Note: I am the owner and original developer of Erebus Framework. Any videos or claims stating otherwise are fake. The tool is still under active development.
— 0xAdham
888888 88""Yb 888888 88""Yb 88 88 .dP"Y8
88__ 88__dP 88__ 88__dP 88 88 Ybo."
88"" 88"Yb 88"" 88""Yb Y8 8P o.Y8b
888888 88 Yb 888888 88oodP YbodP 8bodP
Exploitation Framework — Powered by AI
Erebus is an AI-native offensive security framework built from the ground up. Not a Metasploit wrapper. Not a chatbot that suggests commands. A full exploitation framework where the AI is the operator and you just approve.
Every existing framework — Metasploit, Sliver, Havoc — was built for a human sitting at a terminal typing commands. The human does all the thinking. The tool just executes.
Erebus flips that.
You describe the objective. The AI plans the attack chain, picks the modules, adapts the payloads, and executes with your approval.
erc > ai "get domain admin on 192.168.1.0/24"
[*] Running passive recon...
[*] Detected: Windows Server 2022, SMB signing disabled
[*] Suggested chain: Responder → NTLM relay → secretsdump → DCSync
[*] Confirm execution? [y/n]
GUI Layer (Electron + React)
↓ gRPC
CLI Console — erc > prompt (Go)
↓
Core Engine (Go)
├── Module Registry
├── Session Manager
├── Loot Database (SQLite)
├── Approval Gate
├── MITRE ATT&CK Auto-tagger
└── Report Generator
↓ ↓ gRPC
Module System AI Engine (Python)
├── Web CVE Exploits ├── NL Attack Planner
├── Network CVEs ├── CVE-to-Exploit Pipeline
├── AD Attacks ├── Payload Mutation (WAF/EDR bypass)
├── Privesc └── Auto Report Generator
├── Post-Exploitation
├── Containers
├── Recon
└── Pivot
↓
C2 Teamserver (Go)
└── Protobuf over mTLS / HTTPS / DNS
go run cmd/erebus/main.go
erc > search apache
erc > search CVE-2021-44228
erc > search platform:windows
erc > use exploit/web/CVE-2021-41773
erc > set RHOST 10.10.10.1
erc > set LHOST 10.0.0.1
erc > options
erc > run
erc > sessions -i 1
erc > loot
erc > report generate
erc > workspace new client1
erc > ai " get root on 10.10.10.5" Features: tab completion, command history, color output, shell passthrough, readline support.
Every exploit implements a strict interface — Name, CVE, ATTACKTag, Risk, Platform, Options, Execute. Modules are written in whatever language fits the vulnerability — Go, Python, C, Bash.
Searchable CVE exploit library. Every module targets a real CVE with a real payload.
Module
CVE
Description
Language
exploit/web/CVE-2021-41773CVE-2021-41773
Apache 2.4.49 path traversal + RCE
Python
exploit/web/CVE-2021-42013CVE-2021-42013
Apache 2.4.49-50 bypass
Python
Module
CVE
Description
Language
exploit/web/CVE-2021-44228CVE-2021-44228
Log4Shell RCE
Python
exploit/web/CVE-2022-26134CVE-2022-26134
Confluence RCE
Python
exploit/web/CVE-2022-22965CVE-2022-22965
Spring4Shell RCE
Python
exploit/web/CVE-2023-50164CVE-2023-50164
Apache Struts file upload RCE
Python
Module
CVE
Description
Language
exploit/web/CVE-2024-4577CVE-2024-4577
PHP CGI RCE
Python
exploit/web/CVE-2019-11043CVE-2019-11043
PHP-FPM RCE
Python
Module
CVE
Description
Language
exploit/web/CVE-2018-7600CVE-2018-7600
Drupalgeddon2 RCE
Python
exploit/web/CVE-2024-23897CVE-2024-23897
Jenkins file read + RCE
Python
exploit/web/CVE-2023-7028CVE-2023-7028
GitLab password reset RCE
Python
exploit/web/CVE-2023-34362CVE-2023-34362
MOVEit SQLi
Python
Module
CVE
Description
Language
exploit/web/CVE-2023-4966CVE-2023-4966
Citrix Bleed session token leak
Python
exploit/web/CVE-2022-40684CVE-2022-40684
Fortinet auth bypass
Python
exploit/web/CVE-2024-3400CVE-2024-3400
Palo Alto PAN-OS RCE
Python
exploit/web/CVE-2024-21887CVE-2024-21887
Ivanti Connect Secure RCE
Python
Network Exploits (CVE-Based)
Module
CVE
Description
Language
exploit/network/CVE-2017-0144MS17-010
EternalBlue SMB RCE
Python
exploit/network/CVE-2021-34527CVE-2021-34527
PrintNightmare
