips64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mips64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/mips64/meterpreter_reverse_http", "check": false }, "payload_linux/mips64/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/mips64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mips64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/mips64/meterpreter_reverse_https", "check": false }, "payload_linux/mips64/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/mips64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, 
"is_client": false, "platform": "Linux", "arch": "mips64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mips64/meterpreter_reverse_tcp", "check": false }, "payload_linux/mipsbe/exec": { "name": "Linux Execute Command", "full_name": "payload/linux/mipsbe/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Michael Messner ", "entropy " ], "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", "references": [ "EDB-17940" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsbe/exec.rb", "is_install_path": true, "ref_name": "linux/mipsbe/exec", "check": false }, "payload_linux/mipsbe/meterpreter/reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Stager", "full_name": "payload/linux/mipsbe/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "juan vazquez ", "tkmru" ], "description": "Inject the mettle server payload (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsbe/meterpreter/reverse_tcp", "check": false }, "payload_linux/mipsbe/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/mipsbe/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/mipsbe/meterpreter_reverse_http", "check": false }, "payload_linux/mipsbe/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/mipsbe/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/mipsbe/meterpreter_reverse_https", "check": false }, "payload_linux/mipsbe/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/mipsbe/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack 
", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsbe/meterpreter_reverse_tcp", "check": false }, "payload_linux/mipsbe/reboot": { "name": "Linux Reboot", "full_name": "payload/linux/mipsbe/reboot", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Michael Messner ", "rigan - " ], "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", "references": [ "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsbe/reboot.rb", "is_install_path": true, "ref_name": "linux/mipsbe/reboot", "check": false }, "payload_linux/mipsbe/shell/reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": "payload/linux/mipsbe/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "juan vazquez ", "tkmru" ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsbe/shell/reverse_tcp", "check": false }, "payload_linux/mipsbe/shell_bind_tcp": { "name": "Linux Command Shell, Bind TCP Inline", "full_name": "payload/linux/mipsbe/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "scut", "vaicebine", "Vlatko Kosturjak", "juan vazquez " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsbe/shell_bind_tcp", "check": false }, "payload_linux/mipsbe/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/mipsbe/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "rigan ", "juan vazquez " ], "description": "Connect back to attacker and spawn a command shell", "references": [ "EDB-18226" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsbe", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsbe/shell_reverse_tcp", "check": false }, "payload_linux/mipsle/exec": { "name": "Linux Execute Command", "full_name": "payload/linux/mipsle/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Michael Messner ", "entropy " ], "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing 
purposes as well as\n on targets with extremely limited buffer space.", "references": [ "EDB-17940" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsle/exec.rb", "is_install_path": true, "ref_name": "linux/mipsle/exec", "check": false }, "payload_linux/mipsle/meterpreter/reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Stager", "full_name": "payload/linux/mipsle/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "juan vazquez ", "tkmru" ], "description": "Inject the mettle server payload (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsle/meterpreter/reverse_tcp", "check": false }, "payload_linux/mipsle/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/mipsle/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/mipsle/meterpreter_reverse_http", "check": false }, "payload_linux/mipsle/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/mipsle/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": 
"payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/mipsle/meterpreter_reverse_https", "check": false }, "payload_linux/mipsle/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/mipsle/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsle/meterpreter_reverse_tcp", "check": false }, "payload_linux/mipsle/reboot": { "name": "Linux Reboot", "full_name": "payload/linux/mipsle/reboot", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Michael Messner ", "rigan - " ], "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", "references": [ "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsle/reboot.rb", "is_install_path": true, "ref_name": "linux/mipsle/reboot", "check": false }, "payload_linux/mipsle/shell/reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": 
"payload/linux/mipsle/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "juan vazquez ", "tkmru" ], "description": "Spawn a command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsle/shell/reverse_tcp", "check": false }, "payload_linux/mipsle/shell_bind_tcp": { "name": "Linux Command Shell, Bind TCP Inline", "full_name": "payload/linux/mipsle/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "scut", "vaicebine", "Vlatko Kosturjak", "juan vazquez " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsle/shell_bind_tcp", "check": false }, "payload_linux/mipsle/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/mipsle/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "rigan ", "juan vazquez " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "mipsle", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/mipsle/shell_reverse_tcp", "check": false }, "payload_linux/ppc/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": 
"payload/linux/ppc/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/ppc/meterpreter_reverse_http", "check": false }, "payload_linux/ppc/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/ppc/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/ppc/meterpreter_reverse_https", "check": false }, "payload_linux/ppc/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/ppc/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc/meterpreter_reverse_tcp", "check": false }, "payload_linux/ppc/shell_bind_tcp": { "name": "Linux Command Shell, Bind 
TCP Inline", "full_name": "payload/linux/ppc/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc, cbea", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc/shell_bind_tcp", "check": false }, "payload_linux/ppc/shell_find_port": { "name": "Linux Command Shell, Find Port Inline", "full_name": "payload/linux/ppc/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc, cbea", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc/shell_find_port.rb", "is_install_path": true, "ref_name": "linux/ppc/shell_find_port", "check": false }, "payload_linux/ppc/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/ppc/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc, cbea", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc/shell_reverse_tcp", "check": false }, "payload_linux/ppc64/shell_bind_tcp": { "name": "Linux Command Shell, Bind TCP Inline", "full_name": "payload/linux/ppc64/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ 
"Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64, cbea64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc64/shell_bind_tcp", "check": false }, "payload_linux/ppc64/shell_find_port": { "name": "Linux Command Shell, Find Port Inline", "full_name": "payload/linux/ppc64/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64, cbea64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc64/shell_find_port.rb", "is_install_path": true, "ref_name": "linux/ppc64/shell_find_port", "check": false }, "payload_linux/ppc64/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/ppc64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64, cbea64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc64/shell_reverse_tcp", "check": false }, "payload_linux/ppc64le/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/ppc64le/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the 
Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64le", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/ppc64le/meterpreter_reverse_http", "check": false }, "payload_linux/ppc64le/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/ppc64le/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64le", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/ppc64le/meterpreter_reverse_https", "check": false }, "payload_linux/ppc64le/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/ppc64le/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppc64le", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/ppc64le/meterpreter_reverse_tcp", "check": false }, "payload_linux/ppce500v2/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/ppce500v2/meterpreter_reverse_http", "rank": 300, "disclosure_date": 
null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppce500v2", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/ppce500v2/meterpreter_reverse_http", "check": false }, "payload_linux/ppce500v2/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/ppce500v2/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppce500v2", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/ppce500v2/meterpreter_reverse_https", "check": false }, "payload_linux/ppce500v2/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/ppce500v2/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "ppce500v2", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp", "check": false }, "payload_linux/x64/exec": { "name": "Linux Execute Command", "full_name": 
"payload/linux/x64/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ricky" ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x64/exec.rb", "is_install_path": true, "ref_name": "linux/x64/exec", "check": false }, "payload_linux/x64/meterpreter/bind_tcp": { "name": "Linux Mettle x64, Bind TCP Stager", "full_name": "payload/linux/x64/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Brent Cook ", "ricky" ], "description": "Inject the mettle server payload (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/meterpreter/bind_tcp", "check": false }, "payload_linux/x64/meterpreter/reverse_tcp": { "name": "Linux Mettle x64, Reverse TCP Stager", "full_name": "payload/linux/x64/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Brent Cook ", "ricky", "tkmru" ], "description": "Inject the mettle server payload (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-05 16:30:19 +0000", "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/meterpreter/reverse_tcp", "check": false }, "payload_linux/x64/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/x64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/x64/meterpreter_reverse_http", "check": false }, "payload_linux/x64/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/x64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/x64/meterpreter_reverse_https", "check": false }, "payload_linux/x64/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/x64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], 
"description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/meterpreter_reverse_tcp", "check": false }, "payload_linux/x64/shell/bind_tcp": { "name": "Linux Command Shell, Bind TCP Stager", "full_name": "payload/linux/x64/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ricky" ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/shell/bind_tcp", "check": false }, "payload_linux/x64/shell/reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": "payload/linux/x64/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ricky", "tkmru" ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-05 16:30:19 +0000", "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/shell/reverse_tcp", "check": false }, "payload_linux/x64/shell_bind_tcp": { "name": "Linux Command Shell, Bind TCP Inline", "full_name": "payload/linux/x64/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ricky" ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/shell_bind_tcp", "check": false }, "payload_linux/x64/shell_bind_tcp_random_port": { "name": "Linux Command Shell, Bind TCP Random Port Inline", "full_name": "payload/linux/x64/shell_bind_tcp_random_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Geyslan G. 
Bem " ], "description": "Listen for a connection on a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb", "is_install_path": true, "ref_name": "linux/x64/shell_bind_tcp_random_port", "check": false }, "payload_linux/x64/shell_find_port": { "name": "Linux Command Shell, Find Port Inline", "full_name": "payload/linux/x64/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mak" ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x64/shell_find_port.rb", "is_install_path": true, "ref_name": "linux/x64/shell_find_port", "check": false }, "payload_linux/x64/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/x64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ricky" ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x64/shell_reverse_tcp", "check": false }, "payload_linux/x86/adduser": { "name": "Linux Add User", "full_name": "payload/linux/x86/adduser", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "vlad902 ", "spoonm " ], "description": "Create a new user with UID 0", "references": [ ], "is_server": false, 
"is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/adduser.rb", "is_install_path": true, "ref_name": "linux/x86/adduser", "check": false }, "payload_linux/x86/chmod": { "name": "Linux Chmod", "full_name": "payload/linux/x86/chmod", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Runs chmod on specified file with specified mode", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/chmod.rb", "is_install_path": true, "ref_name": "linux/x86/chmod", "check": false }, "payload_linux/x86/exec": { "name": "Linux Execute Command", "full_name": "payload/linux/x86/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/exec.rb", "is_install_path": true, "ref_name": "linux/x86/exec", "check": false }, "payload_linux/x86/meterpreter/bind_ipv6_tcp": { "name": "Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)", "full_name": "payload/linux/x86/meterpreter/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "kris katterjohn ", "egypt " ], "description": "Inject the mettle server payload (staged). 
Listen for an IPv6 connection (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp", "check": false }, "payload_linux/x86/meterpreter/bind_ipv6_tcp_uuid": { "name": "Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)", "full_name": "payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "kris katterjohn ", "egypt ", "OJ Reeves" ], "description": "Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", "check": false }, "payload_linux/x86/meterpreter/bind_nonx_tcp": { "name": "Linux Mettle x86, Bind TCP Stager", "full_name": "payload/linux/x86/meterpreter/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape " ], "description": "Inject the mettle server payload (staged). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/bind_nonx_tcp", "check": false }, "payload_linux/x86/meterpreter/bind_tcp": { "name": "Linux Mettle x86, Bind TCP Stager (Linux x86)", "full_name": "payload/linux/x86/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape ", "egypt " ], "description": "Inject the mettle server payload (staged). Listen for a connection (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/bind_tcp", "check": false }, "payload_linux/x86/meterpreter/bind_tcp_uuid": { "name": "Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)", "full_name": "payload/linux/x86/meterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape ", "egypt ", "OJ Reeves" ], "description": "Inject the mettle server payload (staged). 
Listen for a connection with UUID Support (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/bind_tcp_uuid", "check": false }, "payload_linux/x86/meterpreter/find_tag": { "name": "Linux Mettle x86, Find Tag Stager", "full_name": "payload/linux/x86/meterpreter/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape " ], "description": "Inject the mettle server payload (staged). Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/find_tag", "check": false }, "payload_linux/x86/meterpreter/reverse_ipv6_tcp": { "name": "Linux Mettle x86, Reverse TCP Stager (IPv6)", "full_name": "payload/linux/x86/meterpreter/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "kris katterjohn " ], "description": "Inject the mettle server payload (staged). 
Connect back to attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/reverse_ipv6_tcp", "check": false }, "payload_linux/x86/meterpreter/reverse_nonx_tcp": { "name": "Linux Mettle x86, Reverse TCP Stager", "full_name": "payload/linux/x86/meterpreter/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape " ], "description": "Inject the mettle server payload (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/reverse_nonx_tcp", "check": false }, "payload_linux/x86/meterpreter/reverse_tcp": { "name": "Linux Mettle x86, Reverse TCP Stager", "full_name": "payload/linux/x86/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape ", "egypt ", "tkmru" ], "description": "Inject the mettle server payload (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-08-15 08:02:51 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/reverse_tcp", "check": false }, "payload_linux/x86/meterpreter/reverse_tcp_uuid": { "name": "Linux Mettle x86, Reverse TCP Stager", "full_name": "payload/linux/x86/meterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "William Webb ", "skape ", "egypt ", "OJ Reeves" ], "description": "Inject the mettle server payload (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-08-15 08:02:51 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter/reverse_tcp_uuid", "check": false }, "payload_linux/x86/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/x86/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter_reverse_http", "check": false }, "payload_linux/x86/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/x86/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", 
"Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter_reverse_https", "check": false }, "payload_linux/x86/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/x86/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/meterpreter_reverse_tcp", "check": false }, "payload_linux/x86/metsvc_bind_tcp": { "name": "Linux Meterpreter Service, Bind TCP", "full_name": "payload/linux/x86/metsvc_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/metsvc_bind_tcp", "check": false }, "payload_linux/x86/metsvc_reverse_tcp": { "name": "Linux Meterpreter Service, Reverse TCP Inline", "full_name": "payload/linux/x86/metsvc_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with 
a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/metsvc_reverse_tcp", "check": false }, "payload_linux/x86/read_file": { "name": "Linux Read File", "full_name": "payload/linux/x86/read_file", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hal" ], "description": "Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/read_file.rb", "is_install_path": true, "ref_name": "linux/x86/read_file", "check": false }, "payload_linux/x86/shell/bind_ipv6_tcp": { "name": "Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", "full_name": "payload/linux/x86/shell/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "kris katterjohn ", "egypt " ], "description": "Spawn a command shell (staged). 
Listen for an IPv6 connection (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/bind_ipv6_tcp", "check": false }, "payload_linux/x86/shell/bind_ipv6_tcp_uuid": { "name": "Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", "full_name": "payload/linux/x86/shell/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "kris katterjohn ", "egypt ", "OJ Reeves" ], "description": "Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/shell/bind_ipv6_tcp_uuid", "check": false }, "payload_linux/x86/shell/bind_nonx_tcp": { "name": "Linux Command Shell, Bind TCP Stager", "full_name": "payload/linux/x86/shell/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/bind_nonx_tcp", "check": false }, "payload_linux/x86/shell/bind_tcp": { "name": "Linux Command Shell, Bind TCP Stager (Linux x86)", "full_name": "payload/linux/x86/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "egypt " ], "description": "Spawn a command shell (staged). Listen for a connection (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/bind_tcp", "check": false }, "payload_linux/x86/shell/bind_tcp_uuid": { "name": "Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", "full_name": "payload/linux/x86/shell/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "egypt ", "OJ Reeves" ], "description": "Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/shell/bind_tcp_uuid", "check": false }, "payload_linux/x86/shell/find_tag": { "name": "Linux Command Shell, Find Tag Stager", "full_name": "payload/linux/x86/shell/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). 
Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", "is_install_path": true, "ref_name": "linux/x86/shell/find_tag", "check": false }, "payload_linux/x86/shell/reverse_ipv6_tcp": { "name": "Linux Command Shell, Reverse TCP Stager (IPv6)", "full_name": "payload/linux/x86/shell/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "kris katterjohn " ], "description": "Spawn a command shell (staged). Connect back to attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/reverse_ipv6_tcp", "check": false }, "payload_linux/x86/shell/reverse_nonx_tcp": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": "payload/linux/x86/shell/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/reverse_nonx_tcp", "check": false }, "payload_linux/x86/shell/reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": "payload/linux/x86/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "egypt ", "tkmru" ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-08-15 08:02:51 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell/reverse_tcp", "check": false }, "payload_linux/x86/shell/reverse_tcp_uuid": { "name": "Linux Command Shell, Reverse TCP Stager", "full_name": "payload/linux/x86/shell/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "egypt ", "OJ Reeves" ], "description": "Spawn a command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-08-15 08:02:51 +0000", "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "linux/x86/shell/reverse_tcp_uuid", "check": false }, "payload_linux/x86/shell_bind_ipv6_tcp": { "name": "Linux Command Shell, Bind TCP Inline (IPv6)", "full_name": "payload/linux/x86/shell_bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn " ], "description": "Listen for a connection over IPv6 and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell_bind_ipv6_tcp", "check": false }, "payload_linux/x86/shell_bind_tcp": { "name": "Linux Command Shell, Bind TCP Inline", "full_name": "payload/linux/x86/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, 
"is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell_bind_tcp", "check": false }, "payload_linux/x86/shell_bind_tcp_random_port": { "name": "Linux Command Shell, Bind TCP Random Port Inline", "full_name": "payload/linux/x86/shell_bind_tcp_random_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Geyslan G. Bem " ], "description": "Listen for a connection on a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb", "is_install_path": true, "ref_name": "linux/x86/shell_bind_tcp_random_port", "check": false }, "payload_linux/x86/shell_find_port": { "name": "Linux Command Shell, Find Port Inline", "full_name": "payload/linux/x86/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/x86/shell_find_port.rb", "is_install_path": true, "ref_name": "linux/x86/shell_find_port", "check": false }, "payload_linux/x86/shell_find_tag": { "name": "Linux Command Shell, Find Tag Inline", "full_name": "payload/linux/x86/shell_find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape " ], "description": "Spawn a shell on an established connection (proxy/nat safe)", "references": [ ], "is_server": false, "is_client": false, "platform": 
"Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/linux/x86/shell_find_tag.rb", "is_install_path": true, "ref_name": "linux/x86/shell_find_tag", "check": false }, "payload_linux/x86/shell_reverse_tcp": { "name": "Linux Command Shell, Reverse TCP Inline", "full_name": "payload/linux/x86/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle ", "joev " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/x86/shell_reverse_tcp", "check": false }, "payload_linux/x86/shell_reverse_tcp_ipv6": { "name": "Linux Command Shell, Reverse TCP Inline (IPv6)", "full_name": "payload/linux/x86/shell_reverse_tcp_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Matteo Malvica " ], "description": "Connect back to attacker and spawn a command shell over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-07-23 13:38:25 +0000", "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb", "is_install_path": true, "ref_name": "linux/x86/shell_reverse_tcp_ipv6", "check": false }, "payload_linux/zarch/meterpreter_reverse_http": { "name": "Linux Meterpreter, Reverse HTTP Inline", "full_name": "payload/linux/zarch/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "zarch", "rport": 
null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "linux/zarch/meterpreter_reverse_http", "check": false }, "payload_linux/zarch/meterpreter_reverse_https": { "name": "Linux Meterpreter, Reverse HTTPS Inline", "full_name": "payload/linux/zarch/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "zarch", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "linux/zarch/meterpreter_reverse_https", "check": false }, "payload_linux/zarch/meterpreter_reverse_tcp": { "name": "Linux Meterpreter, Reverse TCP Inline", "full_name": "payload/linux/zarch/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "zarch", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "linux/zarch/meterpreter_reverse_tcp", "check": false }, "payload_mainframe/shell_reverse_tcp": { "name": "Z/OS (MVS) Command Shell, Reverse TCP Inline", "full_name": "payload/mainframe/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Bigendian Smalls" ], "description": "Listen for a connection and spawn a command shell.\n This implementation does not include ebcdic character translation,\n so a 
client with translation capabilities is required. MSF handles\n this automatically.", "references": [ ], "is_server": false, "is_client": false, "platform": "Mainframe", "arch": "zarch", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/payloads/singles/mainframe/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "mainframe/shell_reverse_tcp", "check": false }, "payload_multi/meterpreter/reverse_http": { "name": "Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)", "full_name": "payload/multi/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves" ], "description": "Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP", "references": [ ], "is_server": false, "is_client": false, "platform": "Multi", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/multi/reverse_http.rb", "is_install_path": true, "ref_name": "multi/meterpreter/reverse_http", "check": false }, "payload_multi/meterpreter/reverse_https": { "name": "Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)", "full_name": "payload/multi/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves" ], "description": "Handle Meterpreter sessions regardless of the target arch/platform. 
Tunnel communication over HTTPS", "references": [ ], "is_server": false, "is_client": false, "platform": "Multi", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/multi/reverse_https.rb", "is_install_path": true, "ref_name": "multi/meterpreter/reverse_https", "check": false }, "payload_netware/shell/reverse_tcp": { "name": "NetWare Command Shell, Reverse TCP Stager", "full_name": "payload/netware/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "toto" ], "description": "Connect to the NetWare console (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Netware", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/netware/reverse_tcp.rb", "is_install_path": true, "ref_name": "netware/shell/reverse_tcp", "check": false }, "payload_nodejs/shell_bind_tcp": { "name": "Command Shell, Bind TCP (via nodejs)", "full_name": "payload/nodejs/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "joev " ], "description": "Creates an interactive shell via nodejs", "references": [ ], "is_server": false, "is_client": false, "platform": "NodeJS", "arch": "nodejs", "rport": null, "targets": null, "mod_time": "2017-10-11 11:09:28 +0000", "path": "/modules/payloads/singles/nodejs/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "nodejs/shell_bind_tcp", "check": false }, "payload_nodejs/shell_reverse_tcp": { "name": "Command Shell, Reverse TCP (via nodejs)", "full_name": "payload/nodejs/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan", "joev " ], 
"description": "Creates an interactive shell via nodejs", "references": [ ], "is_server": false, "is_client": false, "platform": "NodeJS", "arch": "nodejs", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "nodejs/shell_reverse_tcp", "check": false }, "payload_nodejs/shell_reverse_tcp_ssl": { "name": "Command Shell, Reverse TCP SSL (via nodejs)", "full_name": "payload/nodejs/shell_reverse_tcp_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan", "joev " ], "description": "Creates an interactive shell via nodejs, uses SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "NodeJS", "arch": "nodejs", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb", "is_install_path": true, "ref_name": "nodejs/shell_reverse_tcp_ssl", "check": false }, "payload_osx/armle/execute/bind_tcp": { "name": "OS X Write and Execute Binary, Bind TCP Stager", "full_name": "payload/osx/armle/execute/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/execute/bind_tcp", "check": false }, "payload_osx/armle/execute/reverse_tcp": { "name": "OS X Write and Execute Binary, Reverse TCP Stager", "full_name": "payload/osx/armle/execute/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/execute/reverse_tcp", "check": false }, "payload_osx/armle/shell/bind_tcp": { "name": "OS X Command Shell, Bind TCP Stager", "full_name": "payload/osx/armle/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/shell/bind_tcp", "check": false }, "payload_osx/armle/shell/reverse_tcp": { "name": "OS X Command Shell, Reverse TCP Stager", "full_name": "payload/osx/armle/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/shell/reverse_tcp", "check": false }, "payload_osx/armle/shell_bind_tcp": { "name": "Apple iOS Command Shell, Bind TCP Inline", "full_name": "payload/osx/armle/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/armle/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/shell_bind_tcp", "check": false }, "payload_osx/armle/shell_reverse_tcp": { "name": "Apple iOS Command Shell, Reverse TCP Inline", "full_name": "payload/osx/armle/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/armle/shell_reverse_tcp", "check": false }, "payload_osx/armle/vibrate": { "name": "Apple iOS iPhone Vibrate", "full_name": "payload/osx/armle/vibrate", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.\n Based on work by Charlie Miller .", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "armle", 
"rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/armle/vibrate.rb", "is_install_path": true, "ref_name": "osx/armle/vibrate", "check": false }, "payload_osx/ppc/shell/bind_tcp": { "name": "OS X Command Shell, Bind TCP Stager", "full_name": "payload/osx/ppc/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/ppc/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/ppc/shell/bind_tcp", "check": false }, "payload_osx/ppc/shell/find_tag": { "name": "OS X Command Shell, Find Tag Stager", "full_name": "payload/osx/ppc/shell/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/ppc/find_tag.rb", "is_install_path": true, "ref_name": "osx/ppc/shell/find_tag", "check": false }, "payload_osx/ppc/shell/reverse_tcp": { "name": "OS X Command Shell, Reverse TCP Stager", "full_name": "payload/osx/ppc/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Spawn a command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/ppc/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/ppc/shell/reverse_tcp", "check": false }, "payload_osx/ppc/shell_bind_tcp": { "name": "OS X Command Shell, Bind TCP Inline", "full_name": "payload/osx/ppc/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/ppc/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "osx/ppc/shell_bind_tcp", "check": false }, "payload_osx/ppc/shell_reverse_tcp": { "name": "OS X Command Shell, Reverse TCP Inline", "full_name": "payload/osx/ppc/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "ppc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/ppc/shell_reverse_tcp", "check": false }, "payload_osx/x64/dupandexecve/bind_tcp": { "name": "OS X dup2 Command Shell, Bind TCP Stager", "full_name": "payload/osx/x64/dupandexecve/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo", "nemo " ], "description": "dup2 socket in edi, then execve. 
Listen, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/dupandexecve/bind_tcp", "check": false }, "payload_osx/x64/dupandexecve/reverse_tcp": { "name": "OS X dup2 Command Shell, Reverse TCP Stager", "full_name": "payload/osx/x64/dupandexecve/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo", "nemo " ], "description": "dup2 socket in edi, then execve. Connect, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-01-10 15:06:08 +0000", "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/dupandexecve/reverse_tcp", "check": false }, "payload_osx/x64/exec": { "name": "OS X x64 Execute Command", "full_name": "payload/osx/x64/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "argp ", "joev " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x64/exec.rb", "is_install_path": true, "ref_name": "osx/x64/exec", "check": false }, "payload_osx/x64/meterpreter/bind_tcp": { "name": "OSX Meterpreter, Bind TCP Stager", "full_name": "payload/osx/x64/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "parchedmind", "nologic", "timwr", "nemo " ], "description": "Inject the mettle server payload (staged). 
Listen, read length, read buffer, execute", "references": [ "URL-https://github.com/CylanceVulnResearch/osx_runbin", "URL-https://github.com/nologic/shellcc" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/meterpreter/bind_tcp", "check": false }, "payload_osx/x64/meterpreter/reverse_tcp": { "name": "OSX Meterpreter, Reverse TCP Stager", "full_name": "payload/osx/x64/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "parchedmind", "nologic", "timwr", "nemo " ], "description": "Inject the mettle server payload (staged). Connect, read length, read buffer, execute", "references": [ "URL-https://github.com/CylanceVulnResearch/osx_runbin", "URL-https://github.com/nologic/shellcc" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-01-10 15:06:08 +0000", "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/meterpreter/reverse_tcp", "check": false }, "payload_osx/x64/meterpreter_reverse_http": { "name": "OSX Meterpreter, Reverse HTTP Inline", "full_name": "payload/osx/x64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "osx/x64/meterpreter_reverse_http", "check": false }, "payload_osx/x64/meterpreter_reverse_https": { "name": "OSX Meterpreter, Reverse HTTPS Inline", 
"full_name": "payload/osx/x64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "osx/x64/meterpreter_reverse_https", "check": false }, "payload_osx/x64/meterpreter_reverse_tcp": { "name": "OSX Meterpreter, Reverse TCP Inline", "full_name": "payload/osx/x64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Adam Cammack ", "Brent Cook ", "timwr" ], "description": "Run the Meterpreter / Mettle server payload (stageless)", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-06-27 17:55:08 +0000", "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/meterpreter_reverse_tcp", "check": false }, "payload_osx/x64/say": { "name": "OS X x64 say Shellcode", "full_name": "payload/osx/x64/say", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo " ], "description": "Say an arbitrary string out loud using Mac OS X text2speech", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x64/say.rb", "is_install_path": true, "ref_name": "osx/x64/say", "check": false }, "payload_osx/x64/shell_bind_tcp": { "name": "OS X x64 Shell Bind TCP", "full_name": "payload/osx/x64/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo " ], "description": "Bind an 
arbitrary command to an arbitrary port", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x64/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/shell_bind_tcp", "check": false }, "payload_osx/x64/shell_find_tag": { "name": "OSX Command Shell, Find Tag Inline", "full_name": "payload/osx/x64/shell_find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo " ], "description": "Spawn a shell on an established connection (proxy/nat safe)", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x64/shell_find_tag.rb", "is_install_path": true, "ref_name": "osx/x64/shell_find_tag", "check": false }, "payload_osx/x64/shell_reverse_tcp": { "name": "OS X x64 Shell Reverse TCP", "full_name": "payload/osx/x64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "nemo " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x64/shell_reverse_tcp", "check": false }, "payload_osx/x86/bundleinject/bind_tcp": { "name": "Mac OS X Inject Mach-O Bundle, Bind TCP Stager", "full_name": "payload/osx/x86/bundleinject/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Inject a custom Mach-O bundle into the exploited process. 
Listen, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/bundleinject/bind_tcp", "check": false }, "payload_osx/x86/bundleinject/reverse_tcp": { "name": "Mac OS X Inject Mach-O Bundle, Reverse TCP Stager", "full_name": "payload/osx/x86/bundleinject/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/bundleinject/reverse_tcp", "check": false }, "payload_osx/x86/exec": { "name": "OS X Execute Command", "full_name": "payload/osx/x86/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "snagg ", "argp ", "joev " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x86/exec.rb", "is_install_path": true, "ref_name": "osx/x86/exec", "check": false }, "payload_osx/x86/isight/bind_tcp": { "name": "Mac OS X x86 iSight Photo Capture, Bind TCP Stager", "full_name": "payload/osx/x86/isight/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). 
Listen, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/isight/bind_tcp", "check": false }, "payload_osx/x86/isight/reverse_tcp": { "name": "Mac OS X x86 iSight Photo Capture, Reverse TCP Stager", "full_name": "payload/osx/x86/isight/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/isight/reverse_tcp", "check": false }, "payload_osx/x86/shell_bind_tcp": { "name": "OS X Command Shell, Bind TCP Inline", "full_name": "payload/osx/x86/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/osx/x86/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/shell_bind_tcp", "check": false }, "payload_osx/x86/shell_find_port": { "name": "OS X Command Shell, Find Port Inline", "full_name": "payload/osx/x86/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": 
"x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/osx/x86/shell_find_port.rb", "is_install_path": true, "ref_name": "osx/x86/shell_find_port", "check": false }, "payload_osx/x86/shell_reverse_tcp": { "name": "OS X Command Shell, Reverse TCP Inline", "full_name": "payload/osx/x86/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/shell_reverse_tcp", "check": false }, "payload_osx/x86/vforkshell/bind_tcp": { "name": "OS X (vfork) Command Shell, Bind TCP Stager", "full_name": "payload/osx/x86/vforkshell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/vforkshell/bind_tcp", "check": false }, "payload_osx/x86/vforkshell/reverse_tcp": { "name": "OS X (vfork) Command Shell, Reverse TCP Stager", "full_name": "payload/osx/x86/vforkshell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Call vfork() if necessary and spawn a command shell (staged). 
