Exploits
Exploits and proof-of-concept code from the team at Hacker House.
Filename | Description |
---|---|
AirWatchMDMJailbreakBypass.txt | Bypass jailbreak detection on mobile device management AirWatch for iOS |
adobe-psp.tgz | Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow PSP bypass (metasploit) |
aix53l-libc.c | AIX 5.3L libc locale environment handling local root exploit |
aix53l-lquerypv.c | AIX 5.3L /usr/sbin/lquerypv local root privilege escalation |
amanda-amstar.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
amanda-backup.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
applejack.c | PonyOS 3.0 & below tty ioctl() kernel local root exploit |
asus_B1M_projector_root.png | ASUS B1M projector remote root command injection (unpatchable) |
BTCPE.txt | British Telecom Huawei UART root access weakness |
charybdis.tgz | Firefox & IE exploits implant dropper for Windows & Linux |
cisco-asa-sslbypass.py | Cisco ASA 8.x & below VPN SSL module Clientless URL-list control bypass |
cisco-XSS-wget-me.txt | Cisco IOS 11.x web interface XSS vulnerability |
cmd_gpbypass.exe | cmd.exe patched to run even when disabled via Group Policy |
cpg15x-dirtraversal.txt | Coppermine 1.5.44 & below directory traversal vulnerability |
cve-2003-0001.py | Etherleak (CVE-2003-0001) information leak exploit, silently fixed in Cisco ASA PSIRT-0669464365 |
CVE-2012-4681.tgz | Oracle Java SE 7 Update 6 & below remote polymorphic exploit (evades PSP) |
CVE-2014-0160.py | Heartbleed mass-scanning proof-of-concept tool |
cve-2016-1531.sh | Exim 4.84-3 local root exploit |
cve-2019-10149.py | Exim between 4.87 & 4.91 local root exploit |
CVE-2020-0601.xdb | XCA database of private keys for trusted CA exploit CVE-2020-0601 |
CVE-2020-3950.tgz | EvilOSX trojan exploit plugin for CVE-2020-3950 VMware Fusion 11.5.2 & below local root |
d3_decimator.txt | SedSystems D3 decimator multiple vulnerabilities allow for remote root |
dllpack.tgz | MS15-051 / MS15-010 exploits with reflective DLL loading support (hacked from public code) |
drupal-CVE-2014-3660.py | Drupal XXE libxml2 Services exploit |
dtappgather-poc.sh | dtappgather local root exploit proof-of-concept (EXTREMEPARR) |
fluttershy.py | PonyOS 4.0 runtime linker local root exploit |
FreeBSD-pftp-dirtraversal.txt | Peters Anonymous FTP on FreeBSD directory traversal vulnerability |
getlogin.c | Tru64 V5.1B & below getlogin() kernel information leak |
gionight.py | GIO Linux embedded remote root exploit |
gns3super-osx.sh | GNS3 OS X local root exploit |
goodnight.c | Linux kernel 2.6.37 & below denial-of-service exploit CVE-2010-4165 |
heartbleed-bin | Statically linked Heartbleed exploit binary (fun trivia: Large Hadron Collider tested with this code) |
heartbleed.c | Heartbleed exploit using OpenSSL to encrypt the exploit traffic for stealth |
heartbleed-keyscan.py | RSA prime factorization exploit for use with Heartbleed |
hfirixwfcmd.sh | SGI IRIX <= 6.5.22 WebForce post-auth Remote Command Injection |
hfsunsshdx.tgz | SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 |
hpwhytry.py | HP XPe embedded devices remote command execution exploit |
iis_search.pl | IIS WebDAV & Indexing service directory traversal attack |
inetutils-telnet.txt | Multiple BSD-based telnet implementations vulnerable to memory corruption |
iPwn.tgz | iOS default root user "alpine" exploit to harvest data via SSH |
irix-captest.c | SGI IRIX <= 6.5.22 capability hijacking "eip" proof-of-concept (SGI XFS) |
irix-ftpd-ls.txt | SGI IRIX <= 6.5.22 ftpd "/bin/ls" root privilege escalation |
irix-mediarecorder.txt | SGI IRIX <= 6.5.22 CAP_SCHED_MGT "mediarecorder" privilege escalation |
