Metasploit modules that can be used to exploit Microsoft » Windows Xp

This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Authors: - Nicolas Pouvesle <nicolas.pouvesle@gmail.com> - hdm <x@hdm.io>

More information

This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook Authors: - pusscat <pusscat@metasploit.com> - hdm <x@hdm.io>

More information

This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request. Authors: - hdm <x@hdm.io> - san <san@xfocus.org> - O600KO78RUS <O600KO78RUS@unknown.ru>

More information

This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot. Authors: - hdm <x@hdm.io> - cazz <bmc@shmoo.com>

More information

This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website. Authors: - hdm <x@hdm.io>

More information

This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit effects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication. Authors: - pusscat <pusscat@metasploit.com>

More information

This module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote port of any SSL service, or the port and protocol of an application that uses SSL. The only application protocol supported at this time is SMTP. You only have one chance to select the correct target, if you are attacking IIS, you may want to try one of the other exploits first (WebDAV). If WebDAV does not work, this more than likely means that this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using the wrong target may not result in an immediate crash of the remote system. Authors: - hdm <x@hdm.io>

More information

This module exploits a stack buffer overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. Authors: - hdm <x@hdm.io>

More information

This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this vulnerability. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary. Authors: - Solar Eclipse <solareclipse@phreedom.org>

More information

This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. Authors: - hdm <x@hdm.io>

More information

This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. Authors: - hdm <x@hdm.io>

More information

This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :) Authors: - hdm <x@hdm.io> - spoonm <spoonm@no$email.com> - cazz <bmc@shmoo.com>

More information

This module exploits a kernel based overflow when sending abnormal PPTP Control Data packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS. Authors: - aushack <patrick@osisecurity.com.au>

More information

This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C. Authors: - hdm <x@hdm.io>

More information

This module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target. Authors: - Royce Davis "R3dy" <rdavis@accuvant.com> - Brandon McCann "zeknox" <bmccann@accuvant.com>

More information

This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS. Authors: - hdm <x@hdm.io>

More information

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a system has a guest accessible share, you can trigger it without any authentication. Authors: - Laurent Gaffie <laurent.gaffie@gmail.com> - jduck <jduck@metasploit.com>

More information

This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista. Authors: - j.v.vallejo <j.v.vallejo@gmail.com>

More information