Core Certified Exploits

Library of expert validated exploits for safe and effective pen tests

Exploit development is an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don’t have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must go through the time-consuming effort of quality assurance testing in order to ensure they are secure and effective.

Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Written by our own internal team, they have been thoroughly tested and validated by our experts.

The universe of vulnerabilities is huge, and not all of them represent the same risk for customers or have the same level of criticality. Some may be easily exploitable by a low-privileged user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:

  • What are the most critical attacks from the attacker’s perspective?
  • What new vulnerabilities are more likely to be exploited in real attacks?
  • What exploits are the most valuable for Core Impact?

Once an exploit is approved, its priority order considers the following variables: 

  • Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
  • Target Environment Setup: OS, application prevalence, version and special configurations needed.
  • Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
  • Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation. 

Each one of these variables has a different weight and together they produce a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (the most popular OS) that can be exploited remotely, without authentication, and that provides super user privileges.

Correspondingly, a vulnerability on an application that is rarely installed, needs special configurations, and requires user interaction would be at the bottom.

Browse the Core Certified Exploit Library

We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications. 

Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.

| Title | Description | Date Added | CVE Link | Exploit Platform | Exploit Type | Product Name |
|---|---|---|---|---|---|---|
| OpenBSD setitimer() exploit | In the kernel code for the setitimer() system call, the 'which' parameter (a signed integer) is validated with the mistaken assumption that its value cannot be negative. Passing a negative value results in a write into an array indexed with 'which', overwriting memory outside the array. This exploit overwrites the credential structure of the current process to set the user id to 0 (root) and then launches a new agent. | | | OpenBSD | Exploits / Local / Privilege Escalation | Impact |
| Oracle VirtualBox 3D Acceleration Virtual Machine Escape Exploit | The code that implements 3D acceleration for OpenGL graphics in Oracle VirtualBox is prone to multiple memory corruption vulnerabilities. An attacker running code within a Windows Guest OS can exploit these vulnerabilities to escape from the virtual machine and execute arbitrary code on the Host OS. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Oracle VirtualBox Guest Additions Arbitrary Write Local Privilege Escalation Exploit | The Oracle VirtualBox Guest Additions driver (VBoxGuest.sys) is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x22A040) to the vulnerable driver within the Windows Guest OS. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Oracle VirtualBox VBoxSF.sys IOCTL_MRX_VBOX_DELCONN Privilege Escalation Exploit | The VBoxSF.sys driver is a component of VirtualBox Guest Additions in charge of providing the 'Shared Folders' feature offered by Oracle VirtualBox. This driver does not properly validate a pointer when handling the IOCTL_MRX_VBOX_DELCONN IoControl. This allows an unprivileged user in a Windows Guest OS with VirtualBox Guest Additions installed to gain SYSTEM privileges within the Guest OS. Note that this vulnerability can be exploited on Windows Guest operating systems with the Guest Additions installed even when the 'Shared Folders' feature is not being used. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| PAM Motd Privilege Escalation Exploit | The PAM MOTD module in Ubuntu does not correctly handle path permissions when creating user file stamps. A local attacker can exploit this to gain root privileges. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| Panda Global Protection AppFlt.sys Privilege Escalation Exploit | This module exploits a privilege escalation vulnerability in the AppFlt.sys driver of Panda Global Protection. The vulnerable driver trusts some values passed from user mode via IOCTL 0x06660E1C, which can be leveraged to corrupt memory in the kernel address space. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Panda Internet Security Binary Planting Privilege Escalation Exploit | This module exploits a privilege escalation vulnerability in Panda Internet Security. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Panda Internet Security RKPavProc.sys Privilege Escalation Exploit | This module exploits a buffer overflow vulnerability in the Panda Internet Security RKPavProc.sys driver when handling a specially crafted IOCTL request. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| PolicyKit pkexec Race Condition Exploit | This module exploits a local race-condition vulnerability in PolicyKit which allows local users to execute arbitrary code with root privileges. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| ProFTPD controls buffer overflow exploit | The internal stack may be overrun using the controls module with a specially crafted control sequence. This condition can be exploited by attackers to execute instructions with the privileges of the ProFTPD process, typically administrator or system. Exploitation requires a valid local user with access to the controls socket. After successful exploitation an agent is deployed, which inherits the user identity and capabilities of the abused service, usually those of the FTP server. