# Vulnerability Analysis & Exploitation

## Vulnerability Research & Exploit Discovery
After enumeration, you need to identify exploitable vulnerabilities. This lesson covers how to research and find public exploits.
## The Exploitation Process

```text
Enumeration Results → Vulnerability Research → Exploit Selection → Modification → Execution
        ↓                       ↓                      ↓                  ↓             ↓
Service versions        Search databases        Match version      Fix shellcode    Gain access
OS information          Read advisories         Check reliability  Update IPs
```
## Searchsploit (Essential Tool)

Searchsploit is a command-line interface to Exploit-DB, containing thousands of exploits.

### Basic Usage

```bash
# Search for exploits
searchsploit apache 2.4
searchsploit vsftpd
searchsploit windows smb

# Search by CVE
searchsploit CVE-2021-44228

# Exact match
searchsploit -e "Apache 2.4.49"
```
### Useful Flags

| Flag | Purpose | Example |
|---|---|---|
| `-w` | Show Exploit-DB URL | `searchsploit -w vsftpd` |
| `-m` | Copy exploit to current directory | `searchsploit -m 49757` |
| `-x` | Examine/open exploit | `searchsploit -x 49757` |
| `-p` | Show full path | `searchsploit -p 49757` |
| `-t` | Search in title only | `searchsploit -t apache` |
| `--exclude` | Exclude terms | `searchsploit smb --exclude="dos"` |
### Practical Workflow

```bash
# 1. Search for service vulnerability
searchsploit "OpenSSH 7.2"

# 2. View the exploit
searchsploit -x linux/remote/40136.py

# 3. Copy to working directory
searchsploit -m linux/remote/40136.py

# 4. Examine and modify as needed
nano 40136.py
```
## Online Exploit Databases

### Exploit-DB (exploit-db.com)

The primary source for public exploits:

```text
Features:
├── Full exploit code
├── Verified exploits (marked with checkmark)
├── Google Hacking Database
├── Papers and shellcodes
└── Search by: CVE, platform, type, date
```
### GitHub

Many exploits are hosted on GitHub:

```text
# Search GitHub for exploits
# Pattern: CVE-YYYY-XXXXX
# Example searches:
"CVE-2021-44228 exploit"
"MS17-010 python"
"EternalBlue poc"
```
### Other Resources

| Resource | URL | Notes |
|---|---|---|
| Packet Storm | packetstormsecurity.com | Exploits and tools |
| 0day.today | 0day.today | Recent exploits |
| Rapid7 | rapid7.com/db | Metasploit modules |
| NVD | nvd.nist.gov | CVE details |
## Evaluating Exploits

Before running any exploit, evaluate it:

Checklist:

- [ ] Does it match the exact version?
- [ ] Is it verified/trusted?
- [ ] What language is it written in?
- [ ] Does it require modification?
- [ ] What does the code actually do?
- [ ] Are there dependencies?
- [ ] Is it a DoS or actual RCE?
### Reading Exploit Code

Always read the code before running:

```python
# Look for these sections:

# 1. Target configuration
RHOST = "192.168.1.10"  # Change this
RPORT = 445             # Verify port
LHOST = "192.168.1.5"   # Your IP
LPORT = 4444            # Your listener port

# 2. Payload/shellcode
# Check if it's the correct architecture (x86/x64)
# Check if IP/port needs updating

# 3. Comments and usage
# Read author notes
# Check for requirements
```
## CVE Research

### Understanding CVE Format

```text
CVE-2021-44228
 │    │    │
 │    │    └── Sequence number
 │    └── Year the ID was assigned or published (not necessarily the year of discovery)
 └── Common Vulnerabilities and Exposures
```
### Research Steps

```bash
# 1. Search NVD for details
# nvd.nist.gov/vuln/detail/CVE-XXXX-XXXXX

# 2. Check CVSS score
# Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9)

# 3. Read vendor advisory
# Check affected versions
# Look for patches/workarounds

# 4. Search for PoC
searchsploit CVE-2021-44228
# GitHub search
```
## Version Matching

Accurate version matching is critical:

```text
Service Banner: Apache/2.4.49 (Unix)
        ↓
Search: searchsploit "apache 2.4.49"
        ↓
Exploit: Apache 2.4.49 - Path Traversal
        ↓
Verify: Check exploit comments for exact versions
```

### Handling Version Ranges

```text
Exploit states: "Affected: 2.4.0 - 2.4.49"
Target version: 2.4.41
Result: ✓ Target is within affected range
```
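The range check above, as an added example that is not part of the lesson: it pulls the version out of a service banner, parses an exploit header in the `Affected: low - high` form shown above (an assumed format), and compares the two as integer tuples rather than as strings, which avoids the common trap where `"2.4.9"` sorts after `"2.4.41"`.

```python
import re

# Added example (not part of the lesson). Checks whether the version in a
# service banner falls inside the "Affected: low - high" range quoted in an
# exploit header. Versions are compared as integer tuples, because comparing
# them as strings is a classic mistake: "2.4.9" > "2.4.41" as text, but
# 2.4.9 is the older release.

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple:
    """Return the first dotted numeric version in a banner as a tuple of ints.
    'Apache/2.4.49 (Unix)' -> (2, 4, 49); 'OpenSSH_7.2p2 Ubuntu' -> (7, 2)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def parse_range(affected: str) -> tuple:
    """Parse 'Affected: 2.4.0 - 2.4.49' (or a single 'Affected: 2.4.49')
    into (low, high). Assumes the line contains only version numbers."""
    versions = [tuple(int(p) for p in v.split(".")) for v in _VERSION_RE.findall(affected)]
    if len(versions) == 1:
        return versions[0], versions[0]
    if len(versions) == 2:
        return versions[0], versions[1]
    raise ValueError(f"cannot read an affected range from {affected!r}")


def _pad(version: tuple, length: int) -> tuple:
    # Treat 2.4 as 2.4.0 so versions of different depth compare sensibly.
    return version + (0,) * (length - len(version))


def in_affected_range(banner: str, affected: str) -> bool:
    """True when the banner's version is within the exploit's stated range."""
    target = parse_version(banner)
    low, high = parse_range(affected)
    width = max(len(target), len(low), len(high))
    return _pad(low, width) <= _pad(target, width) <= _pad(high, width)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the lesson's Apache example.
    print(in_affected_range("Apache/2.4.41 (Unix)", "Affected: 2.4.0 - 2.4.49"))   # True
    print(in_affected_range("Apache/2.4.9 (Unix)", "Affected: 2.4.10 - 2.4.49"))   # False
```

A version inside the range is a lead, not proof: distribution packages often backport fixes while keeping the upstream version string, so confirm against the vendor advisory before trusting the match.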
## Exploit Types to Know

| Type | Description | Example |
|---|---|---|
| Remote Code Execution | Execute commands remotely | MS17-010 |
| Local Privilege Escalation | Elevate from user to root | DirtyPipe |
| Authentication Bypass | Skip login mechanisms | Default creds |
| Path Traversal | Access files outside webroot | ../../../etc/passwd |
| SQL Injection | Database manipulation | ' OR 1=1-- |
| Command Injection | OS command execution | ; id |
## Exploit Modification Tips

Most exploits need modification before use:

```python
# Common modifications needed:

# 1. IP addresses
RHOST = "10.10.10.10"  # Target IP
LHOST = "10.10.14.5"   # Your IP (tun0)

# 2. Ports
RPORT = 80             # Target port
LPORT = 443            # Your listener port

# 3. Shellcode
# Generate new shellcode with msfvenom
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=x LPORT=y -f python

# 4. Python version
#!/usr/bin/env python3  # Update shebang

# 5. Dependencies
# pip install requests pwntools
```

Next, we'll cover creating and handling shells for maintaining access.