The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high-end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.
The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.
After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.
Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointed.
The Metasploit Framework maintains a large exploit database called the Metasploit Exploit Database (MSF-Exploits). This database contains a wide range of known vulnerabilities and associated exploit modules that can be used with Metasploit. These exploits cover various software, operating systems, and network protocols.
The Metasploit Framework allows users to search and leverage these exploits from the database, helping security professionals and researchers to identify vulnerabilities and test the effectiveness of corresponding exploits.
Links provided within MSF-Exploits (Metasploit Framework) can lead to GitHub pages or other websites that host exploitation scripts or contain information directly associated with exploited CVEs. These resources can serve as valuable references for understanding and analyzing specific vulnerabilities, learning about exploit techniques, or accessing patches and mitigations.
However, it is important to note that the accuracy and quality of these GitHub projects or the information presented in those links cannot be guaranteed, so there is a possibility of errors and limited or outdated information.
Technical details for over 180,000 vulnerabilities and 4,000 exploits are available for security professionals and researchers to review. These vulnerabilities are utilized by our vulnerability management tool InsightVM. The exploits are all included in the Metasploit framework and utilized by our penetration testing tool, Metasploit Pro. Our vulnerability and exploit database is updated frequently and contains the most recent security research.
I wrote a little script a few months ago to fix importing a custom module into Metasploit. Here's the link
It was impossible to reload or update the msf exploits after importing a custom module. And it gives me a huge random error related to the stack, but that wasn't possible.
Now, what Exploit-DB really is, is nothing more than a database where the pentesters who write an exploit for a vulnerability upload the source code of the exploit for other pentesters to see. It is maintained by Offensive Security (the force behind Backtrack, Kali, Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it.
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)
EDIT: Or would you prefer kindly waiting while I make a tutorial about that exact exploit and how to get it working? (shouldn't take a lot of time) Tell me which one of the options seems as the optimal one to you and I'll get to it :D
Hm.. I'm not really sure what the issue is here :/ I'll do some tests and I'll tell you if I find what the problem is and how to fix it in a maximum of 2 hours (kinda busy here, but I hope I'll manage).
You've correctly copied the exploit to metasploit, however the exploit itself contains a certain line of code, which basically tries to interact with a nonexistent file (and consequently a folder), here is the line:
Make the exploit spit the same error again and watch what directory it points to. (As you can see for you it points to /usr/share/metasploit-framework/data/exploits/hackingteam/msf.swf) So what you need to do is make a directory in /usr/share/metasploit-framework/data/exploits called "hackingteam", enter it, then create an empty file there called msf.swf. Next you need to restart your metasploit (just close the terminal and open a new one) and now once you select your exploit and set the options it's not going to spit any errors at you :D
EDIT: Another way to do it is modify the line of code to use another destination with an existing empty msf.swf file (for example if I were to use a flash_byte_use_after as my preferred folder, I would modify the line like so:
and once again restart metasploit. Also I would love if you could make a local test for the exploit and see if it works correctly as I'm really curious about it but I don't quite have the opportunity right now :D
Weird thing is, in Chrome it connects but doesn't send the SWF, in Firefox there is a wrong flash version (probably already patched), but in Internet Explorer it can't even connect to the server... Guess I'll have to wait for the next great exploit :P
Or maybe someone else might see this and know what to do :D In the meantime if you wish to practice exploits just install some outdated vulnerable app and try to exploit it or set up a "metasploitable" vm :D
Exploit development and analysis are critical components of cybersecurity. These skills allow professionals to understand vulnerabilities, how they can be exploited, and how to protect systems against these exploits. This article delves into the process of developing and analysing exploits using two essential tools: Exploit DB and Metasploit. We will provide an in-depth, step-by-step guide, tailored for technical students and professionals interested in cybersecurity. Additionally, we'll highlight our Diploma in Cyber Security Course, designed to equip you with the necessary skills to excel in this field.
Identifying Vulnerabilities: The first step is to identify a vulnerability. This can be done through manual code review, fuzzing, or using vulnerability databases such as Exploit DB.
Understanding the Vulnerability: Once a vulnerability is identified, it's crucial to understand its nature. This involves studying the software's source code, documentation, and understanding how the vulnerability can be triggered.
Developing the Exploit: With a clear understanding of the vulnerability, the next step is to develop an exploit. This requires writing code that can manipulate the vulnerability to achieve a desired outcome, such as gaining unauthorized access or executing arbitrary code.
Testing the Exploit: After development, the exploit must be tested to ensure it works as intended. This is done in a controlled environment to avoid unintended consequences.
Refining the Exploit: Based on the testing results, the exploit may need to be refined to improve its reliability and effectiveness.
Documenting the Exploit: Finally, the exploit is documented, detailing how it works and how it can be mitigated or patched.