Exploit development is an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don't have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must go through the time-consuming effort of quality assurance testing in order to ensure they are secure and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Written by our own internal team, you can trust they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge, and not all of them represent the same risk for customers. Vulnerabilities do not all have the same level of criticality: some may be easily exploitable by a low-level user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each one of these variables has a different weight, and together they provide a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (the most popular OS) that can be exploited remotely, without authentication, and that provides super user privileges.
Conversely, a vulnerability on an application that is rarely installed, needs special configurations, and requires user interaction would be at the bottom.
Stay Informed of New Core Certified Exploits
Subscribe to receive regular email updates on new exploits available for Core Impact
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
Each library entry lists: Title, Description, Date Added, CVE Link, Exploit Platform, Exploit Type, Product Name.
Nagios XI monitoringwizard SQL Injection Vulnerability Exploit
This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401. Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). Before proceeding, it authenticates using an existing user, regardless of their privilege level, to ensure access to the system for the subsequent stages.
Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-30090)
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in an arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
Get the kernel address of nt!SeDebugPrivilege
Create a new thread to win the race condition
Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege
Create a new process running the agent as SYSTEM
Palo Alto Networks OS WebApp Remote Code Execution Exploit
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges and perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in order to deploy an agent.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Palo Alto Networks OS Remote Code Execution Exploit
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges and perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in order to deploy an agent.
This module exploits CVE-2024-5910 to reset the admin password. To do this, it crafts a special request to the endpoint /OS/startup/restore/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 in order to deploy an agent. The exploitation of CVE-2024-9464 consists of crafting a special request to the endpoint /bin/CronJobs.php. As an authenticated user we can abuse this endpoint to insert commands into the cronjobs table of pandb.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Windows Ks Driver KSPROPERTY Privilege Escalation Exploit
The Windows streaming driver (ks.sys) has a design vulnerability which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
Opens an audio device with read/write access.
Gets the memory address of a kernel object associated with a process, to access its details in kernel space.
Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations.
CVE-2023-43208 stems from an insecure data deserialization process in Mirth Connect's use of the XStream library, which improperly processes untrusted XML payloads. This deserialization flaw enables us to exploit the system by sending crafted XML requests to execute code remotely on the server.
This module chains two vulnerabilities to deploy an agent in the target system that will run with NT AUTHORITY\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class.
Exploits / Authentication Weakness / Known Vulnerabilities
Impact
Microsoft Windows Telephony Server Use After Free Local Privilege Escalation Exploit
The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an out-of-bounds write, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
Linux OpenPrinting cups-browsed Remote Code Execution Exploit
This module chains four vulnerabilities to deploy an agent in a Linux target system that will run with the cups-browsed daemon user privileges. The first vulnerability is that cups-browsed binds on UDP INADDR_ANY:631 and trusts any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL. The second vulnerability is in libcupsfilters, where the function cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.
Microsoft Smart App and Mark of the Web bypass tool using LNK stomping
This tool bypasses Mark of the Web and SmartScreen in order to execute blocked files, which usually have been downloaded from the internet. It involves crafting LNK files that have non-standard target paths or internal structures. When clicked, these LNK files are rewritten by explorer.exe with the canonical formatting. This modification removes the MotW label before the security checks are performed, which results in the execution of the blocked file, bypassing the warnings.
Veeam Backup and Replication Blacklist ObjRef NET Deserialization Vulnerability Remote Code Execution Exploit
This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with NT AUTHORITY\SYSTEM user privileges. First, the module registers an endpoint in the local webserver that will be used in the attack to send a serialized gadget to the target, which will execute system commands to deploy the agent. Finally, it triggers the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable.
Microsoft Outlook Moniker Image Tag Information Disclosure Exploit (CVE-2024-38021)
This exploit leverages an Information Disclosure vulnerability in Microsoft Outlook. By sending an email containing a crafted malicious path in an "img src" tag, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an SMB server. When the client opens Outlook, if the user is on the trusted list, it connects to the SMB server without any click and the NTLM user hashes are obtained. If the user is not on the trusted user list, the client must click on the attached link for the vulnerability to be exploited.
This module uses a directory traversal vulnerability to deploy an agent in Progress WhatsUp Gold that will run with IIS APPPOOL\NmConsole user privileges. The module launches a local webserver that will be used in the attack to send poisoned responses and to upload a webshell to the target. Then it triggers the vulnerability via the /NmAPI/RecurringReport endpoint. Finally, it brute-forces the webshell name, trying to find the one uploaded by the server, which will deploy an agent.
This module exploits an issue in GitLab CE/EE that allows sending password reset emails to an unverified email address. In order to take over the account, the module exploits the vulnerability by adding the attacker's email to the JSON sent to the /users/password endpoint, then connects via IMAP to the attacker's mailbox, parses the reset email and changes the password.
This module chains together three vulnerabilities to deploy an agent. First, a vulnerability is used to obtain the exact version of Ivanti Connect Secure installed on the system. Next, the module exploits a second vulnerability that allows the attacker to access certain restricted resources without authentication, leveraging a flaw in the SAML component. Finally, the module uses a third vulnerability that enables remote code execution with elevated privileges in the management component, facilitating the injection and execution of the agent.
Microsoft Windows DWMCORE Elevation of Privilege Vulnerability
The vulnerability exists due to a size miscalculation error in an integer division within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow in the CCommandBuffer::Initialize method in dwmcore.dll and execute arbitrary code to install a Core Impact agent as the DWM user with System integrity privileges. This exploit checks whether the target is supported and not patched: if the build is greater than or equal to 22631.3593, the target is patched; otherwise it proceeds to exploitation.
Magento eCommerce Web Sites CosmicSting and CNEXT Remote Code Execution Exploit
This module chains two vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module uses the first vulnerability to download /proc/self/maps and the libc library.
Magento eCommerce Web Sites CosmicSting and CNEXT Remote Code Execution Webapp Exploit
This module chains two vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module uses the first vulnerability to download /proc/self/maps and the libc library.