exploit-latest.md

Latest exploits

Collections

3rd-party lists

• http://www.jamessawyer.co.uk/pub/cve_links.txt
• https://github.com/sobinge/2022-HW-POC
• https://github.com/Ershu1/2021_Hvv
• https://github.com/luck-ying/Library-POC
• https://github.com/White-hua/Apt_t00ls
• Mr-xn/Penetration_Testing_POC - 渗透测试有关的POC、EXP、脚本、提权、小工具等 - 4.2K star
• cckuailong/pocsploit - a lightweight, flexible and novel open source poc verification framework
• trickest/cve - Gather and update all available and newest CVEs with their PoC
• pen4uin/vulnerability-lab - 漏洞研究OA/中间件/框架/路由器 - 无EXP，只是CVE列表
• mudongliang/LinuxFlaw - This repo records all the vulnerabilities of linux software I have reproduced in my local workspace
• zhzyker/exphub - Exphub[漏洞利用脚本库] - 3K star
• houjingyi233/macOS-iOS-system-security - macos/ios exploit writeup
• r0eXpeR/redteam_vul - 红队作战中比较常遇到的一些重点系统漏洞整理
• r0eXpeR/supplier - 主流供应商的一些攻击性漏洞汇总 - VPN比较多
• hhroot/2021_Hvv
• PeiQi0/PeiQi-WIKI-POC - 鹿不在侧，鲸不予游
• coffeehb/Some-PoC-oR-ExP - 各种漏洞poc、Exp的收集或编写
• SandboxEscaper/randomrepo - Repo for random stuff
• 1120362990/vulnerability-list - 在渗透测试中快速检测常见中间件、组件的高危漏洞
• anx1ang/Poc_Pentest
• pedrib/PoC
• Wh0ale/SRC-script - 挖掘src常用脚本
• mai-lang-chai/Middleware-Vulnerability-detection
• jiayy/android_vuln_poc-exp - This project contains pocs and exploits for vulneribilities I found (mostly)
• riskivy: 2020攻防演练弹药库-您有主机上线请注意
• 1N3/Findsploit - Find exploits in local and online databases instantly
• kmkz/exploit
• XiphosResearch/exploits
• r0eXpeR/CVE-2020 - 2020一些漏洞

VMWare

• W01fh4cker/VcenterKit - Vcenter综合渗透利用工具包 | Vcenter Comprehensive Penetration and Exploitation Toolkit

Office

• klezVirus/CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit
• houjingyi233/office-exploit-case-study - Collection of office exploit used in the real world recent years with samples and writeup
• 宏观视角下的office漏洞（2010-2018）

DNS

• knqyf263/dnspooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

Exchange server

• https://github.com/N1k0la-T/CVE-2023-36745
• FSecureLABS/peas - a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.

Iot

• 0xInfection/PewSWITCH - A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157
• ezelf/CVE-2018-9995_dvr_credentials - Get DVR Credentials
• pwnhacker0x18/CVE-2019-16920-MassPwn3r - Exploit and Mass Pwn3r for CVE-2019-16920

Browser

• forrest-orr/Exploits - Chains/Hydseven - Crypto3/Hydseven Windows 10 Firefox RCE/Sandbox Escape Exploit Chain
• julienbedard/browsersploit - an advanced browser exploit pack for doing internal and external pentesting, helping gaining access to internal computers
• frustreated/chrome-sbx-db - Case Study of Chrome Sandbox Escape

Desktop apps

• klinix5/blog-stuff - 目前是一堆AV的漏洞，主要是junction point问题
• ray-cp/browser_pwn - browser pwn, main work now
• dzonerzy/acunetix_0day - Acunetix 0day RCE
• Fplyth0ner-Combie/Bug-Project-Framework - 漏洞利用框架模块分享仓库
• SouhailHammou/Panda-Antivirus-LPE - The exploit for Panda AV LPE
• v-p-b/kaspy_toolz - 卡巴IPC提权
• Ridter/acefile - rar漏洞
• govolution/avepoc - some pocs for antivirus evasion
• tyranid/ExploitRemotingService - A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on nix

Firewall

• seclist.org: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

Linux general

• lrh2000/CVE-2023-2002 - Linux Bluetooth - Run arbitrary management commands as an unprivileged user
• momika233/ClamAV_0Day_exploit
• bsauce/kernel_exploit_factory - Linux kernel CVE exploit analysis report and relative debug environment. You don't need to compile Linux kernel and configure your environment anymore
• bcoles/kernel-exploits - Various kernel exploits
• jollheef/lpe - collection of verified Linux kernel exploits

