Skip to content

Unrealisedd/exploitarium

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

97 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

https://discord.gg/WytKH65ZR join up for research, help, documentation, and more useful information for those interested.

News/Contact

Credit for the objdump finding goes to someone who beat me to it (and has a better PoC): https://github.com/4D4J/objdump-Out-Of-Bounds-write

New drops today ;) Biggest thing yet (DELAYED, I PROMISE THE WAIT WILL BE WORTH IT! After this, you guys will usually get one new PoC a day)

I've also noticed a surprising amount of "security researchers" aren't able to adjust the PoC to work in their environment. I will broaden the PoCs for those select few...

If you wish to collaborate/discuss with me, contact me on discord @ashdfrkl

Sharing this repo keeps me motivated to continue dropping my findings for you all.

Exploitarium

A consolidated archive of my public proof-of-concept and vulnerability research writeups.

Most folders contain one of my former standalone PoC repos, preserved with its original README and tracked files. New research entries are added directly here as self-contained folders.

Contributed Research (by Unrealisedd)

The following entries were contributed via PR:

Folder Description
openvpn-UAF-BYOVD ovpn-dco-win kernel driver CNG key UAF + crash PoC
storsvc-dll-hijack-lpe StorSvc LoadLibraryW("SprintCSP.dll") without LOAD_LIBRARY_SEARCH_SYSTEM32
dam-sys-kernel-bugs dam.sys: 3 kernel bugs from standard user (BSOD + confused deputy + Defender freeze)
seb-service-auth-bypass-lpe Safe Exam Browser SYSTEM service auth bypass → RCE as SYSTEM via log injection
defender-signature-lock-bypass CVE-2026-45498 patch bypass: FILE_SHARE_READ locks Defender signatures
discord Discord Desktop RCE attack paths
wazuh Wazuh stack BOF + SCA DoS
nextcloud XXE file read/SSRF + SSRF protection bypass
n8n-ssrf-via-oauth2 SSRF via OAuth2 callback in n8n
fluentbit-infinite-dos Fluent Bit collectd parser unauth DoS loop
librenms-RCE-chain LibreNMS SSTI to RCE chain
overwolf-updater-lpe-poc Overwolf Updater forged Authenticode cert + insecure service DACL → SYSTEM LPE
spacedesk-service-lpe-poc spacedesk service Everyone full-control DACL → SYSTEM in 3 commands
woodpecker-yaml-cr-injection Woodpecker CI pipeline RCE via \r YAML injection bypass
retroarch-chd-map-heap-overflow RetroArch libchdr integer overflow → heap OOB write on 32-bit
defender-ntlm-coercion-poc Windows Defender NTLM coercion: standard user forces SYSTEM credential leak via UNC scan