Connect, read length, read buffer, execute", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/vforkshell/reverse_tcp", "check": false }, "payload_osx/x86/vforkshell_bind_tcp": { "name": "OS X (vfork) Command Shell, Bind TCP Inline", "full_name": "payload/osx/x86/vforkshell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Listen for a connection, vfork if necessary, and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/vforkshell_bind_tcp", "check": false }, "payload_osx/x86/vforkshell_reverse_tcp": { "name": "OS X (vfork) Command Shell, Reverse TCP Inline", "full_name": "payload/osx/x86/vforkshell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "ddz " ], "description": "Connect back to attacker, vfork if necessary, and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb", "is_install_path": true, "ref_name": "osx/x86/vforkshell_reverse_tcp", "check": false }, "payload_php/bind_perl": { "name": "PHP Command Shell, Bind TCP (via Perl)", "full_name": "payload/php/bind_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz " ], "description": "Listen for a connection and spawn a command shell via perl (persistent)", "references": [ ], "is_server": false, "is_client": 
false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/bind_perl.rb", "is_install_path": true, "ref_name": "php/bind_perl", "check": false }, "payload_php/bind_perl_ipv6": { "name": "PHP Command Shell, Bind TCP (via perl) IPv6", "full_name": "payload/php/bind_perl_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Samy ", "cazz " ], "description": "Listen for a connection and spawn a command shell via perl (persistent) over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/bind_perl_ipv6.rb", "is_install_path": true, "ref_name": "php/bind_perl_ipv6", "check": false }, "payload_php/bind_php": { "name": "PHP Command Shell, Bind TCP (via PHP)", "full_name": "payload/php/bind_php", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt ", "diaul " ], "description": "Listen for a connection and spawn a command shell via php", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/bind_php.rb", "is_install_path": true, "ref_name": "php/bind_php", "check": false }, "payload_php/bind_php_ipv6": { "name": "PHP Command Shell, Bind TCP (via php) IPv6", "full_name": "payload/php/bind_php_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt ", "diaul " ], "description": "Listen for a connection and spawn a command shell via php (IPv6)", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/bind_php_ipv6.rb", "is_install_path": true, "ref_name": 
"php/bind_php_ipv6", "check": false }, "payload_php/download_exec": { "name": "PHP Executable Download and Execute", "full_name": "payload/php/download_exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Download an EXE from an HTTP URL and execute it", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/download_exec.rb", "is_install_path": true, "ref_name": "php/download_exec", "check": false }, "payload_php/exec": { "name": "PHP Execute Command ", "full_name": "payload/php/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Execute a single system command", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/exec.rb", "is_install_path": true, "ref_name": "php/exec", "check": false }, "payload_php/meterpreter/bind_tcp": { "name": "PHP Meterpreter, Bind TCP Stager", "full_name": "payload/php/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Run a meterpreter server in PHP. Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/bind_tcp.rb", "is_install_path": true, "ref_name": "php/meterpreter/bind_tcp", "check": false }, "payload_php/meterpreter/bind_tcp_ipv6": { "name": "PHP Meterpreter, Bind TCP Stager IPv6", "full_name": "payload/php/meterpreter/bind_tcp_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Run a meterpreter server in PHP. 
Listen for a connection over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/bind_tcp_ipv6.rb", "is_install_path": true, "ref_name": "php/meterpreter/bind_tcp_ipv6", "check": false }, "payload_php/meterpreter/bind_tcp_ipv6_uuid": { "name": "PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support", "full_name": "payload/php/meterpreter/bind_tcp_ipv6_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb", "is_install_path": true, "ref_name": "php/meterpreter/bind_tcp_ipv6_uuid", "check": false }, "payload_php/meterpreter/bind_tcp_uuid": { "name": "PHP Meterpreter, Bind TCP Stager with UUID Support", "full_name": "payload/php/meterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in PHP. Listen for a connection with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "php/meterpreter/bind_tcp_uuid", "check": false }, "payload_php/meterpreter/reverse_tcp": { "name": "PHP Meterpreter, PHP Reverse TCP Stager", "full_name": "payload/php/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Run a meterpreter server in PHP. 
Reverse PHP connect back stager with checks for disabled functions", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/reverse_tcp.rb", "is_install_path": true, "ref_name": "php/meterpreter/reverse_tcp", "check": false }, "payload_php/meterpreter/reverse_tcp_uuid": { "name": "PHP Meterpreter, PHP Reverse TCP Stager", "full_name": "payload/php/meterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt ", "OJ Reeves" ], "description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-09-12 19:23:31 +0000", "path": "/modules/payloads/stagers/php/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "php/meterpreter/reverse_tcp_uuid", "check": false }, "payload_php/meterpreter_reverse_tcp": { "name": "PHP Meterpreter, Reverse TCP Inline", "full_name": "payload/php/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Connect back to attacker and spawn a Meterpreter server (PHP)", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2018-03-07 18:48:10 +0000", "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "php/meterpreter_reverse_tcp", "check": false }, "payload_php/reverse_perl": { "name": "PHP Command, Double Reverse TCP Connection (via Perl)", "full_name": "payload/php/reverse_perl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "cazz " ], "description": "Creates an interactive shell via perl", "references": [ ], "is_server": false, 
"is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/reverse_perl.rb", "is_install_path": true, "ref_name": "php/reverse_perl", "check": false }, "payload_php/reverse_php": { "name": "PHP Command Shell, Reverse TCP (via PHP)", "full_name": "payload/php/reverse_php", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Reverse PHP connect back shell with checks for disabled functions", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/reverse_php.rb", "is_install_path": true, "ref_name": "php/reverse_php", "check": false }, "payload_php/shell_findsock": { "name": "PHP Command Shell, Find Sock", "full_name": "payload/php/shell_findsock", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "egypt " ], "description": "Spawn a shell on the established connection to\n the webserver. Unfortunately, this payload\n can leave conspicuous evil-looking entries in the\n apache error logs, so it is probably a good idea\n to use a bind or reverse shell unless firewalls\n prevent them from working. The issue this\n payload takes advantage of (CLOEXEC flag not set\n on sockets) appears to have been patched on the\n Ubuntu version of Apache and may not work on\n other Debian-based distributions. 
Only tested on\n Apache but it might work on other web servers\n that leak file descriptors to child processes.", "references": [ ], "is_server": false, "is_client": false, "platform": "PHP", "arch": "php", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/php/shell_findsock.rb", "is_install_path": true, "ref_name": "php/shell_findsock", "check": false }, "payload_python/meterpreter/bind_tcp": { "name": "Python Meterpreter, Python Bind TCP Stager", "full_name": "payload/python/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/bind_tcp.rb", "is_install_path": true, "ref_name": "python/meterpreter/bind_tcp", "check": false }, "payload_python/meterpreter/bind_tcp_uuid": { "name": "Python Meterpreter, Python Bind TCP Stager with UUID Support", "full_name": "payload/python/meterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre", "OJ Reeves" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). 
Listen for a connection with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "python/meterpreter/bind_tcp_uuid", "check": false }, "payload_python/meterpreter/reverse_http": { "name": "Python Meterpreter, Python Reverse HTTP Stager", "full_name": "payload/python/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/reverse_http.rb", "is_install_path": true, "ref_name": "python/meterpreter/reverse_http", "check": false }, "payload_python/meterpreter/reverse_https": { "name": "Python Meterpreter, Python Reverse HTTPS Stager", "full_name": "payload/python/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). 
Tunnel communication over HTTP using SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/reverse_https.rb", "is_install_path": true, "ref_name": "python/meterpreter/reverse_https", "check": false }, "payload_python/meterpreter/reverse_tcp": { "name": "Python Meterpreter, Python Reverse TCP Stager", "full_name": "payload/python/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/reverse_tcp.rb", "is_install_path": true, "ref_name": "python/meterpreter/reverse_tcp", "check": false }, "payload_python/meterpreter/reverse_tcp_ssl": { "name": "Python Meterpreter, Python Reverse TCP SSL Stager", "full_name": "payload/python/meterpreter/reverse_tcp_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre", "Ben Campbell ", "RageLtMan" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). 
Reverse Python connect back stager using SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb", "is_install_path": true, "ref_name": "python/meterpreter/reverse_tcp_ssl", "check": false }, "payload_python/meterpreter/reverse_tcp_uuid": { "name": "Python Meterpreter, Python Reverse TCP Stager with UUID Support", "full_name": "payload/python/meterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre", "OJ Reeves" ], "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "python/meterpreter/reverse_tcp_uuid", "check": false }, "payload_python/meterpreter_bind_tcp": { "name": "Python Meterpreter Shell, Bind TCP Inline", "full_name": "payload/python/meterpreter_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Connect to the victim and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2018-04-27 14:18:54 +0000", "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb", "is_install_path": true, "ref_name": "python/meterpreter_bind_tcp", "check": false }, "payload_python/meterpreter_reverse_http": { "name": "Python Meterpreter Shell, Reverse HTTP Inline", "full_name": "payload/python/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], 
"description": "Connect back to the attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2018-04-27 14:18:54 +0000", "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "python/meterpreter_reverse_http", "check": false }, "payload_python/meterpreter_reverse_https": { "name": "Python Meterpreter Shell, Reverse HTTPS Inline", "full_name": "payload/python/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Connect back to the attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2018-04-27 14:18:54 +0000", "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "python/meterpreter_reverse_https", "check": false }, "payload_python/meterpreter_reverse_tcp": { "name": "Python Meterpreter Shell, Reverse TCP Inline", "full_name": "payload/python/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Spencer McIntyre" ], "description": "Connect back to the attacker and spawn a Meterpreter shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2018-04-27 14:18:54 +0000", "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "python/meterpreter_reverse_tcp", "check": false }, "payload_python/shell_bind_tcp": { "name": "Command Shell, Bind TCP (via python)", "full_name": "payload/python/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "mumbai" ], "description": "Creates an interactive shell via python, 
encodes with base64 by design", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-10-23 23:04:02 +0000", "path": "/modules/payloads/singles/python/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "python/shell_bind_tcp", "check": false }, "payload_python/shell_reverse_tcp": { "name": "Command Shell, Reverse TCP (via python)", "full_name": "payload/python/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Campbell " ], "description": "Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/python/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "python/shell_reverse_tcp", "check": false }, "payload_python/shell_reverse_tcp_ssl": { "name": "Command Shell, Reverse TCP SSL (via python)", "full_name": "payload/python/shell_reverse_tcp_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb", "is_install_path": true, "ref_name": "python/shell_reverse_tcp_ssl", "check": false }, "payload_python/shell_reverse_udp": { "name": "Command Shell, Reverse UDP (via python)", "full_name": "payload/python/shell_reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan " ], "description": "Creates an interactive shell via python, encodes with base64 by design. 
Compatible with Python 2.3.3", "references": [ ], "is_server": false, "is_client": false, "platform": "Python", "arch": "python", "rport": null, "targets": null, "mod_time": "2018-02-13 13:33:36 +0000", "path": "/modules/payloads/singles/python/shell_reverse_udp.rb", "is_install_path": true, "ref_name": "python/shell_reverse_udp", "check": false }, "payload_r/shell_bind_tcp": { "name": "R Command Shell, Bind TCP", "full_name": "payload/r/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Continually listen for a connection and spawn a command shell via R", "references": [ ], "is_server": false, "is_client": false, "platform": "R", "arch": "r", "rport": null, "targets": null, "mod_time": "2017-08-28 05:30:30 +0000", "path": "/modules/payloads/singles/r/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "r/shell_bind_tcp", "check": false }, "payload_r/shell_reverse_tcp": { "name": "R Command Shell, Reverse TCP", "full_name": "payload/r/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Connect back and create a command shell via R", "references": [ ], "is_server": false, "is_client": false, "platform": "R", "arch": "r", "rport": null, "targets": null, "mod_time": "2017-08-28 05:30:30 +0000", "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "r/shell_reverse_tcp", "check": false }, "payload_ruby/shell_bind_tcp": { "name": "Ruby Command Shell, Bind TCP", "full_name": "payload/ruby/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn ", "hdm " ], "description": "Continually listen for a connection and spawn a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Ruby", "arch": "ruby", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/payloads/singles/ruby/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "ruby/shell_bind_tcp", "check": false }, "payload_ruby/shell_bind_tcp_ipv6": { "name": "Ruby Command Shell, Bind TCP IPv6", "full_name": "payload/ruby/shell_bind_tcp_ipv6", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn ", "hdm " ], "description": "Continually listen for a connection and spawn a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Ruby", "arch": "ruby", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb", "is_install_path": true, "ref_name": "ruby/shell_bind_tcp_ipv6", "check": false }, "payload_ruby/shell_reverse_tcp": { "name": "Ruby Command Shell, Reverse TCP", "full_name": "payload/ruby/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "kris katterjohn ", "hdm " ], "description": "Connect back and create a command shell via Ruby", "references": [ ], "is_server": false, "is_client": false, "platform": "Ruby", "arch": "ruby", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/ruby/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "ruby/shell_reverse_tcp", "check": false }, "payload_ruby/shell_reverse_tcp_ssl": { "name": "Ruby Command Shell, Reverse TCP SSL", "full_name": "payload/ruby/shell_reverse_tcp_ssl", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "RageLtMan" ], "description": "Connect back and create a command shell via Ruby, uses SSL", "references": [ ], "is_server": false, "is_client": false, "platform": "Ruby", "arch": "ruby", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb", "is_install_path": true, "ref_name": "ruby/shell_reverse_tcp_ssl", "check": false }, 
"payload_solaris/sparc/shell_bind_tcp": { "name": "Solaris Command Shell, Bind TCP Inline", "full_name": "payload/solaris/sparc/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "solaris/sparc/shell_bind_tcp", "check": false }, "payload_solaris/sparc/shell_find_port": { "name": "Solaris Command Shell, Find Port Inline", "full_name": "payload/solaris/sparc/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/solaris/sparc/shell_find_port.rb", "is_install_path": true, "ref_name": "solaris/sparc/shell_find_port", "check": false }, "payload_solaris/sparc/shell_reverse_tcp": { "name": "Solaris Command Shell, Reverse TCP Inline", "full_name": "payload/solaris/sparc/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "sparc", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "solaris/sparc/shell_reverse_tcp", "check": false }, "payload_solaris/x86/shell_bind_tcp": { "name": "Solaris Command Shell, Bind TCP Inline", "full_name": 
"payload/solaris/x86/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "solaris/x86/shell_bind_tcp", "check": false }, "payload_solaris/x86/shell_find_port": { "name": "Solaris Command Shell, Find Port Inline", "full_name": "payload/solaris/x86/shell_find_port", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Spawn a shell on an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/solaris/x86/shell_find_port.rb", "is_install_path": true, "ref_name": "solaris/x86/shell_find_port", "check": false }, "payload_solaris/x86/shell_reverse_tcp": { "name": "Solaris Command Shell, Reverse TCP Inline", "full_name": "payload/solaris/x86/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ramon de C Valle " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-05-01 04:57:42 +0000", "path": "/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "solaris/x86/shell_reverse_tcp", "check": false }, "payload_tty/unix/interact": { "name": "Unix TTY, Interact with Established Connection", "full_name": "payload/tty/unix/interact", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], 
"description": "Interacts with a TTY on an established socket connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "tty", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/tty/unix/interact.rb", "is_install_path": true, "ref_name": "tty/unix/interact", "check": false }, "payload_windows/adduser": { "name": "Windows Execute net user /ADD", "full_name": "payload/windows/adduser", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm ", "Chris John Riley", "vlad902 ", "sf " ], "description": "Create a new user and add them to the local Administrators group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/adduser.rb", "is_install_path": true, "ref_name": "windows/adduser", "check": false }, "payload_windows/dllinject/bind_hidden_ipknock_tcp": { "name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/dllinject/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This source IP is the only authentication\n (it can be spoofed with tools like hping). After that, the stage can be\n fetched from any IP. 
The socket will appear as \"closed\" until then, which helps to\n hide the listener", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/dllinject/bind_hidden_tcp": { "name": "Reflective DLL Injection, Hidden Bind TCP Stager", "full_name": "payload/windows/dllinject/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Inject a DLL via a reflective loader. Listen for a connection on a hidden port and accept only the allowed host.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_hidden_tcp", "check": false }, "payload_windows/dllinject/bind_ipv6_tcp": { "name": "Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/dllinject/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a DLL via a reflective loader. 
Listen for an IPv6 connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_ipv6_tcp", "check": false }, "payload_windows/dllinject/bind_ipv6_tcp_uuid": { "name": "Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/dllinject/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "OJ Reeves" ], "description": "Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/dllinject/bind_named_pipe": { "name": "Reflective DLL Injection, Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/dllinject/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "UserExistsError" ], "description": "Inject a DLL via a reflective loader. 
Listen for a pipe connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_named_pipe", "check": false }, "payload_windows/dllinject/bind_nonx_tcp": { "name": "Reflective DLL Injection, Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/dllinject/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "vlad902 " ], "description": "Inject a DLL via a reflective loader. Listen for a connection (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_nonx_tcp", "check": false }, "payload_windows/dllinject/bind_tcp": { "name": "Reflective DLL Injection, Bind TCP Stager (Windows x86)", "full_name": "payload/windows/dllinject/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a DLL via a reflective loader. 
Listen for a connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_tcp", "check": false }, "payload_windows/dllinject/bind_tcp_rc4": { "name": "Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/dllinject/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a DLL via a reflective loader. Listen for a connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_tcp_rc4", "check": false }, "payload_windows/dllinject/bind_tcp_uuid": { "name": "Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/dllinject/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "OJ Reeves" ], "description": "Inject a DLL via a reflective loader. 
Listen for a connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/dllinject/bind_tcp_uuid", "check": false }, "payload_windows/dllinject/find_tag": { "name": "Reflective DLL Injection, Find Tag Ordinal Stager", "full_name": "payload/windows/dllinject/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "skape " ], "description": "Inject a DLL via a reflective loader. Use an established connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/dllinject/find_tag", "check": false }, "payload_windows/dllinject/reverse_hop_http": { "name": "Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager", "full_name": "payload/windows/dllinject/reverse_hop_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "scriptjunkie ", "bannedit ", "hdm " ], "description": "Inject a DLL via a reflective loader. \n Tunnel communication over an HTTP or HTTPS hop point. 
Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_hop_http", "check": false }, "payload_windows/dllinject/reverse_http": { "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)", "full_name": "payload/windows/dllinject/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm " ], "description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_http.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_http", "check": false }, "payload_windows/dllinject/reverse_http_proxy_pstore": { "name": "Reflective DLL Injection, Reverse HTTP Stager Proxy", "full_name": "payload/windows/dllinject/reverse_http_proxy_pstore", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm " ], "description": "Inject a DLL via a reflective loader. 
Tunnel communication over HTTP", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_http_proxy_pstore", "check": false }, "payload_windows/dllinject/reverse_ipv6_tcp": { "name": "Reflective DLL Injection, Reverse TCP Stager (IPv6)", "full_name": "payload/windows/dllinject/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a DLL via a reflective loader. Connect back to the attacker over IPv6", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_ipv6_tcp", "check": false }, "payload_windows/dllinject/reverse_nonx_tcp": { "name": "Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/dllinject/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "vlad902 " ], "description": "Inject a DLL via a reflective loader. 
Connect back to the attacker (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_nonx_tcp", "check": false }, "payload_windows/dllinject/reverse_ord_tcp": { "name": "Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/dllinject/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "spoonm " ], "description": "Inject a DLL via a reflective loader. Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_ord_tcp", "check": false }, "payload_windows/dllinject/reverse_tcp": { "name": "Reflective DLL Injection, Reverse TCP Stager", "full_name": "payload/windows/dllinject/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a DLL via a reflective loader. 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp", "check": false }, "payload_windows/dllinject/reverse_tcp_allports": { "name": "Reflective DLL Injection, Reverse All-Port TCP Stager", "full_name": "payload/windows/dllinject/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp_allports", "check": false }, "payload_windows/dllinject/reverse_tcp_dns": { "name": "Reflective DLL Injection, Reverse TCP Stager (DNS)", "full_name": "payload/windows/dllinject/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "RageLtMan" ], "description": "Inject a DLL via a reflective loader. 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp_dns", "check": false }, "payload_windows/dllinject/reverse_tcp_rc4": { "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/dllinject/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a DLL via a reflective loader. Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp_rc4", "check": false }, "payload_windows/dllinject/reverse_tcp_rc4_dns": { "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/dllinject/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a DLL via a reflective loader. 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp_rc4_dns", "check": false }, "payload_windows/dllinject/reverse_tcp_uuid": { "name": "Reflective DLL Injection, Reverse TCP Stager with UUID Support", "full_name": "payload/windows/dllinject/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "OJ Reeves" ], "description": "Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_tcp_uuid", "check": false }, "payload_windows/dllinject/reverse_udp": { "name": "Reflective DLL Injection, Reverse UDP Stager with UUID Support", "full_name": "payload/windows/dllinject/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "RageLtMan " ], "description": "Inject a DLL via a reflective loader. 
Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_udp", "check": false }, "payload_windows/dllinject/reverse_winhttp": { "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)", "full_name": "payload/windows/dllinject/reverse_winhttp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "Borja Merino " ], "description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", "is_install_path": true, "ref_name": "windows/dllinject/reverse_winhttp", "check": false }, "payload_windows/dns_txt_query_exec": { "name": "DNS TXT Record Payload Download and Execution", "full_name": "payload/windows/dns_txt_query_exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "corelanc0d3r " ], "description": "Performs a TXT query against a series of DNS record(s) and executes the returned payload", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/dns_txt_query_exec.rb", "is_install_path": true, "ref_name": "windows/dns_txt_query_exec", "check": false }, 
"payload_windows/download_exec": { "name": "Windows Executable Download (http,https,ftp) and Execute", "full_name": "payload/windows/download_exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "corelanc0d3r " ], "description": "Download an EXE from an HTTP(S)/FTP URL and execute it", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/download_exec.rb", "is_install_path": true, "ref_name": "windows/download_exec", "check": false }, "payload_windows/exec": { "name": "Windows Execute Command", "full_name": "payload/windows/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf " ], "description": "Execute an arbitrary command", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/exec.rb", "is_install_path": true, "ref_name": "windows/exec", "check": false }, "payload_windows/format_all_drives": { "name": "Windows Drive Formatter", "full_name": "payload/windows/format_all_drives", "rank": 0, "disclosure_date": null, "type": "payload", "author": [ "Ashfaq Ansari ", "Ruei-Min Jiang " ], "description": "This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).\n\n After formatting, this payload sets the volume label to the string specified in\n the VOLUMELABEL option. 
If the code is unable to access a drive for any reason,\n it skips the drive and proceeds to the next volume.", "references": [ "URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html", "URL-https://github.com/hacksysteam/ShellcodeOfDeath" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/format_all_drives.rb", "is_install_path": true, "ref_name": "windows/format_all_drives", "check": false }, "payload_windows/loadlibrary": { "name": "Windows LoadLibrary Path", "full_name": "payload/windows/loadlibrary", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm " ], "description": "Load an arbitrary library path", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/loadlibrary.rb", "is_install_path": true, "ref_name": "windows/loadlibrary", "check": false }, "payload_windows/messagebox": { "name": "Windows MessageBox", "full_name": "payload/windows/messagebox", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "corelanc0d3r ", "jduck " ], "description": "Spawns a dialog via MessageBox using a customizable title, text & icon", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/messagebox.rb", "is_install_path": true, "ref_name": "windows/messagebox", "check": false }, "payload_windows/meterpreter/bind_hidden_ipknock_tcp": { "name": "Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/meterpreter/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", 
"sf ", "OJ Reeves", "hdm ", "Borja Merino " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/meterpreter/bind_hidden_tcp": { "name": "Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager", "full_name": "payload/windows/meterpreter/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "Borja Merino " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for a connection from a hidden port and spawn a command shell to the allowed host.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_hidden_tcp", "check": false }, "payload_windows/meterpreter/bind_ipv6_tcp": { "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/meterpreter/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_ipv6_tcp", "check": false }, "payload_windows/meterpreter/bind_ipv6_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/meterpreter/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/meterpreter/bind_named_pipe": { "name": "Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/meterpreter/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "UserExistsError" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a pipe connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_named_pipe", "check": false }, "payload_windows/meterpreter/bind_nonx_tcp": { "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/meterpreter/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "vlad902 " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for a connection (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_nonx_tcp", "check": false }, "payload_windows/meterpreter/bind_tcp": { "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)", "full_name": "payload/windows/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_tcp", "check": false }, "payload_windows/meterpreter/bind_tcp_rc4": { "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/meterpreter/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for a connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_tcp_rc4", "check": false }, "payload_windows/meterpreter/bind_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/meterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/meterpreter/bind_tcp_uuid", "check": false }, "payload_windows/meterpreter/find_tag": { "name": "Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager", "full_name": "payload/windows/meterpreter/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Use an established connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/meterpreter/find_tag", "check": false }, "payload_windows/meterpreter/reverse_hop_http": { "name": "Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager", "full_name": "payload/windows/meterpreter/reverse_hop_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "scriptjunkie ", "bannedit ", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). \n Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_hop_http", "check": false }, "payload_windows/meterpreter/reverse_http": { "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)", "full_name": "payload/windows/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Tunnel communication over HTTP (Windows wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_http.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_http", "check": false }, "payload_windows/meterpreter/reverse_http_proxy_pstore": { "name": "Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy", "full_name": "payload/windows/meterpreter/reverse_http_proxy_pstore", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_http_proxy_pstore", "check": false }, "payload_windows/meterpreter/reverse_https": { "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)", "full_name": "payload/windows/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Tunnel communication over HTTPS (Windows wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_https.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_https", "check": false }, "payload_windows/meterpreter/reverse_https_proxy": { "name": "Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy", "full_name": "payload/windows/meterpreter/reverse_https_proxy", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "corelanc0d3r ", "amaloteaux " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_https_proxy", "check": false }, "payload_windows/meterpreter/reverse_ipv6_tcp": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)", "full_name": "payload/windows/meterpreter/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker over IPv6", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_ipv6_tcp", "check": false }, "payload_windows/meterpreter/reverse_named_pipe": { "name": "Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager", "full_name": "payload/windows/meterpreter/reverse_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker via a named pipe pivot", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-09-01 03:49:00 +0000", "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_named_pipe", "check": false }, "payload_windows/meterpreter/reverse_nonx_tcp": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/meterpreter/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "vlad902 " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_nonx_tcp", "check": false }, "payload_windows/meterpreter/reverse_ord_tcp": { "name": "Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/meterpreter/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "spoonm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_ord_tcp", "check": false }, "payload_windows/meterpreter/reverse_tcp": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager", "full_name": "payload/windows/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp", "check": false }, "payload_windows/meterpreter/reverse_tcp_allports": { "name": "Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager", "full_name": "payload/windows/meterpreter/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp_allports", "check": false }, "payload_windows/meterpreter/reverse_tcp_dns": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)", "full_name": "payload/windows/meterpreter/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "RageLtMan" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp_dns", "check": false }, "payload_windows/meterpreter/reverse_tcp_rc4": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/meterpreter/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp_rc4", "check": false }, "payload_windows/meterpreter/reverse_tcp_rc4_dns": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/meterpreter/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp_rc4_dns", "check": false }, "payload_windows/meterpreter/reverse_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support", "full_name": "payload/windows/meterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_tcp_uuid", "check": false }, "payload_windows/meterpreter/reverse_udp": { "name": "Windows Meterpreter (Reflective Injection), Reverse UDP Stager with UUID Support", "full_name": "payload/windows/meterpreter/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "RageLtMan " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_udp", "check": false }, "payload_windows/meterpreter/reverse_winhttp": { "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", "full_name": "payload/windows/meterpreter/reverse_winhttp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "Borja Merino " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_winhttp", "check": false }, "payload_windows/meterpreter/reverse_winhttps": { "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)", "full_name": "payload/windows/meterpreter/reverse_winhttps", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "Borja Merino " ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Tunnel communication over HTTPS (Windows winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb", "is_install_path": true, "ref_name": "windows/meterpreter/reverse_winhttps", "check": false }, "payload_windows/meterpreter_bind_named_pipe": { "name": "Windows Meterpreter Shell, Bind Named Pipe Inline", "full_name": "payload/windows/meterpreter_bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "UserExistsError", "sf ", "OJ Reeves" ], "description": "Connect to victim and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-11 18:56:50 +0000", "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/meterpreter_bind_named_pipe", "check": false }, "payload_windows/meterpreter_bind_tcp": { "name": "Windows Meterpreter Shell, Bind TCP Inline", "full_name": "payload/windows/meterpreter_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect to victim and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb", "is_install_path": true, 
"ref_name": "windows/meterpreter_bind_tcp", "check": false }, "payload_windows/meterpreter_reverse_http": { "name": "Windows Meterpreter Shell, Reverse HTTP Inline", "full_name": "payload/windows/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "windows/meterpreter_reverse_http", "check": false }, "payload_windows/meterpreter_reverse_https": { "name": "Windows Meterpreter Shell, Reverse HTTPS Inline", "full_name": "payload/windows/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "windows/meterpreter_reverse_https", "check": false }, "payload_windows/meterpreter_reverse_ipv6_tcp": { "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6)", "full_name": "payload/windows/meterpreter_reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter_reverse_ipv6_tcp", "check": false }, "payload_windows/meterpreter_reverse_tcp": { "name": "Windows Meterpreter Shell, Reverse TCP Inline", "full_name": "payload/windows/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/meterpreter_reverse_tcp", "check": false }, "payload_windows/metsvc_bind_tcp": { "name": "Windows Meterpreter Service, Bind TCP", "full_name": "payload/windows/metsvc_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/metsvc_bind_tcp", "check": false }, "payload_windows/metsvc_reverse_tcp": { "name": "Windows Meterpreter Service, Reverse TCP Inline", "full_name": "payload/windows/metsvc_reverse_tcp", "rank": 300, "disclosure_date": 
null, "type": "payload", "author": [ "hdm " ], "description": "Stub payload for interacting with a Meterpreter Service", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/metsvc_reverse_tcp", "check": false }, "payload_windows/patchupdllinject/bind_hidden_ipknock_tcp": { "name": "Windows Inject DLL, Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/patchupdllinject/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "Borja Merino " ], "description": "Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/patchupdllinject/bind_hidden_tcp": { "name": "Windows Inject DLL, Hidden Bind TCP Stager", "full_name": "payload/windows/patchupdllinject/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "Borja Merino " ], "description": "Inject a custom DLL into the exploited process. 
