CVEsPoCs.md

CVEs and PoCs Resources

Genereal

Some CVEs PoCs repos on github or internet.

• First, see: Awesome CVE PoC by qazbnm456.
• To search (without PoCs): cve-search you can use it off-line too.
• This is a nice Wrapper:vFeed.
• Automated Generation of Proofs of Vulnerability with S2E
• SecurityExploits: This repository contains proof-of-concept exploits developed by the Semmle Security Research Team. We always disclose security vulnerabilities responsibly, so this repository only contains exploits for vulnerabilities which have already been fixed and publicly disclosed.

Linux

• Spectre : CVE-2017-5753,CVE-2017-5715
• Dirty Cow: CVE-2016-5195 Others
• "Root" via dirtyc0w privilege escalation exploit
• Huge Dirty Cow: CVE-2017-1000405
• SMEP,SMAP and Chrome Sandbox: CVE-2017-5123
• SambaCry: CVE-2017-7494
• The Stack Clash: CVE-2017-1000364
• GoAhead web server: CVE-2017-17562
• New bypass and protection techniques for ASLR on Linux
• Linux ASLR integer overflow: Reducing stack entropy by four: CVE-2015-1593
• Ubuntu CVES: CVE-2017-16995, netfilter, CVE-2013-1763
• Linux Kernel Version 4.14 - 4.4 (Ubuntu && Debian): CVE-2017-16995
• Meltdown/Spectre: Understanding Spectre and Meltdown Vulnerability
• Linux Kernel TCP implementation vulnerable to Denial of Service: CVE-2018-5390
• Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112. repo: kernel-exploits: A bunch of proof-of-concept exploits for the Linux kernel.
• Malicious Command Execution via bash-completion: CVE-2018-7738
• An integer overflow flaw was found in the Linux kernel's create_elf_tables() function: CVE-2018-14634
• This repo records all the vulnerabilities of linux software I have reproduced in my local workspace
• linux-kernel-exploitation: A bunch of links related to Linux kernel exploitation
• Linux Privilege Escalation – Using apt-get/apt/dpkg to abuse sudo “NOPASSWD” misconfiguration
• System Down: A systemd-journald exploit. Combined Exploitation of CVE-2018-16865 and CVE-2018-16866
• mario_baslr: PoC for breaking hypervisor ASLR using branch target buffer collisions.
• waitid: CVE-2017-5123

Solaris

• Kernel Level Privilege Escalation in Oracle Solaris: CVE-2018-2892

Windows

• Office: CVE-2017-0199
• WebDAV: CVE-2017-11882
• WSDL Parser: CVE-2017-8759
  • MS .NET: CVE-2017-8759
  • WPAD/PAC: aPAColypse now
  • Meltdown/Spectre:CVE-2017-5754,CVE-2017-5715
  • Packager OLE: CVE-2018-0802
  • Integer Overflow: Integer Overflow
  • Hardcore corruption of my execve() vulnerability in WSL: CVE-2018-0743
  • Privilege Escalation Vulnerability in Windows Standard Collector Service: CVE-2018-0952
  • Exploit Published for Windows Task Scheduler Zero-Day. poc
  • PowerPool malware exploits ALPC LPE zero-day vulnerability
  • You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows: CVE-2018-15514
• Invoke-WMILM: This is a PoC script for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
• Use-after-free (UAF) vulnerability: CVE-2018-8373
• Microsoft Edge RCE: CVE-2018-8495
• Device Guard/CLM bypass using MSFT_ScriptResource: CVE-2018–8212
• A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
• windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合
• docx-embeddedhtml-injection: This PowerShell script exploits a known vulnerability in Word 2016 documents with embedded online videos by injecting HTML code into a docx file, replacing the values of all pre-existing embeddedHtml tags.
• Root Cause of the Kernel Privilege Escalation Vulnerabilities: CVE-2019-0808
• DACL Permissions Overwrite Privilege Escalation: CVE-2019-0841
• Scanner PoC for RDP RCE vuln: CVE-2019-0708
• Exploiting the Windows Task Scheduler Through: CVE-2019-1069
• cve-2019-0708-scan
• More Than a Penetration Test: CVE-2019–1082.
• Out-Of-Bounds Read\Write: CVE-2019-1164

macOS/iOS

• RootPiper: Demo/PoC Tester
  • Mac Privacy: Sandboxed Mac apps can record your screen at any time without you knowing by Felix Krause
• ROPLevel6 Writeup
• Escaping the sandbox by misleading bluetoothd:CVE-2018-4087
• Reexport symbols for Mach-O and ELF.
• Jailbreak for iOS 10.x 64bit devices without KTRR
• MS Office 2016 for Mac Privilege Escalation via a Legacy Package: CVE-2018–8412
• blanket: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass (CVE-2018-4280)
• brokentooth: POC for CVE-2018-4327
• Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code: CVE-2018-4407
• Offensive testing to make Dropbox (and the world) a safer place
• WebKit-RegEx-Exploit: Safari 12.1.1
• Chaos iOS: < 12.1.2 PoC by @S0rryMyBad since he posted it as a photo rather than a source code. Also cleaned up.
• powerd exploit : Sandbox escape to root for Apple iOS < 12.2 on A11 devices
• iMessage: The Many Possibilities of CVE-2019-8646 poc
• PoC tool for setting nonce without triggering KPP/KTRR/PAC. (requires tfp0)

