Novell Client for NetWare is prone to a buffer overflow vulnerability in nwspool.dll that could permit the execution of arbitrary remote code. A remote attacker can exploit this vulnerability to execute arbitrary code and completely compromise the computer. This module exploits this vulnerability and installs an agent.
Microsoft Client Service for NetWare is prone to a buffer overflow vulnerability that could permit the execution of arbitrary remote code. A remote attacker can exploit this vulnerability to execute arbitrary code and completely compromise the computer. This module exploits this vulnerability and installs an agent.
This module exploits a buffer overflow in the Message Queuing component of Microsoft Windows that allows remote attackers to execute arbitrary code via a crafted message, and installs an agent. This module only works with localagent set as source.
The Windows Message Queuing Service is prone to a buffer overflow vulnerability in its RPC interface that could permit the execution of arbitrary remote code. A remote attacker can exploit this vulnerability to execute arbitrary code and completely compromise the computer. This module exploits this vulnerability and installs an agent.
This module exploits a stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows, which allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. This service is accessible via TCP ports 139 and 445. When the target system is Windows 2000, the Advanced Parameter DCERPC_MAX_FRAGMENT can't be larger than 4256, otherwise the exploit will not work. For Windows XP boxes there is no apparent limit on this parameter; in these cases the exploit works even if fragmentation is disabled (-1).
This module exploits a buffer overflow in the RPC Locator service. This service is present by default in Domain Controller computers. After successful exploitation an agent will be installed.
This module exploits a .data based buffer overflow in the function _RegistryInitValues@12 of LLSSRV.EXE (Microsoft's License and Logging Service), to then force a stack-based buffer overflow in the function _LocalServiceListConcurrentLimitSet@0. The exploit doesn't use any hardcoded address; it instead uses DCE-RPC messages to place the agent (and other structures) in the memory of the target service, and then uses other DCE-RPC messages to learn the addresses of these structures. In default installations of Windows 2000 Service Pack 4 (Server and Advanced Server) the LlsSrv service needs authentication, and the same may also be true in non-default configurations. In these cases, a valid username and password or username and hashes combination will be needed and should be entered in the Advanced parameters tab. This service is accessible via TCP ports 139 and 445.