This Metasploit module exploits a stack overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When the WorldClient HTTP server is installed (default), a CGI script is provided to accept HTML FORM-based emails and deliver them via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack-based overflow occurs when an excessively long From field is specified. The Raw Queue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a NOP sled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw.
This Metasploit module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
This Metasploit module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This Metasploit module is based on the code by SkD.
This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This Metasploit module has only been tested against Windows 2000 SP1.
This Metasploit module exploits a stack overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This Metasploit module was tested successfully using "c:\>nc -L -p 31337 -e ftp".
This Metasploit module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the log file is manually deleted via the file system.
This Metasploit module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten.
This Metasploit module exploits a stack overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt generally causes a thread to die whether successful or not. Therefore you have only 10 attempts on a default install (more if the thread limit has been raised).
This Metasploit module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.
This Metasploit module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten.
This Metasploit module exploits a stack overflow in the vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed SecureTransport suite. By sending an overly long string in the 'remotefile' argument of the TransferFile() function, an attacker may be able to execute arbitrary code.
This Metasploit module exploits a buffer overflow in W32Dasm <= v8.93. By creating a malicious file and convincing a user to disassemble the file with a vulnerable version of W32Dasm, the Imports/Exports function is copied to the stack and arbitrary code may be executed locally as the user.
This Metasploit module exploits a buffer overflow in the AT&T WinVNC version <= v3.3.3r7 web server. When debugging mode with logging is enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads!
This Metasploit module exploits a stack overflow in the iMatix Corporation Xitami Web Server. If a malicious user sends an If-Modified-Since header containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique. You may wish to adjust WfsDelay appropriately.
This Metasploit module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to the victim, and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module.
The Matt Wright guestbook.pl CGI script, versions 2.3.1 and below, contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server has the Server-Side Include (SSI) script handler enabled for the '.html' file type. By combining the script weakness with this non-default server configuration, it is possible to exploit this vulnerability successfully.
This Metasploit module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl-based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file (non-default).
This Metasploit module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to 0.92.2 are vulnerable. When run with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call.
This Metasploit module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to 3.1.3 are vulnerable.
This Metasploit module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation, it is possible to abuse an insecure PATH lookup of 'ps' and similar commands in the setuid 'benetool' binary to escalate to root.
This Metasploit module exploits a stack-based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique.
This Metasploit module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address.
This Metasploit module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module.
This Metasploit module exploits a stack overflow in the Salim Gasmi GLD greylisting daemon for Postfix, versions 1.4 and below. By sending an overly long string the stack can be overwritten.
This Metasploit module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password.