Listen for a connection from a hidden port and spawn a command shell to the allowed host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_hidden_tcp", "check": false }, "payload_windows/patchupdllinject/bind_ipv6_tcp": { "name": "Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/patchupdllinject/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf " ], "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_ipv6_tcp", "check": false }, "payload_windows/patchupdllinject/bind_ipv6_tcp_uuid": { "name": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/patchupdllinject/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "OJ Reeves" ], "description": "Inject a custom DLL into the exploited process. 
Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/patchupdllinject/bind_named_pipe": { "name": "Windows Inject DLL, Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/patchupdllinject/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "UserExistsError" ], "description": "Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_named_pipe", "check": false }, "payload_windows/patchupdllinject/bind_nonx_tcp": { "name": "Windows Inject DLL, Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupdllinject/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "vlad902 " ], "description": "Inject a custom DLL into the exploited process. 
Listen for a connection (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_nonx_tcp", "check": false }, "payload_windows/patchupdllinject/bind_tcp": { "name": "Windows Inject DLL, Bind TCP Stager (Windows x86)", "full_name": "payload/windows/patchupdllinject/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf " ], "description": "Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_tcp", "check": false }, "payload_windows/patchupdllinject/bind_tcp_rc4": { "name": "Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/patchupdllinject/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject a custom DLL into the exploited process. 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_tcp_rc4", "check": false }, "payload_windows/patchupdllinject/bind_tcp_uuid": { "name": "Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/patchupdllinject/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "OJ Reeves" ], "description": "Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/bind_tcp_uuid", "check": false }, "payload_windows/patchupdllinject/find_tag": { "name": "Windows Inject DLL, Find Tag Ordinal Stager", "full_name": "payload/windows/patchupdllinject/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape " ], "description": "Inject a custom DLL into the exploited process. 
Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/find_tag", "check": false }, "payload_windows/patchupdllinject/reverse_ipv6_tcp": { "name": "Windows Inject DLL, Reverse TCP Stager (IPv6)", "full_name": "payload/windows/patchupdllinject/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf " ], "description": "Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_ipv6_tcp", "check": false }, "payload_windows/patchupdllinject/reverse_nonx_tcp": { "name": "Windows Inject DLL, Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupdllinject/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "vlad902 " ], "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_nonx_tcp", "check": false }, "payload_windows/patchupdllinject/reverse_ord_tcp": { "name": "Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupdllinject/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "spoonm " ], "description": "Inject a custom DLL into the exploited process. Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_ord_tcp", "check": false }, "payload_windows/patchupdllinject/reverse_tcp": { "name": "Windows Inject DLL, Reverse TCP Stager", "full_name": "payload/windows/patchupdllinject/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf " ], "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp", "check": false }, "payload_windows/patchupdllinject/reverse_tcp_allports": { "name": "Windows Inject DLL, Reverse All-Port TCP Stager", "full_name": "payload/windows/patchupdllinject/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf " ], "description": "Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp_allports", "check": false }, "payload_windows/patchupdllinject/reverse_tcp_dns": { "name": "Windows Inject DLL, Reverse TCP Stager (DNS)", "full_name": "payload/windows/patchupdllinject/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "RageLtMan" ], "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp_dns", "check": false }, "payload_windows/patchupdllinject/reverse_tcp_rc4": { "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/patchupdllinject/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject a custom DLL into the exploited process. Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp_rc4", "check": false }, "payload_windows/patchupdllinject/reverse_tcp_rc4_dns": { "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/patchupdllinject/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp_rc4_dns", "check": false }, "payload_windows/patchupdllinject/reverse_tcp_uuid": { "name": "Windows Inject DLL, Reverse TCP Stager with UUID Support", "full_name": "payload/windows/patchupdllinject/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "hdm ", "OJ Reeves" ], "description": "Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_tcp_uuid", "check": false }, "payload_windows/patchupdllinject/reverse_udp": { "name": "Windows Inject DLL, Reverse UDP Stager with UUID Support", "full_name": "payload/windows/patchupdllinject/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "jt ", "skape ", "RageLtMan " ], "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/patchupdllinject/reverse_udp", "check": false }, "payload_windows/patchupmeterpreter/bind_hidden_ipknock_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "Borja Merino " ], "description": "Inject the meterpreter server DLL (staged). Listen for a connection. The port must first be knocked from the IP defined\n in KHOST; that source IP is the only authentication and is weak, since source\n addresses can be spoofed with tools such as hping. Once knocked, the stage can\n be retrieved from any IP. Until then the socket appears \"closed\" to port\n scanners, which helps hide the listener.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/patchupmeterpreter/bind_hidden_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager", "full_name": "payload/windows/patchupmeterpreter/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "Borja Merino " ], "description": "Inject the meterpreter server DLL (staged). 
Listen on a hidden port and accept the connection only from the allowed host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_hidden_tcp", "check": false }, "payload_windows/patchupmeterpreter/bind_ipv6_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/patchupmeterpreter/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf " ], "description": "Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp", "check": false }, "payload_windows/patchupmeterpreter/bind_ipv6_tcp_uuid": { "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL (staged). 
Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/patchupmeterpreter/bind_named_pipe": { "name": "Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/patchupmeterpreter/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "UserExistsError" ], "description": "Inject the meterpreter server DLL (staged). Listen for a pipe connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_named_pipe", "check": false }, "payload_windows/patchupmeterpreter/bind_nonx_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupmeterpreter/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "vlad902 " ], "description": "Inject the meterpreter server DLL (staged). 
Listen for a connection (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_nonx_tcp", "check": false }, "payload_windows/patchupmeterpreter/bind_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)", "full_name": "payload/windows/patchupmeterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf " ], "description": "Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_tcp", "check": false }, "payload_windows/patchupmeterpreter/bind_tcp_rc4": { "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/patchupmeterpreter/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL (staged). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_tcp_rc4", "check": false }, "payload_windows/patchupmeterpreter/bind_tcp_uuid": { "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/patchupmeterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/bind_tcp_uuid", "check": false }, "payload_windows/patchupmeterpreter/find_tag": { "name": "Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager", "full_name": "payload/windows/patchupmeterpreter/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt " ], "description": "Inject the meterpreter server DLL (staged). 
Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/find_tag", "check": false }, "payload_windows/patchupmeterpreter/reverse_ipv6_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)", "full_name": "payload/windows/patchupmeterpreter/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf " ], "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_ipv6_tcp", "check": false }, "payload_windows/patchupmeterpreter/reverse_nonx_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupmeterpreter/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "vlad902 " ], "description": "Inject the meterpreter server DLL (staged). 
Connect back to the attacker (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_nonx_tcp", "check": false }, "payload_windows/patchupmeterpreter/reverse_ord_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/patchupmeterpreter/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "spoonm " ], "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_ord_tcp", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf " ], "description": "Inject the meterpreter server DLL (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp_allports": { "name": "Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf " ], "description": "Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp_allports", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp_dns": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "RageLtMan" ], "description": "Inject the meterpreter server DLL (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp_dns", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp_rc4": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp_rc4_dns": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "sf ", "mihi", "RageLtMan" ], "description": "Inject the meterpreter server DLL (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4_dns", "check": false }, "payload_windows/patchupmeterpreter/reverse_tcp_uuid": { "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support", "full_name": "payload/windows/patchupmeterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "hdm ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_tcp_uuid", "check": false }, "payload_windows/patchupmeterpreter/reverse_udp": { "name": "Windows Meterpreter (skape/jt Injection), Reverse UDP Stager with UUID Support", "full_name": "payload/windows/patchupmeterpreter/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "jt ", "RageLtMan " ], "description": "Inject the meterpreter server DLL (staged). 
Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/patchupmeterpreter/reverse_udp", "check": false }, "payload_windows/powershell_bind_tcp": { "name": "Windows Interactive Powershell Session, Bind TCP", "full_name": "payload/windows/powershell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Turner", "Dave Hardy", "vlad902 ", "sf " ], "description": "Listen for a connection and spawn an interactive powershell session", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-07-19 17:58:45 +0000", "path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/powershell_bind_tcp", "check": false }, "payload_windows/powershell_reverse_tcp": { "name": "Windows Interactive Powershell Session, Reverse TCP", "full_name": "payload/windows/powershell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Turner", "Dave Hardy", "vlad902 ", "sf " ], "description": "Connect back to the attacker and spawn an interactive powershell session", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-07-19 17:58:45 +0000", "path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/powershell_reverse_tcp", "check": false }, "payload_windows/shell/bind_hidden_ipknock_tcp": { "name": "Windows Command Shell, 
Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/shell/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Spawn a piped command shell (staged). Listen for a connection. The port must first be knocked from the IP defined\n in KHOST; that source IP is the only authentication and is weak, since source\n addresses can be spoofed with tools such as hping. Once knocked, the stage can\n be retrieved from any IP. Until then the socket appears \"closed\" to port\n scanners, which helps hide the listener.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/shell/bind_hidden_tcp": { "name": "Windows Command Shell, Hidden Bind TCP Stager", "full_name": "payload/windows/shell/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Spawn a piped command shell (staged). Listen on a hidden port and accept the connection only from the allowed host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/bind_hidden_tcp", "check": false }, "payload_windows/shell/bind_ipv6_tcp": { "name": "Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/shell/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape " ], "description": "Spawn a piped command shell (staged). 
Listen for an IPv6 connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/bind_ipv6_tcp", "check": false }, "payload_windows/shell/bind_ipv6_tcp_uuid": { "name": "Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/shell/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "OJ Reeves" ], "description": "Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/shell/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/shell/bind_named_pipe": { "name": "Windows Command Shell, Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/shell/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "UserExistsError" ], "description": "Spawn a piped command shell (staged). 
Listen for a pipe connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/shell/bind_named_pipe", "check": false }, "payload_windows/shell/bind_nonx_tcp": { "name": "Windows Command Shell, Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/shell/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "vlad902 " ], "description": "Spawn a piped command shell (staged). Listen for a connection (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/bind_nonx_tcp", "check": false }, "payload_windows/shell/bind_tcp": { "name": "Windows Command Shell, Bind TCP Stager (Windows x86)", "full_name": "payload/windows/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape " ], "description": "Spawn a piped command shell (staged). 
Listen for a connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/bind_tcp", "check": false }, "payload_windows/shell/bind_tcp_rc4": { "name": "Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/shell/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Spawn a piped command shell (staged). Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/shell/bind_tcp_rc4", "check": false }, "payload_windows/shell/bind_tcp_uuid": { "name": "Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/shell/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "OJ Reeves" ], "description": "Spawn a piped command shell (staged). 
Listen for a connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/shell/bind_tcp_uuid", "check": false }, "payload_windows/shell/find_tag": { "name": "Windows Command Shell, Find Tag Ordinal Stager", "full_name": "payload/windows/shell/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "skape " ], "description": "Spawn a piped command shell (staged). Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/shell/find_tag", "check": false }, "payload_windows/shell/reverse_ipv6_tcp": { "name": "Windows Command Shell, Reverse TCP Stager (IPv6)", "full_name": "payload/windows/shell/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape " ], "description": "Spawn a piped command shell (staged). 
Connect back to the attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_ipv6_tcp", "check": false }, "payload_windows/shell/reverse_nonx_tcp": { "name": "Windows Command Shell, Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/shell/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "vlad902 " ], "description": "Spawn a piped command shell (staged). Connect back to the attacker (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_nonx_tcp", "check": false }, "payload_windows/shell/reverse_ord_tcp": { "name": "Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/shell/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf " ], "description": "Spawn a piped command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_ord_tcp", "check": false }, "payload_windows/shell/reverse_tcp": { "name": "Windows Command Shell, Reverse TCP Stager", "full_name": "payload/windows/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape " ], "description": "Spawn a piped command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp", "check": false }, "payload_windows/shell/reverse_tcp_allports": { "name": "Windows Command Shell, Reverse All-Port TCP Stager", "full_name": "payload/windows/shell/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape " ], "description": "Spawn a piped command shell (staged). 
Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp_allports", "check": false }, "payload_windows/shell/reverse_tcp_dns": { "name": "Windows Command Shell, Reverse TCP Stager (DNS)", "full_name": "payload/windows/shell/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "RageLtMan" ], "description": "Spawn a piped command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp_dns", "check": false }, "payload_windows/shell/reverse_tcp_rc4": { "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/shell/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Spawn a piped command shell (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp_rc4", "check": false }, "payload_windows/shell/reverse_tcp_rc4_dns": { "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/shell/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Spawn a piped command shell (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp_rc4_dns", "check": false }, "payload_windows/shell/reverse_tcp_uuid": { "name": "Windows Command Shell, Reverse TCP Stager with UUID Support", "full_name": "payload/windows/shell/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "hdm ", "OJ Reeves" ], "description": "Spawn a piped command shell (staged). 
Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_tcp_uuid", "check": false }, "payload_windows/shell/reverse_udp": { "name": "Windows Command Shell, Reverse UDP Stager with UUID Support", "full_name": "payload/windows/shell/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "spoonm ", "sf ", "RageLtMan " ], "description": "Spawn a piped command shell (staged). Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/shell/reverse_udp", "check": false }, "payload_windows/shell_bind_tcp": { "name": "Windows Command Shell, Bind TCP Inline", "full_name": "payload/windows/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf " ], "description": "Listen for a connection and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/shell_bind_tcp", "check": false }, "payload_windows/shell_bind_tcp_xpfw": { "name": "Windows Disable Windows ICF, Command Shell, Bind TCP Inline", "full_name": "payload/windows/shell_bind_tcp_xpfw", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Lin0xx " ], "description": "Disable the Windows ICF, then listen for a connection and spawn a command 
shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb", "is_install_path": true, "ref_name": "windows/shell_bind_tcp_xpfw", "check": false }, "payload_windows/shell_hidden_bind_tcp": { "name": "Windows Command Shell, Hidden Bind TCP Inline", "full_name": "payload/windows/shell_hidden_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sd", "Borja Merino " ], "description": "Listen for a connection from a certain IP and spawn a command shell.\n The shellcode will reply with an RST packet if the connection is not\n coming from the IP defined in AHOST. This way the port will appear\n as \"closed\" helping us to hide the shellcode.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/shell_hidden_bind_tcp", "check": false }, "payload_windows/shell_reverse_tcp": { "name": "Windows Command Shell, Reverse TCP Inline", "full_name": "payload/windows/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf " ], "description": "Connect back to attacker and spawn a command shell", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/shell_reverse_tcp", "check": false }, "payload_windows/speak_pwned": { "name": "Windows Speech API - Say \"You Got Pwned!\"", "full_name": "payload/windows/speak_pwned", "rank": 300, "disclosure_date": null, "type": 
"payload", "author": [ "Berend-Jan \"SkyLined\" Wever " ], "description": "Causes the target to say \"You Got Pwned\" via the Windows Speech API", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/speak_pwned.rb", "is_install_path": true, "ref_name": "windows/speak_pwned", "check": false }, "payload_windows/upexec/bind_hidden_ipknock_tcp": { "name": "Windows Upload/Execute, Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/upexec/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/upexec/bind_hidden_tcp": { "name": "Windows Upload/Execute, Hidden Bind TCP Stager", "full_name": "payload/windows/upexec/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Uploads an executable and runs it (staged). 
Listen for a connection from a hidden port and spawn a command shell to the allowed host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_hidden_tcp", "check": false }, "payload_windows/upexec/bind_ipv6_tcp": { "name": "Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/upexec/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape " ], "description": "Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_ipv6_tcp", "check": false }, "payload_windows/upexec/bind_ipv6_tcp_uuid": { "name": "Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/upexec/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "OJ Reeves" ], "description": "Uploads an executable and runs it (staged). 
Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/upexec/bind_named_pipe": { "name": "Windows Upload/Execute, Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/upexec/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "UserExistsError" ], "description": "Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_named_pipe", "check": false }, "payload_windows/upexec/bind_nonx_tcp": { "name": "Windows Upload/Execute, Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/upexec/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf " ], "description": "Uploads an executable and runs it (staged). 
Listen for a connection (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_nonx_tcp", "check": false }, "payload_windows/upexec/bind_tcp": { "name": "Windows Upload/Execute, Bind TCP Stager (Windows x86)", "full_name": "payload/windows/upexec/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape " ], "description": "Uploads an executable and runs it (staged). Listen for a connection (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_tcp", "check": false }, "payload_windows/upexec/bind_tcp_rc4": { "name": "Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/upexec/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Uploads an executable and runs it (staged). 
Listen for a connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_tcp_rc4", "check": false }, "payload_windows/upexec/bind_tcp_uuid": { "name": "Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/upexec/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "OJ Reeves" ], "description": "Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/upexec/bind_tcp_uuid", "check": false }, "payload_windows/upexec/find_tag": { "name": "Windows Upload/Execute, Find Tag Ordinal Stager", "full_name": "payload/windows/upexec/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "skape " ], "description": "Uploads an executable and runs it (staged). 
Use an established connection", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/upexec/find_tag", "check": false }, "payload_windows/upexec/reverse_ipv6_tcp": { "name": "Windows Upload/Execute, Reverse TCP Stager (IPv6)", "full_name": "payload/windows/upexec/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape " ], "description": "Uploads an executable and runs it (staged). Connect back to the attacker over IPv6", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_ipv6_tcp", "check": false }, "payload_windows/upexec/reverse_nonx_tcp": { "name": "Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/upexec/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf " ], "description": "Uploads an executable and runs it (staged). 
Connect back to the attacker (No NX)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_nonx_tcp", "check": false }, "payload_windows/upexec/reverse_ord_tcp": { "name": "Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/upexec/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "spoonm " ], "description": "Uploads an executable and runs it (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_ord_tcp", "check": false }, "payload_windows/upexec/reverse_tcp": { "name": "Windows Upload/Execute, Reverse TCP Stager", "full_name": "payload/windows/upexec/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape " ], "description": "Uploads an executable and runs it (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp", "check": false }, "payload_windows/upexec/reverse_tcp_allports": { "name": "Windows Upload/Execute, Reverse All-Port TCP Stager", "full_name": "payload/windows/upexec/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape " ], "description": "Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp_allports", "check": false }, "payload_windows/upexec/reverse_tcp_dns": { "name": "Windows Upload/Execute, Reverse TCP Stager (DNS)", "full_name": "payload/windows/upexec/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "RageLtMan" ], "description": "Uploads an executable and runs it (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp_dns", "check": false }, "payload_windows/upexec/reverse_tcp_rc4": { "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/upexec/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Uploads an executable and runs it (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp_rc4", "check": false }, "payload_windows/upexec/reverse_tcp_rc4_dns": { "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/upexec/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Uploads an executable and runs it (staged). 
Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp_rc4_dns", "check": false }, "payload_windows/upexec/reverse_tcp_uuid": { "name": "Windows Upload/Execute, Reverse TCP Stager with UUID Support", "full_name": "payload/windows/upexec/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "hdm ", "OJ Reeves" ], "description": "Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_tcp_uuid", "check": false }, "payload_windows/upexec/reverse_udp": { "name": "Windows Upload/Execute, Reverse UDP Stager with UUID Support", "full_name": "payload/windows/upexec/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "vlad902 ", "sf ", "RageLtMan " ], "description": "Uploads an executable and runs it (staged). 
Connect back to the attacker with UUID Support", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/upexec/reverse_udp", "check": false }, "payload_windows/vncinject/bind_hidden_ipknock_tcp": { "name": "VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager", "full_name": "payload/windows/vncinject/bind_hidden_ipknock_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_hidden_ipknock_tcp", "check": false }, "payload_windows/vncinject/bind_hidden_tcp": { "name": "VNC Server (Reflective Injection), Hidden Bind TCP Stager", "full_name": "payload/windows/vncinject/bind_hidden_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "Borja Merino " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Listen for a connection from a hidden port and spawn a command shell to the allowed host.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_hidden_tcp", "check": false }, "payload_windows/vncinject/bind_ipv6_tcp": { "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", "full_name": "payload/windows/vncinject/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_ipv6_tcp", "check": false }, "payload_windows/vncinject/bind_ipv6_tcp_uuid": { "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/vncinject/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Listen for an IPv6 connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/vncinject/bind_named_pipe": { "name": "VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager", "full_name": "payload/windows/vncinject/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "UserExistsError" ], "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a pipe connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-27 19:24:51 +0000", "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_named_pipe", "check": false }, "payload_windows/vncinject/bind_nonx_tcp": { "name": "VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)", "full_name": "payload/windows/vncinject/bind_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "vlad902 " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Listen for a connection (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_nonx_tcp", "check": false }, "payload_windows/vncinject/bind_tcp": { "name": "VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)", "full_name": "payload/windows/vncinject/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_tcp", "check": false }, "payload_windows/vncinject/bind_tcp_rc4": { "name": "VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/vncinject/bind_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Listen for a connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_tcp_rc4", "check": false }, "payload_windows/vncinject/bind_tcp_uuid": { "name": "VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", "full_name": "payload/windows/vncinject/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/vncinject/bind_tcp_uuid", "check": false }, "payload_windows/vncinject/find_tag": { "name": "VNC Server (Reflective Injection), Find Tag Ordinal Stager", "full_name": "payload/windows/vncinject/find_tag", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Use an established connection", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/findtag_ord.rb", "is_install_path": true, "ref_name": "windows/vncinject/find_tag", "check": false }, "payload_windows/vncinject/reverse_hop_http": { "name": "VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager", "full_name": "payload/windows/vncinject/reverse_hop_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "scriptjunkie ", "bannedit ", "hdm " ], "description": "Inject a VNC Dll via a reflective loader (staged). \n Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n data/hop/hop.php to the PHP server you wish to use as a hop.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_hop_http", "check": false }, "payload_windows/vncinject/reverse_http": { "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)", "full_name": "payload/windows/vncinject/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Tunnel communication over HTTP (Windows wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_http.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_http", "check": false }, "payload_windows/vncinject/reverse_http_proxy_pstore": { "name": "VNC Server (Reflective Injection), Reverse HTTP Stager Proxy", "full_name": "payload/windows/vncinject/reverse_http_proxy_pstore", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm " ], "description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_http_proxy_pstore", "check": false }, "payload_windows/vncinject/reverse_ipv6_tcp": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)", "full_name": "payload/windows/vncinject/reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Connect back to the attacker over IPv6", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_ipv6_tcp", "check": false }, "payload_windows/vncinject/reverse_nonx_tcp": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)", "full_name": "payload/windows/vncinject/reverse_nonx_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "vlad902 " ], "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_nonx_tcp", "check": false }, "payload_windows/vncinject/reverse_ord_tcp": { "name": "VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", "full_name": "payload/windows/vncinject/reverse_ord_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "spoonm " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_ord_tcp", "check": false }, "payload_windows/vncinject/reverse_tcp": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager", "full_name": "payload/windows/vncinject/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp", "check": false }, "payload_windows/vncinject/reverse_tcp_allports": { "name": "VNC Server (Reflective Injection), Reverse All-Port TCP Stager", "full_name": "payload/windows/vncinject/reverse_tcp_allports", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Try to connect back to the attacker, on all possible ports (1-65535, slowly)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp_allports", "check": false }, "payload_windows/vncinject/reverse_tcp_dns": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager (DNS)", "full_name": "payload/windows/vncinject/reverse_tcp_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "RageLtMan" ], "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp_dns", "check": false }, "payload_windows/vncinject/reverse_tcp_rc4": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/vncinject/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp_rc4", "check": false }, "payload_windows/vncinject/reverse_tcp_rc4_dns": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "full_name": "payload/windows/vncinject/reverse_tcp_rc4_dns", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "RageLtMan" ], "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp_rc4_dns", "check": false }, "payload_windows/vncinject/reverse_tcp_uuid": { "name": "VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support", "full_name": "payload/windows/vncinject/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-15 15:10:26 +0000", "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_tcp_uuid", "check": false }, "payload_windows/vncinject/reverse_udp": { "name": "VNC Server (Reflective Injection), Reverse UDP Stager with UUID Support", "full_name": "payload/windows/vncinject/reverse_udp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "RageLtMan " ], "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2018-02-13 14:34:21 +0000", "path": "/modules/payloads/stagers/windows/reverse_udp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_udp", "check": false }, "payload_windows/vncinject/reverse_winhttp": { "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", "full_name": "payload/windows/vncinject/reverse_winhttp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "Borja Merino " ], "description": "Inject a VNC Dll via a reflective loader (staged). 
Tunnel communication over HTTP (Windows winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86", "rport": null, "targets": null, "mod_time": "2017-11-21 13:53:33 +0000", "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", "is_install_path": true, "ref_name": "windows/vncinject/reverse_winhttp", "check": false }, "payload_windows/x64/exec": { "name": "Windows x64 Execute Command", "full_name": "payload/windows/x64/exec", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Execute an arbitrary command (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/x64/exec.rb", "is_install_path": true, "ref_name": "windows/x64/exec", "check": false }, "payload_windows/x64/loadlibrary": { "name": "Windows x64 LoadLibrary Path", "full_name": "payload/windows/x64/loadlibrary", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "scriptjunkie", "sf " ], "description": "Load an arbitrary x64 library path", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/x64/loadlibrary.rb", "is_install_path": true, "ref_name": "windows/x64/loadlibrary", "check": false }, "payload_windows/x64/meterpreter/bind_ipv6_tcp": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager", "full_name": "payload/windows/x64/meterpreter/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the 
Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp", "check": false }, "payload_windows/x64/meterpreter/bind_ipv6_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support", "full_name": "payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/x64/meterpreter/bind_named_pipe": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager", "full_name": "payload/windows/x64/meterpreter/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "UserExistsError" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Listen for a pipe connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/bind_named_pipe", "check": false }, "payload_windows/x64/meterpreter/bind_tcp": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager", "full_name": "payload/windows/x64/meterpreter/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/bind_tcp", "check": false }, "payload_windows/x64/meterpreter/bind_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/meterpreter/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Listen for a connection with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/bind_tcp_uuid", "check": false }, "payload_windows/x64/meterpreter/reverse_http": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", "full_name": "payload/windows/x64/meterpreter/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_http", "check": false }, "payload_windows/x64/meterpreter/reverse_https": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", "full_name": "payload/windows/x64/meterpreter/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "agix", "rwincey" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Tunnel communication over HTTP (Windows x64 wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_https", "check": false }, "payload_windows/x64/meterpreter/reverse_named_pipe": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager", "full_name": "payload/windows/x64/meterpreter/reverse_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker via a named pipe pivot", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-09-01 03:49:00 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_named_pipe", "check": false }, "payload_windows/x64/meterpreter/reverse_tcp": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager", "full_name": "payload/windows/x64/meterpreter/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Connect back to the attacker (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_tcp", "check": false }, "payload_windows/x64/meterpreter/reverse_tcp_rc4": { "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/x64/meterpreter/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves", "hdm ", "mihi", "max3raza", "RageLtMan" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-04 17:43:15 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_tcp_rc4", "check": false }, "payload_windows/x64/meterpreter/reverse_tcp_uuid": { "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/meterpreter/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Connect back to the attacker with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_tcp_uuid", "check": false }, "payload_windows/x64/meterpreter/reverse_winhttp": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)", "full_name": "payload/windows/x64/meterpreter/reverse_winhttp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_winhttp", "check": false }, "payload_windows/x64/meterpreter/reverse_winhttps": { "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)", "full_name": "payload/windows/x64/meterpreter/reverse_winhttps", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "skape ", "sf ", "OJ Reeves" ], "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Tunnel communication over HTTPS (Windows x64 winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_winhttps", "check": false }, "payload_windows/x64/meterpreter_bind_named_pipe": { "name": "Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", "full_name": "payload/windows/x64/meterpreter_bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "UserExistsError", "sf ", "OJ Reeves" ], "description": "Connect to victim and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_bind_named_pipe", "check": false }, "payload_windows/x64/meterpreter_bind_tcp": { "name": "Windows Meterpreter Shell, Bind TCP Inline (x64)", "full_name": "payload/windows/x64/meterpreter_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect to victim and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": 
"/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_bind_tcp", "check": false }, "payload_windows/x64/meterpreter_reverse_http": { "name": "Windows Meterpreter Shell, Reverse HTTP Inline (x64)", "full_name": "payload/windows/x64/meterpreter_reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_reverse_http", "check": false }, "payload_windows/x64/meterpreter_reverse_https": { "name": "Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", "full_name": "payload/windows/x64/meterpreter_reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_reverse_https", "check": false }, "payload_windows/x64/meterpreter_reverse_ipv6_tcp": { "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", "full_name": "payload/windows/x64/meterpreter_reverse_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": 
"payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp", "check": false }, "payload_windows/x64/meterpreter_reverse_tcp": { "name": "Windows Meterpreter Shell, Reverse TCP Inline x64", "full_name": "payload/windows/x64/meterpreter_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "OJ Reeves", "sf " ], "description": "Connect back to attacker and spawn a Meterpreter shell", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter_reverse_tcp", "check": false }, "payload_windows/x64/powershell_bind_tcp": { "name": "Windows Interactive Powershell Session, Bind TCP", "full_name": "payload/windows/x64/powershell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Turner", "Dave Hardy", "sf " ], "description": "Listen for a connection and spawn an interactive powershell session", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-07-19 17:58:45 +0000", "path": 
"/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/powershell_bind_tcp", "check": false }, "payload_windows/x64/powershell_reverse_tcp": { "name": "Windows Interactive Powershell Session, Reverse TCP", "full_name": "payload/windows/x64/powershell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "Ben Turner", "Dave Hardy", "sf " ], "description": "Connect back to the attacker and spawn an interactive powershell session", "references": [ "URL-https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-07-19 17:58:45 +0000", "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/powershell_reverse_tcp", "check": false }, "payload_windows/x64/shell/bind_ipv6_tcp": { "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", "full_name": "payload/windows/x64/shell/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/shell/bind_ipv6_tcp", "check": false }, "payload_windows/x64/shell/bind_ipv6_tcp_uuid": { "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", "full_name": "payload/windows/x64/shell/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Spawn a piped command shell (Windows x64) (staged). 