Contents

Folder Source Tracked entries
7zip-rar5-motw-chain-poc bd9533f532c1e4ee6af783b9bb49d1133c600e2c 3
anydesk-printer-com-impersonation-poc 7491303301093b2d40bee9dadf6b38f757ce78e0 4
c-ares-tcp-uaf-calc-poc direct entry, June 24, 2026 7
curl-smtp-expn-recipient-crlf-injection direct entry, July 1, 2026 3
defender-ntlm-coercion-poc direct entry, July 6, 2026 3
discourse-scoped-api-key-preauth-bypass direct entry, July 3, 2026 3
docker-cp-copyout-destination-escape d1367b1381736d7f961ac808ce88d4e24a633adc 5
firefox-smartwindow-private-url-exfil-poc direct entry, June 24, 2026 3
floci-apigateway-vtl-rce-poc direct entry, June 23, 2026 3
flowise-mcp-env-case-bypass-poc ed9fab0086674f1b16467990b33bb9299e93429e 3
ffmpeg-rasc-dlta-calc-poc direct entry, June 26, 2026 7
ghidra-12.1.2-rce-ace-calc-poc 52dee6362990c03c0d753d074c85428824d46368 9
gitea-act-runner-container-options-poc f06d78fb111732f3e7737f4c07e77ef94c4b64bf 4
gogs-admin-csrf-git-hook-rce-poc direct entry, July 1, 2026 3
imagemagick-gs-delegate-hijack-poc 8140e8ee0ed78beaf5e8303a795b70b138f5891b 5
ladybird-wasm-esm-host-function-rce-poc direct entry, July 1, 2026 2
libarchive-zip-debuginfod-size-boundary direct entry, July 1, 2026 6
libssh2-cve-2026-55200-poc direct entry, June 23, 2026 3
libssh2-publickey-list-calc-poc direct entry, June 25, 2026 10
lunar-modrinth-chain-poc ffd02120708b6503f11585858ce3724872f3b7a7 6
mybb-limited-acp-to-admin 1610e0373943c2f6562a99f917d3a3d1fdd9056d 5
nextcloud-federated-share-bearer-token-poc direct entry, July 3, 2026 3
nextjs-unstable-cache-object-argument-collision direct entry, July 1, 2026 3
nodebb-activitypub-attributedto-local-uid-spoof-poc direct entry, July 1, 2026 3
nghttp2-nghttpx-upgrade-queue-poison-poc direct entry, June 26, 2026 3
nmap-ipv6-extlen-wrap-poc direct entry, June 23, 2026 4
objdump-dlx-calc-poc 7df01e4e20c7375a89e8ccf760526c52eb6ad582 41
openvpn-connect-echo-script-ace-poc d2f904d9272d4388c9862131d40e32e072e85e38 8
php857-streambucket-soap-rce-rpoc direct entry, June 26, 2026 6
pillow-imagecms-output-mode-oob-poc direct entry, July 1, 2026 3
postgres-ri-owner-switched-cast-poc direct entry, July 4, 2026 3
qemu-cxl-type3-mailbox-escape-poc direct entry, July 1, 2026 7
redis-vset-duplicate-hnsw-id-rce-poc direct entry, July 3, 2026 3
rustdesk-session-permission-pocs direct entry, June 25, 2026 17
systeminformer-phsvc-trusted-host-lpe-poc direct entry, June 24, 2026 3
vlc-vp9-reschange-crash-poc fae72b82f24d03cf2fb9cb55fbb2e7774f684ff3 3

Consolidation Check

This section applies to the former standalone repositories listed above by commit hash.

The consolidation was checked from fresh GitHub clones on June 23, 2026 before the old standalone repos were removed.

The check compared each former standalone repo's HEAD tree against the matching folder here using Git tree data rather than a loose filesystem diff. For every tracked entry, the check required:

  • the same relative path;
  • the same Git object type;
  • the same tree mode, including executable bits;
  • the same Git blob ID.

Matching Git blob IDs means the tracked file bytes are identical. The check covered 12 repos and 96 tracked entries with zero mismatches.

This repository preserves the contents of those PoCs. Repository-level metadata such as stars, issues, pull requests, releases, and separate Git history remain in the original repository histories.

Direct entries, including c-ares-tcp-uaf-calc-poc, curl-smtp-expn-recipient-crlf-injection, discourse-scoped-api-key-preauth-bypass, ffmpeg-rasc-dlta-calc-poc, firefox-smartwindow-private-url-exfil-poc, floci-apigateway-vtl-rce-poc, gogs-admin-csrf-git-hook-rce-poc, ladybird-wasm-esm-host-function-rce-poc, libarchive-zip-debuginfod-size-boundary, libssh2-cve-2026-55200-poc, libssh2-publickey-list-calc-poc, nextcloud-federated-share-bearer-token-poc, nextjs-unstable-cache-object-argument-collision, nodebb-activitypub-attributedto-local-uid-spoof-poc, nghttp2-nghttpx-upgrade-queue-poison-poc, nmap-ipv6-extlen-wrap-poc, php857-streambucket-soap-rce-rpoc, pillow-imagecms-output-mode-oob-poc, postgres-ri-owner-switched-cast-poc, qemu-cxl-type3-mailbox-escape-poc, redis-vset-duplicate-hnsw-id-rce-poc, rustdesk-session-permission-pocs, and systeminformer-phsvc-trusted-host-lpe-poc, are tracked by this repository's commit history.

ABUSE

Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research intended to get more people interested in exploring this area of cybersecurity.

Cybercrime is cringe.

About

A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.

Resources

Stars

14 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 47.2%
  • C 22.5%
  • JavaScript 8.2%
  • Rust 5.4%
  • HTML 5.1%
  • C# 3.4%
  • Other 8.2%