

GitHub - hackerhouse-opensource/exploits: exploits and proof-of-concept vulnerab...
source link: https://github.com/hackerhouse-opensource/exploits

README.md
Exploits
Exploits and proof-of-concept code from the team at Hacker House.
| Filename | Description |
| --- | --- |
| AirWatchMDMJailbreakBypass.txt | Bypass jailbreak detection on mobile device management AirWatch for IOS |
| AIX-0days.txt | AIX 4.2 local root vulnerabilities |
| amanda-amstar.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
| amanda-backup.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
| applejack.c | PonyOS 3.0 & below tty ioctl() kernel local root exploit |
| asus_B1M_projector_root.png | ASUS B1M projector remote root command injection (unpatchable) |
| BTCPE.txt | British Telecom Huawei UART root access weakness |
| charybdis.tgz | Firefox & IE exploits implant dropper for Windows & Linux |
| cisco-asa-sslbypass.py | Cisco ASA 8.x & below VPN SSL module Clientless URL-list control bypass |
| cisco-XSS-wget-me.txt | Cisco IOS 11.x web interface XSS vulnerability |
| cmd_gpbypass.exe | cmd.exe patched to run even when disabled via Group Policy |
| cpg15x-dirtraversal.txt | Coppermine 1.5.44 & below directory traversal vulnerability |
| cve-2003-0001.py | CVE-2003-0001.py Etherleak information leak exploit, silently fixed in Cisco ASA PSIRT-0669464365 |
| CVE-2012-4681.tgz | Oracle Java SE 7 Update 6 & below remote polymorphic exploit (evades PSP) |
| CVE-2014-0160.py | Heartbleed mass-scanning proof-of-concept tool |
| cve-2016-1531.sh | Exim 4.84-3 local root exploit |
| d3_decimator.txt | SedSystems D3 decimator multiple vulnerabilities allow for remote root |
| dllpack.tgz | MS15-051 / MS15-010 exploits with reflective DLL loading support (hacked from public code) |
| drupal-CVE-2014-3660.py | Drupal XXE libxml2 Services exploit |
| dtappgather-poc.sh | dtappgather local root exploit proof-of-concept (EXTREMEPARR) |
| fluttershy.py | PonyOS 4.0 runtime linker local root exploit |
| FreeBSD-pftp-dirtraversal.txt | Peters Anonymous FTP on FreeBSD directory traversal vulnerability |
| getlogin.c | Tru64 V5.1B & below getlogin() kernel information leak |
| gionight.py | GIO Linux embedded remote root exploit |
| gns3super-osx.sh | GNS-3 OS-X local root exploit |
| goodnight.c | Linux kernel 2.6.37 & below denial-of-service exploit CVE-2010-4165 |
| heartbleed-bin | static bin heartbleed exploit (fun trivia, Large Hadron Collider tested with this code) |
| heartbleed.c | Heartbleed exploit using OpenSSL to encrypt the exploit for stealth |
| heartbleed-keyscan.py | RSA prime factorization exploit for use with heartbleed |
| hpwhytry.py | HP XPe embedded devices remote command execution exploit |
| iis_search.pl | IIS WebDAV & Indexing service directory traversal attack |
| inetutils-telnet.txt | Multiple BSD based telnet implementations vulnerable to memory corruption. |
| iPwn.tgz | IOS default root user "alpine" exploit to harvest data via SSH |
| irix-onyx-syssgi.c | SGI IRIX <= 6.5.5 syssgi() Onyx IP19/IP21/IP25 kernel information leak exploit |
| irix-rldx.sh | SGI IRIX <= 6.4.x run-time linker file creation exploit |
| irix-syssgi-panic.c | SGI IRIX <= 6.5.22 syssgi() SGI_ENUMASHS null ptr kernel panic |
| irssi-irc-fuzzer.pl | irssi plugin IRC client fuzzing tool |
| jackrabbit.tgz | RedStar OS 3.0 Naenara browser exploit |
