• MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free
    Disclosure Date: 2010-11-29
    First seen: 2020-04-26
    exploit/windows/browser/ms11_003_ie_css_import
    This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed. Authors: - passerby - d0c_s4vage - jduck <jduck@metasploit.com>
  • MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
    Disclosure Date: 2010-11-09
    First seen: 2020-04-26
    exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting. It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that Microsoft will confirm or deny this since Office 2000 has reached its support cycle end-of-life. Authors: - wushi of team509 - unknown - jduck <jduck@metasploit.com> - DJ Manila Ice, Vesh, CA
  • MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption
    Disclosure Date: 2010-11-03
    First seen: 2020-04-26
    exploit/windows/browser/ms10_090_ie_css_clip
    This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems that Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable: specifically, those whose program counter ends up within another module, in kernel space, or at an address that cannot be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections. Authors: - unknown - Yuange - Matteo Memelli - jduck <jduck@metasploit.com>
  • Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
    Disclosure Date: 2010-09-14
    First seen: 2020-04-26
    auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
    The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. It is required that Active Server Pages are hosted by IIS and that an ASP script reads out a POST form value. Authors: - Heyder Andrade <heyder@alligatorteam.org> - Leandro Oliveira <leadro@alligatorteam.org>
  • MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
    Disclosure Date: 2010-09-14
    First seen: 2020-04-26
    exploit/windows/smb/ms10_061_spoolss
    This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild. Authors: - jduck <jduck@metasploit.com> - hdm <x@hdm.io>
  • Windows Escalate Task Scheduler XML Privilege Escalation
    Disclosure Date: 2010-09-13
    First seen: 2020-04-26
    exploit/windows/local/ms10_092_schelevator
    This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable. Authors: - jduck <jduck@metasploit.com>
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2010-07-16
    First seen: 2020-04-26
    exploit/windows/smb/ms10_046_shortcut_icon_dllloader
    This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload inside a DLL, and generates a LNK file which must be sent to the target. Authors: - hdm <x@hdm.io> - jduck <jduck@metasploit.com> - B_H
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2010-07-16
    First seen: 2020-04-26
    exploit/windows/browser/ms10_046_shortcut_icon_dllloader
    This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path. Authors: - hdm <x@hdm.io> - jduck <jduck@metasploit.com> - B_H
  • Microsoft Help Center XSS and Command Execution
    Disclosure Date: 2010-06-09
    First seen: 2020-04-26
    exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec
    Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. With IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to "none" or "player". This module creates a WebDAV service from which the payload is copied to the victim machine. Authors: - Tavis Ormandy - natron <natron@metasploit.com>
  • MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow
    Disclosure Date: 2010-06-08
    First seen: 2020-04-26
    exploit/windows/fileformat/ms10_038_excel_obj_bof
    This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record, an attacker can gain control of the execution flow. This results in arbitrary code execution under the context of the user. Authors: - Nicolas Joly - Shahin Ramezany <shahin@abysssec.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Outlook ATTACH_BY_REF_RESOLVE File Execution
    Disclosure Date: 2010-06-01
    First seen: 2020-04-26
    exploit/windows/email/ms10_045_outlook_ref_resolve
    It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. Exploitation is limited by the fact that it is not possible for attackers to supply command line options. Authors: - Yorick Koster <yorick@akitasecurity.nl>
  • Outlook ATTACH_BY_REF_ONLY File Execution
    Disclosure Date: 2010-06-01
    First seen: 2020-04-26
    exploit/windows/email/ms10_045_outlook_ref_only
    It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but files stored remotely (on a file share, for example) can be used as well. Exploitation is limited by the fact that it is not possible for attackers to supply command line options. Authors: - Yorick Koster <yorick@akitasecurity.nl>
  • Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
    Disclosure Date: 2010-05-04
    First seen: 2020-04-26
    exploit/windows/fileformat/visio_dxf_bof
    This module exploits a stack-based overflow vulnerability in the handling of DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file into a new document via 'Insert' -> 'CAD Drawing'. Authors: - Unknown - Shahin Ramezany <shahin@abysssec.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Windows Media Services ConnectFunnel Stack Buffer Overflow
    Disclosure Date: 2010-04-13
    First seen: 2020-04-26
    exploit/windows/mmsp/ms10_025_wmss_connect_funnel
    This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful as well as unsuccessful exploitation attempts will kill the service, which prevents additional attempts. Authors: - jduck <jduck@metasploit.com>
  • MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
    Disclosure Date: 2010-04-13
    First seen: 2020-04-26
    exploit/windows/browser/ms10_026_avi_nsamplespersec
    This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio contents. The overflow only allows overwriting with 0's, so the three least significant bytes of the EIP saved on the stack are overwritten and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .NET control. Authors: - Yamata Li - Shahin Ramezany <shahin@abysssec.com> - juan vazquez <juan.vazquez@metasploit.com> - Jordi Sanchez <jsanchez@0x01000000.org>
  • MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
    Disclosure Date: 2010-03-09
    First seen: 2020-04-26
    exploit/windows/browser/ms10_018_ie_tabular_activex
    This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code. Authors: - Unknown - jduck <jduck@metasploit.com>
  • MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
    Disclosure Date: 2010-03-09
    First seen: 2020-04-26
    exploit/windows/browser/ms10_018_ie_behaviors
    This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected. Authors: - unknown - Trancer <mtrancer@gmail.com> - Nanika - jduck <jduck@metasploit.com>
  • MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
    Disclosure Date: 2010-02-26
    First seen: 2020-04-26
    exploit/windows/browser/ms10_022_ie_vbscript_winhlp32
    This module exploits a code execution vulnerability that occurs when a user presses F1 on a MessageBox originating from VBScript within a web page. When the user hits F1, the MessageBox help functionality will attempt to load and use an HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning. Authors: - Maurycy Prodeus - jduck <jduck@metasploit.com>
  • MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow
    Disclosure Date: 2010-02-09
    First seen: 2020-04-26
    exploit/windows/fileformat/ms10_004_textbytesatom
    This module exploits a stack buffer overflow vulnerability in the handling of the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft, the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as Office 2004 for Mac, are vulnerable. NOTE: The vulnerable code path is not reachable on versions of Windows prior to Windows Vista. Authors: - SkD - Snake - jduck <jduck@metasploit.com>
  • MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
    Disclosure Date: 2010-01-21
    First seen: 2020-04-26
    exploit/windows/browser/ms10_002_ie_object
    This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory. Authors: - Peter Vreugdenhil - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>
221 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit the Metasploit web site for more details.