Metasploit

These are the exploit modules I developed that are part of Metasploit:

Exploit modules

exploit/linux/http/cfme_manageiq_evm_upload_exec

This module exploits a path traversal vulnerability in the "linuxpkgs" action of the "agent" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action, although this is not necessary, since the application already contains a general default route.

cfme_manageiq_evm_upload_exec.rb · View on Rapid7 Database

exploit/linux/http/foreman_openstack_satellite_code_exec

This module exploits a code injection vulnerability in the 'create' action of the 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).

foreman_openstack_satellite_code_exec.rb · View on Rapid7 Database

exploit/aix/rpc_ttdbserverd_realpath

This module exploits a buffer overflow vulnerability in the _tt_internal_realpath() function of the ToolTalk database server (rpc.ttdbserverd).

rpc_ttdbserverd_realpath.rb · View on Rapid7 Database

exploit/linux/samba/lsa_transnames_heap

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

lsa_transnames_heap.rb · View on Rapid7 Database

exploit/solaris/sunrpc/sadmind_adm_build_path

This module exploits a buffer overflow vulnerability in the adm_build_path() function of the sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle time is specified with the -i command line option. The sadmind daemon may also be started independently from the command line, for example at system boot time. In this case, the -i option has no effect; sadmind continues to run even if there are no active requests.

sadmind_adm_build_path.rb · View on Rapid7 Database

exploit/windows/misc/ib_svc_attach

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

ib_svc_attach.rb · View on Rapid7 Database

exploit/windows/misc/ib_isc_create_database

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_isc_create_database.rb · View on Rapid7 Database

exploit/windows/misc/ib_isc_attach_database

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_isc_attach_database.rb · View on Rapid7 Database

exploit/windows/misc/fb_svc_attach

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

fb_svc_attach.rb · View on Rapid7 Database

exploit/windows/misc/fb_isc_create_database

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

fb_isc_create_database.rb · View on Rapid7 Database

exploit/windows/misc/fb_isc_attach_database

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

fb_isc_attach_database.rb · View on Rapid7 Database

exploit/linux/misc/ib_pwd_db_aliased

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_pwd_db_aliased.rb · View on Rapid7 Database

exploit/linux/misc/ib_open_marker_file

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_open_marker_file.rb · View on Rapid7 Database

exploit/linux/misc/ib_jrd8_create_database

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_jrd8_create_database.rb · View on Rapid7 Database

exploit/linux/misc/ib_inet_connect

This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

ib_inet_connect.rb · View on Rapid7 Database

exploit/solaris/samba/lsa_transnames_heap

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

lsa_transnames_heap.rb · View on Rapid7 Database

exploit/osx/samba/lsa_transnames_heap

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses szone_free() to overwrite the size() or free() pointer in the initial_malloc_zones structure.

lsa_transnames_heap.rb · View on Rapid7 Database