irix-onyx-syssgi.c | SGI IRIX <= 6.5.5 syssgi() Onyx IP19/IP21/IP25 kernel information leak exploit |
irix-rldx.sh | SGI IRIX <= 6.4.x run-time linker file creation exploit |
irix-runpriv-cap.png | SGI IRIX <= 6.5.x screenshot showing "capabilities" exploit via runpriv |
irix-setsockopt.c | SGI IRIX <= 6.5.22 kernel mbuf corruption due to integer signedness comparison |
irix-syssgi-panic.c | SGI IRIX <= 6.5.22 syssgi() SGI_ENUMASHS null ptr kernel panic |
irix-tapex.c | SGI IRIX <= 6.5.22 "tsdaemon" root arbitrary file creation exploit |
irssi-irc-fuzzer.pl | irssi plugin IRC client fuzzing tool |
jackrabbit.tgz | RedStar OS 3.0 Naenara browser exploit |
jdwp-exploit.txt | Java JDWP exploitation for remote code execution |
Kronos.tgz | Java Signed Applet exploit and web management tool |
lbreakout-exploit.c | lbreakout2 PoC exploit for ARM (drops privileges) |
leehseinloong.cpp | Sudoku2 exploit written for Lee Hsien Loong (Singapore PM) |
linux-ia32.c | Linux Kernel 2.6.32 ia32entry emulation x86_64 exploit |
lotus_exp.py | Lotus Domino IMAP4 Server Release 6.5.4 win2k remote exploit |
mikrotik-jailbreak.txt | Mikrotik 6.40 & below "telnet" jailbreak exploit |
mirc-DoS-Script.ini | mIRC 6.12 & 6.11 denial-of-service IRC script |
mobileiron0day.txt | MobileIron Virtual Smartphone Platform local root exploit |
MobileIronBypass.tgz | MobileIron mobile device management jailbreak detection bypass |
mulftpdos.zip | Serv-U / G6 / WarFTPD denial-of-service exploit in asm |
neogeox.txt | NeoGeo Gold X games console jailbreak via UART root shell |
NetBSD-sa-2016-003-howto-abuse-cpp.png | NetBSD 6.1.5 calendar local root exploit PoC |
openbsd-0day-cve-2018-14665.sh | OpenBSD 6.4 Xorg local root exploit |
prdelka-vs-AEP-smartgate.c | AEP Smartgate V4.3B arbitrary file download exploit |
prdelka-vs-APPLE-chpass.sh | OS X 10.6.3 & below chpass arbitrary file creation exploit |
prdelka-vs-APPLE-ptracepanic.c | OS X 10.6.1 & below ptrace() mutex handling kernel panic |
prdelka-vs-BSD-ptrace.tar.gz | NetBSD 2.1 ptrace() local root exploit |
prdelka-vs-CISCO-httpdos.zip | Cisco IOS 12.2 & below HTTP denial-of-service exploit |
prdelka-vs-CISCO-vpnftp.c | Cisco VPN Concentrator 3000 FTP remote exploit |
prdelka-vs-GNU-adabas2.txt | Adabas D 13.01 SQL injection & directory traversal |
prdelka-vs-GNU-adabas.c | Adabas D 13.01 local root exploit Linux |
prdelka-vs-GNU-chpasswd.c | SquirrelMail 3.1 Change_passwd plugin & below local root exploit |
prdelka-vs-GNU-citadel.tar.gz | Citadel SMTP 7.10 & below remote code execution exploit |
prdelka-vs-GNU-exim.c | Exim 4.43-r2 & below host_aton() local root exploit (Linux) |
prdelka-vs-GNU-lpr.c | Slackware 1.01 stack overflow local root exploit (Linux) |
prdelka-vs-GNU-mbsebbs.c | mbse-bbs 0.70.0 & below local root exploit (Linux) |
prdelka-vs-GNU-peercast.c | PeerCast v0.1216 remote root exploit (Linux) |
prdelka-vs-GNU-sudo.c | sudo 1.6.8p9 race condition local root exploit (Linux) |
prdelka-vs-GNU-tin.c | Slackware 1.01 local root exploit (Linux) |
prdelka-vs-HPUX-libc.c | HP-UX 11.11 & below libc local root exploit (hppa) |
prdelka-vs-HPUX-swask.c | HP-UX 11.11 & below swask format string local root exploit (hppa) |
prdelka-vs-HPUX-swmodify.c | HP-UX 11.11 & below swmodify local root exploit (hppa) |
prdelka-vs-HPUX-swpackage.c | HP-UX 11.11 & below swpackage local root exploit (hppa) |
prdelka-vs-http-fuzz.tar.gz | HTTP fuzzing tool & example Savant 3.1 vulnerability |
prdelka-vs-LINUS-fchown.tar | Linux kernel 2.4.x/2.6.6 & below fchown() file ownership exploit |
prdelka-vs-MISC-massftp.tar.gz | Mass scanning ftp exploiter tool |
