Exploits and proof-of-concept code from the team at Hacker House.
| Filename | Description |
|---|---|
| AirWatchMDMJailbreakBypass.txt | Bypass jailbreak detection on mobile device management AirWatch for IOS |
| adobe-psp.tgz | Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow PSP bypass (metasploit) |
| aix53l-libc.c | AIX 5.3L libc locale environment handling local root exploit |
| aix53l-lquerypv.c | AIX 5.3L /usr/sbin/lquerypv local root privilege escalation |
| amanda-amstar.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
| amanda-backup.txt | Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit |
| applejack.c | PonyOS 3.0 & below tty ioctl() kernel local root exploit |
| asus_B1M_projector_root.png | ASUS B1M projector remote root command injection (unpatchable) |
| BTCPE.txt | British Telecom Huawei UART root access weakness |
| charybdis.tgz | Firefox & IE exploits implant dropper for Windows & Linux |
| cisco-asa-sslbypass.py | Cisco ASA 8.x & below VPN SSL module Clientless URL-list control bypass |
| cisco-XSS-wget-me.txt | Cisco IOS 11.x web interface XSS vulnerability |
| cmd_gpbypass.exe | cmd.exe patched to run even when disabled via Group Policy |
| cpg15x-dirtraversal.txt | Coppermine 1.5.44 & below directory traversal vulnerability |
| cve-2003-0001.py | CVE-2003-0001.py Etherleak information leak exploit, silently fixed in Cisco ASA PSIRT-0669464365 |
| CVE-2012-4681.tgz | Oracle Java SE 7 Update 6 & below remote polymorphic exploit (evades PSP) |
| CVE-2014-0160.py | Heartbleed mass-scanning proof-of-concept tool |
| cve-2016-1531.sh | Exim 4.84-3 local root exploit |
| cve-2019-10149.py | Exim between 4.87 & 4.91 local root exploit |
| CVE-2020-0601.xdb | XCA database of private keys for trusted CA exploit CVE-2020-0601 |
| CVE-2020-3950.tgz | EvilOSX trojan exploit plugin for CVE-2020-3950 VMware Fusion 11.5.2 & below local root |
| d3_decimator.txt | SedSystems D3 decimator multiple vulnerabilities allow for remote root |
| dllpack.tgz | MS15-051 / MS15-010 exploits with reflective DLL loading support (hacked from public code) |
| drupal-CVE-2014-3660.py | Drupal XXE libxml2 Services exploit |
| dtappgather-poc.sh | dtappgather local root exploit proof-of-concept (EXTREMEPARR) |
| fluttershy.py | PonyOS 4.0 runtime linker local root exploit |
| FreeBSD-pftp-dirtraversal.txt | Peters Anonymous FTP on FreeBSD directory traversal vulnerability |
| getlogin.c | Tru64 V5.1B & below getlogin() kernel information leak |
| gionight.py | GIO Linux embedded remote root exploit |
| gns3super-osx.sh | GNS-3 OS-X local root exploit |
| goodnight.c | Linux kernel 2.6.37 & below denial-of-service exploit CVE-2010-4165 |
| heartbleed-bin | static bin heartbleed exploit (fun trivia, Large Hadron Collider tested with this code) |
| heartbleed.c | Heartbleed exploit using OpenSSL to encrypt the exploit for stealth |
| heartbleed-keyscan.py | RSA prime factorization exploit for use with heartbleed |
| hfirixwfcmd.sh | SGI IRIX <= 6.5.22 WebForce post-auth Remote Command Injection |
| hfsunsshdx.tgz | SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 |
| hpwhytry.py | HP XPe embedded devices remote command execution exploit |
| iis_search.pl | IIS WebDAV & Indexing service directory traversal attack |
| inetutils-telnet.txt | Multiple BSD based telnet implementations vulnerable to memory corruption. |
| iPwn.tgz | IOS default root user "alpine" exploit to harvest data via SSH |
| irix-captest.c | SGI IRIX <= 6.5.22 capability hijacking "eip" proof-of-concept (SGI XFS) |
| irix-ftpd-ls.txt | SGI IRIX <= 6.5.22 ftpd "/bin/ls" root privilege escalation |
| irix-mediarecorder.txt | SGI IRIX <= 6.5.22 CAP_SCHED_MGT "mediarecorder" privilege escalation |