| jdwp-exploit.txt | Java JDWP exploitation for remote code execution |
| Kronos.tgz | Java Signed Applet exploit and web management tool |
| lbreakout-exploit.c | lbreakout2 PoC exploit for ARM (drops privileges) |
| leehseinloong.cpp | Sudoku2 exploit written for Lee Hsien Loong. (.sg PM) |
| linux-ia32.c | Linux Kernel 2.6.32 ia32entry emulation x86_64 exploit |
| lotus_exp.py | Lotus Domino IMAP4 Server Release 6.5.4 win2k remote exploit |
| mikrotik-jailbreak.txt | Mikrotik 6.40 & below "telnet" jailbreak exploit |
| mirc-DoS-Script.ini | Mirc 6.12 & 6.11 denial-of-service IRC script |
| mobileiron0day.txt | MobileIron Virtual Smartphone Platform local root exploit |
| MobileIronBypass.tgz | MobileIron mobile device management jailbreak detection bypass |
| mulftpdos.zip | Serv-U / G6 / WarFTPD denial-of-service exploit in asm |
| neogeox.txt | NeoGeo Gold X games console jailbreak via UART root shell |
| NetBSD-sa-2016-003-howto-abuse-cpp.png | NetBSD 6.1.5 calendar local root exploit PoC |
| openbsd-0day-cve-2018-14665.sh | OpenBSD 6.4 Xorg local root exploit |
| prdelka-vs-AEP-smartgate.c | AEP Smartgate V4.3B arbitrary file download exploit |
| prdelka-vs-APPLE-chpass.sh | OS-X 10.6.3 & below chpass arbitrary file creation exploit |
| prdelka-vs-APPLE-ptracepanic.c | OS-X 10.6.1 & below ptrace() mutex handling kernel panic |
| prdelka-vs-BSD-ptrace.tar.gz | NetBSD 2.1 ptrace() local root exploit |
| prdelka-vs-CISCO-httpdos.zip | Cisco IOS 12.2 & below HTTP denial-of-service exploit |
| prdelka-vs-CISCO-vpnftp.c | Cisco VPN Concentrator 3000 FTP remote exploit |
| prdelka-vs-GNU-adabas2.txt | Adabas D 13.01 SQL injection & directory traversal |
| prdelka-vs-GNU-adabas.c | Adabas D 13.01 local root exploit Linux |
| prdelka-vs-GNU-chpasswd.c | SquirrelMail 3.1 Change_passwd plugin & below local root exploit |
| prdelka-vs-GNU-citadel.tar.gz | Citadel SMTP 7.10 & below remote code execution exploit |
| prdelka-vs-GNU-exim.c | Exim 4.43-r2 & below host_aton() local root exploit (Linux) |
| prdelka-vs-GNU-lpr.c | Slackware 1.01 stack overflow local root exploit (Linux) |
| prdelka-vs-GNU-mbsebbs.c | mbse-bbs 0.70.0 & below local root exploit (Linux) |
| prdelka-vs-GNU-peercast.c | PeerCast v0.1216 remote root exploit (linux) |
| prdelka-vs-GNU-sudo.c | sudo 1.6.8p9 race condition local root exploit (Linux) |
| prdelka-vs-GNU-tin.c | Slackware 1.01 local root exploit (Linux) |
| prdelka-vs-HPUX-libc.c | HP-UX 11.11 & below libc local root exploit (hppa) |
| prdelka-vs-HPUX-swask.c | HP-UX 11.11 & below swask format string local root exploit (hppa) |
| prdelka-vs-HPUX-swmodify.c | HP-UX 11.11 & below swmodify local root exploit (hppa) |
| prdelka-vs-HPUX-swpackage.c | HP-UX 11.11 & below swpackage local root exploit (hppa) |
| prdelka-vs-http-fuzz.tar.gz | HTTP fuzzing tool & example Savant 3.1 vulnerability |
| prdelka-vs-LINUS-fchown.tar | Linux kernel 2.4.x/2.6.6 & below fchown() file ownership exploit |
| prdelka-vs-MISC-massftp.tar.gz | Mass scanning ftp exploiter tool |
| prdelka-vs-MS-hotmail.txt | Microsoft Hotmail Authentication Bypass vulnerability |
| prdelka-vs-MS-IE-6.0.2800.1106.XPSP1.rar | Internet Explorer 6.0 IFRAME Windows XP exploit |
| prdelka-vs-MS-rshd.tar.gz | Windows RSH daemon 1.8 & below remote exploit |