prdelka-vs-MS-hotmail.txt | Microsoft Hotmail Authentication Bypass vulnerability |
prdelka-vs-MS-IE-6.0.2800.1106.XPSP1.rar | Internet Explorer 6.0 IFRAME Windows XP exploit |
prdelka-vs-MS-rshd.tar.gz | Windows RSH daemon 1.8 & below remote exploit |
prdelka-vs-MS-winzip.c | WinZip 10.0.7245 Win32 & below exploit (the one that angered CERT) |
prdelka-vs-SCO-enable | SCO OpenServer 5.0.7 enable local root exploit |
prdelka-vs-SCO-netwarex.c | SCO OpenServer 5.0.7 NetWare printing local "lp" exploit |
prdelka-vs-SCO-ptrace.c | SCO UnixWare 7.1.3 ptrace() Linux kernel emulation local root exploit |
prdelka-vs-SCO-tcpdos | SCO OpenServer 5.0.7 TCP RST denial-of-service exploit |
prdelka-vs-SCO-termshx.c | SCO OpenServer 5.0.7 termsh local gid "auth" exploit |
prdelka-vs-SGI-xrunpriv | SGI IRIX 6.5 runpriv local root exploit |
prdelka-vs-SUN-sysinfo.c | Solaris 10 sysinfo() local kernel memory information leak |
prdelka-vs-SUN-telnetd.c | Solaris in.telnetd 8.0 & 7.0 remote exploit (sparc) |
prdelka-vs-SUN-virtualbox.sh | Sun VirtualBox 3.0.6 local root exploit |
prdelka-vs-THC-vmap | THC vmap DoS exploit |
prdelka-vs-UNIX-permissions.tar.gz | UNIX file permissions generic directory exploit |
r00t2.tgz | Linux kernel 2.6.29 ptrace_attach() ported to ARM for "google phone" |
rainbowdash.tgz | PonyOS 3.0 & below kernel ELF loader local root exploit |
rarity.c | PonyOS 3.0 VFS file permissions local root exploit |
raspbian.txt | Raspbian vulnerabilities for sgid "games" |
redstar2.0-localroot.png | RedStar OS 2.0 local root privilege escalation exploit |
redstar3.0-localroot.png | RedStar OS 3.0 local root privilege escalation exploit |
rshx.c | rsh exploit - inject commands via rsh |
rsshellshock.py | RedStar OS server BEAM & RSSMON shellshock exploit |
s7300cpustart.py | Siemens S7-300 PLC CPU start command |
s7300stop.py | Siemens S7-300 PLC CPU stop command |
shoryuken.c | Linux kernel 2.6.29 ptrace_attach() local root race condition exploit |
skyexp.py | Sky 1.5 Sagem F@ST 2504 router infoleak & remote command injection |
smartmaildos.tgz | Smartmail 10.x pop3 & SMTP denial-of-service exploits (in ASM) |
sp-email.py | Sharepoint username enumeration exploit |
spiltmilk.c | Linux kernel 2.6.37-rc1 & below serial_core TIOCGICOUNT information leak exploit |
ssh-dsa1024-rsa2048-keys-CVE-2008-0166.tgz | Debian SSH insecure 'prng' SSH keys (released during Manchester riots) |
sun-su-bug.txt | Solaris 10 'su' local NULL pointer vulnerability CVE-2010-3503 |
telnet_term_0day.py | Multiple BSD-based telnet.c IAC malformed options remote crash |
trendmicro_IWSVA_shellshock.py | TrendMicro InterScan Web Security Virtual Appliance shellshock exploit |
UNICOS-cray.txt | Cray UNICOS 9.0 local root vulnerabilities & shellcode PoC |
vncscan.py | RealVNC auth bypass CVE-2006-2369 scanner |
vxlgiobye.py | VXL Gio Linux remote command execution exploit |
w32-fps.txt | Microsoft Frontpage Personal WebServer ver 3.0.2.926 exploit |
w32-grpconv.txt | Windows XP SP1 grpconv.exe buffer overflow |
w32-netcat.tgz | "netcat" buffer overflow for Windows 98 exploit |
w32-netcat.txt | "netcat" buffer overflow for Windows 98 advisory |
w32-progman.txt | Windows XP "progman" buffer overflow |
winnuke2011.sh | MS11-083 Win7/Vista/2008 ICMP refCount denial-of-service flaw |
wysewig.py | Wyse embedded XP remote SYSTEM command execution exploit |
xclm-exploit.c | Microchip XC local root exploit (Linux) (installed by DEF CON 26 attendees) |
zte-emode.txt | ZTE Blade Vantage Z839 Emode.APK android.uid.system LPE exploit |
These files are available under an Attribution-NonCommercial-NoDerivatives 4.0 International license.