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| PulseAudio Privilege Escalation Exploit | The PulseAudio reload functionality has an exploitable race condition vulnerability. The pulseaudio executable is set-user-ID root, so exploiting this bug yields root privileges. This module uploads a binary exploit to the target machine and executes it with different parameters to try to exploit the vulnerability. As race conditions are sensitive to hardware and CPU load changes, this module may fail on some vulnerable machines. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| Serv-U LocalAdministrator exploit | Serv-U FTP versions 3.x, 4.x and 5.x ship with a default administrative account. A local attacker could establish a connection using the administrative authentication credentials and gain elevated privileges on the server. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Sparklabs Viscosity Python Exec Local Privilege Escalation Exploit | The setuid ViscosityHelper binary insecurely executes certain scripts and can be exploited via symlink attacks to gain escalated privileges. | | | Mac OS X | Exploits / Local / Privilege Escalation | Impact |
| Sudoedit Privilege Escalation Exploit | Exploits a missing path verification in the sudoedit command, provided by the sudo package. This can be exploited to execute any command as root, including a shell, allowing an unprivileged process to elevate its privileges to root. | | | Mac OS X, OpenBSD, Linux, FreeBSD | Exploits / Local / Privilege Escalation | Impact |
| SuSE Linux chfn exploit | This module creates a new user with root privileges using a vulnerability in the chfn command. After successful exploitation a new agent is deployed on the target host with root privileges. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| Symantec LiveUpdate Administrator Local Privilege Escalation Exploit | This module exploits a privilege escalation vulnerability in Symantec LiveUpdate Administrator. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Symantec Local Privilege Escalation Exploit | This module exploits a vulnerability in Symantec products that is triggered when the IOCTL 0x83022323 handler in the SYMTDI.SYS device driver is invoked with a specially crafted parameter. The handler allows local users to overwrite memory and execute arbitrary code via malformed Interrupt Request Packet (Irp) parameters, obtaining system privileges. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Symantec Veritas VRTSweb Remote Exploit | This module exploits a code execution vulnerability in the Veritas Web Server service by sending a specially crafted authentication request to TCP port 14300. | | | Windows | Exploits / Remote | Impact |
| Symantec Veritas VRTSweb Privilege Escalation Exploit | This module exploits a code execution vulnerability in the Veritas Web Server service by sending a specially crafted authentication request to TCP port 14300, allowing local users to gain elevated privileges. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Trend Micro InterScan Web Security Suite Privilege Escalation Exploit | This module exploits a local vulnerability in Trend Micro IWSS to gain elevated privileges on the affected computer. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| Trend Micro TMTDI.SYS Privilege Escalation Exploit | This module exploits a privilege escalation vulnerability in the tmtdi.sys driver of Trend Micro Titanium Maximum Security and OfficeScan products. The vulnerable driver trusts a DWORD passed from user mode via IOCTL 0x220404 and interprets it as a function pointer without performing any validation. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges. | | | Windows | Exploits / Local / Privilege Escalation | Impact |
| Ubuntu 5.10 Password Recovery Escalation Exploit | The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat) and leaves the log file with world-readable permissions, which allows local users to gain privileges. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| Ubuntu Linux USBCreator D-Bus Service KVMTest Privilege Escalation Exploit | The KVMTest method in the com.ubuntu.USBCreator D-Bus service in Ubuntu Linux can invoke the 'kvm' binary with root privileges using an arbitrary environment provided by an unprivileged user. This flaw can be leveraged by a local unprivileged attacker to gain root privileges. The target system must have the 'kvm' binary in the search path (which usually means that the qemu-kvm package must be installed). Also, the system must have at least 768 MB of free RAM at the moment the exploit is executed; otherwise the vulnerable service will refuse to run. | | | Linux | Exploits / Local / Privilege Escalation | Impact |
| VMware Fusion Privilege Escalation Exploit | The vmx86 kext ioctl handler, part of the VMware Fusion application, allows an unprivileged process to initialize function pointers. This module exploits the vulnerability via the 0x802E564A ioctl to obtain root privileges. | | | Mac OS X | Exploits / Local / Privilege Escalation | Impact |
| VMware Shared Folders Directory Traversal exploit | This module takes advantage of a directory traversal issue in VMware Shared Folders to escape the virtualized environment (Guest OS) and install an agent on the system that runs it (Host OS). It searches all user Desktop folders on the host machine and modifies the '.lnk' files in each one so that they point to a new executable program (an agent file). When the user executes one of these '.lnk' files, an agent is installed and all '.lnk' files are restored to their previous targets. | | | Windows | Exploits / Local / Privilege Escalation | Impact |