Listen for an IPv6 connection with UUID Support (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/shell/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/x64/shell/bind_named_pipe": { "name": "Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", "full_name": "payload/windows/x64/shell/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "UserExistsError" ], "description": "Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/x64/shell/bind_named_pipe", "check": false }, "payload_windows/x64/shell/bind_tcp": { "name": "Windows x64 Command Shell, Windows x64 Bind TCP Stager", "full_name": "payload/windows/x64/shell/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Spawn a piped command shell (Windows x64) (staged). 
Listen for a connection (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/shell/bind_tcp", "check": false }, "payload_windows/x64/shell/bind_tcp_uuid": { "name": "Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/shell/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/shell/bind_tcp_uuid", "check": false }, "payload_windows/x64/shell/reverse_tcp": { "name": "Windows x64 Command Shell, Windows x64 Reverse TCP Stager", "full_name": "payload/windows/x64/shell/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Spawn a piped command shell (Windows x64) (staged). 
Connect back to the attacker (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/shell/reverse_tcp", "check": false }, "payload_windows/x64/shell/reverse_tcp_rc4": { "name": "Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/x64/shell/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "max3raza", "RageLtMan" ], "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-04 17:43:15 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/x64/shell/reverse_tcp_rc4", "check": false }, "payload_windows/x64/shell/reverse_tcp_uuid": { "name": "Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/shell/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Spawn a piped command shell (Windows x64) (staged). 
Connect back to the attacker with UUID Support (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/shell/reverse_tcp_uuid", "check": false }, "payload_windows/x64/shell_bind_tcp": { "name": "Windows x64 Command Shell, Bind TCP Inline", "full_name": "payload/windows/x64/shell_bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Listen for a connection and spawn a command shell (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/shell_bind_tcp", "check": false }, "payload_windows/x64/shell_reverse_tcp": { "name": "Windows x64 Command Shell, Reverse TCP Inline", "full_name": "payload/windows/x64/shell_reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Connect back to attacker and spawn a command shell (Windows x64)", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/singles/windows/x64/shell_reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/shell_reverse_tcp", "check": false }, "payload_windows/x64/vncinject/bind_ipv6_tcp": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager", "full_name": "payload/windows/x64/vncinject/bind_ipv6_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Inject a VNC Dll via a reflective loader 
(Windows x64) (staged). Listen for an IPv6 connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/bind_ipv6_tcp", "check": false }, "payload_windows/x64/vncinject/bind_ipv6_tcp_uuid": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support", "full_name": "payload/windows/x64/vncinject/bind_ipv6_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/bind_ipv6_tcp_uuid", "check": false }, "payload_windows/x64/vncinject/bind_named_pipe": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager", "full_name": "payload/windows/x64/vncinject/bind_named_pipe", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "UserExistsError" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). 
Listen for a pipe connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-02-15 17:37:33 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/bind_named_pipe", "check": false }, "payload_windows/x64/vncinject/bind_tcp": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager", "full_name": "payload/windows/x64/vncinject/bind_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/bind_tcp", "check": false }, "payload_windows/x64/vncinject/bind_tcp_uuid": { "name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/vncinject/bind_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). 
Listen for a connection with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/bind_tcp_uuid", "check": false }, "payload_windows/x64/vncinject/reverse_http": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)", "full_name": "payload/windows/x64/vncinject/reverse_http", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_http", "check": false }, "payload_windows/x64/vncinject/reverse_https": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (wininet)", "full_name": "payload/windows/x64/vncinject/reverse_https", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "agix", "rwincey" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). 
Tunnel communication over HTTPS (Windows x64 wininet)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_https", "check": false }, "payload_windows/x64/vncinject/reverse_tcp": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager", "full_name": "payload/windows/x64/vncinject/reverse_tcp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf " ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_tcp", "check": false }, "payload_windows/x64/vncinject/reverse_tcp_rc4": { "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "full_name": "payload/windows/x64/vncinject/reverse_tcp_rc4", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "hdm ", "skape ", "mihi", "max3raza", "RageLtMan" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). 
Connect back to the attacker", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-04 17:43:15 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_tcp_rc4", "check": false }, "payload_windows/x64/vncinject/reverse_tcp_uuid": { "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)", "full_name": "payload/windows/x64/vncinject/reverse_tcp_uuid", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_tcp_uuid", "check": false }, "payload_windows/x64/vncinject/reverse_winhttp": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)", "full_name": "payload/windows/x64/vncinject/reverse_winhttp", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). 
Tunnel communication over HTTP (Windows x64 winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_winhttp", "check": false }, "payload_windows/x64/vncinject/reverse_winhttps": { "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)", "full_name": "payload/windows/x64/vncinject/reverse_winhttps", "rank": 300, "disclosure_date": null, "type": "payload", "author": [ "sf ", "OJ Reeves" ], "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", "URL-https://github.com/rapid7/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x64", "rport": null, "targets": null, "mod_time": "2018-03-20 11:27:43 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_winhttps", "check": false }, "post_aix/hashdump": { "name": "AIX Gather Dump Password Hashes", "full_name": "post/aix/hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "Post Module to dump the password hashes for all users on an AIX System", "references": [ ], "is_server": false, "is_client": false, "platform": "AIX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/aix/hashdump.rb", "is_install_path": true, "ref_name": "aix/hashdump", "check": false }, "post_android/capture/screen": { "name": 
"Android Screen Capture", "full_name": "post/android/capture/screen", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "timwr" ], "description": "This module takes a screenshot of the target phone.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/android/capture/screen.rb", "is_install_path": true, "ref_name": "android/capture/screen", "check": false }, "post_android/gather/wireless_ap": { "name": "Displays wireless SSIDs and PSKs", "full_name": "post/android/gather/wireless_ap", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Auxilus", "timwr" ], "description": "This module displays all wireless AP creds saved on the target device.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-06 17:37:12 +0000", "path": "/modules/post/android/gather/wireless_ap.rb", "is_install_path": true, "ref_name": "android/gather/wireless_ap", "check": false }, "post_android/manage/remove_lock": { "name": "Android Settings Remove Device Locks (4.0-4.3)", "full_name": "post/android/manage/remove_lock", "rank": 300, "disclosure_date": "2013-10-11", "type": "post", "author": [ "CureSec", "timwr" ], "description": "This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.\n Any unprivileged app can exploit this vulnerability to remove the lockscreen.\n A logic flaw / design error exists in the settings application that allows an Intent from any\n application to clear the screen lock. 
The user may see that the Settings application has crashed,\n and the phone can then be unlocked by a swipe.\n This vulnerability was patched in Android 4.4.", "references": [ "CVE-2013-6271", "URL-http://blog.curesec.com/article/blog/26.html", "URL-http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf" ], "is_server": false, "is_client": false, "platform": "Android", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/android/manage/remove_lock.rb", "is_install_path": true, "ref_name": "android/manage/remove_lock", "check": false }, "post_android/manage/remove_lock_root": { "name": "Android Root Remove Device Locks (root)", "full_name": "post/android/manage/remove_lock_root", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "timwr" ], "description": "This module uses root privileges to remove the device lock.\n In some cases the original lock method will still be present but any key/gesture will\n unlock the device.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/android/manage/remove_lock_root.rb", "is_install_path": true, "ref_name": "android/manage/remove_lock_root", "check": false }, "post_android/sub_info": { "name": "extracts subscriber info from target device", "full_name": "post/android/sub_info", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Auxilus" ], "description": "This module displays the subscriber info stored on the target phone.\n It uses call service to get values of each transaction code like imei etc.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android", "arch": "", "rport": null, "targets": null, "mod_time": "2018-07-26 16:48:34 +0000", "path": "/modules/post/android/sub_info.rb", "is_install_path": true, "ref_name": "android/sub_info", "check": false }, 
"post_cisco/gather/enum_cisco": { "name": "Cisco Gather Device General Information", "full_name": "post/cisco/gather/enum_cisco", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module collects a Cisco IOS or NXOS device information and configuration.", "references": [ ], "is_server": false, "is_client": false, "platform": "Cisco", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/cisco/gather/enum_cisco.rb", "is_install_path": true, "ref_name": "cisco/gather/enum_cisco", "check": false }, "post_firefox/gather/cookies": { "name": "Firefox Gather Cookies from Privileged Javascript Shell", "full_name": "post/firefox/gather/cookies", "rank": 300, "disclosure_date": "2014-03-26", "type": "post", "author": [ "joev " ], "description": "This module allows collection of cookies from a Firefox Privileged Javascript Shell.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/firefox/gather/cookies.rb", "is_install_path": true, "ref_name": "firefox/gather/cookies", "check": false }, "post_firefox/gather/history": { "name": "Firefox Gather History from Privileged Javascript Shell", "full_name": "post/firefox/gather/history", "rank": 300, "disclosure_date": "2014-04-11", "type": "post", "author": [ "joev " ], "description": "This module allows collection of the entire browser history from a Firefox\n Privileged Javascript Shell.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/firefox/gather/history.rb", "is_install_path": true, "ref_name": "firefox/gather/history", "check": false }, "post_firefox/gather/passwords": { "name": "Firefox Gather Passwords from Privileged Javascript Shell", "full_name": 
"post/firefox/gather/passwords", "rank": 300, "disclosure_date": "2014-04-11", "type": "post", "author": [ "joev " ], "description": "This module allows collection of passwords from a Firefox Privileged Javascript Shell.", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/firefox/gather/passwords.rb", "is_install_path": true, "ref_name": "firefox/gather/passwords", "check": false }, "post_firefox/gather/xss": { "name": "Firefox XSS", "full_name": "post/firefox/gather/xss", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "joev " ], "description": "This module runs the provided SCRIPT as javascript in the\n origin of the provided URL. It works by navigating to a hidden\n ChromeWindow to the URL, then injecting the SCRIPT with Function().\n The callback \"send(result)\" is used to send data back to the listener.", "references": [ ], "is_server": false, "is_client": false, "platform": "Firefox", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/firefox/gather/xss.rb", "is_install_path": true, "ref_name": "firefox/gather/xss", "check": false }, "post_firefox/manage/webcam_chat": { "name": "Firefox Webcam Chat on Privileged Javascript Shell", "full_name": "post/firefox/manage/webcam_chat", "rank": 300, "disclosure_date": "2014-05-13", "type": "post", "author": [ "joev " ], "description": "This module allows streaming a webcam from a privileged Firefox Javascript shell.", "references": [ "URL-http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/firefox/manage/webcam_chat.rb", "is_install_path": true, "ref_name": "firefox/manage/webcam_chat", "check": false }, 
"post_hardware/automotive/canprobe": { "name": "Module to Probe Different Data Points in a CAN Packet", "full_name": "post/hardware/automotive/canprobe", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Scans between two CAN IDs and writes data at each byte position. It will\n either write a set byte value (Default 0xFF) or iterate through all possible values\n of that byte position (takes much longer). Does not check for responses and is\n basically a simple blind fuzzer.", "references": [ ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/hardware/automotive/canprobe.rb", "is_install_path": true, "ref_name": "hardware/automotive/canprobe", "check": false }, "post_hardware/automotive/getvinfo": { "name": "Get the Vehicle Information Such as the VIN from the Target Module", "full_name": "post/hardware/automotive/getvinfo", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Post Module to query DTCs, Some common engine info and Vehicle Info.\n It returns such things as engine speed, coolant temp, Diagnostic\n Trouble Codes as well as All info stored by Mode $09 Vehicle Info, VIN, etc", "references": [ ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-11 18:20:57 +0000", "path": "/modules/post/hardware/automotive/getvinfo.rb", "is_install_path": true, "ref_name": "hardware/automotive/getvinfo", "check": false }, "post_hardware/automotive/identifymodules": { "name": "Scan CAN Bus for Diagnostic Modules", "full_name": "post/hardware/automotive/identifymodules", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Post Module to scan the CAN bus for any modules that can respond to UDS DSC queries", "references": [ ], 
"is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/hardware/automotive/identifymodules.rb", "is_install_path": true, "ref_name": "hardware/automotive/identifymodules", "check": false }, "post_hardware/automotive/malibu_overheat": { "name": "Sample Module to Flood Temp Gauge on 2006 Malibu", "full_name": "post/hardware/automotive/malibu_overheat", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Simple sample temp flood for the 2006 Malibu", "references": [ ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/hardware/automotive/malibu_overheat.rb", "is_install_path": true, "ref_name": "hardware/automotive/malibu_overheat", "check": false }, "post_hardware/automotive/pdt": { "name": "Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)", "full_name": "post/hardware/automotive/pdt", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Johannes Braun", "Juergen Duerrwang", "Craig Smith" ], "description": "Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module\n will first query all Pyrotechnic Control Units (PCUs) in the target vehicle\n to discover how many pyrotechnic devices are present, then attempt to validate\n the security access token using the default simplified algorithm. On success,\n the vehicle will be in a state that is prepped to deploy its pyrotechnic devices\n (e.g. airbags, battery clamps, etc.) via the service routine. 
(ISO 26021)", "references": [ "CVE-2017-14937", "URL-https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts" ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-12-17 18:15:49 +0000", "path": "/modules/post/hardware/automotive/pdt.rb", "is_install_path": true, "ref_name": "hardware/automotive/pdt", "check": false }, "post_hardware/rftransceiver/rfpwnon": { "name": "Brute Force AM/OOK (ie: Garage Doors)", "full_name": "post/hardware/rftransceiver/rfpwnon", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Post Module for HWBridge RFTransceivers. Brute forces AM OOK or raw\n binary signals. This is a port of the rfpwnon tool by Corey Harding.\n (https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py)", "references": [ ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/hardware/rftransceiver/rfpwnon.rb", "is_install_path": true, "ref_name": "hardware/rftransceiver/rfpwnon", "check": false }, "post_hardware/rftransceiver/transmitter": { "name": "RF Transceiver Transmitter", "full_name": "post/hardware/rftransceiver/transmitter", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "This module powers an HWBridge-connected radio transceiver,\n effectively transmitting on the frequency set by the FREQ option.\n\n NOTE: Users of this module should be aware of their local laws,\n regulations, and licensing requirements for transmitting on any\n given radio frequency.", "references": [ "URL-https://github.com/AndrewMohawk/RfCatHelpers" ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/post/hardware/rftransceiver/transmitter.rb", "is_install_path": true, "ref_name": "hardware/rftransceiver/transmitter", "check": false }, "post_hardware/zigbee/zstumbler": { "name": "Sends Beacons to Scan for Active ZigBee Networks", "full_name": "post/hardware/zigbee/zstumbler", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Craig Smith" ], "description": "Post Module to send beacon signals to the broadcast address while\n channel hopping", "references": [ ], "is_server": false, "is_client": false, "platform": "Hardware", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/hardware/zigbee/zstumbler.rb", "is_install_path": true, "ref_name": "hardware/zigbee/zstumbler", "check": false }, "post_juniper/gather/enum_juniper": { "name": "Juniper Gather Device General Information", "full_name": "post/juniper/gather/enum_juniper", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "h00die" ], "description": "This module collects a Juniper ScreenOS and JunOS device information and configuration.", "references": [ ], "is_server": false, "is_client": false, "platform": "Juniper", "arch": "", "rport": null, "targets": null, "mod_time": "2018-07-30 14:20:01 +0000", "path": "/modules/post/juniper/gather/enum_juniper.rb", "is_install_path": true, "ref_name": "juniper/gather/enum_juniper", "check": false }, "post_linux/busybox/enum_connections": { "name": "BusyBox Enumerate Connections", "full_name": "post/linux/busybox/enum_connections", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. 
It will\n enumerate the connections established with the router or device executing BusyBox.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/enum_connections.rb", "is_install_path": true, "ref_name": "linux/busybox/enum_connections", "check": false }, "post_linux/busybox/enum_hosts": { "name": "BusyBox Enumerate Host Names", "full_name": "post/linux/busybox/enum_hosts", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. It will enumerate\n host names related to the device executing BusyBox.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/enum_hosts.rb", "is_install_path": true, "ref_name": "linux/busybox/enum_hosts", "check": false }, "post_linux/busybox/jailbreak": { "name": "BusyBox Jailbreak ", "full_name": "post/linux/busybox/jailbreak", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will send a set of commands to an open session that is connected to a\n BusyBox limited shell (i.e. a router limited shell). 
It will try different known\n tricks to jailbreak the limited shell and get a full BusyBox shell.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/linux/busybox/jailbreak.rb", "is_install_path": true, "ref_name": "linux/busybox/jailbreak", "check": false }, "post_linux/busybox/ping_net": { "name": "BusyBox Ping Network Enumeration", "full_name": "post/linux/busybox/ping_net", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. It will ping a range\n of IP addresses from the router or device executing BusyBox.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/ping_net.rb", "is_install_path": true, "ref_name": "linux/busybox/ping_net", "check": false }, "post_linux/busybox/set_dmz": { "name": "BusyBox DMZ Configuration", "full_name": "post/linux/busybox/set_dmz", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. 
It allows to manage\n traffic forwarding to a target host through the BusyBox device.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/set_dmz.rb", "is_install_path": true, "ref_name": "linux/busybox/set_dmz", "check": false }, "post_linux/busybox/set_dns": { "name": "BusyBox DNS Configuration", "full_name": "post/linux/busybox/set_dns", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. It allows\n to set the DNS server on the device executing BusyBox so it will be sent by the\n DHCP server to network hosts.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/set_dns.rb", "is_install_path": true, "ref_name": "linux/busybox/set_dns", "check": false }, "post_linux/busybox/smb_share_root": { "name": "BusyBox SMB Sharing", "full_name": "post/linux/busybox/smb_share_root", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. 
It will modify\n the SMB configuration of the device executing BusyBox to share the root directory of\n the device.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/smb_share_root.rb", "is_install_path": true, "ref_name": "linux/busybox/smb_share_root", "check": false }, "post_linux/busybox/wget_exec": { "name": "BusyBox Download and Execute", "full_name": "post/linux/busybox/wget_exec", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Vicente Vallejo" ], "description": "This module will be applied on a session connected to a BusyBox shell. It will use wget to\n download and execute a file from the device running BusyBox.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/busybox/wget_exec.rb", "is_install_path": true, "ref_name": "linux/busybox/wget_exec", "check": false }, "post_linux/dos/xen_420_dos": { "name": "Linux DoS Xen 4.2.0 2012-5525", "full_name": "post/linux/dos/xen_420_dos", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Christoph Sendner ", "Aleksandar Milenkoski " ], "description": "This module causes a hypervisor crash in Xen 4.2.0 when invoked from a\n paravirtualized VM, including from dom0. 
Successfully tested on Debian 7\n 3.2.0-4-amd64 with Xen 4.2.0.", "references": [ "CVE-2012-5525" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "x64", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/linux/dos/xen_420_dos.rb", "is_install_path": true, "ref_name": "linux/dos/xen_420_dos", "check": false }, "post_linux/gather/checkcontainer": { "name": "Linux Gather Container Detection", "full_name": "post/linux/gather/checkcontainer", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "James Otten " ], "description": "This module attempts to determine whether the system is running\n inside of a container and if so, which one. This module supports\n detection of Docker, LXC, and systemd nspawn.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-06 00:46:09 +0000", "path": "/modules/post/linux/gather/checkcontainer.rb", "is_install_path": true, "ref_name": "linux/gather/checkcontainer", "check": false }, "post_linux/gather/checkvm": { "name": "Linux Gather Virtual Environment Detection", "full_name": "post/linux/gather/checkvm", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n and QEMU/KVM.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-04 19:12:27 +0000", "path": "/modules/post/linux/gather/checkvm.rb", "is_install_path": true, "ref_name": "linux/gather/checkvm", "check": false }, "post_linux/gather/ecryptfs_creds": { "name": "Gather eCryptfs Metadata", "full_name": "post/linux/gather/ecryptfs_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Dhiru Kholia " ], "description": "This module will collect the contents of all users' .ecrypts directories on\n the targeted machine. Collected \"wrapped-passphrase\" files can be\n cracked with John the Ripper (JtR) to recover \"mount passphrases\".", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/ecryptfs_creds.rb", "is_install_path": true, "ref_name": "linux/gather/ecryptfs_creds", "check": false }, "post_linux/gather/enum_configs": { "name": "Linux Gather Configurations", "full_name": "post/linux/gather/enum_configs", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "ohdae " ], "description": "This module collects configuration files found on commonly installed\n applications and services, such as Apache, MySQL, Samba, Sendmail, etc.\n If a config file is found in its default path, the module will assume\n that is the file we want.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/enum_configs.rb", "is_install_path": true, "ref_name": "linux/gather/enum_configs", "check": false }, "post_linux/gather/enum_network": { "name": "Linux Gather Network Information", "full_name": 
"post/linux/gather/enum_network", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "ohdae ", "Stephen Haywood " ], "description": "This module gathers network information from the target system\n IPTables rules, interfaces, wireless information, open and listening\n ports, active network connections, DNS information and SSH information.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-30 15:32:04 +0000", "path": "/modules/post/linux/gather/enum_network.rb", "is_install_path": true, "ref_name": "linux/gather/enum_network", "check": false }, "post_linux/gather/enum_protections": { "name": "Linux Gather Protection Enumeration", "full_name": "post/linux/gather/enum_protections", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "ohdae " ], "description": "This module tries to find certain installed applications that can be used\n to prevent, or detect our attacks, which is done by locating certain\n binary locations, and see if they are indeed executables. 
For example,\n if we are able to run 'snort' as a command, we assume it's one of the files\n we are looking for.\n\n This module is meant to cover various antivirus, rootkits, IDS/IPS,\n firewalls, and other software.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2018-04-29 06:52:47 +0000", "path": "/modules/post/linux/gather/enum_protections.rb", "is_install_path": true, "ref_name": "linux/gather/enum_protections", "check": false }, "post_linux/gather/enum_psk": { "name": "Linux Gather 802-11-Wireless-Security Credentials", "full_name": "post/linux/gather/enum_psk", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Cenk Kalpakoglu" ], "description": "This module collects 802-11-Wireless-Security credentials such as\n Access-Point name and Pre-Shared-Key from your target CLIENT Linux\n machine using /etc/NetworkManager/system-connections/ files.\n The module gathers NetworkManager's plaintext \"psk\" information.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/enum_psk.rb", "is_install_path": true, "ref_name": "linux/gather/enum_psk", "check": false }, "post_linux/gather/enum_system": { "name": "Linux Gather System and User Information", "full_name": "post/linux/gather/enum_system", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "Stephen Haywood ", "sinn3r ", "ohdae ", "Roberto Espreto " ], "description": "This module gathers system information. 
We collect\n installed packages, installed services, mount information,\n user list, user bash history and cron jobs", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/enum_system.rb", "is_install_path": true, "ref_name": "linux/gather/enum_system", "check": false }, "post_linux/gather/enum_users_history": { "name": "Linux Gather User History", "full_name": "post/linux/gather/enum_users_history", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "ohdae " ], "description": "This module gathers the following user-specific information:\n shell history, MySQL history, PostgreSQL history, MongoDB history,\n Vim history, lastlog, and sudoers.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/enum_users_history.rb", "is_install_path": true, "ref_name": "linux/gather/enum_users_history", "check": false }, "post_linux/gather/enum_xchat": { "name": "Linux Gather XChat Enumeration", "full_name": "post/linux/gather/enum_xchat", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. 
The CHATS option will simply download all the\n .log files.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/enum_xchat.rb", "is_install_path": true, "ref_name": "linux/gather/enum_xchat", "check": false }, "post_linux/gather/gnome_commander_creds": { "name": "Linux Gather Gnome-Commander Creds", "full_name": "post/linux/gather/gnome_commander_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "David Bloom" ], "description": "This module collects the clear text passwords stored by\n Gnome-commander, a GUI file explorer for GNOME. Typically, these\n passwords are stored in the user's home directory, at\n ~/.gnome-commander/connections.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/gnome_commander_creds.rb", "is_install_path": true, "ref_name": "linux/gather/gnome_commander_creds", "check": false }, "post_linux/gather/gnome_keyring_dump": { "name": "Gnome-Keyring Dump", "full_name": "post/linux/gather/gnome_keyring_dump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Spencer McIntyre" ], "description": "Use libgnome-keyring to extract network passwords for the current user.\n This module does not require root privileges to run.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/gnome_keyring_dump.rb", "is_install_path": true, "ref_name": "linux/gather/gnome_keyring_dump", "check": false }, "post_linux/gather/hashdump": { "name": "Linux Gather Dump Password Hashes for Linux Systems", "full_name": "post/linux/gather/hashdump", "rank": 300, "disclosure_date": null, "type": 
"post", "author": [ "Carlos Perez " ], "description": "Post Module to dump the password hashes for all users on a Linux System", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-16 00:56:32 +0000", "path": "/modules/post/linux/gather/hashdump.rb", "is_install_path": true, "ref_name": "linux/gather/hashdump", "check": false }, "post_linux/gather/mount_cifs_creds": { "name": "Linux Gather Saved mount.cifs/mount.smbfs Credentials", "full_name": "post/linux/gather/mount_cifs_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "Post Module to obtain credentials saved for mount.cifs/mount.smbfs in\n /etc/fstab on a Linux system.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-29 22:34:38 +0000", "path": "/modules/post/linux/gather/mount_cifs_creds.rb", "is_install_path": true, "ref_name": "linux/gather/mount_cifs_creds", "check": false }, "post_linux/gather/openvpn_credentials": { "name": "OpenVPN Gather Credentials", "full_name": "post/linux/gather/openvpn_credentials", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "rvrsh3ll", "Roberto Soares Espreto " ], "description": "This module grabs OpenVPN credentials from a running process\n in Linux.\n\n Note: --auth-nocache must not be set in the OpenVPN command line.", "references": [ "URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh" ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/gather/openvpn_credentials.rb", "is_install_path": true, "ref_name": "linux/gather/openvpn_credentials", "check": false }, "post_linux/gather/pptpd_chap_secrets": { "name": "Linux Gather PPTP VPN chap-secrets Credentials", 
"full_name": "post/linux/gather/pptpd_chap_secrets", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module collects PPTP VPN information such as client, server, password,\n and IP from your target server's chap-secrets file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-12 17:11:29 +0000", "path": "/modules/post/linux/gather/pptpd_chap_secrets.rb", "is_install_path": true, "ref_name": "linux/gather/pptpd_chap_secrets", "check": false }, "post_linux/gather/tor_hiddenservices": { "name": "Linux Gather TOR Hidden Services", "full_name": "post/linux/gather/tor_hiddenservices", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Harvey Phillips " ], "description": "This module collects the hostnames and private keys of\n any TOR Hidden Services running on the target machine. It\n will search for torrc and if found, will parse it for the\n directories of Hidden Services. However, root permissions\n are required to read them as they are owned by the user that\n TOR runs as, usually a separate account.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-06-07 20:08:23 +0000", "path": "/modules/post/linux/gather/tor_hiddenservices.rb", "is_install_path": true, "ref_name": "linux/gather/tor_hiddenservices", "check": false }, "post_linux/manage/download_exec": { "name": "Linux Manage Download and Execute", "full_name": "post/linux/manage/download_exec", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua D. Abraham " ], "description": "This module downloads and runs a file with bash. It first tries to use curl as\n its HTTP client and then wget if it's not found. 
Bash found in the PATH is used\n to execute the file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/manage/download_exec.rb", "is_install_path": true, "ref_name": "linux/manage/download_exec", "check": false }, "post_linux/manage/sshkey_persistence": { "name": "SSH Key Persistence", "full_name": "post/linux/manage/sshkey_persistence", "rank": 600, "disclosure_date": null, "type": "post", "author": [ "h00die " ], "description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/linux/manage/sshkey_persistence.rb", "is_install_path": true, "ref_name": "linux/manage/sshkey_persistence", "check": false }, "post_multi/escalate/aws_create_iam_user": { "name": "Create an AWS IAM User", "full_name": "post/multi/escalate/aws_create_iam_user", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Javier Godinez ", "Jon Hart " ], "description": "This module will attempt to create an AWS (Amazon Web Services) IAM\n (Identity and Access Management) user with Admin privileges.", "references": [ "URL-https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf" ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "", "rport": 443, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/escalate/aws_create_iam_user.rb", "is_install_path": true, "ref_name": "multi/escalate/aws_create_iam_user", "check": false }, "post_multi/escalate/cups_root_file_read": { "name": "CUPS 1.6.1 Root File Read", "full_name": "post/multi/escalate/cups_root_file_read", "rank": 300, "disclosure_date": 
"2012-11-20", "type": "post", "author": [ "Jann Horn", "joev " ], "description": "This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.\n CUPS allows members of the lpadmin group to make changes to the cupsd.conf\n configuration, which can specify an Error Log path. When the user visits the\n Error Log page in the web interface, the cupsd daemon (running with setuid root)\n reads the Error Log path and echoes it as plaintext.\n\n This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4\n as long as the session is in the lpadmin group.\n\n Warning: if the user has set up a custom path to the CUPS error log,\n this module might fail to reset that path correctly. You can specify\n a custom error log path with the ERROR_LOG datastore option.", "references": [ "CVE-2012-5519", "OSVDB-87635", "URL-http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791" ], "is_server": false, "is_client": false, "platform": "Linux,OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/escalate/cups_root_file_read.rb", "is_install_path": true, "ref_name": "multi/escalate/cups_root_file_read", "check": false }, "post_multi/escalate/metasploit_pcaplog": { "name": "Multi Escalate Metasploit pcap_log Local Privilege Escalation", "full_name": "post/multi/escalate/metasploit_pcaplog", "rank": 0, "disclosure_date": "2012-07-16", "type": "post", "author": [ "0a29406d9794e4f9b30b3c5d6702c708" ], "description": "Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,\n creates pcap files in /tmp with predictable file names. 