Android

• Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones

Java

• Spring Data Commons: CVE-2018-1273

Apache Struts

• How to find 5 RCEs in Apache Struts with Semmle QL: CVE-2018-11776
• Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts: CVE-2018-11776, docker Poc, other poc
• Apache Struts Vulnerability POC Code Found on GitHub
• struts-pwn: An exploit for Apache Struts CVE-2018-11776

BMC

• HPE iLO4: CVE-2017-12542

x86

• Spectre: CVE-2017-5753,CVE-2017-5715
• Meltdown: CVE-2017-5754
• Cyberus: Meltdown
• L1 Terminal Fault: CVE-2018-3615/CVE-2018-3620/CVE-2018-3646/INTEL-SA-00161

ARM

• ARM exploitation for IoT – Episode 3
• Multiple vulnerabilities found in Wireless IP Camera: CVE-2017-8224, CVE-2017-8222, CVE-2017-8225, CVE-2017-8223, CVE-2017-8221
• DoubleDoor, IoT Botnet bypasses firewall as well as modem security using two backdoor exploits: CVE-2015–7755 and CVE-2016–10401
• i.MX7 M4 Atomic Cache Bug
• MikroTik Firewall & NAT Bypass

VirtualBox

• From Compiler Optimization to Code Execution - VirtualBox VM Escape: CVE-2018-2844. poc
• VirtualBox 3D PoCs & exploits
• Multiple Vulnerabilities on Kerui Endoscope Camera
• virtualbox_e1000_0day: VirtualBox E1000 Guest-to-Host Escape

PHP

• PHPMailer: CVE-2016-10033
• PHP PrestaShop 1.6.x Privilege Escalation: CVE-2018-13784
• phpLdapAdmin multiple vulns: phpldapadmin remote exploit and vulnerable container.
• imagecolormatch() OOB Heap Write exploit: CVE-2019-6977
• vBulletin: 2019_vbulletin_0day_info.txt

Others

• Tenable a lot of Proof of Concepts
• Apache Tomcat: CVE-2017-12617
• Palo Alto Networks firewalls: Palo Alto Networks firewalls remote root code execution CVE-2017-15944
• https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ and A fully implemented kernel exploit for the PS4 on 4.05FW
• HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL ME (CVE-2017-5705, CVE-2017-5706, CVE-2017-5707), github
• Nintendo Switch JailBreak PoC:CVE-2016-4657
• Play with FILE Structure - Yet Another Binary Exploit Technique
• Geovision Inc. IP Camera, with a lot others in this repo
• Zero-day vulnerability in Telegram
• A Telegram bug that disclose phone numbers of any users in public groups
• Bug or Backdoor: Exploiting a Remote Code Execution in ISPConfig by 0x09AL Security blog.
• SSH Exploit written in Python for CVE-2018-15473 with threading and export formats: CVE-2018-15473, analysis
• RICOH MP 2001 Printer Cross Site Scripting ≈ Packet Storm, code, Cross-Site Scripting
• Oracle WebLogic WLS-WSAT Remote Code Execution Exploit: CVE-2017-10271
• Oracle BI, Out of Band XXE Injection Via gopher: CVE-2016-3473
• WebLogic Exploit: CVE-2017-10271
• Talos Vulnerability Deep Dive: Sophos HitmanPro.Alert vulnerability - CVE-2018-3971
• JPEG [JAY-peg], some pocs JPEG PoCs
• Kubernets: CVE-2018-1002105
• QEMU: vga: OOB read access during display update: CVE-2017-13672,
• QEMU VM Escape: CVE-2019-14378
• Exploiting LaTeX with CVE-2018-17407
• GitHub Desktop RCE (OSX)H1-702 2018, poc
• unprivileged users with UID > INT_MAX can successfully execute any systemctl command (#74)
• Authenticated RCE in Polycom Trio 8800, pt.1
• Tenable Research Advisory: Zoom Unauthorized Command Execution - CVE-2018-15715
• Crash Chrome 70 with the SQLite Magellan bug code
• From vulnerability report to a crafted packet using instrumentation: CVE-2018-4013
• PoC for Foxit Reader: CVE-2018-14442
• Social Network Tabs Wordpress Plugin Vulnerability: CVE-2018-20555
• ES File Explorer Open Port Vulnerability: CVE-2019-6447
• Atlassian Jira vulnerable: CVE-2017-9506
• Chrome:
  • CVE-2019-5782
  • CVE-2019-5786: FileReader Exploit
• Google Books X-Hacking
• Ruby on Rails: File Content Disclosure on Rails - CVE-2019-5418
• Libreoffice - Remote Code Execution via Macro/Event execution: CVE-2018-16858
• Signal IDN homograph attack: CVE-2019-9970.
• Grandstream Exploits: Grandstream Exploits
• Apache HTTPD Root Privilege Escalation - CARPE (DIEM): CVE-2019-0211, github
• Say Cheese: Ransomware-ing a DSLR Camera -

'''bash $ echo H4sICH0mqFkAA3BvYwDbweS/W8LxrMCuK8wbZN85bWh494VhFIwUELoKAIJvFIwAAgAA | base64 -d | gunzip > a && qemu-system-i386 -vga cirrus a '''

• Elasticsearch Kibana Console CVE-2018-17246 PoC：

GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd

• Web/Javscript/WAF Payload will run in a lot of contexts: Short but lethal. No script tags, thus bypassing a lot of WAF and executes in multiple environments.

javascript:"/*'/*`/*--><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

• Thrangrycat
• Responding to Firefox 0-days in the wild
• Bitbucket 6.1.1 Path Traversal to RCE: CVE-2019-3397

Additions

Please, send pull requests for new additions.

Thanks!