APPLICATION:
win32.gif:Serv-U 4.x FTP Overflow:THCservu.exe:application%5Cftp%5Cservu%5CTHCservu.exe:6,RHOST,RPORT%2121,USER,PASS,DIR%21%21(\upload),ID:THCservu v0.1 - Servu 4.x sample exploit for the paper. Practical SEH exploitation - by Johnny Cyberpunk (jcyberpunk%40thc.org).
Target ID
0 - Windows 2000 Server english all service packs.
1 - Windows 2000 Professional german.
2 - Windows XP SP1 german
win32.gif:Microsoft IIS 5.0 Media Services MS03-022 Overflow:iis-media.exe:application%5Cwebserver%5Ciis%5Ciis-media.exe:2,RHOST,RPORT:Coded by tomychen%40tomydan.net. Binds a shell to port 99
win32.gif:Microsoft IIS 5.0 FrontPage fp30reg.dll Chunked MS03-051 Overflow:fp.exe:application%5Cwebserver%5Ciis%5Cfp.exe:2,RHOST,RPORT:Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver 0.1. Coded by Adik < netmaniac [at] hotmail.KG >
win32.gif:Microsoft IIS 5.0 Printer Overflow:jill-win32.exe:application%5Cwebserver%5Ciis%5Cjill-win32.exe:4,RHOST,RPORT,LHOST,LPORT:Coded by dark spyrit / beavuh labs.
win32.gif:Microsoft IIS 5.0 WebDAV ntdll.dll MS03-007 Overflow (ReverseShell):webdav-brute.pl:application%5Cwebserver%5Ciis%5Cwebdav-brute.pl:3,RHOST,LHOST,LPORT:Coded by Alon Swartz (Loni), v0.2. Updated coro%27s wb.exe and bruteforces the return address using pre-defined values. If not successful, it does a straightforward bruteforce (1-255). In order for this exploit to work with the Exploitation Framework, the path to the exploit tree has been hardcoded (quick fix). If your path is different, please update it in the source code. Drive D, Data\tools\SF\ExploitTree\application\webserver\iis\
win32.gif:Microsoft IIS 5.0 WebDAV ntdll.dll MS03-007 Overflow (BindShell):webdav-majik.exe:application%5Cwebserver%5Ciis%5Cwebdav-majik.exe:1,RHOST:Remote Exploit for IIS 5.0 WebDAV by Xnuxer. Will bind a shell to hardcoded port 31337
win32.gif:Microsoft IIS 5.0 SSL PCT MS04-011 Overflow:THCIISSLame.exe:application\webserver\iis\THCIISSLame.exe:3,RHOST!! (eg. www.victim.com),LHOST,LPORT:THCIISSLame v0.2 - IIS 5.0 SSL remote root exploit tested on Windows 2000 Server german\english SP4 by Johnny Cyberpunk (jcyberpunk@thc.org)
Note: no need to listen with netcat
linux.gif:Apache OpenSSL remote exploit:openssl-too-open.exe:application%5Cwebserver%5Capache%5Copenssl-too-open.exe:5,ARCH!-a 0x00,RPORT!-p 443,CONX!-c 30,MCONX!-m 50,RHOST:OpenSSL remote exploit by Solar Eclipse.
-a target architecture (default is 0x00)
-p SSL port (default is 443)
-c open N apache connections before sending the shellcode (default is 30)
-m maximum number of open connections (default is 50)
Supported architectures -
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
SYSTEM:
win32.gif:Microsoft LSASS MS04-011 Overflow:HOD-ms04011-lsasrv-expl.exe:system%5Cmicrosoft%5Cremote%5CHOD-ms04011-lsasrv-expl.exe:5,ID,RHOST,LPORT,LHOST,OPTIONS:MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1. Coded by houseofdabus.
TargetID-
0 [0x01004600] WinXP Professional [universal] lsass.exe
1 [0x7515123c] Win2k Professional [universal] netrap.dll
2 [0x751c123c] Win2k Advanced Server [SP4] netrap.dll
Options-
Detect remote OS, -t
Windows 5.1 - WinXP
Windows 5.0 - Win2k
win32.gif:Microsoft DCOM RPC MS03-026 Overflow:dcom.exe:system\microsoft\remote\dcom.exe:2,ID,RHOST:Original code by FlashSky and Benjurry. Rewritten by HDM (hdm [at] metasploit.com).
TargetID-
0 Windows 2000 SP0 (english)
1 Windows 2000 SP1 (english)
2 Windows 2000 SP2 (english)
3 Windows 2000 SP3 (english)
4 Windows 2000 SP4 (english)
5 Windows XP SP0 (english)
6 Windows XP SP1 (english)
NETWORK:
cisco.gif:Cisco IOS HTTP Bug:ios-w3-vul.exe:network\cisco\ios-w3-vul.exe:2,RHOST,FETCH:Written by bashis. This code scans a Cisco router/switch for the vulnerability and, as an option, fetches the configuration of the router/switch without any authentication if the vulnerability is found. Affects almost ALL Cisco IOS based products with an IOS version later than 11.3, with the HTTP server enabled and using no TACACS%2B or RADIUS authentication.
CONTRIBUTER:Full Name,nick_on_sec4est,e@mail.com