This exploits this by hard-linking these\n filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.\n This, and all the other packets, are appended to /etc/passwd.\n\n Successful exploitation results in the creation of a new superuser account.\n\n This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap\n files and truncate /etc/passwd. Note that if this module fails, you can potentially induce\n a permanent DoS on the target by corrupting the /etc/passwd file.", "references": [ "BID-54472", "URL-http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html", "URL-https://community.rapid7.com/docs/DOC-1946" ], "is_server": false, "is_client": false, "platform": "BSD,Linux,Unix", "arch": "", "rport": 2940, "targets": null, "mod_time": "2017-09-30 15:45:52 +0000", "path": "/modules/post/multi/escalate/metasploit_pcaplog.rb", "is_install_path": true, "ref_name": "multi/escalate/metasploit_pcaplog", "check": false }, "post_multi/gather/apple_ios_backup": { "name": "Windows Gather Apple iOS MobileSync Backup File Collection", "full_name": "post/multi/gather/apple_ios_backup", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "hdm ", "bannedit " ], "description": "This module will collect sensitive files from any on-disk iOS device backups", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/apple_ios_backup.rb", "is_install_path": true, "ref_name": "multi/gather/apple_ios_backup", "check": false }, "post_multi/gather/aws_ec2_instance_metadata": { "name": "Gather AWS EC2 Instance Metadata", "full_name": "post/multi/gather/aws_ec2_instance_metadata", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "This module will attempt to connect to the AWS EC2 instance metadata 
service\n and crawl and collect all metadata known about the session'd host.", "references": [ "URL-http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" ], "is_server": false, "is_client": false, "platform": "Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/aws_ec2_instance_metadata.rb", "is_install_path": true, "ref_name": "multi/gather/aws_ec2_instance_metadata", "check": false }, "post_multi/gather/aws_keys": { "name": "UNIX Gather AWS Keys", "full_name": "post/multi/gather/aws_keys", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "This module will attempt to read AWS configuration files\n (.aws/config, .aws//credentials and .s3cfg) for users discovered\n on the session'd system and extract AWS keys from within.", "references": [ "URL-http://s3tools.org/kb/item14.htm", "URL-http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/aws_keys.rb", "is_install_path": true, "ref_name": "multi/gather/aws_keys", "check": false }, "post_multi/gather/check_malware": { "name": "Multi Gather Malware Verifier", "full_name": "post/multi/gather/check_malware", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will check a file for malware on VirusTotal based on the checksum.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/check_malware.rb", "is_install_path": true, "ref_name": "multi/gather/check_malware", "check": false }, "post_multi/gather/dbvis_enum": { "name": "Multi Gather DbVisualizer 
Connections Settings", "full_name": "post/multi/gather/dbvis_enum", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "David Bloom" ], "description": "DbVisualizer stores the user database configuration in dbvis.xml.\n This module retrieves the connections settings from this file and decrypts the encrypted passwords.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/dbvis_enum.rb", "is_install_path": true, "ref_name": "multi/gather/dbvis_enum", "check": false }, "post_multi/gather/dns_bruteforce": { "name": "Multi Gather DNS Forward Lookup Bruteforce", "full_name": "post/multi/gather/dns_bruteforce", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Brute force subdomains and hostnames via wordlist.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/dns_bruteforce.rb", "is_install_path": true, "ref_name": "multi/gather/dns_bruteforce", "check": false }, "post_multi/gather/dns_reverse_lookup": { "name": "Multi Gather DNS Reverse Lookup Scan", "full_name": "post/multi/gather/dns_reverse_lookup", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Performs DNS reverse lookup using the OS included DNS query command.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/dns_reverse_lookup.rb", "is_install_path": true, "ref_name": "multi/gather/dns_reverse_lookup", "check": false }, "post_multi/gather/dns_srv_lookup": { "name": "Multi Gather DNS Service 
Record Lookup Scan", "full_name": "post/multi/gather/dns_srv_lookup", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Enumerates known SRV Records for a given domain using the target host's DNS query tool.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 19:38:43 +0000", "path": "/modules/post/multi/gather/dns_srv_lookup.rb", "is_install_path": true, "ref_name": "multi/gather/dns_srv_lookup", "check": false }, "post_multi/gather/docker_creds": { "name": "Multi Gather Docker Credentials Collection", "full_name": "post/multi/gather/docker_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Flibustier" ], "description": "This module will collect the contents of all users' .docker directories on the targeted\n machine. If the user has already pushed to Docker Hub, chances are that the password was\n saved in base64 (default behavior).", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-25 18:15:24 +0000", "path": "/modules/post/multi/gather/docker_creds.rb", "is_install_path": true, "ref_name": "multi/gather/docker_creds", "check": false }, "post_multi/gather/enum_vbox": { "name": "Multi Gather VirtualBox VM Enumeration", "full_name": "post/multi/gather/enum_vbox", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to enumerate any VirtualBox VMs on the target machine.\n Due to the nature of VirtualBox, this module can only enumerate VMs registered\n for the current user, therefore, this module needs to be invoked from a user context.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": 
"2017-09-30 15:45:52 +0000", "path": "/modules/post/multi/gather/enum_vbox.rb", "is_install_path": true, "ref_name": "multi/gather/enum_vbox", "check": false }, "post_multi/gather/env": { "name": "Multi Gather Generic Operating System Environment Settings", "full_name": "post/multi/gather/env", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "egypt " ], "description": "This module prints out the operating system environment variables", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/env.rb", "is_install_path": true, "ref_name": "multi/gather/env", "check": false }, "post_multi/gather/fetchmailrc_creds": { "name": "UNIX Gather .fetchmailrc Credentials", "full_name": "post/multi/gather/fetchmailrc_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "Post Module to obtain credentials saved for IMAP, POP and other mail\n retrieval protocols in fetchmail's .fetchmailrc", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/fetchmailrc_creds.rb", "is_install_path": true, "ref_name": "multi/gather/fetchmailrc_creds", "check": false }, "post_multi/gather/filezilla_client_cred": { "name": "Multi Gather FileZilla FTP Client Credential Collection", "full_name": "post/multi/gather/filezilla_client_cred", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bannedit ", "Carlos Perez " ], "description": "This module will collect credentials from the FileZilla FTP client if it is installed.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 
06:26:21 +0000", "path": "/modules/post/multi/gather/filezilla_client_cred.rb", "is_install_path": true, "ref_name": "multi/gather/filezilla_client_cred", "check": false }, "post_multi/gather/find_vmx": { "name": "Multi Gather VMWare VM Identification", "full_name": "post/multi/gather/find_vmx", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to find any VMWare virtual machines stored on the target.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/find_vmx.rb", "is_install_path": true, "ref_name": "multi/gather/find_vmx", "check": false }, "post_multi/gather/firefox_creds": { "name": "Multi Gather Firefox Signon Credential Collection", "full_name": "post/multi/gather/firefox_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bannedit ", "xard4s", "g0tmi1k" ], "description": "This module will collect credentials from the Firefox web browser if it is\n installed on the targeted machine. Additionally, cookies are downloaded, which\n could potentially yield valid web sessions.\n\n Firefox stores passwords within the signons.sqlite database file. There is also a\n key3.db file which contains the key for decrypting these passwords. In cases where\n a Master Password has not been set, the passwords can easily be decrypted using\n 3rd party tools or by setting the DECRYPT option to true. Using the latter often\n needs root privileges. Also be warned that if your session dies in the middle of the\n file renaming process, this could leave Firefox in a non-working state. 
If a\n Master Password was used the only option would be to bruteforce.\n\n Useful 3rd party tools:\n + firefox_decrypt (https://github.com/Unode/firefox_decrypt)\n + pswRecovery4Moz (https://github.com/philsmd/pswRecovery4Moz)", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/firefox_creds.rb", "is_install_path": true, "ref_name": "multi/gather/firefox_creds", "check": false }, "post_multi/gather/gpg_creds": { "name": "Multi Gather GnuPG Credentials Collection", "full_name": "post/multi/gather/gpg_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Dhiru Kholia " ], "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-28 10:16:59 +0000", "path": "/modules/post/multi/gather/gpg_creds.rb", "is_install_path": true, "ref_name": "multi/gather/gpg_creds", "check": false }, "post_multi/gather/irssi_creds": { "name": "Multi Gather IRSSI IRC Password(s)", "full_name": "post/multi/gather/irssi_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jonathan Claudius " ], "description": "This module grabs IRSSI IRC credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/irssi_creds.rb", "is_install_path": true, "ref_name": "multi/gather/irssi_creds", "check": false }, "post_multi/gather/jboss_gather": { "name": "Jboss Credential Collector", "full_name": "post/multi/gather/jboss_gather", "rank": 300, 
"disclosure_date": null, "type": "post", "author": [ "Koen Riepe (koen.riepe " ], "description": "This module can be used to extract the Jboss admin passwords for version 4,5 and 6.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/jboss_gather.rb", "is_install_path": true, "ref_name": "multi/gather/jboss_gather", "check": false }, "post_multi/gather/jenkins_gather": { "name": "Jenkins Credential Collector", "full_name": "post/multi/gather/jenkins_gather", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "thesubtlety" ], "description": "This module can be used to extract saved Jenkins credentials, user\n tokens, SSH keys, and secrets. Interesting files will be stored in\n loot along with combined csv output.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-07-05 14:33:51 +0000", "path": "/modules/post/multi/gather/jenkins_gather.rb", "is_install_path": true, "ref_name": "multi/gather/jenkins_gather", "check": false }, "post_multi/gather/lastpass_creds": { "name": "LastPass Vault Decryptor", "full_name": "post/multi/gather/lastpass_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Alberto Garcia Illera ", "Martin Vigo ", "Jon Hart " ], "description": "This module extracts and decrypts LastPass master login accounts and passwords,\n encryption keys, 2FA tokens and all the vault passwords", "references": [ "URL-http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it" ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-30 15:45:52 +0000", "path": "/modules/post/multi/gather/lastpass_creds.rb", "is_install_path": true, "ref_name": "multi/gather/lastpass_creds", 
"check": false }, "post_multi/gather/maven_creds": { "name": "Multi Gather Maven Credentials Collection", "full_name": "post/multi/gather/maven_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "elenoir" ], "description": "This module will collect the contents of all users settings.xml on the targeted\n machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-26 17:52:11 +0000", "path": "/modules/post/multi/gather/maven_creds.rb", "is_install_path": true, "ref_name": "multi/gather/maven_creds", "check": false }, "post_multi/gather/multi_command": { "name": "Multi Gather Run Shell Command Resource File", "full_name": "post/multi/gather/multi_command", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will read shell commands from a resource file and\n execute the commands in the specified Meterpreter or shell session.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/multi_command.rb", "is_install_path": true, "ref_name": "multi/gather/multi_command", "check": false }, "post_multi/gather/netrc_creds": { "name": "UNIX Gather .netrc Credentials", "full_name": "post/multi/gather/netrc_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "Post Module to obtain credentials saved for FTP and other services in .netrc", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/netrc_creds.rb", "is_install_path": true, "ref_name": "multi/gather/netrc_creds", "check": false }, 
"post_multi/gather/pgpass_creds": { "name": "Multi Gather pgpass Credentials", "full_name": "post/multi/gather/pgpass_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Zach Grace " ], "description": "This module will collect the contents of all users' .pgpass or pgpass.conf\n file and parse them for credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/pgpass_creds.rb", "is_install_path": true, "ref_name": "multi/gather/pgpass_creds", "check": false }, "post_multi/gather/pidgin_cred": { "name": "Multi Gather Pidgin Instant Messenger Credential Collection", "full_name": "post/multi/gather/pidgin_cred", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bannedit ", "Carlos Perez " ], "description": "This module will collect credentials from the Pidgin IM client if it is installed.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/pidgin_cred.rb", "is_install_path": true, "ref_name": "multi/gather/pidgin_cred", "check": false }, "post_multi/gather/ping_sweep": { "name": "Multi Gather Ping Sweep", "full_name": "post/multi/gather/ping_sweep", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Performs IPv4 ping sweep using the OS included ping command.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/ping_sweep.rb", "is_install_path": true, "ref_name": "multi/gather/ping_sweep", "check": false }, "post_multi/gather/remmina_creds": { "name": "UNIX Gather 
Remmina Credentials", "full_name": "post/multi/gather/remmina_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files.\n These are encrypted with 3DES using a 256-bit key generated by Remmina which is (by design)\n stored in (relatively) plain text in a file that must be properly protected.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-30 15:45:52 +0000", "path": "/modules/post/multi/gather/remmina_creds.rb", "is_install_path": true, "ref_name": "multi/gather/remmina_creds", "check": false }, "post_multi/gather/resolve_hosts": { "name": "Multi Gather Resolve Hosts", "full_name": "post/multi/gather/resolve_hosts", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Python,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/resolve_hosts.rb", "is_install_path": true, "ref_name": "multi/gather/resolve_hosts", "check": false }, "post_multi/gather/rsyncd_creds": { "name": "UNIX Gather RSYNC Credentials", "full_name": "post/multi/gather/rsyncd_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "Post Module to obtain credentials saved for RSYNC in various locations", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/rsyncd_creds.rb", "is_install_path": true, "ref_name": "multi/gather/rsyncd_creds", "check": false }, 
"post_multi/gather/rubygems_api_key": { "name": "Multi Gather RubyGems API Key", "full_name": "post/multi/gather/rubygems_api_key", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jonathan Claudius ", "Brandon Myers " ], "description": "This module obtains a user's RubyGems API key from ~/.gem/credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/rubygems_api_key.rb", "is_install_path": true, "ref_name": "multi/gather/rubygems_api_key", "check": false }, "post_multi/gather/run_console_rc_file": { "name": "Multi Gather Run Console Resource File", "full_name": "post/multi/gather/run_console_rc_file", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will read console commands from a resource file and\n execute the commands in the specified Meterpreter session.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/run_console_rc_file.rb", "is_install_path": true, "ref_name": "multi/gather/run_console_rc_file", "check": false }, "post_multi/gather/skype_enum": { "name": "Multi Gather Skype User Data Enumeration", "full_name": "post/multi/gather/skype_enum", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate Skype account settings, contact list, call history, chat logs,\n file transfer history, and voicemail logs, saving all the data to CSV files for analysis.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/skype_enum.rb", 
"is_install_path": true, "ref_name": "multi/gather/skype_enum", "check": false }, "post_multi/gather/ssh_creds": { "name": "Multi Gather OpenSSH PKI Credentials Collection", "full_name": "post/multi/gather/ssh_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jim Halfpenny" ], "description": "This module will collect the contents of all users' .ssh directories on the targeted\n machine. Additionally, known_hosts and authorized_keys and any other files are also\n downloaded. This module is largely based on firefox_creds.rb.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/ssh_creds.rb", "is_install_path": true, "ref_name": "multi/gather/ssh_creds", "check": false }, "post_multi/gather/thunderbird_creds": { "name": "Multi Gather Mozilla Thunderbird Signon Credential Collection", "full_name": "post/multi/gather/thunderbird_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will collect credentials from Mozilla Thunderbird by downloading\n the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for\n offline decryption with third party tools.\n\n If necessary, you may also set the PARSE option to true to parse the sqlite\n file, which contains sensitive information such as the encrypted username/password.\n However, this feature is not enabled by default, because it requires SQLITE3 gem\n to be installed on your machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/multi/gather/thunderbird_creds.rb", "is_install_path": true, "ref_name": "multi/gather/thunderbird_creds", "check": false }, "post_multi/gather/tomcat_gather": { "name": "Gather Tomcat 
Credentials", "full_name": "post/multi/gather/tomcat_gather", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Koen Riepe " ], "description": "This module will attempt to collect credentials from Tomcat services running on the machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/gather/tomcat_gather.rb", "is_install_path": true, "ref_name": "multi/gather/tomcat_gather", "check": false }, "post_multi/gather/wlan_geolocate": { "name": "Multiplatform WLAN Enumeration and Geolocation", "full_name": "post/multi/gather/wlan_geolocate", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Tom Sellers " ], "description": "Enumerate wireless networks visible to the target device.\n Optionally geolocate the target by gathering local wireless networks and\n performing a lookup against Google APIs.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-10-01 19:49:32 +0000", "path": "/modules/post/multi/gather/wlan_geolocate.rb", "is_install_path": true, "ref_name": "multi/gather/wlan_geolocate", "check": false }, "post_multi/general/close": { "name": "Multi Generic Operating System Session Close", "full_name": "post/multi/general/close", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "hdm " ], "description": "This module closes the specified session. 
This can be useful as a finisher for automation tasks", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/general/close.rb", "is_install_path": true, "ref_name": "multi/general/close", "check": false }, "post_multi/general/execute": { "name": "Multi Generic Operating System Session Command Execution", "full_name": "post/multi/general/execute", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "hdm " ], "description": "This module executes an arbitrary command line", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/general/execute.rb", "is_install_path": true, "ref_name": "multi/general/execute", "check": false }, "post_multi/general/wall": { "name": "Write Messages to Users", "full_name": "post/multi/general/wall", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Jon Hart " ], "description": "This module utilizes the wall(1) or write(1) utilities, as appropriate,\n to send messages to users on the target system.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/general/wall.rb", "is_install_path": true, "ref_name": "multi/general/wall", "check": false }, "post_multi/manage/autoroute": { "name": "Multi Manage Network Route via Meterpreter Session", "full_name": "post/multi/manage/autoroute", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "todb ", "Josh Hale \"sn0wfa11\" " ], "description": "This module manages session routing via an existing\n Meterpreter session. 
It enables other modules to 'pivot' through a\n compromised host when connecting to the named NETWORK and SUBMASK.\n Autoadd will search a session for valid subnets from the routing table\n and interface list then add routes to them. Default will add a default\n route so that all TCP/IP traffic not specified in the MSF routing table\n will be routed through the session when pivoting. See the documentation for more:\n run 'info -d' and click 'Knowledge Base'", "references": [ ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/autoroute.rb", "is_install_path": true, "ref_name": "multi/manage/autoroute", "check": false }, "post_multi/manage/dbvis_add_db_admin": { "name": "Multi Manage DbVisualizer Add Db Admin", "full_name": "post/multi/manage/dbvis_add_db_admin", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "David Bloom" ], "description": "DbVisualizer offers a command line functionality to execute SQL against pre-configured databases\n (With GUI). The remote database can be accessed from the command line without the need\n to authenticate, which can be abused to create an administrator in the database with the\n proper database permissions. 
Note: This module currently only supports MySQL.", "references": [ "URL-http://youtu.be/0LCLRVHX1vA" ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/dbvis_add_db_admin.rb", "is_install_path": true, "ref_name": "multi/manage/dbvis_add_db_admin", "check": false }, "post_multi/manage/dbvis_query": { "name": "Multi Manage DbVisualizer Query", "full_name": "post/multi/manage/dbvis_query", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "David Bloom" ], "description": "DbVisualizer offers a command line functionality to execute SQL against pre-configured databases\n (With GUI). The remote database can be accessed from the command line without the need\n to authenticate, and this module abuses this functionality to run queries and store the\n results.\n\n Please note: escape quotes with a backslash, and your (stacked or not) queries should\n end with a semicolon.", "references": [ "URL-http://youtu.be/0LCLRVHX1vA" ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/dbvis_query.rb", "is_install_path": true, "ref_name": "multi/manage/dbvis_query", "check": false }, "post_multi/manage/hsts_eraser": { "name": "Web browsers HSTS entries eraser", "full_name": "post/multi/manage/hsts_eraser", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sheila A. 
Berta (UnaPibaGeek)" ], "description": "This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,\n Google Chrome, Opera, Safari and wget.", "references": [ "URL-http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html", "URL-https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf" ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix,Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2018-02-03 02:18:30 +0000", "path": "/modules/post/multi/manage/hsts_eraser.rb", "is_install_path": true, "ref_name": "multi/manage/hsts_eraser", "check": false }, "post_multi/manage/multi_post": { "name": "Multi Manage Post Module Macro Execution", "full_name": "post/multi/manage/multi_post", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "carlos_perez " ], "description": "This module will execute a list of modules given in a macro file in the format\n of against the select session checking for compatibility\n of the module against the sessions and validation of the options provided.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Solaris,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/multi_post.rb", "is_install_path": true, "ref_name": "multi/manage/multi_post", "check": false }, "post_multi/manage/open": { "name": "Open a file or URL on the target computer", "full_name": "post/multi/manage/open", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Eliott Teissonniere" ], "description": "This module will open any file or URL specified with the URI format on the\n target computer via the embedded commands such as 'open' or 'xdg-open'.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, 
"targets": null, "mod_time": "2018-06-21 16:46:15 +0000", "path": "/modules/post/multi/manage/open.rb", "is_install_path": true, "ref_name": "multi/manage/open", "check": false }, "post_multi/manage/play_youtube": { "name": "Multi Manage YouTube Broadcast", "full_name": "post/multi/manage/play_youtube", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will broadcast a YouTube video on specified compromised systems. It will play\n the video in the target machine's native browser in full screen mode. The VID datastore\n option is the \"v\" parameter in a YouTube video's URL.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android,Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-17 16:46:51 +0000", "path": "/modules/post/multi/manage/play_youtube.rb", "is_install_path": true, "ref_name": "multi/manage/play_youtube", "check": false }, "post_multi/manage/record_mic": { "name": "Multi Manage Record Microphone", "full_name": "post/multi/manage/record_mic", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will enable and record your target's microphone.\n For non-Windows targets, please use Java meterpreter to be\n able to use this feature.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/record_mic.rb", "is_install_path": true, "ref_name": "multi/manage/record_mic", "check": false }, "post_multi/manage/screensaver": { "name": "Multi Manage the screensaver of the target computer", "full_name": "post/multi/manage/screensaver", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Eliott Teissonniere" ], "description": "This module allows you to turn on or off the screensaver of the target computer and also\n lock the 
current session.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-21 16:46:00 +0000", "path": "/modules/post/multi/manage/screensaver.rb", "is_install_path": true, "ref_name": "multi/manage/screensaver", "check": false }, "post_multi/manage/set_wallpaper": { "name": "Multi Manage Set Wallpaper", "full_name": "post/multi/manage/set_wallpaper", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "timwr" ], "description": "This module will set the desktop wallpaper background on the specified session.\n The method of setting the wallpaper depends on the platform type.", "references": [ ], "is_server": false, "is_client": false, "platform": "Android,Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/set_wallpaper.rb", "is_install_path": true, "ref_name": "multi/manage/set_wallpaper", "check": false }, "post_multi/manage/shell_to_meterpreter": { "name": "Shell to Meterpreter Upgrade", "full_name": "post/multi/manage/shell_to_meterpreter", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Tom Sellers " ], "description": "This module attempts to upgrade a command shell to meterpreter. The shell\n platform is automatically detected and the best version of meterpreter for\n the target is selected. 
Currently meterpreter/reverse_tcp is used on Windows\n and Linux, with 'python/meterpreter/reverse_tcp' used on all others.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-02-21 02:54:38 +0000", "path": "/modules/post/multi/manage/shell_to_meterpreter.rb", "is_install_path": true, "ref_name": "multi/manage/shell_to_meterpreter", "check": false }, "post_multi/manage/sudo": { "name": "Multiple Linux / Unix Post Sudo Upgrade Shell", "full_name": "post/multi/manage/sudo", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "todb ", "Ryan Baxendale " ], "description": "This module attempts to upgrade a shell account to UID 0 by reusing the\n given password and passing it to sudo. This technique relies on sudo\n versions from 2008 and later which support -A.", "references": [ "URL-http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h" ], "is_server": false, "is_client": false, "platform": "AIX,Linux,OSX,Solaris,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/sudo.rb", "is_install_path": true, "ref_name": "multi/manage/sudo", "check": false }, "post_multi/manage/system_session": { "name": "Multi Manage System Remote TCP Shell Session", "full_name": "post/multi/manage/system_session", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will create a Reverse TCP Shell on the target system\n using the system's own scripting environments installed on the\n target.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-22 13:38:06 +0000", "path": "/modules/post/multi/manage/system_session.rb", "is_install_path": true, "ref_name": "multi/manage/system_session", "check": false }, 
"post_multi/manage/upload_exec": { "name": "Upload and Execute", "full_name": "post/multi/manage/upload_exec", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "egypt " ], "description": "Push a file and execute it", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,OSX,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-07-26 19:29:46 +0000", "path": "/modules/post/multi/manage/upload_exec.rb", "is_install_path": true, "ref_name": "multi/manage/upload_exec", "check": false }, "post_multi/manage/zip": { "name": "Multi Manage File Compressor", "full_name": "post/multi/manage/zip", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module zips a file or a directory. On Linux, it uses the zip command.\n On Windows, it will try to use remote target's 7Zip if found. If not, it falls\n back to its Windows Scripting Host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Linux,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/manage/zip.rb", "is_install_path": true, "ref_name": "multi/manage/zip", "check": false }, "post_multi/recon/local_exploit_suggester": { "name": "Multi Recon Local Exploit Suggester", "full_name": "post/multi/recon/local_exploit_suggester", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r ", "Mo" ], "description": "This module suggests local meterpreter exploits that can be used.\n\n The exploits are suggested based on the architecture and platform\n that the user has a shell opened as well as the available exploits\n in meterpreter.\n\n It's important to note that not all local exploits will be fired.\n Exploits are chosen based on these conditions: session type,\n platform, architecture, and required default options.", "references": [ ], "is_server": false, "is_client": false, "platform": 
"AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-05 04:41:58 +0000", "path": "/modules/post/multi/recon/local_exploit_suggester.rb", "is_install_path": true, "ref_name": "multi/recon/local_exploit_suggester", "check": false }, "post_multi/recon/multiport_egress_traffic": { "name": "Generate TCP/UDP Outbound Traffic On Multiple Ports", "full_name": "post/multi/recon/multiport_egress_traffic", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module generates TCP or UDP traffic across a\n sequence of ports, and is useful for finding firewall\n holes and egress filtering. It only generates traffic\n on the port range you specify. It is up to you to\n run a responder or packet capture tool on a remote\n endpoint to determine which ports are open.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/multi/recon/multiport_egress_traffic.rb", "is_install_path": true, "ref_name": "multi/recon/multiport_egress_traffic", "check": false }, "post_multi/recon/sudo_commands": { "name": "Sudo Commands", "full_name": "post/multi/recon/sudo_commands", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bcoles" ], "description": "This module examines the sudoers configuration for the session user\n and lists the commands executable via sudo.\n\n This module also inspects each command and reports potential avenues\n for privileged code execution due to poor file system permissions or\n permitting execution of executables known to be useful for privesc,\n such as utilities designed for file read/write, user modification,\n or execution of 
arbitrary operating system commands.\n\n Note, you may need to provide the password for the session user.", "references": [ ], "is_server": false, "is_client": false, "platform": "BSD,Linux,OSX,Solaris,Unix", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-25 04:20:25 +0000", "path": "/modules/post/multi/recon/sudo_commands.rb", "is_install_path": true, "ref_name": "multi/recon/sudo_commands", "check": false }, "post_osx/admin/say": { "name": "OS X Text to Speech Utility", "full_name": "post/osx/admin/say", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will speak whatever is in the 'TEXT' option on the victim machine.", "references": [ "URL-http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/admin/say.rb", "is_install_path": true, "ref_name": "osx/admin/say", "check": false }, "post_osx/capture/keylog_recorder": { "name": "OSX Capture Userspace Keylogger", "full_name": "post/osx/capture/keylog_recorder", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "joev " ], "description": "Logs all keyboard events except cmd-keys and GUI password input.\n\n Keylogs are transferred between client/server in chunks\n every SYNCWAIT seconds for reliability.\n\n Works by calling the Carbon GetKeys() hook using the DL lib\n in OSX's system Ruby. 
The Ruby code is executed in a shell\n command using -e, so the payload never hits the disk.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2018-04-28 15:56:56 +0000", "path": "/modules/post/osx/capture/keylog_recorder.rb", "is_install_path": true, "ref_name": "osx/capture/keylog_recorder", "check": false }, "post_osx/capture/screen": { "name": "OSX Screen Capture", "full_name": "post/osx/capture/screen", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Peter Toth " ], "description": "This module takes screenshots of target desktop and automatically downloads them.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/capture/screen.rb", "is_install_path": true, "ref_name": "osx/capture/screen", "check": false }, "post_osx/gather/apfs_encrypted_volume_passwd": { "name": "Mac OS X APFS Encrypted Volume Password Disclosure", "full_name": "post/osx/gather/apfs_encrypted_volume_passwd", "rank": 300, "disclosure_date": "2018-03-21", "type": "post", "author": [ "Sarah Edwards", "cbrnrd" ], "description": "This module exploits a flaw in OSX 10.13 through 10.13.3\n that discloses the passwords of encrypted APFS volumes.\n\n In OSX a normal user can use the 'log' command to view the system\n logs. 
In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS\n volume the password is visible in plaintext within these logs.", "references": [ "URL-https://thehackernews.com/2018/03/macos-apfs-password.html", "URL-https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r", "rport": null, "targets": null, "mod_time": "2018-04-18 14:22:32 +0000", "path": "/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb", "is_install_path": true, "ref_name": "osx/gather/apfs_encrypted_volume_passwd", "check": true }, "post_osx/gather/autologin_password": { "name": "OSX Gather Autologin Password as Root", "full_name": "post/osx/gather/autologin_password", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "joev " ], "description": "This module will steal the plaintext password of any user on the machine\n with autologin enabled. 
Root access is required.\n\n When a user has autologin enabled (System Preferences -> Accounts), OSX\n stores their password with an XOR encoding in /private/etc/kcpassword.", "references": [ "URL-http://www.brock-family.org/gavin/perl/kcpassword.html" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-22 22:25:39 +0000", "path": "/modules/post/osx/gather/autologin_password.rb", "is_install_path": true, "ref_name": "osx/gather/autologin_password", "check": false }, "post_osx/gather/enum_adium": { "name": "OS X Gather Adium Enumeration", "full_name": "post/osx/gather/enum_adium", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will collect Adium's account plist files and chat logs from the\n victim's machine. There are three different actions you may choose: ACCOUNTS,\n CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex\n 'PATTERN' option in order to look for certain log names (which consists of a\n contact's name, and a timestamp). The current 'PATTERN' option is configured to\n look for any log created on February 2012 as an example. To loot both account\n plists and chat logs, simply set the action to 'ALL'.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/gather/enum_adium.rb", "is_install_path": true, "ref_name": "osx/gather/enum_adium", "check": false }, "post_osx/gather/enum_airport": { "name": "OS X Gather Airport Wireless Preferences", "full_name": "post/osx/gather/enum_airport", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will download OS X Airport Wireless preferences from the victim\n machine. 
"The preferences file (which is a plist) contains information such as:\n SSID, Channels, Security Type, Password ID, etc.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/gather/enum_airport.rb", "is_install_path": true, "ref_name": "osx/gather/enum_airport", "check": false }, "post_osx/gather/enum_chicken_vnc_profile": { "name": "OS X Gather Chicken of the VNC Profile", "full_name": "post/osx/gather/enum_chicken_vnc_profile", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will download the \"Chicken of the VNC\" client application's\n profile file, which is used to store other VNC servers' information such\n as the IP and password.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/osx/gather/enum_chicken_vnc_profile.rb", "is_install_path": true, "ref_name": "osx/gather/enum_chicken_vnc_profile", "check": false }, "post_osx/gather/enum_colloquy": { "name": "OS X Gather Colloquy Enumeration", "full_name": "post/osx/gather/enum_colloquy", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will collect Colloquy's info plist file and chat logs from the\n victim's machine. There are three actions you may choose: INFO, CHATS, and\n ALL. Please note that the CHAT action may take a long time depending on the\n victim machine, therefore we suggest setting the regex 'PATTERN' option in order\n to search for certain log names (which consist of the contact's name, and a\n timestamp). 
