The following exploits are written based on past security advisories, published proofs-of-concept, or inherent weaknesses in software and operating systems.
- KNet Web Server Buffer Overflow Exploit (SEH)
This exploit takes advantage of a buffer overflow vulnerability in the KNet web server (overwriting the SEH handler) and attempts to gain shell access on the target host. See demo.
- zFTP Server "stat/cwd" Remote Denial-of-Service
This module exploits a remote denial-of-service vulnerability in zFTP Server (version 2011-04-13 08:59 and lower), which fails to handle STAT and CWD commands with an overly large argument buffer.
- Windows Gather AutoLogin User Credential Extractor
This module extracts the plain-text Windows user login password from the registry. It relies on a Windows feature (Windows 2000 through the current Windows Server 2008 R2) that allows a user or a third-party Windows utility tool to configure user AutoLogin by inserting the password in plain text into the (Alt)DefaultPassword value under the registry key HKLM\Software\Microsoft\Windows NT\WinLogon. This key is readable by all users.
- HP JetDirect PJL Query Execution [Final Metasploit module]
This module acts as an HP printer PJL (Printer Job Language) query tool that allows you to submit your own PJL commands. Valid PJL commands are required to get a successful response. See the reference section for the PJL reference guides from HP.
- HP JetDirect PJL Interface Universal Path Traversal
This module exploits a path traversal issue in possibly all HP network-enabled printer series, especially those that expose the Printer Job Language (PJL) command interface through the default JetDirect port 9100. With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.
- Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service
This module triggers a denial-of-service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need: 1) a valid FTP account, either read-only or with write access; 2) the "FTP Publishing" service configured with the "Manual" startup type; and 3) at least one directory under the FTP root directory. If the FTP account you provide has write access and no directory exists, a new directory with a random name is created before the exploit payload is sent.
- TYPSoft FTP Server 1.1 RETR Denial of Service