| prdelka-vs-MS-winzip.c | WinZip 10.0.7245 Win32 & below exploit (the one that angered CERT) |
| prdelka-vs-SCO-enable | SCO OpenServer 5.0.7 enable local root exploit |
| prdelka-vs-SCO-netwarex.c | SCO OpenServer 5.0.7 netware printing local "lp" exploit |
| prdelka-vs-SCO-ptrace.c | SCO Unixware 7.1.3 ptrace() linux kernel emulation local root exploit |
| prdelka-vs-SCO-tcpdos | SCO OpenServer 5.0.7 TCP RST denial-of-service exploit |
| prdelka-vs-SCO-termshx.c | SCO OpenServer 5.0.7 termsh local gid "auth" exploit |
| prdelka-vs-SGI-xrunpriv | SGI IRIX 6.5 runpriv local root exploit |
| prdelka-vs-SUN-sysinfo.c | Solaris 10 sysinfo() local kernel memory information leak |
| prdelka-vs-SUN-telnetd.c | Solaris in.telnetd 8.0 & 7.0 remote exploit (sparc) |
| prdelka-vs-SUN-virtualbox.sh | Sun VirtualBox 3.0.6 local root exploit |
| prdelka-vs-THC-vmap | THC vmap DoS exploit |
| prdelka-vs-UNIX-permissions.tar.gz | UNIX file permissions generic directory exploit |
| r00t2.tgz | Linux kernel 2.6.29 ptrace_attach() ported to ARM for "google phone" |
| rainbowdash.tgz | PonyOS 3.0 & below kernel ELF loader local root exploit |
| rarity.c | PonyOS 3.0 VFS file permissions local root exploit |
| raspbian.txt | Raspbian vulnerabilities for sgid "games" |
| redstar2.0-localroot.png | RedStar OS 2.0 local root privilege escalation exploit |
| redstar3.0-localroot.png | RedStar OS 3.0 local root privilege escalation exploit |
| rshx.c | rsh exploit - inject commands via rsh |
| rsshellshock.py | RedStar OS server BEAM & RSSMON shellshock exploit |
| s7300cpustart.py | Siemens S7-300 PLC CPU start command |
| s7300stop.py | Siemens S7-300 PLC CPU stop command |
| shoryuken.c | Linux kernel 2.6.29 ptrace_attach() local root race condition exploit |
| skyexp.py | Sky 1.5 Sagem F@ST 2504 router infoleak & remote command injection |
| smartmaildos.tgz | Smartmail 10.x pop3 & SMTP denial-of-service exploits (in ASM) |
| sp-email.py | Sharepoint username enumeration exploit |
| spiltmilk.c | Linux kernel 2.6.37-rc1 & below serial_core TIOCGICOUNT information leak exploit |
| ssh-dsa1024-rsa2048-keys-CVE-2008-0166.tgz | Debian SSH insecure 'prng' SSH keys (released during Manchester riots) |
| sun-su-bug.txt | Solaris 10 'su' local NULL pointer vulnerability CVE-2010-3503 |
| telnet_term_0day.py | Multiple BSD-based telnet.c IAC malformed options remote crash |
| trendmicro_IWSVA_shellshock.py | TrendMicro InterScan Web Security Virtual Appliance shellshock exploit |
| UNICOS-cray.txt | Cray UNICOS 9.0 local root vulnerabilities & shellcode PoC |
| vncscan.py | RealVNC auth bypass CVE-2006-2369 scanner |
| vxlgiobye.py | VXL Gio Linux remote command execution exploit |
| w32-fps.txt | Microsoft Frontpage Personal WebServer ver 3.0.2.926 exploit |
| w32-grpconv.txt | Windows XP SP1 grpconv.exe buffer overflow |
| w32-netcat.tgz | "netcat" buffer overflow for Windows 98 exploit |
| w32-netcat.txt | "netcat" buffer overflow for Windows 98 advisory |
| w32-progman.txt | Windows XP "progman" buffer overflow |
| winnuke2011.sh | MS11-083 Win7/Vista/2008 ICMP refCount denial-of-service flaw |
| wysewig.py | Wyse embedded XP remote SYSTEM command execution exploit |
| xclm-exploit.c | Microchip XC local root exploit (Linux) (installed by defcon 26 attendees) |

These files are available under an Attribution-NonCommercial-NoDerivatives 4.0 International license.