The default 'PATTERN' is configured as \"^alien\" as an example\n to search for any chat logs associated with the name \"alien\".", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/gather/enum_colloquy.rb", "is_install_path": true, "ref_name": "osx/gather/enum_colloquy", "check": false }, "post_osx/gather/enum_keychain": { "name": "OS X Gather Keychain Enumeration", "full_name": "post/osx/gather/enum_keychain", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "ipwnstuff ", "joev " ], "description": "This module presents a way to quickly go through the current user's keychains and\n collect data such as email accounts, servers, and other services. Please note:\n when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication\n alert flash briefly on their screen that gets dismissed by a programmatically triggered click.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/osx/gather/enum_keychain.rb", "is_install_path": true, "ref_name": "osx/gather/enum_keychain", "check": false }, "post_osx/gather/enum_messages": { "name": "OS X Gather Messages", "full_name": "post/osx/gather/enum_messages", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Geckom " ], "description": "This module will collect the Messages sqlite3 database files and chat logs\n from the victim's machine. There are four actions you may choose: DBFILE,\n READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and\n LATEST will retrieve the last X number of messages (useful with 2FA). 
Module\n was tested with OS X 10.11 (El Capitan).", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/gather/enum_messages.rb", "is_install_path": true, "ref_name": "osx/gather/enum_messages", "check": false }, "post_osx/gather/enum_osx": { "name": "OS X Gather Mac OS X System Information Enumeration", "full_name": "post/osx/gather/enum_osx", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module gathers basic system information from Mac OS X Tiger, Leopard,\n Snow Leopard and Lion systems.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-22 22:25:39 +0000", "path": "/modules/post/osx/gather/enum_osx.rb", "is_install_path": true, "ref_name": "osx/gather/enum_osx", "check": false }, "post_osx/gather/hashdump": { "name": "OS X Gather Mac OS X Password Hash Collector", "full_name": "post/osx/gather/hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "hammackj ", "joev " ], "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. 
Supports\n versions 10.3 to 10.9.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-22 22:25:39 +0000", "path": "/modules/post/osx/gather/hashdump.rb", "is_install_path": true, "ref_name": "osx/gather/hashdump", "check": false }, "post_osx/gather/password_prompt_spoof": { "name": "OSX Password Prompt Spoof", "full_name": "post/osx/gather/password_prompt_spoof", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joff Thyer ", "joev ", "Peter Toth " ], "description": "Presents a password prompt dialog to a logged-in OSX user.", "references": [ "URL-http://blog.packetheader.net/2011/10/fun-with-applescript.html" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/gather/password_prompt_spoof.rb", "is_install_path": true, "ref_name": "osx/gather/password_prompt_spoof", "check": false }, "post_osx/gather/safari_lastsession": { "name": "OSX Gather Safari LastSession.plist", "full_name": "post/osx/gather/safari_lastsession", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module downloads the LastSession.plist file from the target machine.\n LastSession.plist is used by Safari to track active websites in the current session,\n and sometimes contains sensitive information such as usernames and passwords.\n\n This module will first download the original LastSession.plist, and then attempt\n to find the credential for Gmail. The Gmail's last session state may contain the\n user's credential if his/her first login attempt failed (likely due to a typo),\n and then the page got refreshed or another login attempt was made. 
This also means\n the stolen credential might contain typos.", "references": [ "URL-http://www.securelist.com/en/blog/8168/Loophole_in_Safari" ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/osx/gather/safari_lastsession.rb", "is_install_path": true, "ref_name": "osx/gather/safari_lastsession", "check": false }, "post_osx/manage/mount_share": { "name": "OSX Network Share Mounter", "full_name": "post/osx/manage/mount_share", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Peter Toth ", "joev " ], "description": "This module lists saved network shares and tries to connect to them using stored\n credentials. This does not require root privileges.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/manage/mount_share.rb", "is_install_path": true, "ref_name": "osx/manage/mount_share", "check": false }, "post_osx/manage/record_mic": { "name": "OSX Manage Record Microphone", "full_name": "post/osx/manage/record_mic", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "joev " ], "description": "This module will allow the user to detect (with the LIST action) and\n capture (with the RECORD action) audio inputs on a remote OSX machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/manage/record_mic.rb", "is_install_path": true, "ref_name": "osx/manage/record_mic", "check": false }, "post_osx/manage/vpn": { "name": "OSX VPN Manager", "full_name": "post/osx/manage/vpn", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Peter Toth " ], "description": "This module lists VPN connections and tries to connect to them using stored 
credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/manage/vpn.rb", "is_install_path": true, "ref_name": "osx/manage/vpn", "check": false }, "post_osx/manage/webcam": { "name": "OSX Manage Webcam", "full_name": "post/osx/manage/webcam", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "joev " ], "description": "This module will allow the user to detect installed webcams (with\n the LIST action), take a snapshot (with the SNAPSHOT action), or\n record a webcam and mic (with the RECORD action)", "references": [ ], "is_server": false, "is_client": false, "platform": "OSX", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/osx/manage/webcam.rb", "is_install_path": true, "ref_name": "osx/manage/webcam", "check": false }, "post_solaris/gather/checkvm": { "name": "Solaris Gather Virtual Environment Detection", "full_name": "post/solaris/gather/checkvm", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Solaris Zone, VMWare, VirtualBox, Xen,\n and QEMU/KVM.", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/solaris/gather/checkvm.rb", "is_install_path": true, "ref_name": "solaris/gather/checkvm", "check": false }, "post_solaris/gather/enum_packages": { "name": "Solaris Gather Installed Packages", "full_name": "post/solaris/gather/enum_packages", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Post Module to enumerate installed packages on a Solaris System", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/solaris/gather/enum_packages.rb", "is_install_path": true, "ref_name": "solaris/gather/enum_packages", "check": false }, "post_solaris/gather/enum_services": { "name": "Solaris Gather Configured Services", "full_name": "post/solaris/gather/enum_services", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Post Module to enumerate services on a Solaris System", "references": [ ], "is_server": false, "is_client": false, "platform": "Solaris", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/solaris/gather/enum_services.rb", "is_install_path": true, "ref_name": "solaris/gather/enum_services", "check": false }, "post_solaris/gather/hashdump": { "name": "Solaris Gather Dump Password Hashes for Solaris Systems", "full_name": "post/solaris/gather/hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "Post Module to dump the password hashes for all users on a Solaris System", "references": [ ], "is_server": false, "is_client": false, 
"platform": "Solaris", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/solaris/gather/hashdump.rb", "is_install_path": true, "ref_name": "solaris/gather/hashdump", "check": false }, "post_windows/capture/keylog_recorder": { "name": "Windows Capture Keystroke Recorder", "full_name": "post/windows/capture/keylog_recorder", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "Josh Hale " ], "description": "This module can be used to capture keystrokes. To capture keystrokes when the session is running\n as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of\n Explorer, Winlogon, or a specific PID. To capture the keystrokes of the interactive user, the\n Explorer option should be used with MIGRATE enabled. Keep in mind that this will demote this session\n to the user's privileges, so it makes sense to create a separate session for this task. The Winlogon\n option will capture the username and password entered into the logon and unlock dialog. The LOCKSCREEN\n option can be combined with the Winlogon CAPTURE_TYPE to force the user to enter their clear-text\n password. 
It is recommended to run this module as a job, otherwise it will tie up your framework user interface.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/capture/keylog_recorder.rb", "is_install_path": true, "ref_name": "windows/capture/keylog_recorder", "check": false }, "post_windows/capture/lockout_keylogger": { "name": "Windows Capture Winlogon Lockout Credential Keylogger", "full_name": "post/windows/capture/lockout_keylogger", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix ", "cg" ], "description": "This module migrates and logs Microsoft Windows user's passwords via\n Winlogon.exe using idle time and natural system changes to give a\n false sense of security to the user.", "references": [ "URL-http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/capture/lockout_keylogger.rb", "is_install_path": true, "ref_name": "windows/capture/lockout_keylogger", "check": false }, "post_windows/escalate/droplnk": { "name": "Windows Escalate SMB Icon LNK Dropper", "full_name": "post/windows/escalate/droplnk", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module drops a shortcut (LNK file) that has an ICON reference\n existing on the specified remote host, causing SMB and WebDAV\n connections to be initiated from any user that views the shortcut.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/escalate/droplnk.rb", "is_install_path": true, "ref_name": "windows/escalate/droplnk", "check": false }, 
"post_windows/escalate/getsystem": { "name": "Windows Escalate Get System via Administrator", "full_name": "post/windows/escalate/getsystem", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "hdm " ], "description": "This module uses the builtin 'getsystem' command to escalate\n the current session to the SYSTEM account from an administrator\n user account.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/escalate/getsystem.rb", "is_install_path": true, "ref_name": "windows/escalate/getsystem", "check": false }, "post_windows/escalate/golden_ticket": { "name": "Windows Escalate Golden Ticket", "full_name": "post/windows/escalate/golden_ticket", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will create a Golden Kerberos Ticket using the Mimikatz Kiwi Extension. If no\n options are applied it will attempt to identify the current domain, the domain administrator\n account, the target domain SID, and retrieve the krbtgt NTLM hash from the database. 
By default\n the well-known administrative group RIDs 512, 513, 518, 519, and 520 will be applied to the ticket.", "references": [ "URL-https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-27 15:36:41 +0000", "path": "/modules/post/windows/escalate/golden_ticket.rb", "is_install_path": true, "ref_name": "windows/escalate/golden_ticket", "check": false }, "post_windows/escalate/ms10_073_kbdlayout": { "name": "Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation", "full_name": "post/windows/escalate/ms10_073_kbdlayout", "rank": 300, "disclosure_date": "2010-10-12", "type": "post", "author": [ "Ruben Santamarta", "jduck " ], "description": "This module exploits the keyboard layout vulnerability exploited by Stuxnet. When\n processing specially crafted keyboard layout files (DLLs), the Windows kernel fails\n to validate that an array index is within the bounds of the array. By loading\n a specially crafted keyboard layout, an attacker can execute code in Ring 0.", "references": [ "OSVDB-68552", "CVE-2010-2743", "MSB-MS10-073", "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1", "EDB-15985" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/escalate/ms10_073_kbdlayout.rb", "is_install_path": true, "ref_name": "windows/escalate/ms10_073_kbdlayout", "check": false }, "post_windows/escalate/screen_unlock": { "name": "Windows Escalate Locked Desktop Unlocker", "full_name": "post/windows/escalate/screen_unlock", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "L4teral ", "Metlstorm" ], "description": "This module unlocks a locked Windows desktop by patching\n the respective code inside the LSASS.exe process. 
This\n patching process can result in the target system hanging or\n even rebooting, so be careful when using this module on\n production systems.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/escalate/screen_unlock.rb", "is_install_path": true, "ref_name": "windows/escalate/screen_unlock", "check": false }, "post_windows/gather/ad_to_sqlite": { "name": "AD Computer, Group and Recursive User Membership to Local SQLite DB", "full_name": "post/windows/gather/ad_to_sqlite", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will gather a list of AD groups, identify the users (taking into account recursion)\n and write this to a SQLite database for offline analysis and query using normal SQL syntax.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/ad_to_sqlite.rb", "is_install_path": true, "ref_name": "windows/gather/ad_to_sqlite", "check": false }, "post_windows/gather/arp_scanner": { "name": "Windows Gather ARP Scanner", "full_name": "post/windows/gather/arp_scanner", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This Module will perform an ARP scan for a given IP range through a\n Meterpreter Session.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/arp_scanner.rb", "is_install_path": true, "ref_name": "windows/gather/arp_scanner", "check": false }, "post_windows/gather/bitcoin_jacker": { "name": "Windows Gather Bitcoin Wallet", "full_name": "post/windows/gather/bitcoin_jacker", "rank": 
300, "disclosure_date": null, "type": "post", "author": [ "illwill ", "todb " ], "description": "This module downloads any Bitcoin wallet files from the target\n system. It currently supports both the classic Satoshi wallet and the\n more recent Armory wallets. Note that Satoshi wallets tend to be\n unencrypted by default, while Armory wallets tend to be encrypted by default.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/bitcoin_jacker.rb", "is_install_path": true, "ref_name": "windows/gather/bitcoin_jacker", "check": false }, "post_windows/gather/bitlocker_fvek": { "name": "Bitlocker Master Key (FVEK) Extraction", "full_name": "post/windows/gather/bitlocker_fvek", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Danil Bazin " ], "description": "This module enumerates ways to decrypt a BitLocker volume and, if a recovery key is stored locally\n or can be generated, dumps the BitLocker master key (FVEK).", "references": [ "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc", "URL-http://www.hsc.fr/ressources/outils/dislocker/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/bitlocker_fvek.rb", "is_install_path": true, "ref_name": "windows/gather/bitlocker_fvek", "check": false }, "post_windows/gather/cachedump": { "name": "Windows Gather Credential Cache Dump", "full_name": "post/windows/gather/cachedump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Maurizio Agazzini ", "mubix " ], "description": "This module uses the registry to extract the stored domain hashes that have been\n cached as a result of a GPO setting. 
The default setting on Windows is to store\n the last ten successful logins.", "references": [ "URL-http://lab.mediaservice.net/code/cachedump.rb" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/cachedump.rb", "is_install_path": true, "ref_name": "windows/gather/cachedump", "check": false }, "post_windows/gather/checkvm": { "name": "Windows Gather Virtual Environment Detection", "full_name": "post/windows/gather/checkvm", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "Aaron Soto " ], "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. This\n module supports detection of Hyper-V, VMWare, Virtual PC,\n VirtualBox, Xen, and QEMU.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-01-17 16:41:21 +0000", "path": "/modules/post/windows/gather/checkvm.rb", "is_install_path": true, "ref_name": "windows/gather/checkvm", "check": false }, "post_windows/gather/credentials/avira_password": { "name": "Windows Gather Avira Password Extraction", "full_name": "post/windows/gather/credentials/avira_password", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Robert Kugler / robertchrk" ], "description": "This module extracts the weakly hashed password\n which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/avira_password.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/avira_password", "check": false }, "post_windows/gather/credentials/bulletproof_ftp": { 
"name": "Windows Gather BulletProof FTP Client Saved Password Extraction", "full_name": "post/windows/gather/credentials/bulletproof_ftp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "juan vazquez " ], "description": "This module extracts information from BulletProof FTP Bookmarks files and store\n retrieved credentials in the database.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/bulletproof_ftp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/bulletproof_ftp", "check": false }, "post_windows/gather/credentials/coreftp": { "name": "Windows Gather CoreFTP Saved Password Extraction", "full_name": "post/windows/gather/credentials/coreftp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts saved passwords from the CoreFTP FTP client. These\n passwords are stored in the registry. 
They are encrypted with AES-128-ECB.\n This module extracts and decrypts these passwords.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/coreftp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/coreftp", "check": false }, "post_windows/gather/credentials/credential_collector": { "name": "Windows Gather Credential Collector", "full_name": "post/windows/gather/credentials/credential_collector", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "tebo " ], "description": "This module harvests credentials found on the host and stores them in the database.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/credential_collector.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/credential_collector", "check": false }, "post_windows/gather/credentials/domain_hashdump": { "name": "Windows Domain Controller Hashdump", "full_name": "post/windows/gather/credentials/domain_hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n and then parse out all of the User Accounts. 
It saves all of the captured password\n hashes, including historical ones.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-11-15 14:06:36 +0000", "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/domain_hashdump", "check": false }, "post_windows/gather/credentials/dynazip_log": { "name": "Windows Gather DynaZIP Saved Password Extraction", "full_name": "post/windows/gather/credentials/dynazip_log", "rank": 300, "disclosure_date": "2001-03-27", "type": "post", "author": [ "Brendan Coles " ], "description": "This module extracts clear text credentials from dynazip.log.\n The log file contains passwords used to encrypt compressed zip\n files in Microsoft Plus! 98 and Windows Me.", "references": [ "CVE-2001-0152", "MSB-MS01-019", "PACKETSTORM-24543", "URL-https://support.microsoft.com/en-us/kb/265131" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/dynazip_log.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/dynazip_log", "check": false }, "post_windows/gather/credentials/dyndns": { "name": "Windows Gather DynDNS Client Password Extractor", "full_name": "post/windows/gather/credentials/dyndns", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Shubham Dawra ", "sinn3r " ], "description": "This module extracts the username, password, and hosts for DynDNS version 4.1.8.\n This is done by downloading the config.dyndns file from the victim machine, and then\n automatically decode the password field. 
The original copy of the config file is also\n saved to disk.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/dyndns.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/dyndns", "check": false }, "post_windows/gather/credentials/enum_cred_store": { "name": "Windows Gather Credential Store Enumeration and Decryption Module", "full_name": "post/windows/gather/credentials/enum_cred_store", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Kx499" ], "description": "This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. It cannot decrypt Domain Network Passwords, but will\n display the username and location.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/enum_cred_store.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/enum_cred_store", "check": false }, "post_windows/gather/credentials/enum_laps": { "name": "Windows Gather Credentials Local Administrator Password Solution", "full_name": "post/windows/gather/credentials/enum_laps", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n configured in Active Directory, which is usually only accessible by privileged users.\n Note that the local administrator account name is not stored in Active Directory,\n so it is assumed to be 'Administrator' by default.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": 
null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/enum_laps.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/enum_laps", "check": false }, "post_windows/gather/credentials/enum_picasa_pwds": { "name": "Windows Gather Google Picasa Password Extractor", "full_name": "post/windows/gather/credentials/enum_picasa_pwds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Unknown", "Sil3ntDre4m " ], "description": "This module extracts and decrypts the login passwords\n stored by Google Picasa.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/enum_picasa_pwds.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/enum_picasa_pwds", "check": false }, "post_windows/gather/credentials/epo_sql": { "name": "Windows Gather McAfee ePO 4.6 Config SQL Credentials", "full_name": "post/windows/gather/credentials/epo_sql", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Nathan Einwechter " ], "description": "This module extracts connection details and decrypts the saved password for the\n SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a\n config file. 
They are encrypted with AES-128-ECB and a static key.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/epo_sql.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/epo_sql", "check": false }, "post_windows/gather/credentials/filezilla_server": { "name": "Windows Gather FileZilla FTP Server Credential Collection", "full_name": "post/windows/gather/credentials/filezilla_server", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bannedit ", "g0tmi1k" ], "description": "This module will collect credentials from the FileZilla FTP server if installed.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/filezilla_server.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/filezilla_server", "check": false }, "post_windows/gather/credentials/flashfxp": { "name": "Windows Gather FlashFXP Saved Password Extraction", "full_name": "post/windows/gather/credentials/flashfxp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts weakly encrypted saved FTP Passwords from FlashFXP. 
It\n finds saved FTP connections in the Sites.dat file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/gather/credentials/flashfxp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/flashfxp", "check": false }, "post_windows/gather/credentials/ftpnavigator": { "name": "Windows Gather FTP Navigator Saved Password Extraction", "full_name": "post/windows/gather/credentials/ftpnavigator", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/ftpnavigator.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/ftpnavigator", "check": false }, "post_windows/gather/credentials/ftpx": { "name": "Windows Gather FTP Explorer (FTPX) Credential Extraction", "full_name": "post/windows/gather/credentials/ftpx", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brendan Coles " ], "description": "This module finds saved login credentials for the FTP Explorer (FTPx)\n FTP client for Windows.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/ftpx.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/ftpx", "check": false }, "post_windows/gather/credentials/gpp": { "name": "Windows Gather Group Policy Preference Saved Passwords", "full_name": "post/windows/gather/credentials/gpp", "rank": 300, 
"disclosure_date": null, "type": "post", "author": [ "Ben Campbell ", "Loic Jaquemet ", "scriptmonkey ", "theLightCosine ", "mubix " ], "description": "This module enumerates the victim machine's domain controller and\n connects to it via SMB. It then looks for Group Policy Preference XML\n files containing local user accounts and passwords and decrypts them\n using Microsofts public AES key.\n\n Cached Group Policy files may be found on end-user devices if the group\n policy object is deleted rather than unlinked.\n\n Tested on WinXP SP3 Client and Win2k8 R2 DC.", "references": [ "URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)", "URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html", "URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx", "URL-https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/", "MSB-MS14-025" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/gpp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/gpp", "check": false }, "post_windows/gather/credentials/heidisql": { "name": "Windows Gather HeidiSQL Saved Password Extraction", "full_name": "post/windows/gather/credentials/heidisql", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "h0ng10" ], "description": "This module extracts saved passwords from the HeidiSQL client. These\n passwords are stored in the registry. 
They are encrypted with a custom algorithm.\n This module extracts and decrypts these passwords.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/heidisql.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/heidisql", "check": false }, "post_windows/gather/credentials/idm": { "name": "Windows Gather Internet Download Manager (IDM) Password Extractor", "full_name": "post/windows/gather/credentials/idm", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sil3ntdre4m ", "Unknown" ], "description": "This module recovers the saved premium download account passwords from\n Internet Download Manager (IDM). These passwords are stored in an encoded\n format in the registry. This module traverses through these registry entries\n and decodes them. Thanks to the template code of theLightCosine's CoreFTP\n password module.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/idm.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/idm", "check": false }, "post_windows/gather/credentials/imail": { "name": "Windows Gather IPSwitch iMail User Data Enumeration", "full_name": "post/windows/gather/credentials/imail", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will collect iMail user data such as the username, domain,\n full name, e-mail, and the decoded password. Please note if IMAILUSER is\n specified, the module extracts user data from all the domains found. 
If\n IMAILDOMAIN is specified, then it will extract all user data under that\n particular category.", "references": [ "EDB-11331" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/imail.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/imail", "check": false }, "post_windows/gather/credentials/imvu": { "name": "Windows Gather Credentials IMVU Game Client", "full_name": "post/windows/gather/credentials/imvu", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Shubham Dawra " ], "description": "This module extracts account username & password from the IMVU game client\n and stores it as loot.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/imvu.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/imvu", "check": false }, "post_windows/gather/credentials/mcafee_vse_hashdump": { "name": "McAfee Virus Scan Enterprise Password Hashes Dump", "full_name": "post/windows/gather/credentials/mcafee_vse_hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Mike Manzotti ", "Maurizio inode Agazzini" ], "description": "This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)\n used to lock down the user interface. Hashcat supports cracking this type of\n hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt\n (--hex-salt) of 01000f000d003300 (unicode \"\\x01\\x0f\\x0d\\x33\"). 
A dynamic\n format is available for John the Ripper at the referenced URL.", "references": [ "URL-https://www.dionach.com/blog/disabling-mcafee-on-access-scanning" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/mcafee_vse_hashdump.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/mcafee_vse_hashdump", "check": false }, "post_windows/gather/credentials/mdaemon_cred_collector": { "name": "Windows Gather MDaemonEmailServer Credential Cracking", "full_name": "post/windows/gather/credentials/mdaemon_cred_collector", "rank": 600, "disclosure_date": null, "type": "post", "author": [ "Manuel Nader #AgoraSecurity" ], "description": "Finds and cracks the stored passwords of MDaemon Email Server", "references": [ "BID-4686" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2017-08-20 18:24:41 +0000", "path": "/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/mdaemon_cred_collector", "check": false }, "post_windows/gather/credentials/meebo": { "name": "Windows Gather Meebo Password Extractor", "full_name": "post/windows/gather/credentials/meebo", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sil3ntDre4m ", "Unknown" ], "description": "This module extracts login account password stored by\n Meebo Notifier, a desktop version of Meebo's Online Messenger.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/meebo.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/meebo", "check": false }, "post_windows/gather/credentials/mremote": { "name": 
"Windows Gather mRemote Saved Password Extraction", "full_name": "post/windows/gather/credentials/mremote", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine ", "hdm ", "mubix " ], "description": "This module extracts saved passwords from mRemote. mRemote stores\n connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves\n the passwords in an encrypted format. The module will extract the connection\n info and decrypt the saved passwords.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/mremote.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/mremote", "check": false }, "post_windows/gather/credentials/mssql_local_hashdump": { "name": "Windows Gather Local SQL Server Hash Dump", "full_name": "post/windows/gather/credentials/mssql_local_hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Mike Manzotti ", "nullbind" ], "description": "This module extracts the usernames and password\n hashes from an MSSQL server and stores them as loot. 
It uses the\n same technique in mssql_local_auth_bypass.", "references": [ "URL-https://www.dionach.com/blog/easily-grabbing-microsoft-sql-server-password-hashes" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/mssql_local_hashdump.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/mssql_local_hashdump", "check": false }, "post_windows/gather/credentials/nimbuzz": { "name": "Windows Gather Nimbuzz Instant Messenger Password Extractor", "full_name": "post/windows/gather/credentials/nimbuzz", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sil3ntdre4m ", "Unknown" ], "description": "This module extracts the account passwords saved by Nimbuzz Instant\n Messenger in hex format.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/nimbuzz.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/nimbuzz", "check": false }, "post_windows/gather/credentials/outlook": { "name": "Windows Gather Microsoft Outlook Saved Password Extraction", "full_name": "post/windows/gather/credentials/outlook", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Justin Cacak" ], "description": "This module extracts and decrypts saved Microsoft\n Outlook (versions 2002-2010) passwords from the Windows\n Registry for POP3/IMAP/SMTP/HTTP accounts.\n In order for decryption to be successful, this module must be\n executed under the same privileges as the user which originally\n encrypted the password.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/post/windows/gather/credentials/outlook.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/outlook", "check": false }, "post_windows/gather/credentials/razer_synapse": { "name": "Windows Gather Razer Synapse Password Extraction", "full_name": "post/windows/gather/credentials/razer_synapse", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Thomas McCarthy \"smilingraccoon\" ", "Matt Howard \"pasv\" ", "Brandon McCann \"zeknox\" " ], "description": "This module will enumerate passwords stored by the Razer Synapse\n client. The encryption key and iv is publicly known. This module\n will not only extract encrypted password but will also decrypt\n password using public key. Affects versions earlier than 1.7.15.", "references": [ "URL-http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/", "URL-https://github.com/pasv/Testing/blob/master/Razer_decode.py" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/razer_synapse.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/razer_synapse", "check": false }, "post_windows/gather/credentials/razorsql": { "name": "Windows Gather RazorSQL Credentials", "full_name": "post/windows/gather/credentials/razorsql", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Paul Rascagneres ", "sinn3r " ], "description": "This module stores username, password, type, host, port, database (and name)\n collected from profiles.txt of RazorSQL.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/razorsql.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/razorsql", "check": false }, 
"post_windows/gather/credentials/rdc_manager_creds": { "name": "Windows Gather Remote Desktop Connection Manager Saved Password Extraction", "full_name": "post/windows/gather/credentials/rdc_manager_creds", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Tom Sellers " ], "description": "This module extracts and decrypts saved Microsoft Remote Desktop\n Connection Manager (RDCMan) passwords the .RDG files of users.\n The module will attempt to find the files configured for all users\n on the target system. Passwords for managed hosts are encrypted by\n default. In order for decryption of these passwords to be successful,\n this module must be executed under the same account as the user which\n originally encrypted the password. Passwords stored in plain text will\n be captured and documented.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/rdc_manager_creds.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/rdc_manager_creds", "check": false }, "post_windows/gather/credentials/skype": { "name": "Windows Gather Skype Saved Password Hash Extraction", "full_name": "post/windows/gather/credentials/skype", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix ", "hdm " ], "description": "This module finds saved login credentials\n for the Windows Skype client. The hash is in MD5 format\n that uses the username, a static string \"\\nskyper\\n\" and the\n password. 
The resulting MD5 is stored in the Config.xml file\n for the user after being XOR'd against a key generated by applying\n 2 SHA1 hashes of \"salt\" data which is stored in ProtectedStorage\n using the Windows API CryptProtectData against the MD5", "references": [ "URL-http://www.recon.cx/en/f/vskype-part2.pdf", "URL-http://insecurety.net/?p=427", "URL-https://github.com/skypeopensource/tools" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/skype.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/skype", "check": false }, "post_windows/gather/credentials/smartermail": { "name": "Windows Gather SmarterMail Password Extraction", "full_name": "post/windows/gather/credentials/smartermail", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joe Giron", "Brendan Coles ", "sinn3r " ], "description": "This module extracts and decrypts the sysadmin password in the\n SmarterMail 'mailConfig.xml' configuration file. 
The encryption\n key and IV are publicly known.\n\n This module has been tested successfully on SmarterMail versions\n 10.7.4842 and 11.7.5136.", "references": [ "URL-http://www.gironsec.com/blog/tag/cracking-smartermail/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/smartermail.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/smartermail", "check": false }, "post_windows/gather/credentials/smartftp": { "name": "Windows Gather SmartFTP Saved Password Extraction", "full_name": "post/windows/gather/credentials/smartftp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module finds saved login credentials\n for the SmartFTP FTP client for windows.\n It finds the saved passwords and decrypts\n them.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-02-13 15:57:09 +0000", "path": "/modules/post/windows/gather/credentials/smartftp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/smartftp", "check": false }, "post_windows/gather/credentials/spark_im": { "name": "Windows Gather Spark IM Password Extraction", "full_name": "post/windows/gather/credentials/spark_im", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brandon McCann \"zeknox\" ", "Thomas McCarthy \"smilingraccoon\" " ], "description": "This module will enumerate passwords stored by the Spark IM client.\n The encryption key is publicly known. 