MacOS general

• occamsec: Rotten Apples: MacOS Codesigning Translocation Vulnerability - 复制合法的签名到目标程序，40分钟后签名校验才会失效
• TCC
  • CVE-2021-30798: TCC Bypass Again, Inspired By XCSSET - 替换CFBundleIdentifier实现TCC绕过
  • Zero-Day TCC bypass discovered in XCSSET malware
  • macOS TCC.db Internals
  • https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-Regula-20-Plus-Ways-to-Bypass-Your-macOS-Privacy-Mechanisms.pdf
• Synacktiv/CVE-2018-4193 - Windows Server component RCE, affecting macOS before 10.13.5
• bazad/physmem - Local privilege escalation through macOS 10.12.1 via CVE-2016-1825 or CVE-2016-7617
• A2nkF/macOS-Kernel-Exploit - macOS Kernel Exploit for CVE-????-????
• DimitriFourny/cve-2019-6207 - MacOS kernel memory leak (4 bytes)
• jndok/stfusip - System Integrity Protection (SIP) bypass for OSX 10.11.1 - 10.11.2 - 10.11.3
• hseclists.org: CleanMyMac3 local privilege escalation - XPC PrivilegedHelper提权，测试有效

Windows general

• fortra/CVE-2022-37969 - Windows LPE exploit for CVE-2022-37969
• Wh04m1001/CVE-2023-21752 - PoC for arbitrary file delete vulnerability in Windows Backup service
• binderlabs/DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
• L4ys/CVE-2022-21882 - Win32k Elevation of Privilege Vulnerability, For Windows 10 21H2 Only
• klinix5/InstallerFileTakeOver - For your notes, this works in every supporting windows installation. Including Windows 11 and Server 2022 with November 2021 patch
• GossiTheDog/HiveNightmare - Exploit allowing you to read registry hives as non-admin on Windows 10 and 11
  • https://pentestlab.blog/2021/08/16/hivenightmare
• decoder-it/NetworkServiceExploit - POC for NetworkService PrivEsc
• waldo-irc/CVE-2021-21551 - Exploit to SYSTEM for CVE-2021-21551
• forrest-orr/DoubleStar - A personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain with a focus on Windows 8.1 and mixed with some of my own techniques
• chompie1337/SIGRed_RCE_PoC - PoC Remote Code Exection Exploit for CVE-2020-1350, SigRed
• itm4n/Perfusion - Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)，带一个漏洞修复脚本
• 2018年Windows漏洞年度盘点
• jas502n/CVE-2020-17008 - splWOW64 Elevation of Privilege
• ioncodes/CVE-2020-16938 - Bypassing NTFS permissions to read any files as unprivileged user
• Q4n/CVE-2020-1362
• JcQSteven/GhostTunnel - 基于360提出的Ghost Tunnel攻击复现
• WindowsExploits/Exploits - A curated archive of complied and tested public Windows exploits
• itm4n/Ikeext-Privesc - Windows IKEEXT DLL Hijacking Exploit Tool
• zcgonvh/MS16-032 - MS16-032(CVE-2016-0099) for SERVICE ONLY
• danigargu/explodingcan - An implementation of NSA's ExplodingCan exploit in Python
• saaramar/execve_exploit - Hardcore corruption of my execve() vulnerability in WSL
• Microsoft SharePoint 'Limited Access' Permission Bypass
• tevora-threat/eternal_blue_powershell - Port of eternal blue exploits to powershell
• preempt/credssp - A code demonstrating CVE-2018-0886
• mez0cc/MS17-010_WORAWIT - MS17-010: Python and Meterpreter
• Potato
  • tylerdotrar/SigmaPotato - SeImpersonate privilege escalation tool for Windows 8 - 11 and Windows Server 2012 - 2022 with extensive PowerShell and .NET reflection support
  • hackvens/CoercedPotato - From Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022
  • nullbind/GodPotato_CLR - A Custom CLR Assembly for MSSQL of the popular tool GodPotato
  • BeichenDream/GodPotato - 可以在新系统上运行的potato，利用rpcss的问题
  • decoder-it/LocalPotato - Another Local Windows privilege escalation using a new potato technique
  • S3cur3Th1sSh1t/MultiPotato - Another Potato to get SYSTEM via SeImpersonate privileges. The code can be used to integrate your favorite trigger by yourself; You can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell
  • zcgonvh/EfsPotato - Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability)
  • CCob/SweetPotato - Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
  • decoder-it/lonelypotato - Modified version of RottenPotatoNG C++
  • Cn33liz/Tater - a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit
  • breenmachine/RottenPotatoNG - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools
  • ohpe/juicy-potato - A sugared version of RottenPotatoNG, with a bit of juice
  • realoriginal/reflectivepotato - MSFRottenPotato built as a Reflective DLL
  • antonioCoco/RoguePotato - Another Windows Local Privilege Escalation from Service Account to System
  • micahvandeusen/GenericPotato - Impersonating authentication over HTTP and/or named pipes
  • antonioCoco/RemotePotato0 - Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin
  • decoder-it/ADCSCoercePotato - Yet another technique for coercing machine authentication but specific for ADCS server
• USB
  • freebuf: 穿透内网防线|USB自动渗透手法总结 - MS10-046, MS15-020和CVE-2017-8464

Uncategorized

• Would you like some RCE with your Guacamole
• HD421/Monitoring-Systems-Cheat-Sheet - A cheat sheet for pentesters and researchers about vulnerabilities in well-known monitoring systems
• houjingyi233/CPU-vulnerabiility-collections
• McAfee ePO 5.9.1 Registered Executable Local Access Bypass - XFF绕过验证
• llt4l/iCULeak.py - Tool to find and extract credentials from phone configuration files hosted on CUCM