Exploit development can be an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don’t have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must go through the timely effort of quality assurance testing in order to ensure they are secure and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Witten by our own internal team, you can trust they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge and not all of them represent the same risk for the customers. Vulnerabilities do not all have the same level of criticality. Some may be easily exploitable by a low-level user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each one of these variables has a different weight and provides a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (most popular OS) that can be exploited remotely, without authentication and that provides super user privileges.
Correspondingly, a vulnerability on an application that is rarely installed, needs special configurations, and requires User Interaction, would be at the bottom.
Stay Informed of New Core Certified Exploits
Subscribe to receive regular email updates on new exploits available for Core Impact
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
Title
Description
Date Added
CVE Link
Exploit Platform
Exploit Type
Product Name
FortiClient Weak IOCTL mdare Driver Local Privilege Escalation Exploit
FortiClient is prone to a privilege-escalation vulnerability that affects mdare64_48.sys, mdare32_48.sys, mdare32_52.sys, mdare64_52.sys and Fortishield.sys drivers. All these drivers expose an API to manage processes and the windows registry, for instance, the IOCTL 0x2220c8 of the mdareXX_XX.sys driver returns a full privileged handle to a given process PID. In particular, this same function is replicated inside Fortishield.sys. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of any selected process.
IBM Tivoli Storage Manager FastBack Server GetJobByUserFriendlyString Exploit
This module exploits a buffer overflow vulnerability in the FastBack server service (FastBackServer.exe) of the IBM Tivoli Storage Manager. The exploit triggers a stack-based buffer overflow by sending a pre-authentication specially crafted packet to port 11460/TCP of the vulnerable system and installs an agent if successful.
Microsoft Windows OLE Package Manager Code Execution Exploit (MS14-064)
This module exploits a vulnerability in the Windows Packager COM object (packager.dll). This module runs a web server waiting for vulnerable clients to connect to it. When the client connects, it will try to install an agent by exploiting the previous vulnerability.
Solarwinds FSM is vulnerable to an authentication bypass in userlogin.jsp that allows attacker to upload an agent via a weekness in the username atribute in settings-new.jsp allowing us to install an agent.
Usermin is vulnerable to an arbitrary command execution in the email signature configuration due to a lack of sanitization on the signature file parameter.
Microsoft Windows Win32k ClientCopyImage Privilege Escalation Exploit(MS15-051)
An elevation of privilege vulnerability exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability exists in the Windows OS process of creating windows for applications. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. This module exploits the previous vulnerability to deploy an agent that runs with SYSTEM privileges.
Microsoft Windows Group Policy Remote Code Execution Vulnerability Exploit (MS15-011)
When a Windows computer is joined to any domain, usually, the "gpt.ini" file is downloaded by this from the Domain Controller server. If this file has a new number version, it means that there are new policies to download. When new policies are present, the client downloads the 'gpttmpl.inf' file and applies the policies contained by this. Using a "Man In The Middle" attack, this module intercepts the communication explained before and installs an agent running as 'system' user.
Adobe Flash Player AS3 ConvolutionFilter Use-After-Free Exploit
This module exploits a Use-After-Free vulnerability in Adobe Flash Player. The specific flaw exists within the processing of AS3 ConvolutionFilter objects. By manipulating the matrix property of a ConvolutionFilter object, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. This vulnerability was one of the 2015's Pwn2Own challenges.
Adobe Flash Player opaqueBackground property Use-After-Free Exploit
This module exploits a Use-After-Free vulnerability in Adobe Flash Player. The specific flaw is in the opaqueBackground property within the setter of the flash.display.DisplayObject class. This vulnerability was found in the HackingTeam's leak on July 2015.
Symantec Endpoint Protection Kernel Pool Overflow Privilege Escalation Exploit
This module exploits a vulnerability in Symantec Endpoint Client when the 0x002224A4 function is invoked with a specially crafted parameter. The IOCTL 0x00222084 handler in the Sysplant.sys device driver in Symantec Endpoint allows local users to overwrite header in kernel pool and execute arbitrary code to obtain system privileges.
Adobe Flash Player ByteArray write method Use-After-Free Exploit
This module exploits a Use-After-Free vulnerability in Adobe Flash Player. The specific flaw exists when the suscriber is not notified if a ByteArray assigned to the ApplicationDomain is freed from an ActionScript worker. By forcing a reallocation by copying more contents than the original capacity to the shared buffer by using the ByteArray::writeBytes method call, the ApplicationDomain pointer is not updated leading to a use-after-free vulnerability. This allows to overwrite different objects like vectors and finally accomplish remote code execution.
Adobe Flash Player FLV Nellymoser Decoding Heap Buffer Overflow Exploit
This module exploits a buffer overflow vulnerability in Adobe Flash Player when parsing malformed FLV objects. Attackers exploiting the vulnerability can corrupt memory and gain remote code execution.
This exploit abuses a persistent cross site scripting vulnerability in Wordpress to install an OS Agent in the server running the Wordpress installation. To do this, it posts a comment with the cross site scripting code for every target selected. The injected code will attempt to install a Wordpress plugin everytime the post comment is rendered, and it will immediately remove itself from the DOM so as to not be visible or execute again until the page containing it is opened again.
Exploits / Cross Site Scripting (XSS) / Known Vulnerabilities
Impact
Zimbra Collaboration Server skin Local File Include Exploit
Zimbra is vulnerable to a Local File Inclusion vulnerability that allows attacker to get LDAP credentials which we may use for upload a JSP file allowing us to install an agent.
The AVG Administration Server is vulnerable to arbitrary configuration settings. Due to insufficient input validation, an attacker can use the StoreServerConfig command (command id 0x27) to set the value of the ClientLibraryName parameter to a UNC path. The provided value can be a path to a network share containing a malicious .dll file. This .dll file will be executed in the context of the AVG Administration Server service which runs as SYSTEM.
Oracle Database Server Core RDBMS component is prone to a remote vulnerability that allows attackers to exploit a stack-based buffer overflow in the EXECUTE procedure of DBMS_AW. Using an overly long parameter in the CDA command with the previous procedure, a stack-based buffer overflow will occur, overwriting the saved return address. This module requires database user credentials with 'Create Session' privilege.
Adobe Flash Player Drawing Fill Shader Memory Corruption Exploit
This module exploits a memory corruption vulnerability in Adobe Flash Player. The specific flaw exists when a Shader is applied as a drawing fill allowing an attacker to take control of a vulnerable machine and execute arbitrary code. This vulnerability was found exploited in the wild on June 2015.
Adobe Flash Player FLV Parsing Memory Corruption Exploit
This module exploits a buffer overflow vulnerability in Adobe Flash Player when parsing malformed FLV objects. Attackers exploiting the vulnerability can corrupt memory and gain remote code execution. This vulnerability has been found exploited in the wild in June 2015 in the Operation Clandestine Wolf campaign.
Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files This module exploits the condition and installs an Agent when a vulnerable GIT client performs a CLONE to the fake repository created.
GE Proficy CIMPLICITY gefebt Remote Code Execution Exploit
Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA, allows remote attackers to execute arbitrary code via a crafted HTTP request.