AndrewAltimit/exploits

Security Research & Exploit Development

General-purpose security research repository covering browser exploit chain development, post-exploitation techniques, and security assessment tooling. Contains CVE reproduction work across Chrome and Firefox, along with C2 infrastructure, post-exploitation staging, and security assessment deliverables.

Purpose & Disclaimer

This repository exists to support internal security education and risk awareness. The exploit reproductions, attack chain demonstrations, and assessment tooling are built as red-team exercises to show stakeholders — including non-technical business users — what can go wrong when production systems lack adequate human oversight and governance controls.

All materials are for educational purposes and authorized security testing only. All research was conducted under explicit written authorization. Exploit code is provided to support defensive research, vulnerability reproduction, and security assessment. Do not use any code or technique against systems you do not own or have explicit written authorization to test. See SECURITY.md for the full responsible disclosure policy and containment architecture.

Safeguards in place:

  • All CVEs target already-patched browser versions with publicly available PoC — no zero-days are published here. The contribution is chaining, primitives, and delivery infrastructure.
  • All tool networking is loopback-only (127.0.0.0/8 or Docker bridge), enforced by ContainmentGuard in code — not by convention.
  • The Docker Compose lab runs on an internal: true network with no internet gateway.
  • The beacon's exec command is refused outside Docker containers. All other beacon commands are from a hardcoded allowlist.
  • IDOL persistence demo's --plant installs only a harmless cron heartbeat; --cleanup removes it.
  • The GitHub Pages WASM dashboard runs on simulated data with no live C2 connectivity.

Databricks Apps Assessment

The primary security assessment deliverable is an interactive report evaluating the Databricks Apps platform under production conditions.

  • Report: reports/databricks-apps-assessment/ — Streamlit dashboard covering attack surface, identity chain exploitability, OAuth/OBO token abuse, and detection recommendations.
  • Run it: cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py
  • Audience: C-suite and security leadership. The report frames each finding in business-risk terms alongside the technical demonstration.

Key findings covered in the report:

  • OAuth On-Behalf-Of (OBO) token abuse paths in Databricks Apps
  • Databricks app identity chain and service principal exposure
  • Detection gaps in Databricks audit logs
  • Recommended monitoring, governance, and access control improvements

Contained Lab Environment

A Docker Compose lab provides a fully isolated environment for running tools end-to-end. The Compose services run on an internal Docker network with no internet access; the AD CS lab listed below is separate, a Vagrant VM on a host-only network rather than a container.

make lab-up       # Start: C2 server, 2 beacons, exploit server, 2 target apps
make lab-down     # Destroy everything
make lab-status   # Show running services + C2 status
make lab-logs     # Tail all logs

| Service | Port | Description | How to start |
|---|---|---|---|
| C2 server | 127.0.0.1:8443 | Operator API + beacon protocol | make lab-up |
| Exploit server | 127.0.0.1:9090 | Serves CVE exploits, receives callbacks | make lab-up |
| Target app 1 | 127.0.0.1:8501 | Simulated Databricks Streamlit app | make lab-up |
| Target app 2 | 127.0.0.1:8502 | Second target for lateral movement | make lab-up |
| Mock Entra IdP | 127.0.0.1:9100 | Device code, token, PRT SSO endpoints | make lab-up |
| Mock IMDS | 127.0.0.1:9200 | AWS/GCP/Azure metadata service mock | make lab-up |
| LLM copilot app | 127.0.0.1:8080 | Ollama-backed enterprise copilot (injection target) | make lab-llm-up |
| Mock OIDC issuer | 127.0.0.1:9300 | GitHub Actions OIDC simulation (WIF abuse) | make lab-oidc-up |
| Mock SAML SP/IdP | 127.0.0.1:9400 | SAML assertion target (Golden SAML demo) | make lab-saml-up |
| Mock Databricks | 127.0.0.1:9500 | Databricks Apps OAuth/OBO mock | make lab-databricks-up |
| AD CS lab | 192.168.56.10 | Windows DC + Enterprise CA (Vagrant, host-only) | make lab-adcs-up |

Containment: ContainmentGuard (tools/lib/containment.py) enforces loopback-only networking, non-root execution, tmpdir isolation, and Docker environment detection across all tools.
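The following is an added illustration of the kind of checks a containment guard like the one described above has to make; it is not the repository's tools/lib/containment.py. The function names, the treatment of 172.16.0.0/12 as "Docker bridge", and the four-entry command allowlist are assumptions made for the example.

```python
"""Illustrative containment checks: loopback/Docker-bridge-only addresses,
non-root execution, Docker detection and an allowlisted command dispatch
that refuses `exec` outside a container.

Added example, not the repository's ContainmentGuard. Names, the bridge
range and the allowlist are assumptions.
"""
import ipaddress
import os
from pathlib import Path

# 127.0.0.0/8 is loopback by definition. Docker's default address pools are
# carved from 172.16.0.0/12 (and 192.168.0.0/16 on some hosts); accepting the
# whole /12 is an assumption a real guard should narrow to the actual compose
# network, e.g. by reading the bridge interface's address.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
DOCKER_BRIDGE = ipaddress.ip_network("172.16.0.0/12")

# Hypothetical beacon allowlist; `exec` is the one command gated on Docker.
ALLOWED_COMMANDS = frozenset({"ping", "sysinfo", "sleep", "exec"})
DOCKER_ONLY_COMMANDS = frozenset({"exec"})


class ContainmentViolation(RuntimeError):
    pass


def is_contained_address(host: str) -> bool:
    """True only for a literal loopback or Docker-bridge IPv4 address.

    Hostnames are rejected outright so a name that resolves to loopback at
    check time cannot be rebound to a public address afterwards.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr in LOOPBACK or addr in DOCKER_BRIDGE


def in_docker(dockerenv_exists: bool, cgroup_text: str) -> bool:
    """Heuristic: the /.dockerenv marker, or a container runtime name in
    PID 1's cgroup path. Under cgroup v2 the cgroup file is often just
    "0::/", so the marker file is the more reliable of the two signals."""
    if dockerenv_exists:
        return True
    return any(k in cgroup_text for k in ("docker", "containerd", "kubepods"))


def detect_docker() -> bool:
    """Run the heuristic against the live system."""
    try:
        cgroup_text = Path("/proc/1/cgroup").read_text()
    except OSError:
        cgroup_text = ""
    return in_docker(Path("/.dockerenv").exists(), cgroup_text)


def require_non_root() -> None:
    # A lab C2 or exploit server running as root defeats the point of a lab.
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        raise ContainmentViolation("refusing to run as root")


def check_bind(host: str, port: int) -> tuple:
    """Every listener and outbound connection goes through this gate."""
    if not is_contained_address(host):
        raise ContainmentViolation(f"{host}:{port} is not loopback or Docker bridge")
    return host, port


def dispatch(command: str, *, docker: bool) -> str:
    """Allowlist dispatch: unknown commands are refused, and `exec` is
    refused unless the process is inside a container."""
    if command not in ALLOWED_COMMANDS:
        raise ContainmentViolation(f"command {command!r} not in allowlist")
    if command in DOCKER_ONLY_COMMANDS and not docker:
        raise ContainmentViolation(f"command {command!r} refused outside Docker")
    return f"ok:{command}"


if __name__ == "__main__":
    check_bind("127.0.0.1", 8443)
    print(dispatch("sysinfo", docker=detect_docker()))
```

The address check deliberately refuses hostnames and anything outside the two ranges, so `0.0.0.0` (all interfaces) and public addresses fail closed; enforcing it in code, as the README stresses, is what makes the loopback rule a guarantee rather than a convention.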


Tools

C2 & Infrastructure

  • C2 Server & Beacon (tools/c2/) - Modular C2 with 5 pluggable transports (HTTP polling, WebSocket, gRPC, SMB/Unix pipe, DNS-over-HTTPS), dynamic YAML transport profiles with hot-reload, and P2P relay topology. Flask server with session crypto (X25519 + ChaCha20-Poly1305), task dispatch, and operator REST API. Hardcoded command allowlist. Loopback-only, ContainmentGuard-enforced.
  • C2 Transports (tools/c2/transports/) - Transport layer: http_polling/, websocket/, grpc/, passive_smb_pipe/, dns_over_https/. Factory in __init__.py. Each transport ships with Sigma/KQL detection rules.
  • C2 Relay (tools/c2/relay/) - P2P relay node supporting beacon chains of depth ≥2. Topology graph API consumed by the dashboard.
  • Dashboard (tools/dashboard/) - Session management console with multi-transport session view, profile editor, and relay topology graph. Supports --demo and --c2 <url>.

Active Directory & Kerberos

  • AD CS Abuse (tools/ad-cs/) - Complete ESC1–ESC15 exploitation toolkit. Python enumerator (LDAP-based, certipy patterns) + 15 individual exploit modules + chain orchestrator (ESC1 → TGT/PFX → ccache). All lab-domain-gated (corp.lab.local). See make lab-adcs-up.
  • Kerberos Lateral Movement (tools/kerberos/) - S4U2self/S4U2proxy abuse, full RBCD chain with raw security-descriptor construction, NTLM relay analysis (SMB→LDAP cross-protocol, channel-binding bypass), targeted Kerberoasting/AS-REP roasting with hardware-grounded crack-time estimates.

Cloud Identity

  • Cloud Identity Attacks (tools/cloud-identity/) - Workload Identity Federation wildcard-sub abuse, OIDC trust confusion (fork-PR/CodeCov pattern), Golden SAML + Storm-0558-style OIDC token forging, Entra 2026 reality matrix (19 techniques), Databricks OAuth OBO chain abuse. Lab mocks: mock-oidc-issuer (9300), mock-saml (9400), mock-databricks (9500).
  • Entra ID Abuse (tools/entra-abuse/) - Device-code phishing, PRT simulation, token replay, CA bypass. Superseded for modern identity work by cloud-identity/; kept for historical reference.
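The Workload Identity Federation wildcard-sub abuse named above comes down to how the cloud side matches the `sub` claim of a GitHub Actions OIDC token against its trust condition. The code below is an added example (not the repository's tools/cloud-identity/wif/ module) that evaluates a minimal AWS-style trust policy with `StringEquals` and `StringLike` conditions and audits the patterns a reviewer should reject. The policy dicts and sample claims are constructed; the `sub` formats are GitHub's documented ones.

```python
"""Wildcard `sub` conditions in OIDC workload-identity trusts.

Added example, not the repository's code. Policies and claims are constructed.
GitHub Actions issues `sub` as  repo:OWNER/REPO:ref:refs/heads/BRANCH  for
branch runs,  repo:OWNER/REPO:pull_request  for PR jobs, and
repo:OWNER/REPO:environment:NAME  for environment-scoped jobs.
"""
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def string_like(pattern: str, value: str) -> bool:
    """AWS-style StringLike: `*` matches any run, `?` exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def trust_allows(policy: dict, claims: dict) -> bool:
    """Issuer must match exactly and every `sub` condition must hold."""
    if claims.get("iss") != policy["issuer"]:
        return False
    sub = claims.get("sub", "")
    for op, pattern in policy["sub_conditions"]:
        if op == "StringEquals" and sub != pattern:
            return False
        if op == "StringLike" and not string_like(pattern, sub):
            return False
    return True


def audit_sub_conditions(policy: dict) -> list:
    """Flag StringLike patterns whose wildcard spans the repository segment or
    leaves the ref/event segment unconstrained; both admit tokens from jobs
    the policy author did not intend (sibling repos, PR jobs, any branch)."""
    findings = []
    for op, pattern in policy["sub_conditions"]:
        if op != "StringLike":
            continue
        segs = pattern.split(":")
        if len(segs) < 3 or "*" in segs[1]:
            findings.append(f"{pattern}: wildcard spans repository or omits ref/event")
        elif segs[2] == "*":
            findings.append(f"{pattern}: ref/event segment unconstrained")
    return findings


# Weak: any repo in the org, any ref, any event. A pull_request job or a
# throwaway repo anyone in the org can create mints a token that passes.
WEAK_POLICY = {"issuer": GITHUB_ISSUER,
               "sub_conditions": [("StringLike", "repo:acme/*")]}

# Hardened: one repo, one branch. PR jobs and other branches cannot assume it.
STRICT_POLICY = {"issuer": GITHUB_ISSUER,
                 "sub_conditions": [("StringEquals", "repo:acme/deploy:ref:refs/heads/main")]}

# Constructed sample claims (only the fields this check reads).
LEGIT = {"iss": GITHUB_ISSUER, "sub": "repo:acme/deploy:ref:refs/heads/main"}
PR_JOB = {"iss": GITHUB_ISSUER, "sub": "repo:acme/deploy:pull_request"}
SIBLING_REPO = {"iss": GITHUB_ISSUER, "sub": "repo:acme/sandbox:ref:refs/heads/main"}
OTHER_ISSUER = {"iss": "https://idp.attacker.example", "sub": LEGIT["sub"]}

if __name__ == "__main__":
    for name, claims in [("legit", LEGIT), ("pr_job", PR_JOB), ("sibling", SIBLING_REPO)]:
        print(f"{name:8} weak={trust_allows(WEAK_POLICY, claims)} "
              f"strict={trust_allows(STRICT_POLICY, claims)}")
    print(audit_sub_conditions(WEAK_POLICY))
```

The issuer check is the other half of the defence: a forged token from a different issuer fails regardless of `sub`, which is why the Golden SAML and Storm-0558-style forging demos in the same toolkit target the issuer's signing key rather than the subject string.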

Evasion (Rust)

  • HW-BP Syscalls (tools/rust/syscalls-hwbp/) - Hardware-breakpoint (DR0–DR3 + VEH) syscall dispatch that bypasses userland EDR hooks without memory modification. Compile-time 5-syscall allowlist. Windows-specific; Linux stub.
  • Modern Sleep Masks (tools/rust/sleep-mask-modern/) - Cronos (fiber + RC4 stack encryption), RustyCronos (pure-Rust stack walking + XOR), HWBP-driven sleep (VEH on NtWaitForSingleObject). Supersedes sleep-mask/ (Ekko/Foliage).
  • Threadless Injection (tools/rust/threadless-inject/) - Module stomping (lab-DLL-only), Phantom DLL hollowing (TxF, with deprecation notice), DLL-notification-callback hijack (TheirHazard pattern).
  • ETW-TI Awareness (tools/rust/etw-ti-aware/) - Passive enumeration of active ETW providers (20 EDR GUIDs), ETW-TI detection, hooked-stub fingerprinting.
  • Call Stack Spoofing (tools/rust/callstack-spoof/) - SilentMoonwalk-pattern CALL RAX gadget finder, unwind-metadata validator, with_spoofed_stack() RAII wrapper. Beacon optional feature callstack-spoof.
  • Patchless AMSI/ETW Bypass (tools/rust/amsi-patchless/) - HWBP (DR0/DR1) arm/disarm, VEH handler sets RAX=0 without modifying AmsiScanBuffer/EtwEventWrite memory.
  • BOF/COFF Loader (tools/rust/bof-loader/) - goblin-based COFF parser, 22-entry symbol allowlist, OutputSandbox capture, VirtualAlloc+RWX+relocation exec on Windows.
  • BYOVD Framework (tools/byovd/) - Pydantic manifest schema (hash-only, no driver files), Microsoft HVCI blocklist checker, orchestration API for arb-read/token-swap/callback-enum. Refuses to run without EXPLOIT_LAB_OFFLINE_VM. See manifest.yml.example.
  • EDR Silencing via Policy (tools/edr-silencing/) - WDAC policy generator/analyzer (deny-by-hash, allow-by-cert, downgrade-to-audit), PPL bypass research + patch timeline, EDR coverage-map enumerator with 11 named gap advisories, kernel callback integrity check.

LLM & Agent Attacks

  • LLM Attack Tooling (tools/llm-attacks/) - Indirect prompt injection corpus (51 payloads, 7 channels: PDF/DOCX/HTML/email/calendar/image), MCP server abuse (tool poisoning, capability confusion, rug-pull), agent action confusion (filesystem exfil, WebFetch confused-deputy, tool-result spoofing), transcript detector, and eval benchmark harness. All assert_llm_endpoint_is_lab()-gated.

Browser

  • Browser Extension Supply-Chain (tools/browser-ext-attacks/) - MV3 lab extension catalog: cookie theft (chrome.cookies, bypasses HttpOnly), session hijack (webRequest+extraHeaders), form-grab (content-script MutationObserver), DNR redirect abuse. Cyberhaven-pattern update-hijack simulation with benign→malicious diff tool (permission_differ.py, exits 1 on permission expansion). Manifest risk scorer + CDP runtime monitor.
  • Exploit Framework (tools/framework/) - Equation Group–inspired exploit orchestration with YAML module configs, chain builder, and exploit server.
  • Fuzzing (tools/fuzzing/) - JIT (GVN, LICM, Range Analysis), IPC, V8 Turbofan fuzzers.

Legacy / Support

  • IDOL (tools/idol/) - Lateral movement PoC: credential harvest, persistence, C2 beaconing.
  • Rust Target Tools (tools/rust/) - Full Rust workspace: beacon, containment, jitter, crypto, cookie-theft, syscalls (Hell's Gate/Tartarus Gate), sleep-mask (Ekko/Foliage), telemetry-patch, plus v4 crates above. 308+ tests. Build: cd tools/rust && cargo build --release.
  • Post-exploit Staging (tools/post-exploit-staging/) - Three-tier staging architecture: exploit → stager → payload.
  • K8s Post-Exploitation (tools/post-exploit-staging/commands/k8s_recon/) - Pod recon, SA enumeration, mock IMDS theft, cross-namespace pivot.
  • Forensic Analysis (tools/forensic-analysis/) - Artifact detection, audit gap analysis.
  • Validator (tools/validator/) - Pre-exploitation browser fingerprinting.
  • win-remote (tools/win-remote/) - Remote agent for Windows-targeted testing.

CVE Index

17 CVE reproductions across Chrome and Firefox (2024–2026):

| CVE | Target | Year | Technique | Level | Path |
|---|---|---|---|---|---|
| CVE-2024-0517 | Chrome V8 Maglev | 2024 | OOB Write | ACE | cves/chrome/2024/CVE-2024-0517/ |
| CVE-2024-1939 | Chrome V8 Wasm S128 | 2024 | Type Confusion | ACE | cves/chrome/2024/CVE-2024-1939/ |
| CVE-2024-5830 | Chrome V8 Object Transitions | 2024 | Type Confusion | ACE | cves/chrome/2024/CVE-2024-5830/ |
| CVE-2025-5959 | Chrome Wasm JSPI | 2025 | Sandbox Escape | ACE | cves/chrome/2025/CVE-2025-5959/ |
| CVE-2025-6558 | Chrome ANGLE WebGL2 | 2025 | UAF | UAF | cves/chrome/2025/CVE-2025-6558/ |
| CVE-2025-13223 | Chrome V8 Property Array | 2025 | Type Confusion | ARW | cves/chrome/2025/CVE-2025-13223/ |
| CVE-2026-2441 | Chrome CSS FontFeatureValuesMap | 2026 | UAF | UAF | cves/chrome/2026/CVE-2026-2441/ |
| CVE-2026-3909 | Chrome Skia Glyph Atlas | 2026 | OOB Write | OOB | cves/chrome/2026/CVE-2026-3909/ |
| CVE-2024-8381 | Firefox SpiderMonkey | 2024 | Type Confusion | Trigger | cves/firefox/2024/CVE-2024-8381/ |
| CVE-2024-9680 | Firefox AnimationTimeline | 2024 | UAF | UAF | cves/firefox/2024/CVE-2024-9680/ |
| CVE-2024-29943 | Firefox JIT Range Analysis | 2024 | BCE | ARW | cves/firefox/2024/CVE-2024-29943/ |
| CVE-2024-29944 | Firefox Privileged JS | 2024 | Sandbox Escape | ACE | cves/firefox/2024/CVE-2024-29944/ |
| CVE-2025-2857 | Firefox IPC | 2025 | Sandbox Escape | Trigger | cves/firefox/2025/CVE-2025-2857/ |
| CVE-2025-4918 | Firefox Promise | 2025 | OOB | OOB | cves/firefox/2025/CVE-2025-4918/ |
| CVE-2025-4919 | Firefox IonMonkey BCE | 2025 | OOB | ARW | cves/firefox/2025/CVE-2025-4919/ |
| CVE-2026-2795 | Firefox Wasm GC | 2026 | UAF | ACE | cves/firefox/2026/CVE-2026-2795/ |
| CVE-2026-2796 | Firefox Wasm JIT | 2026 | Type Confusion | Trigger | cves/firefox/2026/CVE-2026-2796/ |

Level key: ACE = arbitrary code execution, ARW = arbitrary read/write, UAF = use-after-free demonstrated, OOB = out-of-bounds access, Trigger = bug trigger only.


Directory Structure

exploits/
├── reports/                        # Security assessment reports
│   └── databricks-apps-assessment/ # Streamlit dashboard (src/ → build.py → app.py)
├── cves/                           # CVE reproductions, organized by target/year/CVE-ID
│   ├── chrome/
│   └── firefox/
├── tools/                          # Standalone security tooling
│   ├── lib/                        # Shared: ContainmentGuard
│   ├── rust/                       # Rust workspace (308+ tests)
│   │   ├── beacon/                 # Beacon client binary
│   │   ├── containment/            # ContainmentGuard (Rust)
│   │   ├── syscalls/               # Hell's Gate + Tartarus Gate
│   │   ├── syscalls-hwbp/          # Hardware-breakpoint syscall dispatch
│   │   ├── sleep-mask/             # Ekko / Foliage
│   │   ├── sleep-mask-modern/      # Cronos / RustyCronos / HWBP sleep
│   │   ├── threadless-inject/      # Module stomping / TxF / DLL-notify
│   │   ├── etw-ti-aware/           # ETW-TI + EDR provider enumeration
│   │   ├── callstack-spoof/        # Call stack spoofing
│   │   ├── amsi-patchless/         # HWBP AMSI/ETW bypass
│   │   ├── bof-loader/             # COFF/BOF executor
│   │   ├── telemetry-patch/        # ETW/AMSI prologue patching
│   │   ├── cookie-theft/           # Chrome app-bound cookie decryption
│   │   └── crypto/                 # Shared crypto primitives
│   ├── c2/                         # Modular C2 server + transports + relay
│   │   ├── transports/             # WebSocket, gRPC, SMB pipe, DoH, HTTP
│   │   ├── relay/                  # P2P relay node + topology graph
│   │   └── profiles/               # Dynamic YAML transport profiles
│   ├── ad-cs/                      # AD CS ESC1–ESC15 exploitation
│   │   ├── enum/                   # LDAP-based template enumerator
│   │   └── exploit/                # esc01/ through esc15/ + chain.py
│   ├── kerberos/                   # Kerberos lateral movement
│   │   ├── s4u/                    # S4U2self / S4U2proxy
│   │   ├── rbcd/                   # RBCD attack chain + ACL scanner
│   │   ├── relay/                  # NTLM relay modernization
│   │   └── roasting/               # Targeted Kerberoasting / AS-REP roasting
│   ├── cloud-identity/             # Modern cloud identity attacks
│   │   ├── wif/                    # Workload Identity Federation abuse
│   │   ├── oidc-trust/             # OIDC trust confusion
│   │   ├── golden-saml/            # Golden SAML + OIDC token forging
│   │   ├── entra-2026/             # Modern Entra reality check
│   │   └── databricks/             # Databricks OAuth OBO chain abuse
│   ├── llm-attacks/                # LLM and agent abuse tooling
│   │   ├── indirect-injection/     # 51-payload corpus + delivery harness
│   │   ├── mcp-abuse/              # MCP server tool poisoning / rug-pull
│   │   ├── agent-confusion/        # Confused-deputy + transcript detector
│   │   └── eval/                   # Injection benchmark harness
│   ├── browser-ext-attacks/        # Browser extension supply-chain
│   │   ├── cookie-theft/           # MV3 chrome.cookies exfil
│   │   ├── session-hijack/         # webRequest header capture
│   │   ├── form-grab/              # Content-script form grabber
│   │   ├── dnr-redirect/           # DeclarativeNetRequest abuse
│   │   ├── update-hijack/          # Mock Web Store + permission differ
│   │   └── eval/                   # Manifest analyzer + CDP runtime monitor
│   ├── byovd/                      # BYOVD orchestration framework
│   ├── edr-silencing/              # EDR silencing via policy
│   │   ├── wdac-abuse/             # WDAC policy generator / analyzer
│   │   ├── ppl-bypass/             # PPL bypass research + timeline
│   │   ├── blind-spot-enum/        # EDR coverage map + gap advisor
│   │   └── callback-integrity/     # Kernel callback enum + integrity check
│   ├── lateral-movement/           # Lateral movement modules
│   │   ├── rpc-movement/           # DCOM/TSCH/SCMR/WMI via Impacket 0.12
│   │   ├── sccm-abuse/             # SCCM ELEVATE1/ELEVATE2
│   │   ├── azure-arc/              # Azure Arc MSI pivot
│   │   └── exchange-hybrid/        # evoSTS token forging (Storm-0558)
│   ├── browser-native-postex/      # WASM browser post-exploitation
│   │   ├── wasm-payload/           # Rust → WASM (wasm-bindgen)
│   │   └── delivery/               # MV3 ext / service worker / XSS
│   ├── bofs/                       # BOF implementations for bof-loader
│   ├── entra-abuse/                # Device-code phishing, PRT (v3)
│   ├── framework/                  # Exploit orchestration framework
│   ├── dashboard/                  # Session management dashboard
│   ├── post-exploit-staging/       # Three-tier staging architecture
│   ├── forensic-analysis/          # Forensic artifact detection
│   ├── fuzzing/                    # Fuzzing harnesses
│   ├── idol/                       # IDOL lateral movement PoC
│   ├── validator/                  # Pre-exploitation validation
│   └── win-remote/                 # Windows remote agent
├── docs/
│   ├── analysis/                   # Deep-dive technical analysis
│   └── methodology/                # Attacker + defender methodology docs
├── infra/
│   └── lab/
│       ├── ad-cs/                  # Vagrant AD CS lab (DC + CA + workstations)
│       ├── llm-target/             # Ollama + copilot Flask app
│       ├── mock-databricks/        # Mock Databricks Apps OAuth
│       ├── mock-saml/              # Mock SAML SP/IdP
│       ├── mock-entra/             # Mock Entra IdP (device code, token, PRT)
│       ├── mock-imds/              # Mock AWS/GCP/Azure IMDS
│       ├── mock-sccm/              # Mock SCCM management point (port 9600)
│       └── kind-cluster/           # K8s post-ex kind cluster
└── site/                           # GitHub Pages static site

Getting Started

  1. Clone the repo and install lab dependencies: pip install -r requirements-lab.txt
  2. For the Databricks assessment dashboard: cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py
  3. For the contained lab: make lab-up (requires Docker)
  4. To run tools locally: python3 tools/c2/server.py in one terminal, python3 tools/c2/beacon/beacon_client.py in another
  5. Browse cves/ for specific CVE reproductions. Each CVE directory contains its own README with setup instructions.

About

Security research and exploit development: vulnerability analysis, exploit chain implementation, post-exploitation tradecraft, and defensive assessment tooling. Covers browser engines, persistence mechanisms, credential harvesting, C2 patterns, and AI-accelerated attack automation.
