Finding the right exploit code
I am often looking for the right exploit code, to test and learn from in a lab setting, adapt and use during a penetration test, or to help determine the risk level of a finding during a risk assessment.
An exploit is a small program, which exploits a specific vulnerability present in a software program. It delivers its payload with a degree of reliability and automation.
This article discusses some of my go-to methods and resources. I’m hoping it will drive home the importance of applying patches and upgrading products that are End of Life. My custom exploit search engine can be found in here.
About the Author
Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.
More stories by Andrew
Buying a professional penetration testing laptop for 2017 | Evaluating Qubes OS as a Penetration Testing Platform | Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | Hacker to Security Pro! On the Shoulders of #InfoSec Giants| Securing an Android Phone or Tablet (LineageOS) | Password (IN)SANITY: Intelligent Password Policy & Best Practices
The methods and resources mentioned in this article are not exhaustive. By the time you read this, some may 404 and others joined their ranks.
Be mindful of the laws governing the possession and use of exploits. Many are specific to your jurisdiction.
Never trust exploit code you found on the Internet. You may end up quantum leaping to root — but more likely open a backdoor or rm -rf / your localhost and client’ server.
Compiled exploits can contain anything and the same warning applies when reusing existing payloads. Test all code in a monitored lab environment before you add it to your toolkit.
I often start out researching particular vendors, software products, and specific vulnerabilities. The following sites are useful to get a sense of what is out there:
CVEDetails allows you to generate custom RSS feeds, list widgets and query their JSON API.
Index, correlate and manage software vulnerabilities using:
- CVE-Search http://cve-search.org/
CVE-Search enables you to do fast local lookups using the web interface or API, reducing potentially sensitive queries sent via the Internet.
Not all vulnerabilities are always “awarded” a vulnerability ID. In rare cases, what looks like a DoS vulnerability to one researcher — is the foundation for an RCE exploit to another.
Exploit Search Engines
If I am targeting a specific software product, and even version, my next stop is this search engine:
- ExploitSearch.net http://exploitsearch.net/
It will scour several exploit databases, frameworks, and exploit-pack vendors for matches.
From the infamous:
To the classically famous:
Their dashboard has a full overview as well as some interesting statistics.
Collection databases and sites come and go. Some disappear completely where others remain online as an archive.
At time of writing, ExploitSearch does not index / integrate with:
- Brakertech.com http://brakertech.com/
- CXSecurity.com https://cxsecurity.com/
- ExploitAlert.com http://www.exploitalert.com/
- Iranian Exploit Database http://iedb.ir/
- RouterPwn.com http://www.routerpwn.com/
- SeeBug.org https://www.seebug.org/
- SecuriTeam.com http://www.securiteam.com/
- SecurityPhresh.com http://securityphresh.com/
- SecurityVulns.com http://securityvulns.com/
- Vulnerability-Lab.com https://www.vulnerability-lab.com/
- Vulners.com https://vulners.com/
- WpVulnDB.com https://wpvulndb.com/
- Zero Day Initiative (published, upcoming)
This is a far from complete list of exploit database sites, researchers’ blogs, vendor advisories, etc.
Premium Exploit Packs
These are sold as standalone toolkits or extensions to existing commercial exploitation tools. Shadier sources are the premium exploitation packs and frameworks.
For this reason, I’ve chosen to only list one example:
Though a lower quality than those sold on exploit marketplaces, and only available at a price. It will still affect my risk assessment if a ready-made exploit is available.
Niche Exploit Collections
I get a kick out of sites collecting exploits that take on bots, C2 servers, and other malware:
Luigi Auriemma maintained a blog focused on game exploits:
- Aluigi.Altervista.org (site)
There is a persistent effort to collect local privilege escalation exploits:
- Unix-PrivEsc (github)
- Tarantula.by.ru (archive.org)
- LinuxNote.org (site)
- Unix-Privilege-Escalation-Exploits-Pack (github)
- 0xdeadbeaf.info (site)
They are all in different states and levels of completeness.
Exploit Search Tools
Current reigning champion is Pompem (github).
This command-line tool searches some of the sites listed before. CXSecurity, PacketStorm, the U.S. National Vulnerability DB, Vulners, WpvulndbB, 0day.today.
I’ve found findsploit (github) useful as well.
Exploit Suggestion Tools
This class of tools can help you speed up local privilege escalation.
- AutoLocalPrivilegeEscalation (github) (SEE DISCLAIMER!)
- LinEnum (github)
- Linux_Exploit_Suggester.pl (github)
- linuxprivchecker.py (github)
- unix-privesc-check (github)
- windows-exploit-suggester.py (github)
- windows-privesc-check (github)
The RootHelper script combines a few — all of these could use an update.
I’ll likely refer to this article in future discussions.
I hope this article has driven home the importance of applying patches, as well as taking clients/systems/products out of production — once they no longer receive updates. (Internet of Things here we come!)
With basic coding skills anyone should be able to expand on the existing tools or build a better search engine. I will heed xkcd #927 and move along.
ALRIGHT — here is my custom Exploit search engine!
Do you have any advice? Corrections or additions?
Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.
Click the ♡ to recommend this article.