Exploit development can be an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don’t have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must go through the timely effort of quality assurance testing in order to ensure they are secure and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Witten by our own internal team, you can trust they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge and not all of them represent the same risk for the customers. Vulnerabilities do not all have the same level of criticality. Some may be easily exploitable by a low-level user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each one of these variables has a different weight and provides a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (most popular OS) that can be exploited remotely, without authentication and that provides super user privileges.
Correspondingly, a vulnerability on an application that is rarely installed, needs special configurations, and requires User Interaction, would be at the bottom.
Stay Informed of New Core Certified Exploits
Subscribe to receive regular email updates on new exploits available for Core Impact
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
Title
Description
Date Added
CVE Link
Exploit Platform
Exploit Type
Product Name
Mercury PH Server Module Buffer Overflow Exploit
This module allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing the Mercury Mail Transport System. The vulnerability is caused due to a boundary error within Mercury/32 PH Server Module (mercuryh.dll). This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Mercury Mail Transport System. The vulnerability is caused due to a boundary error within Mercury/32 SMTP Server Module (mercurys.dll) when processing arguments to the AUTH CRAM-MD5 command. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the affected command.
Microsoft ASP.NET Hash Table Collisions DoS (MS11-100)
This module sends HTTP requests with specially crafted data making the ASP.NET subsystem consume lot of resources. This attack prevents the victim server from processing requests from legitimate clients and probably will make the server non-operational. The PATH parameter must point to a ASP.NET web page, wich they normally have a ".aspx" extension.
Windows tcpip.sys is susceptible to a remote buffer overflow vulnerability. This module exploits the vulnerability and installs an agent on the target machine. This exploit is unreliable as depending on the activity on the target machines some will crash before an agent is installed. The module sends several thousands IP packets in the lapse of a few seconds. If the target doesn't receive most of the packets (due to network congestion or other causes), the exploit will fail. Only some specific kernel versions are supported by this module.
Microsoft Office SharePoint Server 2007 Document Conversions Exploit
This module exploits a directory traversal vulnerability in the Document Conversions Launcher Service service included in the Microsoft Office SharePoint Server 2007 application by sending malformed packets. This module needs the hostname of the Document Conversions Launcher Service. In case the HOSTNAME parameter is left blank, this module first connects to the Document Conversions Load Balance Service to retrieve the hostnames of the registered Document Conversions Launcher Services.
Microsoft Windows HTTP.sys Range Integer Overflow Memory Disclosure Exploit (MS15-034)
The code that handles the 'Range' HTTP header in the HTTP.sys driver in Microsoft Windows, which is used by Internet Information Services (IIS), is prone to an integer overflow vulnerability when processing a specially crafted HTTP request with a very long upper range. This integer overflow vulnerability can be leveraged to generate a memory disclosure condition, in which the HTTP.sys driver will return more data than it should from kernel memory, thus allowing remote unauthenticated attackers to obtain potentially sensitive information from the affected server.
Microsoft Windows Print Spooler Buffer Overflow Exploit (MS09-022)
This module exploits a buffer overflow vulnerability in the EnumeratePrintShares function in the Print Spooler Service in Microsoft Windows to install an agent in the target machine.
Microsoft Windows Print Spooler Service Impersonation Exploit (MS10-061)
This module exploits an impersonation vulnerability on "spoolsv.exe" ( Microsoft Windows Print Spooler ) by first sending a job to the shared printer which overwrites a DLL printer driver with an arbitrary one, and then another job which causes the shared printer to load it and install an agent on the target system.
Microsoft Windows SMB Buffer Underflow Exploit (MS08-063)
This module exploits a Windows kernel remote vulnerability on the srv.sys driver via a malformed SMB packet. It could allow an attacker to connect to a shared folder and send a specially crafted SMB message to an affected system exploiting the target and installing an agent.
Microsoft Windows SMTP Server DNS Response Field Validation DNS Spoofing Vulnerability Exploit (MS10-024)
When the SMTP Client ( this module ) sends an email to "[email protected]", the SMTP Server tries to resolve the IP of "caronte.com" domain. In that moment, the SMTP Server sends a DNS request to the configured DNS Server. This module tries to send a response to the SMTP Server before the configured DNS Server does. As the vulnerable target doesn't check the DNS response "Transaction IDs", if a spoofed response is processed before that a real response the SMTP Server finishes sending an email to a SMTP Server indicated by the spoofed DNS response.
Multiple MicroWorld eScan products are vulnerable to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers. The issue affects the following products versions prior to 4.1.x: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mail servers, WebScan for Linux Proxy Servers.
Linux
Exploits / Remote
Impact
MinaliC Webserver GET Buffer Overflow Exploit
This vulnerability allows remote attackers to execute arbitrary code on a server running MinaliC. The vulnerability is caused due to a boundary error within MinaliC when processing HTTP GET Request. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
Windows
Exploits / Remote
Impact
Miniserv Perl Format String Exploit
This module exploits the following vulnerability, as described by the CVE database: "Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to [...] execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call." The most common TCP ports used by vulnerable programs are 10000 for Webmin and 20000 for Usermin.
MiniShare HTTP GET Request Buffer Overflow Exploit
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing MiniShare. The vulnerability is caused due to a boundary error within MiniShare when processing HTTP GET Request. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
The mongo::mongoFind method in MongoDB makes use of uninitialized memory. A remote attacker can fill that memory address with controlled data and then call the vulnerable function in order to execute arbitrary code on the affected server.
This module exploits a vulnerability in MongoDB server. An arbitrary value passed as a parameter to the nativeHelper function in MongoDB server allows an attacker to control the execution flows to achieve remote code execution.
A Remote Code Execution (RCE) vulnerability has been found in filter/tex/texed.php. Due to the fact this file does not properly check the input parameters, it is possible to exploit this vulnerability in order to execute arbitrary commands on the target server. In order to exploit this vulnerability register_globals must be enabled (in PHP), magic_quotes must be disabled, and the TeX Notation filter in Moodle must be turned on.
This module exploits a remote buffer overflow in the Motorola Netopia netOctopus SDCS server service. The vulnerability exists within the code responsible for parsing client requests. When reading in a request from the network, a 32-bit integer is read in that specifies the number of bytes that follow. This value is not validated, and is then used to read data into a fixed-size stack buffer. This results in an exploitable stack buffer overflow.
Windows
Exploits / Remote
Impact
Motorola Timbuktu Pro PlughNTCommand Stack Based Buffer Overflow Exploit
This module exploits a remote stack-based buffer overflow in Motorola Timbuktu Pro by sending a long malformed string over the plughNTCommand named pipe.
MSRPC CA ARCserve Backup Command Injection Exploit
CA ARCserve Backup is prone to a command injection vulnerability on the RPC interface that could permit the execution of arbitrary remote code. A remote attacker can exploit this vulnerability to execute arbitrary code and completely compromise the computer.