Offensive Security - Exploits
Welcome to our archive of exploits and offensive security tools. We are making these available to foster non-commercial knowledge sharing among industry peers. All software listed here is property of Subreption LLC and has been developed by its team.
Liability and distribution terms
The tools and software available in this page are distributed under the following terms:
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
By downloading, distributing or using the software you agree to these terms, accepting any and all responsibility and liability in the process.
Non-commercial use rights
This software is made available for educational and proof-of-concept purposes, in a personal and non-commercial setting. Any use or redistribution (including through sites with paid advertisement, sites offering services related to the software or areas of expertise related to it) in commercial activities is strictly forbidden. Contact us if you or your employer intend to offer commercial services or products derived from the software, code, ideas contained in it, or as part of any sort of consulting engagement (including but not limited to penetration testing).
If you are aware of violations of our IP, please contact us. Rewards are offered in exchange for court-admissible proof of such violations (when permissible by law), and we reserve the right to publicly expose individuals or organizations engaging in such behavior.
| Year | Date | Title | Summary |
|---|---|---|---|
| 2021 | 04 Apr | Impromptu Icebreaker: TP-Link Archer AC1750 Remote Root Command Injection Exploit | This exploit abuses a command injection vulnerability (CVE-2020-10886) in a WAN accessible service in TP-Link Archer AC1750 routers, to execute arbitrary commands with administrator/root privileges. The payload is delivered sequentially to avoid detection. A secondary payload is supported to execute Lua code into a second process. |
| 2014 | 16 Feb | Mac OS X Tunnelblick Local Privilege Escalation (via Format String) Exploit | This exploit abuses a format string vulnerability in the Tunnelblick VPN client software for Mac OS X to execute arbitrary code as the root/administrator user. |
| 2009 | 01 Jul | Linux Kernel SCTP FORWARD-TSN Chunk Memory Corruption Remote Exploit | This exploit abuses a vulnerability in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8, affecting the handling of packets with FWD-TSN chunks. It was reported to have ‘an unknown impact’. The vulnerability actually resulted in fully remote pre-authenticated arbitrary code execution with ring-0 (OS kernel level) privileges. |
| 2009 | 01 Feb | Novell eDirectory DHAC1-DHOST Remote Session Hijack | This exploit abuses a vulnerability in the session handler of Novell eDirectory up to 8.8 SP 2, to hijack administrator user sessions. The tokens assigned to user sessions used a sequential algorithm, easily calculated to adjust the exploit. The vulnerability itself existed for many years until a third-party leaked it to Novell (CVE-2009-4655). |
| 2008 | 08 Dec | SharpSeatbelt: Stack-based Buffer Overflow Exploit for the Mac OS X Seatbelt policy compiler | This exploit abuses a vulnerability in the TinyScheme interpreter embedded in Apple Mac OS X’s Seatbelt security policy compiler, achieving fully reliable arbitrary code execution in the context of the compiler process. A novel technique against Scheme interpreters is used in the exploit, as well as a memory manipulation technique leveraging MALLOC_HUGE memory regions. OS X Leopard for desktop and server were both impacted by this vulnerability. |
| 2007 | 19 Dec | Apple QuickTime 7.2/7.3 (OSX/Windows, PPC/x86) - RSTP Response Universal exploit aka multi-multi-quicktime | This exploit abuses a vulnerability in Apple Quicktime’s RTSP response handling to execute arbitrary code against OS X and Windows targets for both PPC and x86 architectures, with automatic detection. |
| 2007 | 29 Nov | Mac OS X mount_smbfs Local Privilege (root) Escalation | This exploit abuses CVE-2007-3876 to escalate privileges in affected OS X installations, gaining root/administrator level access, bypassing NX stack protections. |
| 2007 | 02 Apr | Apple Mac OS X mDNSResponder UPnP IGD Remote Arbitrary Code Execution (as root) Exploit | This exploit abuses a vulnerability in mDNSResponder, exposed to hosts in the same local network, resulting in arbitrary code execution as root. Because the payload is broadcasted, the exploit permits network-wide exploitation, resulting in the compromise of all hosts affected, each one of them phoning back to the exploiting host with an administrator shell. |