Exploitarium — Consolidated PoC Research Collection
bikini/exploitarium bundles 30 standalone PoC folders — MotW chains, libssh2, FFmpeg, hypervisor escape, and client RCE candidates.
Summary
Exploitarium is a consolidated archive of public proof-of-concept and vulnerability research by the researcher operating as bikini (Discord: ashdfrkl). The GitHub repository now contains 30 self-contained folders — 12 migrated from former standalone repos with byte-identical Git tree verification (96 tracked entries, zero mismatches on 2026-06-23), plus 18 direct entries added through July 1, 2026 — spanning MotW chains, libssh2, FFmpeg, hypervisor escape, federated forum spoofing, and client RCE candidates.
Seven folders landed on 2026-07-01: curl-smtp-expn-recipient-crlf-injection, ladybird-wasm-esm-host-function-rce-poc, libarchive-zip-debuginfod-size-boundary, nextjs-unstable-cache-object-argument-collision, nodebb-activitypub-attributedto-local-uid-spoof-poc, pillow-imagecms-output-mode-oob-poc, and qemu-cxl-type3-mailbox-escape-poc.
The maintainer states fuzzing workflows were AI-assisted with human oversight, while PoC exploit code was hand-written (RustDesk excepted). README formatting is AI-assisted and reviewer-checked. Attribution note: the objdump DLX finding credits 4D4J/objdump-Out-Of-Bounds-write as a stronger prior PoC.
Key Findings
| Finding | Detail |
|---|---|
| Index source | Sploitus exploitarium |
| Upstream repo | bikini/exploitarium |
| PoC count | 30 folders (GitHub HEAD, July 1 2026); Sploitus card README still lists 12 from initial consolidation |
| Research focus | Archive/parser bugs, client trust boundaries, CI/container/hypervisor escapes, Windows LPE primitives |
| Disclosure stance | Open-disclosure research; explicit anti-abuse statement in upstream README |
PoC Index
| Signal article | Folder | Primary impact |
|---|---|---|
| 7-Zip RAR5 MotW/ADS Full-Chain PoC | 7zip-rar5-motw-chain-poc | Attacker-controlled visible file content plus ZoneId=0 on extracted files when Internet-zone archive propagates MotW |
| AnyDesk 9.7.6 Printer Pipe COM Impersonation LPE | anydesk-printer-com-impersonation-poc | Low-privileged local user → AnyDesk service identity (default LocalSystem on service install) |
| c-ares TCP ares_getaddrinfo() UAF Calc PoC | c-ares-tcp-uaf-calc-poc | Controlled code execution in harness linking affected c-ares (not universal app exploit) |
| curl SMTP EXPN Recipient CRLF Command Injection | curl-smtp-expn-recipient-crlf-injection | Authenticated SMTP session sends attacker-injected MAIL/RCPT/DATA transaction from CRLF in recipient operand |
| Docker cp Copy-Out Destination Escape | docker-cp-copyout-destination-escape | Container-controlled file write outside operator-selected host destination when copy-out races |
| Firefox Smart Window Private URL Exfiltration | firefox-smartwindow-private-url-exfil-poc | Private tab/history URLs (queries, tokens, reset links) leak to attacker HTTP endpoint via hidden fetch |
| Floci 1.5.27 API Gateway VTL RCE + IAM Scope Bypass | floci-apigateway-vtl-rce-poc | OS command execution as Floci JVM; IAM deny policies bypassed with iam scope on apigateway routes |
| Flowise 3.1.2 MCP NODE_OPTIONS Case Bypass | flowise-mcp-env-case-bypass-poc | Authenticated Flowise user with MCP config access → code execution in worker context |
| FFmpeg RASC DLTA Heap OOB Write Calc PoC | ffmpeg-rasc-dlta-calc-poc | Heap corruption → hijacked get_buffer2 callback → arbitrary native code execution in decoder process |
| Ghidra 12.1.2 Conditional ACE / TraceRMI RCE Surfaces | ghidra-12-1-2-rce-ace-calc-poc | Conditional local code execution when Swift tool dir configured or untrusted TraceRMI peer; native parser surface via SevenZipJBinding |
| Gitea act_runner container.options Host Namespace Bypass | gitea-act-runner-container-options-poc | Untrusted workflow on shared runner → host PID namespace access and root marker command |
| ImageMagick Ghostscript Delegate Path Hijack | imagemagick-gs-delegate-hijack-poc | Arbitrary code execution as user running convert/magick from hijackable working directory |
| Ladybird WebAssembly ESM Host Function RCE PoC | ladybird-wasm-esm-host-function-rce-poc | Browser-reachable native code execution in WebContent via dangling Wasm FunctionType and memory64 leak chain |
| libarchive ZIP Declared-Size Boundary Bypass via debuginfod | libarchive-zip-debuginfod-size-boundary | Advertised 109-byte ZIP entry streams 4GiB+109; debuginfod indexes and serves hidden ELF sections past metadata boundary |
