Finding the right exploit code

Free stock photo, credit Picjumbo.com

I am often looking for the right exploit code, to test and learn from in a lab setting, adapt and use during a penetration test, or to help determine the risk level of a finding during a risk assessment.

An exploit is a small program, which exploits a specific vulnerability present in a software program. It delivers its payload with a degree of reliability and automation.

This article discusses some of my go-to methods and resources. I’m hoping it will drive home the importance of applying patches and upgrading products that are End of Life.

I confirmed in January 2020 that resources listed in this guide still work, and spent a few hours updating the 2020 Exploit Search Engine.

@securitystreak

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

More stories by Andrew

Buying a professional penetration testing laptop| Evaluating QubesOS as a Penetration Testing Platform | Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | Hacker to Security Pro! On the Shoulders of #InfoSec Giants | Securing an Android Phone or Tablet (LineageOS) | Password (IN)SANITY: Intelligent Password Policy & Best Practices | Security Architecture Patterns I & Patterns II

Disclaimer

The methods and resources mentioned in this article are not exhaustive. By the time you read this, some may 404 and others joined their ranks.

Be mindful of the laws governing the possession and use of exploits. Many are specific to your jurisdiction.

Never trust exploit code you found on the Internet. You may end up quantum leaping to root — but more likely open a backdoor or rm -rf / your localhost and client’ server.

Compiled exploits can contain anything and the same warning applies when reusing existing payloads. Test all code in a monitored lab environment before you add it to your toolkit.

Vulnerability Details

I often start out researching particular vendors, software products, and specific vulnerabilities. The following sites are useful to get a sense of what is out there:

• CVEDetails.com https://www.cvedetails.com/
• ITSecDB.com http://www.itsecdb.com/

These offer you a better front-end for their various sources, such as Mitre and the U.S. National Vulnerability Database.

CVEDetails allows you to generate custom RSS feeds, list widgets and query their JSON API.

Index, correlate and manage software vulnerabilities using:

• CVE-Search http://cve-search.org/

CVE-Search enables you to do fast local lookups using the web interface or API, reducing potentially sensitive queries sent via the Internet.

Mailing Lists

Discussion of new vulnerabilities takes place in real-time on mailing lists. I expect this will still be true in 2017.

Not all vulnerabilities are always “awarded” a vulnerability ID. In rare cases, what looks like a DoS vulnerability to one researcher — is the foundation for an RCE exploit to another.

Exploit Search Engines

If I am targeting a specific software product, and even version, my next stop is this search engine:

• ExploitSearch.net http://exploitsearch.net/ [DEAD]
• My Custom Google Search

It will scour several exploit databases, frameworks, and exploit-pack vendors for matches.

From the infamous:

• Exploit-DB.com (site, search, github, github binary)
• 0day.today (site, search)
• Shodan.io (site, search)

To the classically famous:

• PacketStormSecurity.com (site, search)
• SecurityFocus.com (site, search)

Their dashboard had a full overview as well as some interesting statistics.

Exploit Sites

Collection databases and sites come and go. Some disappear completely where others remain online as an archive.

At time of writing, ExploitSearch does not index / integrate with:

• Brakertech.com http://brakertech.com/
• CXSecurity.com https://cxsecurity.com/
• ExploitAlert.com http://www.exploitalert.com/
• Iranian Exploit Database http://iedb.ir/ [DEAD]
• RouterPwn.com http://www.routerpwn.com/
• SeeBug.org https://www.seebug.org/
• SecuriTeam.com http://www.securiteam.com/
• SecurityPhresh.com http://securityphresh.com/
• SecurityVulns.com http://securityvulns.com/
• Vulnerability-Lab.com https://www.vulnerability-lab.com/
• Vulners.com https://vulners.com/
• WpVulnDB.com https://wpvulndb.com/
• Zero Day Initiative (published, upcoming)

This is a far from complete list of exploit database sites, researchers’ blogs, vendor advisories, etc.

Premium Exploit Packs

These are sold as standalone toolkits or extensions to existing commercial exploitation tools. Shadier sources are the premium exploitation packs and frameworks.

For this reason, I’ve chosen to only list one example:

• ExploitPack.com (site, listing)

Though a lower quality than those sold on exploit marketplaces, and only available at a price. It will still affect my risk assessment if a ready-made exploit is available.

Niche Exploit Collections

I get a kick out of sites collecting exploits that take on bots, C2 servers, and other malware:

• malSploitBase (github) [STILL MAINTAINED!]
• PwnMalw.re (archive.org)
• ThreatRoast.com (site) [DEAD]

Luigi Auriemma maintained a blog focused on game exploits:

• Aluigi.Altervista.org (archive.org)

There is a persistent effort to collect local privilege escalation exploits:

• Unix-PrivEsc (github)
• Tarantula.by.ru (archive.org)
• LinuxNote.org (archive.org)
• Unix-Privilege-Escalation-Exploits-Pack (github)
• 0xdeadbeaf.info (site)

They are all in different states and levels of completeness.

Exploit Search Tools

Current reigning champion is Pompem (github) [NOT MAINTAINED]

This command-line tool searches some of the sites listed before. CXSecurity, PacketStorm, the U.S. National Vulnerability DB, Vulners, WpvulndbB, 0day.today.

I’ve found findsploit (github) useful as well [STILL MAINTAINED].

It searches Exploit-DB.com, Nmap NSE scripts, and the Metasploit Framework, with the option to continue your search online.

Exploit Suggestion Tools

This class of tools can help you speed up local privilege escalation.

January 2020 Update: following projects are no longer being maintained:

• AutoLocalPrivilegeEscalation (github)
• Linux_Exploit_Suggester.pl (github)
• linuxprivchecker.py (github)
• unix-privesc-check (github)
• windows-exploit-suggester.py (github)
• windows-privesc-check (github)

The RootHelper script combines a few — all of these could use an update.

January 2020 Update: following projects are still maintained/emerged:

• LinEnum (github)
• bitsadmin/wesng — next gen Windows exploit suggester (github)
• mzet-/linux-exploit suggester (github)
• jondonas/linux-exploit-suggester-2 (github)

Conclusion

I’ll likely refer to this article in future discussions.

I hope this article has driven home the importance of applying patches, as well as taking clients/systems/products out of production — once they no longer receive updates. (Internet of Things here we come!)

With basic coding skills anyone should be able to expand on the existing tools or build a better search engine. I will heed xkcd #927 and move along.

ALRIGHT — here is my custom Exploit search engine!

Do you have any advice? Corrections or additions?

Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.

Click the ♡ to recommend this article.