| irix-onyx-syssgi.c | SGI IRIX <= 6.5.5 syssgi() Onyx IP19/IP21/IP25 kernel information leak exploit |
| irix-rldx.sh | SGI IRIX <= 6.4.x run-time linker file creation exploit |
| irix-runpriv-cap.png | SGI IRIX <= 6.5.x screenshot showing "capabilities" exploit via runpriv |
| irix-setsockopt.c | SGI IRIX <= 6.5.22 kernel mbuf corruption due to integer signedness comparison |
| irix-syssgi-panic.c | SGI IRIX <= 6.5.22 syssgi() SGI_ENUMASHS null ptr kernel panic |
| irix-tapex.c | SGI IRIX <= 6.5.22 "tsdaemon" root arbitrary file creation exploit |
| irssi-irc-fuzzer.pl | irssi plugin IRC client fuzzing tool |
| jackrabbit.tgz | RedStar OS 3.0 Naenara browser exploit |
| jdwp-exploit.txt | Java JDWP exploitation for remote code execution |
| Kronos.tgz | Java Signed Applet exploit and web management tool |
| lbreakout-exploit.c | lbreakout2 PoC exploit for ARM (drops privileges) |
| leehseinloong.cpp | Sudoku2 exploit written for Lee Hsien Loong. (.sg PM) |
| linux-ia32.c | Linux Kernel 2.6.32 ia32entry emulation x86_64 exploit |
| lotus_exp.py | Lotus Domino IMAP4 Server Release 6.5.4 win2k remote exploit |
| mikrotik-jailbreak.txt | Mikrotik 6.40 & below "telnet" jailbreak exploit |
| mirc-DoS-Script.ini | Mirc 6.12 & 6.11 denial-of-service IRC script |
| mobileiron0day.txt | MobileIron Virtual Smartphone Platform local root exploit |
| MobileIronBypass.tgz | MobileIron mobile device management jailbreak detection bypass |
| mulftpdos.zip | Serv-U / G6 / WarFTPD denial-of-service exploit in asm |
| neogeox.txt | NeoGeo Gold X games console jailbreak via UART root shell |
| NetBSD-sa-2016-003-howto-abuse-cpp.png | NetBSD 6.1.5 calendar local root exploit PoC |
| openbsd-0day-cve-2018-14665.sh | OpenBSD 6.4 Xorg local root exploit |
| prdelka-vs-AEP-smartgate.c | AEP Smartgate V4.3B arbitrary file download exploit |
| prdelka-vs-APPLE-chpass.sh | OS-X 10.6.3 & below chpass arbitrary file creation exploit |
| prdelka-vs-APPLE-ptracepanic.c | OS-X 10.6.1 & below ptrace() mutex handling kernel panic |
| prdelka-vs-BSD-ptrace.tar.gz | NetBSD 2.1 ptrace() local root exploit |
| prdelka-vs-CISCO-httpdos.zip | Cisco IOS 12.2 & below HTTP denial-of-service exploit |
| prdelka-vs-CISCO-vpnftp.c | Cisco VPN Concentrator 3000 FTP remote exploit |
| prdelka-vs-GNU-adabas2.txt | Adabas D 13.01 SQL injection & directory traversal |
| prdelka-vs-GNU-adabas.c | Adabas D 13.01 local root exploit Linux |
| prdelka-vs-GNU-chpasswd.c | SquirrelMail 3.1 Change_passwd plugin & below local root exploit |
| prdelka-vs-GNU-citadel.tar.gz | Citadel SMTP 7.10 & below remote code execution exploit |
| prdelka-vs-GNU-exim.c | Exim 4.43-r2 & below host_aton() local root exploit (Linux) |
| prdelka-vs-GNU-lpr.c | Slackware 1.01 stack overflow local root exploit (Linux) |
| prdelka-vs-GNU-mbsebbs.c | mbse-bbs 0.70.0 & below local root exploit (Linux) |
| prdelka-vs-GNU-peercast.c | PeerCast v0.1216 remote root exploit (linux) |
| prdelka-vs-GNU-sudo.c | sudo 1.6.8p9 race condition local root exploit (Linux) |
| prdelka-vs-GNU-tin.c | Slackware 1.01 local root exploit (Linux) |
| prdelka-vs-HPUX-libc.c | HP-UX 11.11 & below libc local root exploit (hppa) |
| prdelka-vs-HPUX-swask.c | HP-UX 11.11 & below swask format string local root exploit (hppa) |
| prdelka-vs-HPUX-swmodify.c | HP-UX 11.11 & below swmodify local root exploit (hppa) |
| prdelka-vs-HPUX-swpackage.c | HP-UX 11.11 & below swpackage local root exploit (hppa) |
| prdelka-vs-http-fuzz.tar.gz | HTTP fuzzing tool & example Savant 3.1 vulnerability |
| prdelka-vs-LINUS-fchown.tar | Linux kernel 2.4.x/2.6.6 & below fchown() file ownership exploit |
| prdelka-vs-MISC-massftp.tar.gz | Mass scanning ftp exploiter tool |
