Archive

Metasploit

  • auxiliary/server/openssl_altchainsforgery_mitm_proxy
    This module exploits a logic error in OpenSSL by impersonating the server and sending a specially crafted chain of certificates, causing certain checks on untrusted certificates to be bypassed on the client and allowing a valid leaf certificate to be used as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server, allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension, or it must have at least the keyCertSign bit set (see the X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.

  • auxiliary/server/jsse_skiptls_mitm_proxy
    This module exploits an incomplete internal state distinction in Java Secure Socket Extension (JSSE) by impersonating the server and finishing the handshake before the peers have authenticated themselves and instantiated the negotiated security parameters, resulting in a plaintext SSL/TLS session with the client. This plaintext SSL/TLS session is then proxied to the server using a second SSL/TLS session from the proxy to the server (or an alternate fake server), allowing the session to continue normally and plaintext application data transmitted between the peers to be saved. This module requires an active man-in-the-middle attack.

  • auxiliary/server/dhclient_bash_env
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.

  • auxiliary/admin/http/katello_satellite_priv_esc
    This module exploits a missing authorization vulnerability in the “update_roles” action of the “users” controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.

  • exploit/linux/http/cfme_manageiq_evm_upload_exec
    This module exploits a path traversal vulnerability in the “linuxpkgs” action of the “agent” controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action, which is not necessary since the application already contains a general default route.

  • auxiliary/admin/http/cfme_manageiq_evm_pass_reset
    This module exploits a SQL injection vulnerability in the “explorer” action of the “miq_policy” controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by changing the password of the target account to the specified password.

  • auxiliary/admin/http/foreman_openstack_satellite_priv_esc
    This module exploits a mass assignment vulnerability in the ‘create’ action of the ‘users’ controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have the ‘create_users’ permission (e.g., the Manager role).

  • exploit/linux/http/foreman_openstack_satellite_code_exec
    This module exploits a code injection vulnerability in the ‘create’ action of the ‘bookmarks’ controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).

  • auxiliary/scanner/snmp/aix_version
    AIX SNMP Scanner Auxiliary Module

  • exploit/aix/rpc_ttdbserverd_realpath
    This module exploits a buffer overflow vulnerability in the _tt_internal_realpath function of the ToolTalk database server (rpc.ttdbserverd).

  • payload/aix/ppc/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/aix/ppc/shell_find_port
    Spawn a shell on an established connection

  • payload/aix/ppc/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • payload/linux/ppc64/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/linux/ppc64/shell_find_port
    Spawn a shell on an established connection

  • payload/linux/ppc64/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • payload/linux/ppc/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/linux/ppc/shell_find_port
    Spawn a shell on an established connection

  • payload/linux/ppc/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • exploit/linux/samba/lsa_transnames_heap
    This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba “log level” parameter is higher than “2”.

  • payload/linux/x86/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/linux/x86/shell_find_port
    Spawn a shell on an established connection

  • exploit/solaris/sunrpc/sadmind_adm_build_path
    This module exploits a buffer overflow vulnerability in the adm_build_path() function of the sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run even if there are no active requests.

  • auxiliary/scanner/misc/ib_service_mgr_info
    This module retrieves the version of the Services Manager, and the version and implementation of the InterBase server, from the InterBase Services Manager.

  • exploit/windows/misc/ib_svc_attach
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

  • exploit/windows/misc/ib_isc_create_database
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

  • exploit/windows/misc/ib_isc_attach_database
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

  • exploit/windows/misc/fb_svc_attach
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

  • exploit/windows/misc/fb_isc_create_database
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

  • exploit/windows/misc/fb_isc_attach_database
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

  • exploit/linux/misc/ib_pwd_db_aliased
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

  • exploit/linux/misc/ib_open_marker_file
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

  • exploit/linux/misc/ib_jrd8_create_database
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

  • exploit/linux/misc/ib_inet_connect
    This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

  • payload/linux/x86/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • payload/bsd/x86/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/bsd/x86/shell_find_port
    Spawn a shell on an established connection

  • payload/bsd/x86/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • exploit/solaris/samba/lsa_transnames_heap
    This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba “log level” parameter is higher than “2”.

  • payload/solaris/x86/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/solaris/x86/shell_find_port
    Spawn a shell on an established connection

  • payload/solaris/x86/shell_bind_tcp
    Listen for a connection and spawn a command shell

  • payload/osx/x86/shell_reverse_tcp
    Connect back to attacker and spawn a command shell

  • payload/osx/x86/shell_find_port
    Spawn a shell on an established connection

  • exploit/osx/samba/lsa_transnames_heap
    This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses szone_free() to overwrite the size() or free() pointer in the initial_malloc_zones structure.

  • payload/osx/x86/shell_bind_tcp
    Listen for a connection and spawn a command shell

Vulnerabilities

  • CVE-2013-2143
    The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

  • CVE-2013-2121
    Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute.

  • CVE-2013-2113
    The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

  • CVE-2013-2068
    Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.

  • CVE-2013-2050
    SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action.

  • CVE-2013-2049
    Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.

  • CVE-2012-0815
    The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.

  • CVE-2012-0061
    The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.

  • CVE-2012-0060
    RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

  • CVE-2010-0415
    The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel’s node set.

  • CVE-2009-2727
    Stack-based buffer overflow in the _tt_internal_realpath function in the ToolTalk library (libtt.a) in IBM AIX 5.2.0, 5.3.0, 5.3.7 through 5.3.10, and 6.1.0 through 6.1.3, when the rpc.ttdbserver daemon is enabled in /etc/inetd.conf, allows remote attackers to execute arbitrary code via a long XDR-encoded ASCII string to remote procedure 15.

  • CVE-2009-2407
    Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.

  • CVE-2009-2406
    Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.

  • CVE-2008-4556
    Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.

  • CVE-2007-5246
    Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and 2.0.1.12855, and WI 2.0.0.12748 and 2.0.1.12855, allow remote attackers to execute arbitrary code via (1) a long attach request on TCP port 3050 to the isc_attach_database function or (2) a long create request on TCP port 3050 to the isc_create_database function.

  • CVE-2007-5245
    Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and 1.5.4.4910, and WI 1.5.3.4870 and 1.5.4.4910, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the SVC_attach function or (2) unspecified vectors involving the INET_connect function.

  • CVE-2007-5244
    Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, allows remote attackers to execute arbitrary code via a long attach request on TCP port 3050 to the open_marker_file function.

  • CVE-2007-5243
    Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.

  • CVE-2007-4684
    Integer overflow in the kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a large num_sels argument to the i386_set_ldt system call.

  • CVE-2007-0430
    The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value.

  • CVE-2006-4655
    Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

  • CVE-2006-4178
    Integer signedness error in the i386_set_ldt call in FreeBSD 5.5, and possibly earlier versions down to 5.2, allows local users to cause a denial of service (crash) via unspecified arguments that use negative signed integers to cause the bzero function to be called with a large length parameter, a different vulnerability than CVE-2006-4172.

  • CVE-2006-4172
    Integer overflow vulnerability in the i386_set_ldt call in FreeBSD 5.5, and possibly earlier versions down to 5.2, allows local users to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2006-4178.