This module exploits a stack-based buffer overflow vulnerability in the waHTTP.exe (SAP DB Web Server) component included with the SAP DB. The exploit is triggered by sending an unauthenticated, specially crafted HTTP request to the default port 9999/TCP.
This vulnerability allows remote attackers to execute arbitrary code on installations of Sami FTP Server, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the authentication process. This can be exploited to cause a stack-based buffer overflow by sending an overly long, specially-crafted password to the affected server and waiting for the administrator of Sami FTP Server to set focus on the GUI of the program in order to deploy an agent.
This module exploits a remote stack-based buffer overflow in the Safenet IKE Service (included in several VPN clients) by sending a specially crafted packet to UDP port 62514.
This module exploits a stack-based buffer overflow vulnerability in the Windows RSH application (rshd.exe). The module sends a specially crafted packet to port 514/tcp and installs an agent if successful.
This module exploits a stack-based buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw.
Ricoh DC's DL-10 SR10 FTP Server is prone to a buffer-overflow vulnerability when handling data through the USER command. This can be exploited by supplying a long string of data to the affected command. In order to trigger the vulnerability, the log file of the application must not be empty. The vulnerable version of the SR10.exe file is 1.0.0.520.
This exploit simulates a RealVNC client and establishes a connection with a RealVNC server without using a password. After that, it opens a console, writes the exploit and executes it in ntsd.exe.
This module exploits a buffer overflow vulnerability in RealServer 8.0 when constructing error messages. After successful exploitation an agent will be installed.
This module exploits an array overflow vulnerability in RealServer and Helix Server 8.0 and higher. The bug is present in the code for accessing RealServer's registry (or configuration options), in the constructor for the class ServRegKey (at least in the open source version of Helix Server). The bug occurs when a string is split into several substrings, using '.' as the separator. A pointer to each substring is added to an array with space to hold only 1024 pointers; thus, if a string with more than 1024 dots is fed to this function, the array is overflowed and, in our case, the return address is overwritten with a pointer to one of the substrings. There may be several ways of reaching this vulnerable code; however, we are using the publicly known way to reach it: the View Source plugin. Once a request is issued for a URL ending in ".smi", the View Source plugin is used; it then calls the registry routine to check the configuration of the requested URL, and in doing so feeds the vulnerable function with the user-supplied string. Older versions (for example RealServer 7.0) are vulnerable, but not exploitable with this same technique (if they are exploitable at all), as the buffer where the pointers are stored is dynamically allocated on the heap. After successful exploitation an agent will be installed.
This module exploits a remote stack-based buffer overflow vulnerability in AgentX++, as distributed with Helix Server, by sending multiple blocks of data to the port 705/TCP. Authentication is not required to exploit this vulnerability.