Exploit development is an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don't have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must then go through time-consuming quality assurance testing to ensure they are secure and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Written by our own internal team, they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge, and not all of them represent the same risk for customers. Vulnerabilities do not all have the same level of criticality: some may be easily exploitable by a low-privileged user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each of these variables has a different weight, and together they produce a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (the most widely deployed OS) that can be exploited remotely, without authentication, and that provides super user privileges.
Correspondingly, a vulnerability in an application that is rarely installed, needs special configurations, and requires user interaction would be at the bottom.
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
Library columns: Title, Description, Date Added, CVE Link, Exploit Platform, Exploit Type, Product Name.
Wing FTP Server Remote Command Execution Exploit
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the Wing FTP Server processes usernames, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. Extracts the session cookie (UID).
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment and uploads a malicious /etc/nsswitch.conf, which in turn loads a shared object that escalates privileges. The exploit is triggered by executing sudo with the -R flag pointing to the user-controlled directory.
Kibana's API does not sanitize one of its method parameters, allowing an attacker to specify any file on the target system; this file will be treated as JavaScript and executed.
VMware Workspace ONE Access LocalPasswordAuthAdapter Authentication Bypass Vulnerability Exploit
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2022-22972 based on the inspection of the target's response. If the target is vulnerable, the module will output the cookie obtained in the authentication bypass (HZN cookie).
SolarWinds Web Help Desk Hardcoded Credentials Vulnerability Exploit
This vulnerability (CVE-2024-28987) is caused by the presence of hardcoded credentials in the application, allowing unauthenticated attackers to remotely read and modify all help desk ticket details. It enables authentication with a predefined account (helpdeskIntegrationUser/dev-C4F8025E7). Affected versions include SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions. An attacker exploiting this vulnerability can:
- Access the REST API without requiring valid credentials.
- Retrieve sensitive information from support tickets.
Samba SMBv1 Out-Of-Bounds Read Information Disclosure Vulnerability Exploit
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2022-32742 based on the inspection of the target's response.
An authentication bypass vulnerability in Progress OpenEdge allows unauthenticated remote attackers to authenticate to the target application as NT AUTHORITY/SYSTEM. The vulnerability is present in the native system library auth.dll and is reached via the authorizeUser function. This module performs the vulnerability verification by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. All requests to the target are made using Java RMI.
An unmarshal reflection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create empty arbitrary directories and files in the operating system. If device telemetry is enabled, remote OS command injection is possible via the dt_curl Python module. This module performs the vulnerability verification in three steps. The first step does a control check using a random filename against the /images directory. Since this file should not exist in the target web application, the web server will return a 404 HTTP status code.
This module connects to the remote domain controller host and attempts to determine, by sending a specially crafted packet, whether the target is vulnerable to CVE-2020-1472 based on the inspection of the target's response.
IBM DB2 Web Query for IBM i Log4shell Vulnerability Exploit
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2021-44228 based on the inspection of the target's response.
Fortra GoAnywhere MFT InitialAccountSetup Direct Request Vulnerability Exploit
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2024-0204 based on the inspection of the target's response. If the target is vulnerable, the module will create a new admin user in the target system using the provided credentials. If no credentials are provided, it will generate random ones. The new admin credentials will also be added as an identity.
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2023-27997. The detection of the vulnerability is probabilistic. The module sends roughly 400 requests that trigger the heap overflow in a way that does not corrupt anything in use in memory, and another roughly 400 requests that do not trigger the overflow. It then calculates the mean response time of each group and performs a Welch's t-test. If the result of the test is not reliable, the module repeats the process.
This module connects to a remote target via any exposed DCE RPC endpoints and fingerprints them to determine if the machine appears to be compromised by the Conficker worm. The module is able to detect B, C and D variants of the worm.
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2023-20198 based on the inspection of the target's response. If the target is vulnerable, the module will create a new local administrator user in the target system using the provided credentials. The new credentials will also be added as an identity.
Atlassian Questions for Confluence Hardcoded Credentials Vulnerability Exploit
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2022-26138 based on the inspection of the target's response. If the target is vulnerable, the module will output the cookie obtained in the authentication process.
This module uses a SQL injection vulnerability in Fortinet FortiWeb to deploy an agent on the appliance that runs with root privileges. The vulnerability is reached via the /api/fabric/device/status endpoint. The module first checks whether the target is vulnerable using that endpoint with a generic payload. Then it uses the vulnerability to upload and write a webshell to disk that allows the execution of OS commands to deploy an agent.
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
This module allows setting the 8.3 short name of a file when you do not have write privileges to the directory where the file is located. The vulnerability exists because NtfsSetShortNameInfo does not properly impose security restrictions in NTFS Set Short Name, which leads to a security restrictions bypass and privilege escalation.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. It must be executed from an agent with root privileges, on Linux systems only.
A Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files that evade warnings on attempts to execute packaged files, even if the ZIP file was downloaded from the Internet. If the target is vulnerable, the "Mark of the Web" is not transferred from the zipped file to the unzipped file.
This module executes a program designed to check for a buffer overflow in glibc's getaddrinfo function. Multiple stack-based buffer overflows in the send_dg and send_vc functions in the libresolv library in the GNU C Library allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family.
This module executes a program designed to test for a buffer overflow in glibc's __nss_hostname_digits_dots function. The function is used by the gethostbyname*() family of functions used for name resolution. Under some circumstances, the use of those functions when the vulnerable underlying function is present may lead to remote code execution, privilege escalation, or information disclosure.