Finding Public Exploits

Original Source: NetSec.ws

There are thousands of exploits out in the wild, even more being traded privately or held back as 0 days. Clearly we want to get access to as many of these resources as we can to maximize the chance of successful exploitation. A warning must be given to anyone downloading exploits. There are several fake exploits out there specifically designed to harm or destroy your computer. Never download exploits from a source and run them without first checking what they do and what commands they will be executing on your system. It’s highly recommended that you decode any encoded values to find what they actually mean. For example this exploit when decoded runs the “rm -rf” command on your system. Saying that, some of the resources outlined here such as exploit-db and security focus can be considered pretty trustworthy.

Exploit-DB
http://www.exploit-db.com/
In my opinion one of the best exploit resources on the web. Maintained by the fantastic guys at Offensive Security it would be the go to place when searching for public exploits.

Searchsploit
The exploit-db collection of exploits is mirrored locally on Kali machines. Using the command searchsploit <search term> you can bring up a listing of exploits. Be aware that the search must be in all lower case.

Metasploit
Metasploit has a range of exploits built in and can be searched with the “search” command. You can also grep the search results with the syntax “grep <grep term> search <search term>”. Filters are also provided to let you narrow down your search specifically to exploits if desired.

SecurityFocus
http://www.securityfocus.com/
Although in my opinion not as comprehensive as exploit-db you still occasionally turn up a working proof of concept at security focus that isn’t mirrored elsewhere. In general a good site to check.

1337Day
http://1337day.com/
I can’t speak for the reliability of the site as I haven’t used it much, however this is another resource when searching for exploits. Semi-0 day (for want of a better term) exploits are sometimes also sold here before eventually leaking out to everyone.

Google
As with most things perhaps your strongest tool. So often with penetration testing you don’t actually know what specific exploit you’re searching for, or if one exists, but rather seeing what is likely to be out there. Many times you’ll run across blogs and researchers putting up relevant snippets of code for exploiting an application you happen to be looking at. I highly recommend researching any applications / services you’re attacking in Google.

Alternatives
That really covers the main methods of finding public exploits. Further useful techniques can be to search places such as http://www.cvedetails.com/ to identify if CVE’s have been identified in the software or if there “should” be exploits out there for the version / application you’re examining. It can also give you handy CVE numbers to focus your search on.