| libssh2 CVE-2026-55200 Packet Length Integer Wrap | libssh2-cve-2026-55200-poc | Heap corruption / control hijack in SSH client paths using vulnerable transport read |
| libssh2 Publickey List Parser Calc PoCs | libssh2-publickey-list-calc-poc | Remote calc proof via publickey subsystem when vulnerable parser build linked |
| Lunar Client Modrinth Explore RCE Chain | lunar-modrinth-chain-poc | Victim views malicious Modrinth project in Explore → desktop-user code execution without launching Minecraft |
| MyBB 1.8.40 Limited ACP to Full Administrator | mybb-limited-acp-to-admin | Limited ACP user module access → full board administration |
| Next.js unstable_cache Object Argument Cache-Key Collision | nextjs-unstable-cache-object-argument-collision | Request/URLSearchParams/FormData object args collapse cache keys to {} — cross-user bleed with first-writer semantics |
| NodeBB 4.13.2 ActivityPub attributedTo Local UID Spoof | nodebb-activitypub-attributedto-local-uid-spoof-poc | Remote federated actor forges private chat and public posts attributed to local administrator uid |
| nghttpx HTTP/1.1 Upgrade Response Queue Poisoning | nghttp2-nghttpx-upgrade-queue-poison-poc | Cross-client response poisoning; cache confusion; same-origin content injection |
| Nmap IPv6 Extension Header Length Wrap | nmap-ipv6-extlen-wrap-poc | Malformed packet represented as huge UDP payload — downstream scan logic corruption risk |
| objdump DLX Backend OOB Write Calc PoC | objdump-dlx-calc-poc | Local ACE when victim runs objdump on malicious DLX object (not network RCE) |
| OpenVPN Connect Echo Script ACE + PAC Push | openvpn-connect-echo-script-ace-poc | Current-user ACE on disconnect; transient PAC AutoConfigURL via dhcp-option push |
| PHP 8.5.7 StreamBucket SOAP Numeric Cookie RCE | php857-streambucket-soap-rce-rpoc | Remote/locale-dependent RCE in PHP process parsing attacker-controlled SOAP path |
| Pillow 12.3.0 ImageCmsTransform output_mode OOB Write | pillow-imagecms-output-mode-oob-poc | Mutable Python output_mode diverges from LittleCMS C transform — heap OOB write in _imagingcms |
| QEMU CXL Type-3 Mailbox Host Escape PoC | qemu-cxl-type3-mailbox-escape-poc | Guest CXL mailbox bugs forge host MemoryRegionOps → libc system() marker in QEMU process |
| RustDesk Session Downgrade + FileTransfer Scope Bypass | rustdesk-session-permission-pocs | Malicious relay injects control messages; FileTransfer session exceeds intended scope |
| System Informer phsvc Trusted-Host LPE | systeminformer-phsvc-trusted-host-lpe-poc | Medium user → elevated helper context arbitrary process creation when elevated instance live |
| VLC 3.0.23 VP9 Resolution-Change Crash | vlc-vp9-reschange-crash-poc | Denial of service / memory corruption primitive in VP9 resolution change path |
Methodology
Exploitarium entries follow a consistent research pattern:
- Target selection — widely deployed clients, libraries, or infrastructure defaults (7-Zip, libssh2, Gitea Actions, QEMU CXL, OpenVPN Connect).
- Harnessed fuzzing — maintainer reports automated fuzzing with strict harnesses (GPT-5.3 cited) plus manual PoC refinement.
- Marker-only or calc proofs — most Windows/Linux proofs use calculator, marker files, or GDB transcripts rather than weaponized shells.
- Source-traced writeups — each folder ships README tables mapping functions, lines, and preconditions.
- Consolidation — former per-CVE repos merged into one tree with Git blob ID verification.
Attribution & Caveats
- Sploitus aggregation lags GitHub: the indexed card table shows 12 folders from the June 23 consolidation; GitHub HEAD includes 18 additional direct entries through July 1, 2026.
- Several findings are conditional (Ghidra ACE, Lunar Modrinth end-to-end) or harness-local (c-ares UAF, libssh2 harness).
- cves.md in the repo lists CVE-2026-58049–58058 placeholders — not mapped 1:1 to every folder in this index.
Related Signals
- CVE-2026-48908 — SP Page Builder Joomla RCE
- Audiobookshelf auth bypass scanner
- CVE-2026-54806 — WP Activity Log POI
- TLS1.2 Exploit Scripts lab
- Peyara Remote Mouse RCE
- Log4J-PoC collection
- CVE-2026-49772 — Events Calendar SQLi
- Dalfox found-action RCE
- CVE-2026-2002 — Forminator XSS
Mitigation (operators)
- Treat Exploitarium appearance in weekly indexes as bundle circulation signal — prioritize patches for products you run that match folder names.
- Do not assume one CVE per card — enumerate folders relevant to your asset inventory.
- Hunt for PoC IOCs (marker paths, pipe names, default ports) in purple-team baselines, not just malware hashes.