This module will not only extract encrypted\n password but will also decrypt password using public key.", "references": [ "URL-http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/spark_im.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/spark_im", "check": false }, "post_windows/gather/credentials/sso": { "name": "Windows Single Sign On Credential Collector (Mimikatz)", "full_name": "post/windows/gather/credentials/sso", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will collect cleartext Single Sign On credentials from the Local\n Security Authority using the Mimikatz extension. Blank passwords will not be stored\n in the database.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/sso.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/sso", "check": false }, "post_windows/gather/credentials/steam": { "name": "Windows Gather Steam Client Session Collector.", "full_name": "post/windows/gather/credentials/steam", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Nikolai Rusakov " ], "description": "This module will collect Steam session information from an\n account set to autologin.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/steam.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/steam", "check": false }, "post_windows/gather/credentials/tortoisesvn": { "name": "Windows Gather 
TortoiseSVN Saved Password Extraction", "full_name": "post/windows/gather/credentials/tortoisesvn", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Justin Cacak" ], "description": "This module extracts and decrypts saved TortoiseSVN passwords. In\n order for decryption to be successful this module must be executed\n under the same privileges as the user which originally encrypted the\n password.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/tortoisesvn.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/tortoisesvn", "check": false }, "post_windows/gather/credentials/total_commander": { "name": "Windows Gather Total Commander Saved Password Extraction", "full_name": "post/windows/gather/credentials/total_commander", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts weakly encrypted saved FTP Passwords from Total Commander.\n It finds saved FTP connections in the wcx_ftp.ini file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/total_commander.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/total_commander", "check": false }, "post_windows/gather/credentials/trillian": { "name": "Windows Gather Trillian Password Extractor", "full_name": "post/windows/gather/credentials/trillian", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sil3ntDre4m ", "Unknown" ], "description": "This module extracts account password from Trillian & Trillian Astra\n v4.x-5.x instant messenger.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, 
"targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/trillian.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/trillian", "check": false }, "post_windows/gather/credentials/vnc": { "name": "Windows Gather VNC Password Extraction", "full_name": "post/windows/gather/credentials/vnc", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Kurt Grutzmacher ", "mubix " ], "description": "This module extracts DES-encrypted passwords from known VNC locations", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/vnc.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/vnc", "check": false }, "post_windows/gather/credentials/windows_autologin": { "name": "Windows Gather AutoLogin User Credential Extractor", "full_name": "post/windows/gather/credentials/windows_autologin", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Myo Soe" ], "description": "This module extracts the plain-text Windows user login password from the Registry.\n It exploits a Windows feature (2000 to 2008 R2) that allows a\n user or third-party Windows utility tools to configure User AutoLogin by inserting a\n plain-text password into the (Alt)DefaultPassword field at the registry\n location - HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. 
This is readable\n by all users.", "references": [ "URL-http://support.microsoft.com/kb/315231", "URL-http://core.yehg.net/lab/#tools.exploits" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/windows_autologin.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/windows_autologin", "check": false }, "post_windows/gather/credentials/winscp": { "name": "Windows Gather WinSCP Saved Password Extraction", "full_name": "post/windows/gather/credentials/winscp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts weakly encrypted saved passwords from\n WinSCP. It searches for saved sessions in the Windows Registry\n and the WinSCP.ini file. It cannot decrypt passwords if a master\n password is used.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/winscp.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/winscp", "check": false }, "post_windows/gather/credentials/wsftp_client": { "name": "Windows Gather WS_FTP Saved Password Extraction", "full_name": "post/windows/gather/credentials/wsftp_client", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts weakly encrypted saved FTP Passwords\n from WS_FTP. 
It finds saved FTP connections in the ws_ftp.ini file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/credentials/wsftp_client.rb", "is_install_path": true, "ref_name": "windows/gather/credentials/wsftp_client", "check": false }, "post_windows/gather/dnscache_dump": { "name": "Windows Gather DNS Cache", "full_name": "post/windows/gather/dnscache_dump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module displays the records stored in the DNS cache.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/dnscache_dump.rb", "is_install_path": true, "ref_name": "windows/gather/dnscache_dump", "check": false }, "post_windows/gather/dumplinks": { "name": "Windows Gather Dump Recent Files lnk Info", "full_name": "post/windows/gather/dumplinks", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "davehull " ], "description": "The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script.\n This module will parse .lnk files from a user's Recent Documents folder\n and Microsoft Office's Recent Documents folder, if present.\n Windows creates these link files automatically for many common file types.\n The .lnk files contain time stamps, file locations, including share\n names, volume serial numbers, and more.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/dumplinks.rb", "is_install_path": true, "ref_name": "windows/gather/dumplinks", "check": false }, "post_windows/gather/enum_ad_bitlocker": { "name": "Windows Gather 
Active Directory BitLocker Recovery", "full_name": "post/windows/gather/enum_ad_bitlocker", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will enumerate BitLocker recovery passwords in the default AD\n directory. This module does require Domain Admin or other delegated privileges.", "references": [ "URL-https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_bitlocker.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_bitlocker", "check": false }, "post_windows/gather/enum_ad_computers": { "name": "Windows Gather Active Directory Computers", "full_name": "post/windows/gather/enum_ad_computers", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will enumerate computers in the default AD directory.\n\n Optional Attributes to use in ATTRIBS:\n objectClass, cn, description, distinguishedName, instanceType, whenCreated,\n whenChanged, uSNCreated, uSNChanged, name, objectGUID,\n userAccountControl, badPwdCount, codePage, countryCode,\n badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,\n pwdLastSet, primaryGroupID, objectSid, accountExpires,\n logonCount, sAMAccountName, sAMAccountType, operatingSystem,\n operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,\n dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,\n netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,\n lastLogonTimestamp, msDS-SupportedEncryptionTypes\n\n ActiveDirectory has a MAX_SEARCH limit of 1000 by default. 
Split the search up\n if you hit that limit.\n\n Possible filters:\n (objectClass=computer) # All Computers\n (primaryGroupID=516) # All Domain Controllers\n (&(objectCategory=computer)(operatingSystem=*server*)) # All Servers", "references": [ "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_computers.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_computers", "check": false }, "post_windows/gather/enum_ad_groups": { "name": "Windows Gather Active Directory Groups", "full_name": "post/windows/gather/enum_ad_groups", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will enumerate AD groups on the specified domain.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_groups.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_groups", "check": false }, "post_windows/gather/enum_ad_managedby_groups": { "name": "Windows Gather Active Directory Managed Groups", "full_name": "post/windows/gather/enum_ad_managedby_groups", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will enumerate AD groups on the specified domain which are specifically managed.\n It cannot at the moment identify whether the 'Manager can update membership list' option\n is set; if so, it would allow that member to update the contents of that group. 
This\n could either be used as a persistence mechanism (for example, set your user as the 'Domain\n Admins' group manager) or could be used to detect privilege escalation opportunities\n without having domain admin privileges.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_managedby_groups.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_managedby_groups", "check": false }, "post_windows/gather/enum_ad_service_principal_names": { "name": "Windows Gather Active Directory Service Principal Names", "full_name": "post/windows/gather/enum_ad_service_principal_names", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell ", "Scott Sutherland" ], "description": "This module will enumerate servicePrincipalName in the default AD directory\n where the user is a member of the Domain Admins group.", "references": [ "URL-https://www.netspi.com/blog/entryid/214/faster-domain-escalation-using-ldap" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_service_principal_names.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_service_principal_names", "check": false }, "post_windows/gather/enum_ad_to_wordlist": { "name": "Windows Active Directory Wordlist Builder", "full_name": "post/windows/gather/enum_ad_to_wordlist", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Thomas Ring" ], "description": "This module will gather information from the default Active Domain (AD) directory\n and use these words to seed a wordlist. 
By default it enumerates user accounts to\n build the wordlist.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_to_wordlist.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_to_wordlist", "check": false }, "post_windows/gather/enum_ad_user_comments": { "name": "Windows Gather Active Directory User Comments", "full_name": "post/windows/gather/enum_ad_user_comments", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will enumerate user accounts in the default Active Domain (AD) directory which\n contain 'pass' in their description or comment (case-insensitive) by default. In some cases,\n such users have their passwords specified in these fields.", "references": [ "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_user_comments.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_user_comments", "check": false }, "post_windows/gather/enum_ad_users": { "name": "Windows Gather Active Directory Users", "full_name": "post/windows/gather/enum_ad_users", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell ", "Carlos Perez ", "Stuart Morgan " ], "description": "This module will enumerate user accounts in the default Active Domain (AD) directory and stores\n them in the database. If GROUP_MEMBER is set to the DN of a group, this will list the members of\n that group by performing a recursive/nested search (i.e. 
it will list users who are members of\n groups that are members of groups that are members of groups (etc) which eventually include the\n target group DN.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ad_users.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ad_users", "check": false }, "post_windows/gather/enum_applications": { "name": "Windows Gather Installed Application Enumeration", "full_name": "post/windows/gather/enum_applications", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate all installed applications", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_applications.rb", "is_install_path": true, "ref_name": "windows/gather/enum_applications", "check": false }, "post_windows/gather/enum_artifacts": { "name": "Windows Gather File and Registry Artifacts Enumeration", "full_name": "post/windows/gather/enum_artifacts", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "averagesecurityguy " ], "description": "This module will check the file system and registry for particular artifacts. The\n list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. 
Any\n matches are written to the loot.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_artifacts.rb", "is_install_path": true, "ref_name": "windows/gather/enum_artifacts", "check": false }, "post_windows/gather/enum_av_excluded": { "name": "Windows Antivirus Exclusions Enumeration", "full_name": "post/windows/gather/enum_av_excluded", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Andrew Smith", "Jon Hart " ], "description": "This module will enumerate the file, directory, process and\n extension-based exclusions from supported AV products, which\n currently includes Microsoft Defender, Microsoft Security\n Essentials/Antimalware, and Symantec Endpoint Protection.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_av_excluded.rb", "is_install_path": true, "ref_name": "windows/gather/enum_av_excluded", "check": false }, "post_windows/gather/enum_chrome": { "name": "Windows Gather Google Chrome User Data Enumeration", "full_name": "post/windows/gather/enum_chrome", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sven Taute", "sinn3r ", "Kx499", "mubix " ], "description": "This module will collect user data from Google Chrome and attempt to decrypt\n sensitive information.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-27 07:41:06 +0000", "path": "/modules/post/windows/gather/enum_chrome.rb", "is_install_path": true, "ref_name": "windows/gather/enum_chrome", "check": false }, "post_windows/gather/enum_computers": { "name": "Windows Gather Enumerate Computers", "full_name": "post/windows/gather/enum_computers", 
"rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua Abraham " ], "description": "This module will enumerate computers included in the primary Domain.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_computers.rb", "is_install_path": true, "ref_name": "windows/gather/enum_computers", "check": false }, "post_windows/gather/enum_db": { "name": "Windows Gather Database Instance Enumeration", "full_name": "post/windows/gather/enum_db", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Barry Shteiman ", "juan vazquez " ], "description": "This module will enumerate a Windows system for installed database instances", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_db.rb", "is_install_path": true, "ref_name": "windows/gather/enum_db", "check": false }, "post_windows/gather/enum_devices": { "name": "Windows Gather Hardware Enumeration", "full_name": "post/windows/gather/enum_devices", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brandon Perry " ], "description": "Enumerate PCI hardware information from the registry. Please note this script\n will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID',\n 'HTREE', 'IDE', 'ISAPNP', 'LEGACY', 'LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW',\n and 'USB'; it will take time to finish. 
It is recommended to run this module as a\n background job.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_devices.rb", "is_install_path": true, "ref_name": "windows/gather/enum_devices", "check": false }, "post_windows/gather/enum_dirperms": { "name": "Windows Gather Directory Permissions Enumeration", "full_name": "post/windows/gather/enum_dirperms", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Kx499", "Ben Campbell ", "sinn3r " ], "description": "This module enumerates directories and lists the permissions set\n on found directories. Please note: if the PATH option isn't specified,\n then the module will start enumerating whatever is in the target machine's\n %PATH% variable.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_dirperms.rb", "is_install_path": true, "ref_name": "windows/gather/enum_dirperms", "check": false }, "post_windows/gather/enum_domain": { "name": "Windows Gather Enumerate Domain", "full_name": "post/windows/gather/enum_domain", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua Abraham " ], "description": "This module identifies the primary domain via the registry. 
The registry value used is:\n HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_domain.rb", "is_install_path": true, "ref_name": "windows/gather/enum_domain", "check": false }, "post_windows/gather/enum_domain_group_users": { "name": "Windows Gather Enumerate Domain Group", "full_name": "post/windows/gather/enum_domain_group_users", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "Stephen Haywood " ], "description": "This module extracts user accounts from the specified group\n and stores the results in the loot. It will also verify if the session\n account is in the group. Data is stored in loot in a format that\n is compatible with the token_hunter plugin. This module should be\n run over a session with domain credentials.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_domain_group_users.rb", "is_install_path": true, "ref_name": "windows/gather/enum_domain_group_users", "check": false }, "post_windows/gather/enum_domain_tokens": { "name": "Windows Gather Enumerate Domain Tokens", "full_name": "post/windows/gather/enum_domain_tokens", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate tokens present on a system that are part of the\n domain the target host is part of, and will also enumerate users in the local\n Administrators, Users and Backup Operator groups to identify Domain members.\n Processes will also be enumerated and checked if they are running under a\n Domain account; on all checks the accounts, processes and tokens will be\n checked if 
they are part of the Domain Admin group of the domain the machine\n is a member of.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_domain_tokens.rb", "is_install_path": true, "ref_name": "windows/gather/enum_domain_tokens", "check": false }, "post_windows/gather/enum_domain_users": { "name": "Windows Gather Enumerate Active Domain Users", "full_name": "post/windows/gather/enum_domain_users", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Etienne Stalmans ", "Ben Campbell " ], "description": "This module will enumerate computers included in the primary Domain and attempt\n to list all locations the targeted user has sessions on. If the HOST option is specified\n the module will target only that host. If the HOST is specified and USER is set to nil, all users\n logged into that host will be returned.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/gather/enum_domain_users.rb", "is_install_path": true, "ref_name": "windows/gather/enum_domain_users", "check": false }, "post_windows/gather/enum_domains": { "name": "Windows Gather Domain Enumeration", "full_name": "post/windows/gather/enum_domains", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module currently enumerates the domains a host can see and the domain\n controllers for those domains.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_domains.rb", "is_install_path": true, "ref_name": "windows/gather/enum_domains", "check": false }, "post_windows/gather/enum_emet": { 
"name": "Windows Gather EMET Protected Paths", "full_name": "post/windows/gather/enum_emet", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vysec " ], "description": "This module will enumerate the EMET protected paths on the target host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_emet.rb", "is_install_path": true, "ref_name": "windows/gather/enum_emet", "check": false }, "post_windows/gather/enum_files": { "name": "Windows Gather Generic File Collection", "full_name": "post/windows/gather/enum_files", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "3vi1john ", "RageLtMan " ], "description": "This module downloads files recursively based on the FILE_GLOBS option.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_files.rb", "is_install_path": true, "ref_name": "windows/gather/enum_files", "check": false }, "post_windows/gather/enum_hostfile": { "name": "Windows Gather Windows Host File Enumeration", "full_name": "post/windows/gather/enum_hostfile", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vt " ], "description": "This module returns a list of entries in the target system's hosts file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_hostfile.rb", "is_install_path": true, "ref_name": "windows/gather/enum_hostfile", "check": false }, "post_windows/gather/enum_ie": { "name": "Windows Gather Internet Explorer User Data Enumeration", "full_name": "post/windows/gather/enum_ie", "rank": 300, "disclosure_date": null, "type": 
"post", "author": [ "Kx499" ], "description": "This module will collect history, cookies, and credentials (from either HTTP\n auth passwords, or saved form passwords found in auto-complete) in\n Internet Explorer. The ability to gather credentials is only supported\n for versions of IE >=7, while history and cookies can be extracted for all\n versions.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_ie.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ie", "check": false }, "post_windows/gather/enum_logged_on_users": { "name": "Windows Gather Logged On User Enumeration (Registry)", "full_name": "post/windows/gather/enum_logged_on_users", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate current and recently logged on Windows users", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_logged_on_users.rb", "is_install_path": true, "ref_name": "windows/gather/enum_logged_on_users", "check": false }, "post_windows/gather/enum_ms_product_keys": { "name": "Windows Gather Product Key", "full_name": "post/windows/gather/enum_ms_product_keys", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brandon Perry " ], "description": "This module will enumerate the OS license key", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-02-24 16:06:55 +0000", "path": "/modules/post/windows/gather/enum_ms_product_keys.rb", "is_install_path": true, "ref_name": "windows/gather/enum_ms_product_keys", "check": false }, "post_windows/gather/enum_muicache": { "name": "Windows 
Gather Enum User MUICache", "full_name": "post/windows/gather/enum_muicache", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "TJ Glad " ], "description": "This module gathers information about the files and file paths that logged on users have\n executed on the system. It also will check if the file still exists on the system. This\n information is gathered by using information stored under the MUICache registry key. If\n the user is logged in when the module is executed it will collect the MUICache entries\n by accessing the registry directly. If the user is not logged in the module will download\n users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are\n parsed from the downloaded hive.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_muicache.rb", "is_install_path": true, "ref_name": "windows/gather/enum_muicache", "check": false }, "post_windows/gather/enum_patches": { "name": "Windows Gather Applied Patches", "full_name": "post/windows/gather/enum_patches", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "zeroSteiner ", "mubix " ], "description": "This module will attempt to enumerate which patches are applied to a windows system\n based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering", "references": [ "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_patches.rb", "is_install_path": true, "ref_name": "windows/gather/enum_patches", "check": false }, "post_windows/gather/enum_powershell_env": { "name": "Windows Gather Powershell Environment Setting Enumeration", "full_name": 
"post/windows/gather/enum_powershell_env", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate Microsoft Powershell settings", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_powershell_env.rb", "is_install_path": true, "ref_name": "windows/gather/enum_powershell_env", "check": false }, "post_windows/gather/enum_prefetch": { "name": "Windows Gather Prefetch File Information", "full_name": "post/windows/gather/enum_prefetch", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "TJ Glad " ], "description": "This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems\n and current values of related registry keys. From each prefetch file we'll collect\n filetime (converted to utc) of the last execution, file path hash, run count, filename\n and the execution path.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_prefetch.rb", "is_install_path": true, "ref_name": "windows/gather/enum_prefetch", "check": false }, "post_windows/gather/enum_proxy": { "name": "Windows Gather Proxy Setting", "full_name": "post/windows/gather/enum_proxy", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module pulls a user's proxy settings. 
If neither RHOST nor SID\n is set it pulls the current user's settings; otherwise it pulls the settings of the user\n with the specified SID on the target host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_proxy.rb", "is_install_path": true, "ref_name": "windows/gather/enum_proxy", "check": false }, "post_windows/gather/enum_putty_saved_sessions": { "name": "PuTTY Saved Sessions Enumeration Module", "full_name": "post/windows/gather/enum_putty_saved_sessions", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session\n information from the registry. PuTTY is very configurable; some users may have configured\n saved sessions which could include a username, private key file to use when authenticating,\n host name etc. If a private key is configured, an attempt will be made to download and store\n it in loot. It will also record the SSH host keys which have been stored. 
These will be connections that\n the user has previously made after accepting the host's SSH fingerprint and therefore are of particular\n interest if they are within the scope of a penetration test.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_putty_saved_sessions.rb", "is_install_path": true, "ref_name": "windows/gather/enum_putty_saved_sessions", "check": false }, "post_windows/gather/enum_services": { "name": "Windows Gather Service Info Enumeration", "full_name": "post/windows/gather/enum_services", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Keith Faber", "Kx499" ], "description": "This module will query the system for services and display the name and\n configuration info for each returned service. It allows you to\n optionally search the credentials, path, or start type for a string\n and only return the results that match. These query operations are\n cumulative and if no query strings are specified, it just returns all\n services. 
NOTE: If the script hangs, windows firewall is most likely\n on and you did not migrate to a safe process (explorer.exe for\n example).", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_services.rb", "is_install_path": true, "ref_name": "windows/gather/enum_services", "check": false }, "post_windows/gather/enum_shares": { "name": "Windows Gather SMB Share Enumeration via Registry", "full_name": "post/windows/gather/enum_shares", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will enumerate configured and recently used file shares", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_shares.rb", "is_install_path": true, "ref_name": "windows/gather/enum_shares", "check": false }, "post_windows/gather/enum_snmp": { "name": "Windows Gather SNMP Settings Enumeration (Registry)", "full_name": "post/windows/gather/enum_snmp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "Tebo " ], "description": "This module will enumerate the SNMP service configuration", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_snmp.rb", "is_install_path": true, "ref_name": "windows/gather/enum_snmp", "check": false }, "post_windows/gather/enum_termserv": { "name": "Windows Gather Terminal Server Client Connection Information Dumper", "full_name": "post/windows/gather/enum_termserv", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module dumps MRU and connection data for 
RDP sessions", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_termserv.rb", "is_install_path": true, "ref_name": "windows/gather/enum_termserv", "check": false }, "post_windows/gather/enum_tokens": { "name": "Windows Gather Enumerate Domain Admin Tokens (Token Hunter)", "full_name": "post/windows/gather/enum_tokens", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua Abraham " ], "description": "This module will identify systems that have a Domain Admin (delegation) token\n on them. The module will first check if sufficient privileges are present for\n certain actions, and run getprivs for system. If you elevated privs to system,\n the SeAssignPrimaryTokenPrivilege will not be assigned, in that case try\n migrating to another process that is running as system. If no sufficient\n privileges are available, the script will not continue.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_tokens.rb", "is_install_path": true, "ref_name": "windows/gather/enum_tokens", "check": false }, "post_windows/gather/enum_tomcat": { "name": "Windows Gather Apache Tomcat Enumeration", "full_name": "post/windows/gather/enum_tomcat", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Barry Shteiman " ], "description": "This module will collect information from a Windows-based Apache Tomcat. 
You will get\n information such as: The installation path, Tomcat version, port, web applications,\n users, passwords, roles, etc.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_tomcat.rb", "is_install_path": true, "ref_name": "windows/gather/enum_tomcat", "check": false }, "post_windows/gather/enum_trusted_locations": { "name": "Windows Gather Microsoft Office Trusted Locations", "full_name": "post/windows/gather/enum_trusted_locations", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vysec " ], "description": "This module will enumerate the Microsoft Office trusted locations on the target host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_trusted_locations.rb", "is_install_path": true, "ref_name": "windows/gather/enum_trusted_locations", "check": false }, "post_windows/gather/enum_unattend": { "name": "Windows Gather Unattended Answer File Enumeration", "full_name": "post/windows/gather/enum_unattend", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sean Verity ", "sinn3r ", "Ben Campbell " ], "description": "This module will check the file system for a copy of unattend.xml and/or\n autounattend.xml found in Windows Vista, or newer Windows systems. 
And then\n extract sensitive information such as usernames and decoded passwords.", "references": [ "URL-http://technet.microsoft.com/en-us/library/ff715801", "URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx", "URL-http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/enum_unattend.rb", "is_install_path": true, "ref_name": "windows/gather/enum_unattend", "check": false }, "post_windows/gather/file_from_raw_ntfs": { "name": "Windows File Gather File from Raw NTFS", "full_name": "post/windows/gather/file_from_raw_ntfs", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Danil Bazin " ], "description": "This module gathers a file using the raw NTFS device, bypassing some Windows restrictions\n such as open file with write lock. Because it avoids the usual file locking issues, it can\n be used to retrieve files such as NTDS.dit.", "references": [ "URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/file_from_raw_ntfs.rb", "is_install_path": true, "ref_name": "windows/gather/file_from_raw_ntfs", "check": false }, "post_windows/gather/forensics/browser_history": { "name": "Windows Gather Skype, Firefox, and Chrome Artifacts", "full_name": "post/windows/gather/forensics/browser_history", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua Harper " ], "description": "Gathers Skype chat logs, Firefox history, and Chrome history data from the target machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, 
"mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/browser_history.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/browser_history", "check": false }, "post_windows/gather/forensics/duqu_check": { "name": "Windows Gather Forensics Duqu Registry Check", "full_name": "post/windows/gather/forensics/duqu_check", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Marcus J. Carey " ], "description": "This module searches for CVE-2011-3402 (Duqu) related registry artifacts.", "references": [ "CVE-2011-3402", "URL-http://r-7.co/w5h7fY" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/duqu_check.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/duqu_check", "check": false }, "post_windows/gather/forensics/enum_drives": { "name": "Windows Gather Physical Drives and Logical Volumes", "full_name": "post/windows/gather/forensics/enum_drives", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley McGrew " ], "description": "This module will list physical drives and logical volumes", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/enum_drives.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/enum_drives", "check": false }, "post_windows/gather/forensics/imager": { "name": "Windows Gather Forensic Imaging", "full_name": "post/windows/gather/forensics/imager", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley McGrew " ], "description": "This module will perform byte-for-byte imaging of remote disks and volumes", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, 
"targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/imager.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/imager", "check": false }, "post_windows/gather/forensics/nbd_server": { "name": "Windows Gather Local NBD Server", "full_name": "post/windows/gather/forensics/nbd_server", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley McGrew " ], "description": "Maps remote disks and logical volumes to a local Network Block Device server.\n Allows for forensic tools to be executed on the remote disk directly.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/nbd_server.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/nbd_server", "check": false }, "post_windows/gather/forensics/recovery_files": { "name": "Windows Gather Deleted Files Enumeration and Recovering", "full_name": "post/windows/gather/forensics/recovery_files", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module lists and attempts to recover deleted files from NTFS file systems. Use\n the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the\n DRIVE. Set FILES to an extension (e.g., \"pdf\") to recover deleted files with that\n extension, or set FILES to a comma separated list of IDs (from enumeration) to\n recover those files. The user must have account file enumeration. 
Recovery\n may take a long time; use the TIMEOUT option to abort enumeration or recovery by\n extension after a specified period (in seconds).", "references": [ "URL-http://www.youtube.com/watch?v=9yzCf360ujY&hd=1" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/forensics/recovery_files.rb", "is_install_path": true, "ref_name": "windows/gather/forensics/recovery_files", "check": false }, "post_windows/gather/hashdump": { "name": "Windows Gather Local User Account Password Hashes (Registry)", "full_name": "post/windows/gather/hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "hdm " ], "description": "This module will dump the local user accounts from the SAM database using the registry", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/hashdump.rb", "is_install_path": true, "ref_name": "windows/gather/hashdump", "check": false }, "post_windows/gather/local_admin_search_enum": { "name": "Windows Gather Local Admin Search", "full_name": "post/windows/gather/local_admin_search_enum", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brandon McCann \"zeknox\" ", "Thomas McCarthy \"smilingraccoon\" ", "Royce Davis \"r3dy\" " ], "description": "This module will identify systems in a given range that the\n supplied domain user (you should first migrate into a process running as that user) has administrative\n access to, by using the Windows API OpenSCManagerA to establish a handle\n to the remote host. 
Additionally it can enumerate logged in users and group\n membership via Windows API NetWkstaUserEnum and NetUserGetGroups.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/local_admin_search_enum.rb", "is_install_path": true, "ref_name": "windows/gather/local_admin_search_enum", "check": true }, "post_windows/gather/lsa_secrets": { "name": "Windows Enumerate LSA Secrets", "full_name": "post/windows/gather/lsa_secrets", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Rob Bathurst " ], "description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:\n HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt\n code from cachedump.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/lsa_secrets.rb", "is_install_path": true, "ref_name": "windows/gather/lsa_secrets", "check": false }, "post_windows/gather/make_csv_orgchart": { "name": "Generate CSV Organizational Chart Data Using Manager Information", "full_name": "post/windows/gather/make_csv_orgchart", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will generate a CSV file containing all users and their managers, which can be\n imported into Visio which will render it.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/make_csv_orgchart.rb", "is_install_path": true, "ref_name": "windows/gather/make_csv_orgchart", "check": false }, "post_windows/gather/memory_grep": { 
"name": "Windows Gather Process Memory Grep", "full_name": "post/windows/gather/memory_grep", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "bannedit " ], "description": "This module allows for searching the memory space of a process for potentially\n sensitive data. Please note: When the HEAP option is enabled, the module will have\n to migrate to the process you are grepping, and will not migrate back automatically.\n This means that if the user terminates the application after using this module, you\n may lose your session.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/gather/memory_grep.rb", "is_install_path": true, "ref_name": "windows/gather/memory_grep", "check": false }, "post_windows/gather/netlm_downgrade": { "name": "Windows NetLM Downgrade Attack", "full_name": "post/windows/gather/netlm_downgrade", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Brandon McCann \"zeknox\" ", "Thomas McCarthy \"smilingraccoon\" " ], "description": "This module will change a registry value to enable\n the sending of LM challenge hashes and then initiate a SMB connection to\n the SMBHOST datastore. 
If an SMB server is listening, it will receive the\n NetLM hashes. Because the registry change weakens the target's NTLM configuration, confirm that the\n original value is restored once the hashes have been captured.", "references": [ "URL-http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks" ], "is_server": false, "is_client": false, "platform": "", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/netlm_downgrade.rb", "is_install_path": true, "ref_name": "windows/gather/netlm_downgrade", "check": false }, "post_windows/gather/ntds_grabber": { "name": "NTDS Grabber", "full_name": "post/windows/gather/ntds_grabber", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Koen Riepe (koen.riepe " ], "description": "This module uses a powershell script to obtain a copy of the ntds.dit, SAM and SYSTEM files on a domain controller.\n It compresses all these files into a cabinet file called All.cab.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2018-06-26 08:22:11 +0000", "path": "/modules/post/windows/gather/ntds_grabber.rb", "is_install_path": true, "ref_name": "windows/gather/ntds_grabber", "check": false }, "post_windows/gather/ntds_location": { "name": "Post Windows Gather NTDS.DIT Location", "full_name": "post/windows/gather/ntds_location", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan " ], "description": "This module will find the location of the NTDS.DIT file (from the Registry),\n check that it exists, and display its location on the screen, which is useful\n if you wish to manually acquire the file using ntdsutil or vss.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/ntds_location.rb", "is_install_path": true, "ref_name": "windows/gather/ntds_location", "check": false }, 
"post_windows/gather/outlook": { "name": "Windows Gather Outlook Email Messages", "full_name": "post/windows/gather/outlook", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley Neelen " ], "description": "This module allows reading and searching email messages from the local\n Outlook installation using PowerShell. Please note that this module\n manipulates the victim's keyboard/mouse. If a victim is active on the target\n system, they may notice the activities of this module. Tested on Windows 8.1\n x64 with Office 2013.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/outlook.rb", "is_install_path": true, "ref_name": "windows/gather/outlook", "check": false }, "post_windows/gather/phish_windows_credentials": { "name": "Windows Gather User Credentials (phishing)", "full_name": "post/windows/gather/phish_windows_credentials", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley Neelen ", "Matt Nelson" ], "description": "This module is able to perform a phishing attack on the target by popping up a login prompt.\n When the user fills in credentials in the login prompt, the credentials will be sent to the attacker.\n The module is able to monitor for new processes and pop up a login prompt when a specific process is starting. 