| prdelka-vs-MS-hotmail.txt | Microsoft Hotmail Authentication Bypass vulnerability |
| prdelka-vs-MS-IE-6.0.2800.1106.XPSP1.rar | Internet Explorer 6.0 IFRAME Windows XP exploit |
| prdelka-vs-MS-rshd.tar.gz | Windows RSH daemon 1.8 & below remote exploit |
| prdelka-vs-MS-winzip.c | WinZip 10.0.7245 Win32 & below exploit (the one that angered CERT) |
| prdelka-vs-SCO-enable | SCO OpenServer 5.0.7 enable local root exploit |
| prdelka-vs-SCO-netwarex.c | SCO OpenServer 5.0.7 netware printing local "lp" exploit |
| prdelka-vs-SCO-ptrace.c | SCO Unixware 7.1.3 ptrace() linux kernel emulation local root exploit |
| prdelka-vs-SCO-tcpdos | SCO OpenServer 5.0.7 TCP RST denial-of-service exploit |
| prdelka-vs-SCO-termshx.c | SCO OpenServer 5.0.7 termsh local gid "auth" exploit |
| prdelka-vs-SGI-xrunpriv | SGI IRIX 6.5 runpriv local root exploit |
| prdelka-vs-SUN-sysinfo.c | Solaris 10 sysinfo() local kernel memory information leak |
| prdelka-vs-SUN-telnetd.c | Solaris in.telnetd 8.0 & 7.0 remote exploit (sparc) |
| prdelka-vs-SUN-virtualbox.sh | Sun VirtualBox 3.0.6 local root exploit |
| prdelka-vs-THC-vmap | THC vmap DoS exploit |
| prdelka-vs-UNIX-permissions.tar.gz | UNIX file permissions generic directory exploit |
| r00t2.tgz | Linux kernel 2.6.29 ptrace_attach() ported to ARM for "google phone" |
| rainbowdash.tgz | PonyOS 3.0 & below kernel ELF loader local root exploit |
| rarity.c | PonyOS 3.0 VFS file permissions local root exploit |
| raspbian.txt | Raspbian vulnerabilities for sgid "games" |
| redstar2.0-localroot.png | RedStar OS 2.0 local root privilege escalation exploit |
| redstar3.0-localroot.png | RedStar OS 3.0 local root privilege escalation exploit |
| rshx.c | rsh exploit - inject commands via rsh |
| rsshellshock.py | RedStar OS server BEAM & RSSMON shellshock exploit |
| s7300cpustart.py | Siemens S7-300 PLC CPU start command |
| s7300stop.py | Siemens S7-300 PLC CPU stop command |
| shoryuken.c | Linux kernel 2.6.29 ptrace_attach() local root race condition exploit |
| skyexp.py | Sky 1.5 Sagem F@ST 2504 router infoleak & remote command injection |
| smartmaildos.tgz | Smartmail 10.x pop3 & SMTP denial-of-service exploits (in ASM) |
| sp-email.py | Sharepoint username enumeration exploit |
| spiltmilk.c | Linux kernel 2.6.37-rc1 & below serial_core TIOCGICOUNT information leak exploit |
| ssh-dsa1024-rsa2048-keys-CVE-2008-0166.tgz | Debian SSH insecure 'prng' SSH keys (released during Manchester riots) |
| sun-su-bug.txt | Solaris 10 'su' local NULL pointer vulnerability CVE-2010-3503 |
| telnet_term_0day.py | Multiple BSD-based telnet.c IAC malformed options remote crash |
| trendmicro_IWSVA_shellshock.py | TrendMicro InterScan Web Security Virtul Appliance shellshock exploit |
| UNICOS-cray.txt | Cray UNICOS 9.0 local root vulnerabilities & shellcode PoC |
| vncscan.py | RealVNC auth bypass CVE-2006-2369 scanner |
| vxlgiobye.py | VXL Gio Linux remote command execution exploit |
| w32-fps.txt | Microsoft Frontpage Personal WebServer ver 3.0.2.926 exploit |
| w32-grpconv.txt | Windows XP SP1 grpconv.exe buffer overflow |
| w32-netcat.tgz | "netcat" buffer overflow for Windows 98 exploit |
| w32-netcat.txt | "netcat" buffer overflow for Windows 98 advisory |
| w32-progman.txt | Windows XP "progman" buffer overflow |
| winnuke2011.sh | MS11-083 Win7/Vista/2008 ICMP refCount denial-of-service flaw |
| wysewig.py | Wyse embedded XP remote SYSTEM command execution exploit |
| xclm-exploit.c | Microchip XC local root exploit (Linux) (installed by defcon 26 attendees) |
| zte-emode.txt | ZTE Blade Vantage Z839 Emode.APK android.uid.system LPE exploit |
These files are available under a Attribution-NonCommercial-NoDerivatives 4.0 International license.