Python
exploit/network/CVE-2020-1472CVE-2020-1472
Zerologon domain takeover
Python
exploit/network/CVE-2021-42278CVE-2021-42278/42287
noPac AD privesc
Python
exploit/network/CVE-2024-6387CVE-2024-6387
regreSSHion OpenSSH RCE
C
Module
CVE
Description
Language
modules/privesc/linux/CVE-2021-4034CVE-2021-4034
PwnKit pkexec LPE
C
modules/privesc/linux/CVE-2022-0847CVE-2022-0847
DirtyPipe
C
modules/privesc/linux/CVE-2023-4911CVE-2023-4911
Looney Tunables glibc LPE
C
modules/privesc/linux/CVE-2016-5195CVE-2016-5195
DirtyCow
C
modules/privesc/linux/suid—
SUID/SGID auto-exploit
Go
modules/privesc/linux/sudo—
Sudo version exploits
Go
modules/privesc/linux/cron—
Cron job hijacking
Bash
modules/privesc/linux/path—
PATH injection
Bash
Module
CVE
Description
Language
modules/privesc/windows/printspoofer—
PrintSpoofer token impersonation
Go
modules/privesc/windows/roguepotato—
RoguePotato / GodPotato
Go
modules/privesc/windows/uac-fodhelper—
UAC bypass FODHELPER
Go
modules/privesc/windows/uac-cmstp—
UAC bypass CMSTP
Go
modules/privesc/windows/byovd—
BYOVD vulnerable driver LPE
Go
modules/privesc/windows/alwaysinstallelevated—
AlwaysInstallElevated MSI abuse
Go
Module
Description
modules/ad/kerberoastLDAP enum + TGS requests + hashcat $krb5tgs$23$ output
modules/ad/asreproastAS-REP roasting
modules/ad/aclACL abuse — WriteDACL, GenericAll, ForceChangePassword
modules/ad/adcsAD CS attacks ESC1-ESC8
modules/ad/dcsyncDCSync domain replication abuse
modules/ad/gpoGPO abuse
modules/ad/bloodhoundAD attack path mapping
Module
Description
modules/post/windows/lsassLSASS credential dump
modules/post/windows/samSAM + SYSTEM hive dump
modules/post/windows/imdsAzure/AWS IMDS credential theft
modules/post/windows/persistRegistry, scheduled tasks, WMI persistence
Module
Description
modules/post/linux/credsBash history, SSH keys, env vars, config files
modules/post/linux/hashdump/etc/shadow dump
modules/post/linux/persistCron, bashrc, systemd persistence
Module
Description
modules/container/dockerDocker socket escape, privileged breakout
modules/container/kubernetesKubelet API enum, service account token theft
modules/container/lxdLXD group privesc
Module
Description
modules/recon/passivecrt.sh, Shodan, GAU, GitHub dorking — zero packets to target
modules/recon/activePort scanning, HTTP probing, subdomain brute force
Module
Description
modules/pivot/ligoloLigolo-ng tunnel setup
modules/pivot/sshSSH port forwarding
modules/pivot/socksSOCKS5 proxy via compromised host
erc > ai "get root on 10.10.10.5"
[*] Detected: Ubuntu 20.04, Apache 2.4.49
[*] CVE-2021-41773 detected — path traversal + RCE
[*] Chain: exploit/web/CVE-2021-41773 → privesc/linux/CVE-2021-4034 → loot
[*] Confirm? [y/n]
Natural language attack planning
CVE-to-exploit pipeline — detect version, pull PoC, adapt, execute
Payload mutation engine — evades WAFs and EDRs in real time
Auto report generator — PDF, Markdown, HTML
SQLite — hashes, credentials, tokens, files. Structured, searchable, tied to engagements, auto-populated into reports.
Protobuf over mTLS / HTTPS / DNS
AI picks best channel based on target environment
Memory-only execution, process injection, BYOVD evasion
AI rotates payload signatures on every build
git clone https://github.com/0xAdham/erebus-framework
cd erebus-framework
go mod tidy
go build ./...
go run cmd/erebus/main.go Requirements: Go 1.23+
Component
Technology
Core engine
Go
CLI console
Go + readline + fatih/color
Exploit modules
Go / Python / C / Bash
AI engine
Python
IPC
gRPC + protobuf
C2
mTLS / HTTPS / DNS
Loot DB
SQLite
GUI (coming)
Electron + React + D3.js
For authorized penetration testing and security research only. Use only on systems you own or have explicit written permission to test.
0xAdham — offensive security researcher, CTF player, builder
Erebus Framework — built brick by brick.