Tested on Windows 7.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/phish_windows_credentials.rb", "is_install_path": true, "ref_name": "windows/gather/phish_windows_credentials", "check": false }, "post_windows/gather/resolve_sid": { "name": "Windows Gather Local User Account SID Lookup", "full_name": "post/windows/gather/resolve_sid", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "chao-mu" ], "description": "This module prints information about a given SID from the perspective of this session", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/resolve_sid.rb", "is_install_path": true, "ref_name": "windows/gather/resolve_sid", "check": false }, "post_windows/gather/reverse_lookup": { "name": "Windows Gather IP Range Reverse Lookup", "full_name": "post/windows/gather/reverse_lookup", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module uses Railgun, calling the gethostbyaddr function to resolve a hostname\n to an IP.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/reverse_lookup.rb", "is_install_path": true, "ref_name": "windows/gather/reverse_lookup", "check": false }, "post_windows/gather/screen_spy": { "name": "Windows Gather Screen Spy", "full_name": "post/windows/gather/screen_spy", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Roni Bachar ", "bannedit ", "kernelsmith ", "Adrian Kubok" ], "description": "This module will incrementally take desktop screenshots from the host. 
This\n allows for screen spying which can be useful to determine if there is an active\n user on a machine, or to record the screen for later data extraction.\n\n Note: As of March, 2014, the VIEW_CMD option has been removed in\n favor of the Boolean VIEW_SCREENSHOTS option, which will control if (but\n not how) the collected screenshots will be viewed from the Metasploit\n interface.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-12 17:11:29 +0000", "path": "/modules/post/windows/gather/screen_spy.rb", "is_install_path": true, "ref_name": "windows/gather/screen_spy", "check": false }, "post_windows/gather/smart_hashdump": { "name": "Windows Gather Local and Domain Controller Account Password Hashes", "full_name": "post/windows/gather/smart_hashdump", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This will dump local accounts from the SAM Database. 
If the target\n host is a Domain Controller, it will dump the Domain Account Database using the proper\n technique depending on privilege level, OS and role of the host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/smart_hashdump.rb", "is_install_path": true, "ref_name": "windows/gather/smart_hashdump", "check": false }, "post_windows/gather/tcpnetstat": { "name": "Windows Gather TCP Netstat", "full_name": "post/windows/gather/tcpnetstat", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This Module lists current TCP sessions", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/tcpnetstat.rb", "is_install_path": true, "ref_name": "windows/gather/tcpnetstat", "check": false }, "post_windows/gather/usb_history": { "name": "Windows Gather USB Drive History", "full_name": "post/windows/gather/usb_history", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "nebulus" ], "description": "This module will enumerate USB Drive history on a target host.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/usb_history.rb", "is_install_path": true, "ref_name": "windows/gather/usb_history", "check": false }, "post_windows/gather/win_privs": { "name": "Windows Gather Privileges Enumeration", "full_name": "post/windows/gather/win_privs", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Merlyn Cousins " ], "description": "This module will print if UAC is enabled, and if the current account is\n ADMIN enabled. 
It will also print UID, foreground SESSION ID, is SYSTEM status\n and current process PRIVILEGES.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-19 01:35:19 +0000", "path": "/modules/post/windows/gather/win_privs.rb", "is_install_path": true, "ref_name": "windows/gather/win_privs", "check": false }, "post_windows/gather/wmic_command": { "name": "Windows Gather Run Specified WMIC Command", "full_name": "post/windows/gather/wmic_command", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will execute a given WMIC command options or read\n WMIC commands options from a resource file and execute the commands in the\n specified Meterpreter session.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/wmic_command.rb", "is_install_path": true, "ref_name": "windows/gather/wmic_command", "check": false }, "post_windows/gather/word_unc_injector": { "name": "Windows Gather Microsoft Office Word UNC Path Injector", "full_name": "post/windows/gather/word_unc_injector", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "SphaZ " ], "description": "This module modifies a remote .docx file that will, upon opening, submit\n stored netNTLM credentials to a remote host. Verified to work with Microsoft\n Word 2003, 2007, 2010, and 2013. 
In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", "references": [ "URL-http://jedicorp.com/?p=534" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/gather/word_unc_injector.rb", "is_install_path": true, "ref_name": "windows/gather/word_unc_injector", "check": false }, "post_windows/manage/add_user_domain": { "name": "Windows Manage Add User to the Domain and/or to a Domain Group", "full_name": "post/windows/manage/add_user_domain", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Joshua Abraham " ], "description": "This module adds a user to the Domain and/or to a Domain group. It will\n check if sufficient privileges are present for certain actions and run\n getprivs for system. If you elevated privs to system, the\n SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n a process that is running as system. 
If you don't have privs, this script\n exits.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/manage/add_user_domain.rb", "is_install_path": true, "ref_name": "windows/manage/add_user_domain", "check": false }, "post_windows/manage/archmigrate": { "name": "Architecture Migrate", "full_name": "post/windows/manage/archmigrate", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Koen Riepe (koen.riepe " ], "description": "This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a\n new process with the correct architecture and migrates into that process.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "x86, x64", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/archmigrate.rb", "is_install_path": true, "ref_name": "windows/manage/archmigrate", "check": false }, "post_windows/manage/change_password": { "name": "Windows Manage Change Password", "full_name": "post/windows/manage/change_password", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will attempt to change the password of the targeted account.\n The typical usage is to change a newly created account's password on a\n remote host to avoid the error, 'System error 1907 has occurred,' which\n is caused when the account policy enforces a password change before the\n next login.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/change_password.rb", "is_install_path": true, "ref_name": "windows/manage/change_password", "check": false }, 
"post_windows/manage/clone_proxy_settings": { "name": "Windows Manage Proxy Setting Cloner", "full_name": "post/windows/manage/clone_proxy_settings", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module copies the proxy settings from the current user to the\n targeted user SID, supports remote hosts as well if remote registry\n is allowed.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/clone_proxy_settings.rb", "is_install_path": true, "ref_name": "windows/manage/clone_proxy_settings", "check": false }, "post_windows/manage/delete_user": { "name": "Windows Manage Local User Account Deletion", "full_name": "post/windows/manage/delete_user", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "chao-mu" ], "description": "This module deletes a local user account from the specified server,\n or the local machine if no server is given.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/delete_user.rb", "is_install_path": true, "ref_name": "windows/manage/delete_user", "check": false }, "post_windows/manage/download_exec": { "name": "Windows Manage Download and/or Execute", "full_name": "post/windows/manage/download_exec", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "RageLtMan" ], "description": "This module will download a file by importing urlmon via railgun.\n The user may also choose to execute the file with arguments via exec_string.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/download_exec.rb", 
"is_install_path": true, "ref_name": "windows/manage/download_exec", "check": false }, "post_windows/manage/driver_loader": { "name": "Windows Manage Driver Loader", "full_name": "post/windows/manage/driver_loader", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module loads a KMD (Kernel Mode Driver) using the Windows Service API.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/driver_loader.rb", "is_install_path": true, "ref_name": "windows/manage/driver_loader", "check": false }, "post_windows/manage/enable_rdp": { "name": "Windows Manage Enable Remote Desktop", "full_name": "post/windows/manage/enable_rdp", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module enables the Remote Desktop Service (RDP). It provides the options to create\n an account and configure it to be a member of the Local Administrators and\n Remote Desktop Users group. It can also forward the target's port 3389/tcp.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-08-21 22:46:30 +0000", "path": "/modules/post/windows/manage/enable_rdp.rb", "is_install_path": true, "ref_name": "windows/manage/enable_rdp", "check": false }, "post_windows/manage/enable_support_account": { "name": "Windows Manage Trojanize Support Account", "full_name": "post/windows/manage/enable_support_account", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "salcho " ], "description": "This module enables alternative access to servers and workstations\n by modifying the support account's properties. It will enable\n the account for remote access as the administrator user while\n taking advantage of some weird behavior in lusrmgr.msc. 
It will\n check if sufficient privileges are available for registry operations,\n otherwise it exits.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/enable_support_account.rb", "is_install_path": true, "ref_name": "windows/manage/enable_support_account", "check": false }, "post_windows/manage/exec_powershell": { "name": "Windows Powershell Execution Post Module", "full_name": "post/windows/manage/exec_powershell", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Nicholas Nam (nick ", "RageLtMan" ], "description": "This module will execute a powershell script in a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/exec_powershell.rb", "is_install_path": true, "ref_name": "windows/manage/exec_powershell", "check": false }, "post_windows/manage/forward_pageant": { "name": "Forward SSH Agent Requests To Remote Pageant", "full_name": "post/windows/manage/forward_pageant", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Stuart Morgan ", "Ben Campbell " ], "description": "This module forwards SSH agent requests from a local socket to a remote Pageant instance.\n If a target Windows machine is compromised and is running Pageant, this will allow the\n attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are\n tunneled through the meterpreter session. 
This could therefore be used to authenticate\n with a remote host using a private key which is loaded into a remote user's Pageant instance,\n without ever having knowledge of the private key itself.\n\n Note that this requires the PageantJacker meterpreter extension, but this will be automatically\n loaded into the remote meterpreter session by this module if it is not already loaded.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/manage/forward_pageant.rb", "is_install_path": true, "ref_name": "windows/manage/forward_pageant", "check": false }, "post_windows/manage/hashcarve": { "name": "Windows Local User Account Hash Carver", "full_name": "post/windows/manage/hashcarve", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "p3nt4" ], "description": "This module will change a local user's password directly in the registry.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/hashcarve.rb", "is_install_path": true, "ref_name": "windows/manage/hashcarve", "check": false }, "post_windows/manage/ie_proxypac": { "name": "Windows Manage Proxy PAC File", "full_name": "post/windows/manage/ie_proxypac", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC\n option, a PAC file will be created on the victim host. 
It's also possible to provide a\n remote PAC file (REMOTE_PAC option) by providing the full URL.", "references": [ "URL-https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1", "URL-http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/ie_proxypac.rb", "is_install_path": true, "ref_name": "windows/manage/ie_proxypac", "check": false }, "post_windows/manage/inject_ca": { "name": "Windows Manage Certificate Authority Injection", "full_name": "post/windows/manage/inject_ca", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vt " ], "description": "This module allows the attacker to insert an arbitrary CA certificate\n into the victim's Trusted Root store.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/inject_ca.rb", "is_install_path": true, "ref_name": "windows/manage/inject_ca", "check": false }, "post_windows/manage/inject_host": { "name": "Windows Manage Hosts File Injection", "full_name": "post/windows/manage/inject_host", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vt " ], "description": "This module allows the attacker to insert a new entry into the target\n system's hosts file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-06-12 17:11:29 +0000", "path": "/modules/post/windows/manage/inject_host.rb", "is_install_path": true, "ref_name": "windows/manage/inject_host", "check": false }, "post_windows/manage/killav": { "name": "Windows Post Kill Antivirus and Hips", "full_name": "post/windows/manage/killav", "rank": 300, "disclosure_date": null, "type": "post", 
"author": [ "Marc-Andre Meloche (MadmanTM)", "Nikhil Mittal (Samratashok)", "Jerome Athias", "OJ Reeves" ], "description": "This module attempts to locate and terminate any processes that are identified\n as being Antivirus or Host-based IPS related.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/killav.rb", "is_install_path": true, "ref_name": "windows/manage/killav", "check": false }, "post_windows/manage/migrate": { "name": "Windows Manage Process Migration", "full_name": "post/windows/manage/migrate", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez " ], "description": "This module will migrate a Meterpreter session from one process\n to another. A given process PID to migrate to or the module can spawn one and\n migrate to that newly spawned process.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/migrate.rb", "is_install_path": true, "ref_name": "windows/manage/migrate", "check": false }, "post_windows/manage/mssql_local_auth_bypass": { "name": "Windows Manage Local Microsoft SQL Server Authorization Bypass", "full_name": "post/windows/manage/mssql_local_auth_bypass", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Scott Sutherland " ], "description": "When this module is executed, it can be used to add a sysadmin to local\n SQL Server instances. It first attempts to gain LocalSystem privileges\n using the \"getsystem\" escalation methods. If those privileges are not\n sufficient to add a sysadmin, then it will migrate to the SQL Server\n service process associated with the target instance. The sysadmin\n login is added to the local SQL Server using native SQL clients and\n stored procedures. 
If no instance is specified then the first identified\n instance will be used.\n\n Why is this possible? By default in SQL Server 2k-2k8, LocalSystem\n is assigned sysadmin privileges. Microsoft changed the default in\n SQL Server 2012 so that LocalSystem no longer has sysadmin privileges.\n However, this can be overcome by migrating to the SQL Server process.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/mssql_local_auth_bypass.rb", "is_install_path": true, "ref_name": "windows/manage/mssql_local_auth_bypass", "check": false }, "post_windows/manage/multi_meterpreter_inject": { "name": "Windows Manage Inject in Memory Multiple Payloads", "full_name": "post/windows/manage/multi_meterpreter_inject", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "David Kennedy \"ReL1K\" " ], "description": "This module will inject a given payload into several processes,\n each connecting to one of a given list of IP addresses.\n The module works with a given list of IP addresses and\n process PIDs; if no PID is given it will start the process\n named in the advanced options and inject the selected\n payload into the memory of the newly created process.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/multi_meterpreter_inject.rb", "is_install_path": true, "ref_name": "windows/manage/multi_meterpreter_inject", "check": false }, "post_windows/manage/nbd_server": { "name": "Windows Manage Local NBD Server for Remote Disks", "full_name": "post/windows/manage/nbd_server", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Wesley McGrew " ], "description": "Maps remote disks and logical volumes to a local Network Block\n Device server. 
Allows for forensic tools to be executed on the remote disk directly.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/nbd_server.rb", "is_install_path": true, "ref_name": "windows/manage/nbd_server", "check": false }, "post_windows/manage/payload_inject": { "name": "Windows Manage Memory Payload Injection Module", "full_name": "post/windows/manage/payload_inject", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Carlos Perez ", "David Kennedy \"ReL1K\" " ], "description": "This module will inject into the memory of a process a specified windows payload.\n If a payload or process is not provided one will be created by default\n using a reverse x86 TCP Meterpreter Payload.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/payload_inject.rb", "is_install_path": true, "ref_name": "windows/manage/payload_inject", "check": false }, "post_windows/manage/persistence_exe": { "name": "Windows Manage Persistent EXE Payload Installer", "full_name": "post/windows/manage/persistence_exe", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Merlyn drforbin Cousins " ], "description": "This Module will upload an executable to a remote host and make it Persistent.\n It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login,\n SYSTEM will start on system boot but requires privs. SERVICE will create a new service\n which will start the payload. 
This also requires privileges.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-03-26 17:46:18 +0000", "path": "/modules/post/windows/manage/persistence_exe.rb", "is_install_path": true, "ref_name": "windows/manage/persistence_exe", "check": false }, "post_windows/manage/portproxy": { "name": "Windows Manage Set Port Forwarding With PortProxy", "full_name": "post/windows/manage/portproxy", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module uses the PortProxy interface from netsh to set up\n port forwarding persistently (even after reboot). PortProxy\n supports TCP IPv4 and IPv6 connections.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/portproxy.rb", "is_install_path": true, "ref_name": "windows/manage/portproxy", "check": false }, "post_windows/manage/powershell/build_net_code": { "name": "Powershell .NET Compiler", "full_name": "post/windows/manage/powershell/build_net_code", "rank": 600, "disclosure_date": "2012-08-14", "type": "post", "author": [ "RageLtMan " ], "description": "This module will build a .NET source file using powershell. The compiler builds\n the executable or library in memory and produces a binary. After compilation the\n PowerShell session can also sign the executable if provided the path to\n a .pfx formatted certificate. 
Compiler options and a list of assemblies\n required can be configured in the datastore.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-27 07:41:06 +0000", "path": "/modules/post/windows/manage/powershell/build_net_code.rb", "is_install_path": true, "ref_name": "windows/manage/powershell/build_net_code", "check": false }, "post_windows/manage/powershell/exec_powershell": { "name": "Windows Manage PowerShell Download and/or Execute", "full_name": "post/windows/manage/powershell/exec_powershell", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Nicholas Nam (nick ", "RageLtMan" ], "description": "This module will download and execute a PowerShell script over a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/powershell/exec_powershell.rb", "is_install_path": true, "ref_name": "windows/manage/powershell/exec_powershell", "check": false }, "post_windows/manage/powershell/load_script": { "name": "Load Scripts Into PowerShell Session", "full_name": "post/windows/manage/powershell/load_script", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Turner benpturner ", "Dave Hardy davehardy20 " ], "description": "This module will download and execute one or more PowerShell scripts\n over an existing powershell session.\n Setting VERBOSE to true will show the stager results.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": 
"/modules/post/windows/manage/powershell/load_script.rb", "is_install_path": true, "ref_name": "windows/manage/powershell/load_script", "check": false }, "post_windows/manage/pptp_tunnel": { "name": "Windows Manage Remote Point-to-Point Tunneling Protocol", "full_name": "post/windows/manage/pptp_tunnel", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module initiates a PPTP connection to a remote machine (VPN server). Once\n the tunnel is created we can use it to force the victim traffic to go through the\n server getting a man in the middle attack. Be sure to allow forwarding and\n masquerading on the VPN server (mitm).", "references": [ "URL-http://www.youtube.com/watch?v=vdppEZjMPCM&hd=1" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/pptp_tunnel.rb", "is_install_path": true, "ref_name": "windows/manage/pptp_tunnel", "check": false }, "post_windows/manage/priv_migrate": { "name": "Windows Manage Privilege Based Process Migration ", "full_name": "post/windows/manage/priv_migrate", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Josh Hale \"sn0wfa11\" ", "theLightCosine " ], "description": "This module will migrate a Meterpreter session based on session privileges.\n It will do everything it can to migrate, including spawning a new User level process.\n For sessions with Admin rights: It will try to migrate into a System level process in the following\n order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe.\n If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights:\n It will try to migrate to a user level process, if that fails it will attempt to spawn the process\n then migrate to it. 
It will attempt the User level processes in the following order:\n NAME (if specified), explorer.exe, then notepad.exe.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/manage/priv_migrate.rb", "is_install_path": true, "ref_name": "windows/manage/priv_migrate", "check": false }, "post_windows/manage/pxeexploit": { "name": "Windows Manage PXE Exploit Server", "full_name": "post/windows/manage/pxeexploit", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "scriptjunkie" ], "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing a payload to install metsvc, disable the\n firewall, and add a new user metasploit on any Windows partition seen,\n and add a uid 0 user with username and password metasploit to any linux\n partition seen. 
The windows user will have the password p@SSw0rd!123456\n (in case of complexity requirements) and will be added to the administrators\n group.\n\n See exploit/windows/misc/pxesploit for a version to deliver a specific payload.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/pxeexploit.rb", "is_install_path": true, "ref_name": "windows/manage/pxeexploit", "check": false }, "post_windows/manage/reflective_dll_inject": { "name": "Windows Manage Reflective DLL Injection Module", "full_name": "post/windows/manage/reflective_dll_inject", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Ben Campbell " ], "description": "This module will inject into the memory of a process a specified Reflective DLL.", "references": [ "URL-https://github.com/stephenfewer/ReflectiveDLLInjection" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/reflective_dll_inject.rb", "is_install_path": true, "ref_name": "windows/manage/reflective_dll_inject", "check": false }, "post_windows/manage/remove_ca": { "name": "Windows Manage Certificate Authority Removal", "full_name": "post/windows/manage/remove_ca", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vt " ], "description": "This module allows the attacker to remove an arbitrary CA certificate\n from the victim's Trusted Root store.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/remove_ca.rb", "is_install_path": true, 
"ref_name": "windows/manage/remove_ca", "check": false }, "post_windows/manage/remove_host": { "name": "Windows Manage Host File Entry Removal", "full_name": "post/windows/manage/remove_host", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "vt " ], "description": "This module allows the attacker to remove an entry from the Windows hosts file.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/remove_host.rb", "is_install_path": true, "ref_name": "windows/manage/remove_host", "check": false }, "post_windows/manage/rid_hijack": { "name": "Windows Manage RID Hijacking", "full_name": "post/windows/manage/rid_hijack", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Sebastian Castro " ], "description": "This module will create an entry on the target by modifying some properties\n of an existing account. 
It will change the account attributes by setting a\n Relative Identifier (RID), which should be owned by one existing\n account on the destination machine.\n\n Taking advantage of some Windows Local Users Management integrity issues,\n this module will allow to authenticate with one known account\n credentials (like GUEST account), and access with the privileges of another\n existing account (like ADMINISTRATOR account), even if the spoofed account is\n disabled.", "references": [ "URL-http://csl.com.co/rid-hijacking/" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-04-03 04:57:41 +0000", "path": "/modules/post/windows/manage/rid_hijack.rb", "is_install_path": true, "ref_name": "windows/manage/rid_hijack", "check": false }, "post_windows/manage/rpcapd_start": { "name": "Windows Manage Remote Packet Capture Service Starter", "full_name": "post/windows/manage/rpcapd_start", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module enables the Remote Packet Capture System (rpcapd service)\n included in the default installation of Winpcap. 
The module allows you to set up\n the service in passive or active mode (useful if the client is behind a firewall).\n If authentication is enabled you need a local user account to capture traffic.\n PORT will be used depending on the mode configured.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/rpcapd_start.rb", "is_install_path": true, "ref_name": "windows/manage/rpcapd_start", "check": false }, "post_windows/manage/run_as": { "name": "Windows Manage Run Command As User", "full_name": "post/windows/manage/run_as", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Kx499" ], "description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default; by setting\n CMDOUT to true, output will be redirected to a temp file and read back in to\n display. 
By setting advanced option SETPASS to true, it will reset the users\n password and then execute the command.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-04-09 15:27:50 +0000", "path": "/modules/post/windows/manage/run_as.rb", "is_install_path": true, "ref_name": "windows/manage/run_as", "check": false }, "post_windows/manage/run_as_psh": { "name": "Windows 'Run As' Using Powershell", "full_name": "post/windows/manage/run_as_psh", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "p3nt4" ], "description": "This module will start a process as another user using powershell.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/run_as_psh.rb", "is_install_path": true, "ref_name": "windows/manage/run_as_psh", "check": false }, "post_windows/manage/sdel": { "name": "Windows Manage Safe Delete", "full_name": "post/windows/manage/sdel", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "The goal of the module is to hinder the recovery of deleted files by overwriting\n its contents. This could be useful when you need to download some file on the victim\n machine and then delete it without leaving clues about its contents. Note that the script\n does not wipe the free disk space so temporary/sparse/encrypted/compressed files could\n not be overwritten. 
Note too that MFT (Master File Table) entries are not overwritten, so very small files\n whose data is resident in the MFT record could remain recoverable.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/sdel.rb", "is_install_path": true, "ref_name": "windows/manage/sdel", "check": false }, "post_windows/manage/sticky_keys": { "name": "Sticky Keys Persistence Module", "full_name": "post/windows/manage/sticky_keys", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "OJ Reeves" ], "description": "This module makes it possible to apply the 'sticky keys' hack to a session with appropriate\n rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP\n login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting\n for certain executables.\n\n The module options allow for this hack to be applied to:\n\n SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),\n UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),\n OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and\n DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).\n\n The hack can be added using the ADD action, and removed with the REMOVE action.\n\n Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded\n to the target prior to running the module. 
By default, a SYSTEM command prompt is installed\n using the registry method if this module is run without modifying any parameters.", "references": [ "URL-https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit", "URL-http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/sticky_keys.rb", "is_install_path": true, "ref_name": "windows/manage/sticky_keys", "check": false }, "post_windows/manage/vmdk_mount": { "name": "Windows Manage VMDK Mount Drive", "full_name": "post/windows/manage/vmdk_mount", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage\n of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the\n device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with\n extreme care. 
You should only open a disk file in writable mode if you know for sure that no snapshots\n or clones are linked from the file.", "references": [ "URL-http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/vmdk_mount.rb", "is_install_path": true, "ref_name": "windows/manage/vmdk_mount", "check": false }, "post_windows/manage/vss_create": { "name": "Windows Manage Create Shadow Copy", "full_name": "post/windows/manage/vss_create", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to create a new volume shadow copy.\n This is based on the VSSOwn Script originally posted by\n Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/vss_create.rb", "is_install_path": true, "ref_name": "windows/manage/vss_create", "check": false }, "post_windows/manage/vss_list": { "name": "Windows Manage List Shadow Copies", "full_name": "post/windows/manage/vss_list", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to list any Volume Shadow Copies\n on the system. 
This is based on the VSSOwn Script\n originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/vss_list.rb", "is_install_path": true, "ref_name": "windows/manage/vss_list", "check": false }, "post_windows/manage/vss_mount": { "name": "Windows Manage Mount Shadow Copy", "full_name": "post/windows/manage/vss_mount", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to mount a Volume Shadow Copy\n on the system. This is based on the VSSOwn Script\n originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/vss_mount.rb", "is_install_path": true, "ref_name": "windows/manage/vss_mount", "check": false }, "post_windows/manage/vss_set_storage": { "name": "Windows Manage Set Shadow Copy Storage Space", "full_name": "post/windows/manage/vss_set_storage", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to change the amount of space\n for volume shadow copy storage. 
This is based on the\n VSSOwn Script originally posted by Tim Tomes and\n Mark Baggett.\n\n Works on win2k3 and later.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/manage/vss_set_storage.rb", "is_install_path": true, "ref_name": "windows/manage/vss_set_storage", "check": false }, "post_windows/manage/vss_storage": { "name": "Windows Manage Get Shadow Copy Storage Info", "full_name": "post/windows/manage/vss_storage", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module will attempt to get volume shadow copy storage info.\n This is based on the VSSOwn Script originally posted by\n Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", "references": [ "URL-http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/vss_storage.rb", "is_install_path": true, "ref_name": "windows/manage/vss_storage", "check": false }, "post_windows/manage/wdigest_caching": { "name": "Windows Post Manage WDigest Credential Caching", "full_name": "post/windows/manage/wdigest_caching", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Kostas Lintovois " ], "description": "On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. 
This module enables/disables\n credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.\n Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/manage/wdigest_caching.rb", "is_install_path": true, "ref_name": "windows/manage/wdigest_caching", "check": false }, "post_windows/manage/webcam": { "name": "Windows Manage Webcam", "full_name": "post/windows/manage/webcam", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "sinn3r " ], "description": "This module will allow the user to detect installed webcams (with\n the LIST action) or take a snapshot (with the SNAPSHOT) action.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/manage/webcam.rb", "is_install_path": true, "ref_name": "windows/manage/webcam", "check": false }, "post_windows/recon/computer_browser_discovery": { "name": "Windows Recon Computer Browser Discovery", "full_name": "post/windows/recon/computer_browser_discovery", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module uses railgun to discover hostnames and IPs on the network.\n LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers),\n SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers),\n NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browsers),\n WINDOWS (all Windows hosts), or UNIX (all Unix hosts).", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, 
"targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/recon/computer_browser_discovery.rb", "is_install_path": true, "ref_name": "windows/recon/computer_browser_discovery", "check": false }, "post_windows/recon/outbound_ports": { "name": "Windows Outbound-Filtering Rules", "full_name": "post/windows/recon/outbound_ports", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module makes some kind of TCP traceroute to get outbound-filtering rules.\n It will try to make a TCP connection to a certain public IP address (this IP\n does not need to be under your control) using different TTL incremental values.\n This way if you get an answer (ICMP TTL time exceeded packet) from a public IP\n device you can infer that the destination port is allowed. Setting STOP to\n true the module will stop as soon as you reach a public IP (this will generate\n less noise in the network).", "references": [ "URL-http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html" ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/recon/outbound_ports.rb", "is_install_path": true, "ref_name": "windows/recon/outbound_ports", "check": false }, "post_windows/recon/resolve_ip": { "name": "Windows Recon Resolve IP", "full_name": "post/windows/recon/resolve_ip", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "mubix " ], "description": "This module reverse resolves a range or IP to a hostname", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/recon/resolve_ip.rb", "is_install_path": true, "ref_name": "windows/recon/resolve_ip", "check": false }, "post_windows/wlan/wlan_bss_list": { "name": "Windows Gather 
Wireless BSS Info", "full_name": "post/windows/wlan/wlan_bss_list", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module gathers information about the wireless Basic Service Sets\n available to the victim machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/wlan/wlan_bss_list.rb", "is_install_path": true, "ref_name": "windows/wlan/wlan_bss_list", "check": false }, "post_windows/wlan/wlan_current_connection": { "name": "Windows Gather Wireless Current Connection Info", "full_name": "post/windows/wlan/wlan_current_connection", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module gathers information about the current connection on each\n wireless lan interface on the target machine.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/wlan/wlan_current_connection.rb", "is_install_path": true, "ref_name": "windows/wlan/wlan_current_connection", "check": false }, "post_windows/wlan/wlan_disconnect": { "name": "Windows Disconnect Wireless Connection", "full_name": "post/windows/wlan/wlan_disconnect", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module disconnects the current wireless network connection\n on the specified interface.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-07-24 06:26:21 +0000", "path": "/modules/post/windows/wlan/wlan_disconnect.rb", "is_install_path": true, "ref_name": "windows/wlan/wlan_disconnect", "check": false }, "post_windows/wlan/wlan_probe_request": { "name": 
"Windows Send Probe Request Packets", "full_name": "post/windows/wlan/wlan_probe_request", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "Borja Merino " ], "description": "This module sends probe requests through the wlan interface.\n The ESSID field will be used to set a custom message.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2018-05-03 11:41:09 +0000", "path": "/modules/post/windows/wlan/wlan_probe_request.rb", "is_install_path": true, "ref_name": "windows/wlan/wlan_probe_request", "check": false }, "post_windows/wlan/wlan_profile": { "name": "Windows Gather Wireless Profile", "full_name": "post/windows/wlan/wlan_profile", "rank": 300, "disclosure_date": null, "type": "post", "author": [ "theLightCosine " ], "description": "This module extracts saved Wireless LAN profiles. It will also try to decrypt\n the network key material. Behavior is slightly different between OS versions\n when it comes to WPA. In Windows Vista/7 we will get the passphrase. In\n Windows XP we will get the PBKDF2 derived key.", "references": [ ], "is_server": false, "is_client": false, "platform": "Windows", "arch": "", "rport": null, "targets": null, "mod_time": "2017-09-17 16:00:04 +0000", "path": "/modules/post/windows/wlan/wlan_profile.rb", "is_install_path": true, "ref_name": "windows/wlan/wlan_profile", "check": false } }