Miscellaneous exploit code
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
AssetExploder Updated wording Oct 28, 2016
CrunchRATPoison Update README.md Nov 24, 2017
DiamondFox Create README.md Sep 30, 2015
DoubtfullyMalignant Fix Issue 1 Properly (reporter - alice-margatroid) Sep 17, 2016
ElasticSearch Update README.md Jul 14, 2015
FreeACS-Pwn Create README.md Apr 11, 2017
Joomblah Fixed accidental wrong version number May 22, 2017
Joomraa Ignore SSL Nov 28, 2016
LotusCMS fuckin dates Apr 27, 2015
TorCT-Shell Create README.md Aug 31, 2016
TotallyNotARCE Create totallynotarce.py Nov 29, 2017
Xanity-Shell Create README.md Aug 31, 2016
deathsize Updated Deathsize exploit with more information Oct 28, 2016
delusions fuckin dates Apr 27, 2015
dloser Update README.md Oct 23, 2017
droppleganger Added 'DroppleGanger' exploit for Dropplets <= 1.6.5 Nov 3, 2016
hydrapwn Create hydrapwn.py Nov 28, 2017
iislap fuckin dates Apr 27, 2015
nmediapwn fuckin dates Apr 27, 2015
phpMoAdmin Update README.md Apr 1, 2015
pisspoorpool Create p2pool-nodestats-lfd.py May 26, 2017
pwnflow fuckin dates Apr 27, 2015
screen2root Update README.md Jan 25, 2017
se0wned fuckin dates Apr 27, 2015
shellshock fuckin dates Apr 27, 2015
suiteracer Update README.md Aug 10, 2015
suiteshell addpr May 20, 2015
tr-06fail Update README.md Nov 22, 2016
unsanitary merge unsanitary Mar 20, 2016
vBullshit Update README.md Nov 14, 2015
wipgpwn Create README.md Jun 30, 2017
wpsh0pwn fuckin dates Apr 27, 2015
README.md Update README.md Oct 23, 2017



Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.

Current Exploits (index may be out of date)

  • phpMoAdmin Remote Code Execution (CVE-2015-2208)
  • LotusCMS Remote Code Execution (OSVDB-75095)
  • ElasticSearch Remote Code Execution (CVE-2015-1427)
  • ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
  • IISlap - http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
  • se0wned - Seowintech Router diagnostic.cgi remote root
  • WPsh0pwn - Wordpress WPShop eCommerce Shell Upload (WPVDB-7830)
  • nmediapwn - Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
  • pwnflow - Wordpress Work the flow file upload 2.5.2 Shell Upload
  • delusions - Wordpress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)
  • suiteshell - SuiteCRM Post-Auth Remote Code Execution (CVE-2015-NOTYET)
  • suiteracer - SuiteCRM Post-Auth Remote Code Execution Race Condition (CVE-2015-xxxx)
  • unsanitary - Address Sanitizer + Setuid Binary = Local Root exploit (LD_PRELOAD vector)
  • DiamondFox - DiamondFox Botnet C&C Panel Shell Upload
  • DoubtfullyMalignant - BenignCertain DoS PoC
  • TorCT-Shell - TorCT RAT C&C Panel Shell Upload
  • vBullshit - vBulletin 5.x.x unserialize() Remote Code Execution (CVE-2015-7808)
  • Xanity-Shell - Xanity RAT C&C Panel Shell Upload
  • Joomraa - PoC + upload blacklist bypass (CVE-2016-8869, CVE-2016-8870, CVE-2016-9836)
  • Deathsize - LifeSize Room remote code execution & local root exploit
  • AssetExploder - ManageEngine Asset Explorer remote code execution
  • DroppleGanger - Droppler <= 1.6.5 Auth-Bypass & RCE
  • tr-06fail - TR-064 Misimplementations leading to remote device takeover in ZyXEL Routers
  • screen2root - Screen 4.05.00 (CVE-2017-5618) local privesc
  • FreeACS-Pwn - TR-069 exploit for FreeACS server, disclosed at BSides Edinburgh.
  • Joomblah - Joomla 3.7.0 SQL Injection exploit (CVE-2017-8917)
  • pisspoorpool - Local file inclusion exploit for p2pool status page
  • wipgpwn - Remote Root Exploit for WePresent WiPG-1000,1500,2000 devices
  • dloser - D-Link DNS-320/330/350/x Remote Root Exploit
  • TBA

Infrequently Asked Questions.

  1. Why is there no "leet zerodays" in here?

    Because some of our researchers don't believe in killing bugs prematurely, and the unofficial policy on disclosure is that it is at the sole discretion of the person who finds the bug.

  2. Why don't you just write metasploit modules?

    Reasons, namely, "ruby", amongst other things. Also, other people who are actually getting paid by Rapid7 to do such things can do such things :)

  3. Why are there some old bugs in here?

    The public exploits available for them were unreliable/untrustworthy/rubbish and better ones were called for, or, they are parts of ongoing experiments into various methods to make them more reliable/stealthy/whatever.


See individual exploits for their respective licences.

Bug Reports

We take the quality of our exploit code very seriously. If you find a bug, or an edge case where an exploit fails to succeed against a vulnerable target, do let us know immediately so said situation can be rectified via the bug tracker (issues thing on this repository), or via email/twitter.


There is no changelogs here, as that would be too much effort, just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.