This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net. It allows an attacker to execute arbitrary code by sending a specially crafted packet to the vulnerable service.
This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a 'jmp esp' call from the application library SLMFC.DLL found in %SYSTEM%system32. This return address works against all version of Windows and service packs.
This module executes an arbitrary payload on a Microsoft SQL Server by using the 'xp_cmdshell' stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoidied by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).
This module exploits a stack buffer overflow in EMC AlphaStor 3.1. By sending a specially crafted message, an attacker may be able to execute arbitrary code.
This module will execute an arbitrary payload against any system infected with the Arugizer trojan horse. This backdoor was shipped with the software package accompanying the Energizer Duo USB battery charger.
This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2 When sending a specially crafted nfs packet, an attacker may be able to execute arbitrary code.
This module exploits a stack buffer overflow in the NetGear WG111v2 wireless device driver. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains more than 1100 bytes worth of information elements.
Services By CQR