FreeBSD Intel SYSRET Privilege Escalation
Disclosure Date: 2012-06-12
First seen: 2020-04-26
Module: exploit/freebsd/local/intel_sysret_priv_esc
This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution. This module has been tested successfully on: FreeBSD 8.3-RELEASE (amd64); and FreeBSD 9.0-RELEASE (amd64).
Authors: Rafal Wojtczuk, John Baldwin, iZsh, bcoles <bcoles@gmail.com>
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
Disclosure Date: 2007-02-12
First seen: 2020-04-26
Module: exploit/solaris/telnet/fuser
This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.
Authors: MC <mc@metasploit.com>
Sendmail SMTP Address prescan Memory Corruption
Disclosure Date: 2003-09-17
First seen: 2020-04-26
Module: auxiliary/dos/smtp/sendmail_prescan
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.
Authors: aushack <patrick@osisecurity.com.au>
Samba trans2open Overflow (*BSD x86)
Disclosure Date: 2003-04-07
First seen: 2020-04-26
Module: exploit/freebsd/samba/trans2open
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set.
Authors: hdm <x@hdm.io>, jduck <jduck@metasploit.com>
Samba trans2open Overflow (Linux x86)
Disclosure Date: 2003-04-07
First seen: 2020-04-26
Module: exploit/linux/samba/trans2open
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.
Authors: hdm <x@hdm.io>, jduck <jduck@metasploit.com>
Samba trans2open Overflow (Solaris SPARC)
Disclosure Date: 2003-04-07
First seen: 2020-04-26
Module: exploit/solaris/samba/trans2open
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.
Authors: hdm <x@hdm.io>, jduck <jduck@metasploit.com>
Samba trans2open Overflow (Mac OS X PPC)
Disclosure Date: 2003-04-07
First seen: 2020-04-26
Module: exploit/osx/samba/trans2open
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.
Authors: hdm <x@hdm.io>, jduck <jduck@metasploit.com>
Solaris KCMS + TTDB Arbitrary File Read
Disclosure Date: 2003-01-22
First seen: 2020-04-26
Module: auxiliary/admin/sunrpc/solaris_kcms_readfile
This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.
Authors: vlad902 <vlad902@gmail.com>, jduck <jduck@metasploit.com>
Solaris in.telnetd TTYPROMPT Buffer Overflow
Disclosure Date: 2002-01-18
First seen: 2020-04-26
Module: exploit/solaris/telnet/ttyprompt
This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon.
Authors: MC <mc@metasploit.com>, cazz <bmc@shmoo.com>
System V Derived /bin/login Extraneous Arguments Buffer Overflow
Disclosure Date: 2001-12-12
First seen: 2020-04-26
Module: exploit/dialup/multi/login/manyargs
This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.
Authors: I)ruid <druid@caughq.org>
Solaris LPD Command Execution
Disclosure Date: 2001-08-31
First seen: 2020-04-26
Module: exploit/solaris/lpd/sendmail_exec
This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system.
Authors: hdm <x@hdm.io>, ddz <ddz@theta44.org>
SSH User Code Execution
Disclosure Date: 1999-01-01
First seen: 2020-04-26
Module: exploit/multi/ssh/sshexec
This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used.
Authors: Spencer McIntyre, Brandon Knight
Solaris ypupdated Command Execution
Disclosure Date: 1994-12-12
First seen: 2020-04-26
Module: exploit/solaris/sunrpc/ypupdated_exec
This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.
Authors: I)ruid <druid@caughq.org>
HTTP Options Detection
First seen: 2020-04-26
Module: auxiliary/scanner/http/options
Display available HTTP options for each system.
Authors: CG <cg@carnal0wnage.com>
HTTP Cross-Site Tracing Detection
First seen: 2020-04-26
Module: auxiliary/scanner/http/trace
Checks if the host is vulnerable to Cross-Site Tracing (XST).
Authors: Jay Turla <@shipcod3>, CG <cg@carnal0wnage.com>
Solaris LPD Arbitrary File Delete
First seen: 2020-04-26
Module: auxiliary/dos/solaris/lpd/cascade_delete
This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
Authors: hdm <x@hdm.io>, Optyx <optyx@uberhax0r.net>
D-Link DIR-615H HTTP Login Utility
First seen: 2020-04-26
Module: auxiliary/scanner/http/dlink_dir_615h_http_login
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models.
Authors: hdm <x@hdm.io>, Michael Messner <devnull@s3cur1ty.de>
SNMP Community Login Scanner
First seen: 2020-04-26
Module: auxiliary/scanner/snmp/snmp_login
This module logs in to SNMP devices using common community names.
Authors: hdm <x@hdm.io>
SNMP Enumeration Module
First seen: 2020-04-26
Module: auxiliary/scanner/snmp/snmp_enum
This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public".
Authors: Matteo Cantoni <goony@nothink.org>
Dell iDRAC Default Login
First seen: 2020-04-26
Module: auxiliary/scanner/http/dell_idrac
This module attempts to log in to an iDRAC webserver instance using the default username and password. Tested against:
- Dell Remote Access Controller 6 - Express, versions 1.50 and 1.85
- Dell Remote Access Controller 7 - Enterprise, version 2.63.60.62
- Dell Remote Access Controller 8 - Enterprise, version 2.83.05
- Dell Remote Access Controller 9 - Enterprise, version 4.40.00.00
Authors: Cristiano Maruti <cmaruti@gmail.com>, h00die
Please note: Metasploit modules are only matched by CVE numbers.
Visit the Metasploit web site for more details.