General-purpose security research repository covering browser exploit chain development, post-exploitation techniques, and security assessment tooling. Contains CVE reproduction work across Chrome (V8, Blink, ANGLE, Skia) and Firefox (SpiderMonkey, IPC, WebAssembly), along with fuzzing infrastructure, reverse engineering notes, and a Databricks Apps security assessment delivered as an interactive Streamlit dashboard.
This repository exists to support internal security education and risk awareness. The exploit reproductions, attack chain demonstrations, and assessment tooling are built as red-team exercises to show stakeholders - including non-technical business users - what can go wrong when production systems lack adequate human oversight and governance controls.
All materials are for educational purposes and authorized security testing only. Exploit code is provided to support defensive research, vulnerability reproduction, and security assessment under responsible disclosure. Do not use any code or technique against systems you do not own or have explicit written authorization to test.
Safeguards in place:
- Exploit code targets patched, publicly disclosed CVEs - no zero-days are published here.
- All tool networking is loopback-only (`127.0.0.0/8` or Docker bridge), enforced by ContainmentGuard in code - not by convention.
- The Docker Compose lab runs on an `internal: true` network with no internet gateway.
- The beacon's `exec` command is refused outside Docker containers. All other beacon commands are from a hardcoded allowlist.
- IDOL persistence demo's `--plant` installs only a harmless cron heartbeat; `--cleanup` removes it.
- All research aligns with responsible disclosure practices and vendor coordination.
| CVE | Target | Year | Technique | Level | Path |
|---|---|---|---|---|---|
| CVE-2024-0517 | Chrome V8 Maglev | 2024 | OOB Write | ACE | cves/chrome/2024/CVE-2024-0517/ |
| CVE-2024-1939 | Chrome V8 Wasm S128 | 2024 | Type Confusion | ACE | cves/chrome/2024/CVE-2024-1939/ |
| CVE-2024-5830 | Chrome V8 Object Transitions | 2024 | Type Confusion | ACE | cves/chrome/2024/CVE-2024-5830/ |
| CVE-2025-5959 | Chrome Wasm JSPI | 2025 | Sandbox Escape | ACE | cves/chrome/2025/CVE-2025-5959/ |
| CVE-2025-6558 | Chrome ANGLE WebGL2 | 2025 | UAF | UAF | cves/chrome/2025/CVE-2025-6558/ |
| CVE-2025-13223 | Chrome V8 Property Array | 2025 | Type Confusion | ARW | cves/chrome/2025/CVE-2025-13223/ |
| CVE-2026-2441 | Chrome CSS FontFeatureValuesMap | 2026 | UAF | UAF | cves/chrome/2026/CVE-2026-2441/ |
| CVE-2026-3909 | Chrome Skia Glyph Atlas | 2026 | OOB Write | OOB | cves/chrome/2026/CVE-2026-3909/ |
| CVE-2024-8381 | Firefox SpiderMonkey | 2024 | Type Confusion | Trigger | cves/firefox/2024/CVE-2024-8381/ |
| CVE-2024-9680 | Firefox AnimationTimeline | 2024 | UAF | UAF | cves/firefox/2024/CVE-2024-9680/ |
| CVE-2024-29943 | Firefox JIT Range Analysis | 2024 | BCE | ARW | cves/firefox/2024/CVE-2024-29943/ |
| CVE-2024-29944 | Firefox Privileged JS | 2024 | Sandbox Escape | ACE | cves/firefox/2024/CVE-2024-29944/ |
| CVE-2025-2857 | Firefox IPC | 2025 | Sandbox Escape | Trigger | cves/firefox/2025/CVE-2025-2857/ |
| CVE-2025-4918 | Firefox Promise | 2025 | OOB | OOB | cves/firefox/2025/CVE-2025-4918/ |
| CVE-2025-4919 | Firefox IonMonkey BCE | 2025 | OOB | ARW | cves/firefox/2025/CVE-2025-4919/ |
| CVE-2026-2795 | Firefox Wasm GC | 2026 | UAF | ACE | cves/firefox/2026/CVE-2026-2795/ |
| CVE-2026-2796 | Firefox Wasm JIT | 2026 | Type Confusion | Trigger | cves/firefox/2026/CVE-2026-2796/ |
Level key: ACE = arbitrary code execution, ARW = arbitrary read/write, UAF = use-after-free demonstrated, OOB = out-of-bounds access, Trigger = bug trigger only.
```
exploits/
├── cves/ # CVE reproductions, organized by target/year/CVE-ID
│   ├── chrome/
│   └── firefox/
├── tools/ # Standalone security tooling
│   ├── lib/ # Shared libraries (ContainmentGuard)
│   ├── rust/ # Rust workspace - compiled target-side tools
│   │   ├── beacon/ # Beacon client binary (ports beacon_client.py)
│   │   ├── containment/ # ContainmentGuard library (ports containment.py)
│   │   └── jitter/ # Jitter algorithm library (ports jitter.py)
│   ├── idol/ # IDOL - lateral movement PoC
│   ├── c2/ # C2 server, beacon client, traffic analysis
│   ├── framework/ # Exploit orchestration framework + exploit server
│   ├── dashboard/ # Session management dashboard (simulated + live)
│   ├── validator/ # Pre-exploitation target validation
│   ├── post-exploit-staging/ # Three-tier staging architecture
│   ├── forensic-analysis/ # Forensic artifact detection
│   ├── fuzzing/ # Fuzzing harnesses and generators
│   └── win-remote/ # Windows remote testing agent
├── docs/ # Research notes, analysis, methodology
│   ├── advisories/
│   ├── analysis/
│   └── methodology/
├── reports/ # Security assessment reports
│   └── databricks-apps-assessment/ # Streamlit dashboard (src/ → build.py → app.py)
├── site/ # GitHub Pages static site
│   └── dashboard/ # WebAssembly-based dashboard build
└── infra/ # Docker images, build scripts
    ├── docker/ # Dockerfiles for lab services + browser testing
    ├── lab/ # Lab target apps
    └── scripts/
```
- IDOL (`tools/idol/`) - Infectious IDOL (Invisible Deployment Orchestration Layer). 9 scripts covering credential harvest, persistence, lateral movement, C2 beaconing, and polymorphic payloads. Credential harvest and persistence scans run against the real filesystem. Persistence demo supports `--plant` (installs harmless cron heartbeat) and `--cleanup`. C2 beacon demo supports `--live` to connect to the real C2 server. Tests: `python3 -m unittest tools/idol/tests/test_idol.py`.
- C2 Server & Beacon (`tools/c2/`) - Real HTTP-based C2 with analytics-style traffic mimicry protocol. Flask server with session tracking, task dispatch, and operator REST API. Beacon client with real jitter algorithms (uniform, gaussian, exponential). Hardcoded command allowlist (whoami, sysinfo, ls, env, pid, ping, sleep, exec). All traffic loopback-only, enforced by ContainmentGuard. Includes beacon detection analysis and traffic profiles for defensive research.
- Rust Target Tools (`tools/rust/`) - Compiled Rust ports of target-side tools for deployment without a Python runtime. Includes a beacon client binary (4.7MB, zero dependencies), containment guard library, and jitter algorithm library. Build: `cd tools/rust && cargo build --release`. The beacon binary is at `tools/rust/target/release/beacon`. 54 tests: `cd tools/rust && cargo test`.
- Exploit Framework (`tools/framework/`) - FuzzBunch-style exploit orchestration with YAML module configs, chain builder, and go/no-go gates. Includes an exploit server that serves actual CVE HTML/JS files from the repo, with a callback endpoint for post-exploitation confirmation and C2 integration. Use `--exploit-server` to connect to the live exploit server.
- Dashboard (`tools/dashboard/`) - TURBINE-style session management console. Supports `--demo` for simulated sessions and `--c2 <url>` for live mode connected to the real C2 server. Live mode provides real task dispatch, result viewing, and event monitoring.
- Validator (`tools/validator/`) - Pre-exploitation browser fingerprinting and environment validation (webdriver detection, screen analysis, DevTools detection).
- Post-exploit Staging (`tools/post-exploit-staging/`) - Three-tier staging architecture: exploit → stager → payload. Reflective JavaScript loader with three loading strategies.
- Forensic Analysis (`tools/forensic-analysis/`) - Artifact detection, audit gap analysis, and log parsing for incident response research.
- Fuzzing (`tools/fuzzing/`) - JavaScript fuzzers targeting JIT (GVN, LICM, Range Analysis), IPC, and V8 Turbofan.
- win-remote (`tools/win-remote/`) - Remote agent for Windows-targeted testing. Requires `.env` configuration (see `.env.example`).
A Docker Compose lab provides a fully isolated environment for running tools end-to-end. All services run on an internal Docker network with no internet access.
```bash
make lab-up      # Start: C2 server, 2 beacons, exploit server, 2 target apps
make lab-down    # Destroy everything
make lab-status  # Show running services + C2 status
make lab-logs    # Tail all logs
```

Services:
| Service | Port | Description |
|---|---|---|
| C2 server | 127.0.0.1:8443 | Operator API + beacon protocol |
| Exploit server | 127.0.0.1:9090 | Serves CVE exploits, receives callbacks |
| Target app 1 | 127.0.0.1:8501 | Simulated Databricks Streamlit app |
| Target app 2 | 127.0.0.1:8502 | Second target for lateral movement |
Containment: ContainmentGuard (tools/lib/containment.py) enforces loopback-only networking, non-root execution, tmpdir isolation, and Docker environment detection across all tools. The exec command in the beacon is refused outside Docker containers.
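
The four checks named above (loopback-only destinations, non-root execution, path isolation, and the Docker-gated `exec`), written out as an added example. This is not the project's `tools/lib/containment.py`; the function names, the injectable resolver and the `/.dockerenv` marker-file heuristic are assumptions.

```python
import ipaddress
import os
import socket

# Allowlist as listed in this README's description of the beacon.
ALLOWED_COMMANDS = {"whoami", "sysinfo", "ls", "env", "pid", "ping", "sleep", "exec"}

class ContainmentError(RuntimeError):
    """Raised when an action would leave the contained lab."""

def check_destination(host, allowed_nets=("127.0.0.0/8",), resolver=socket.getaddrinfo):
    """Fail closed unless EVERY address the host resolves to is in an allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    try:
        infos = resolver(host, None)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        raise ContainmentError(f"cannot resolve {host!r}") from exc
    # Strip any IPv6 scope id ("fe80::1%eth0") before parsing.
    addrs = {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}
    outside = sorted(str(a) for a in addrs if not any(a in n for n in nets))
    if not addrs or outside:
        raise ContainmentError(f"{host!r} resolves outside containment: {outside}")
    return sorted(str(a) for a in addrs)

def check_not_root(euid=None):
    """Refuse to run with effective UID 0."""
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        raise ContainmentError("refusing to run as root")
    return euid

def check_path(path, sandbox):
    """Require path to stay under sandbox once symlinks and '..' are resolved."""
    real, root = os.path.realpath(path), os.path.realpath(sandbox)
    if os.path.commonpath([real, root]) != root:
        raise ContainmentError(f"{path!r} escapes {sandbox!r}")
    return real

def check_command(name, in_docker=None):
    """Allowlist check; 'exec' additionally requires a Docker container."""
    if in_docker is None:
        in_docker = os.path.exists("/.dockerenv")  # assumed detection heuristic
    if name not in ALLOWED_COMMANDS:
        raise ContainmentError(f"command {name!r} not on allowlist")
    if name == "exec" and not in_docker:
        raise ContainmentError("exec refused outside Docker")
    return name
```

Checking every resolved address, rather than the first, is what stops a hostname with both a loopback and a routable record from passing the guard.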
- Databricks Apps Assessment (`reports/databricks-apps-assessment/`) - Interactive Streamlit dashboard demonstrating security concerns in Databricks App deployments. Built from `src/` fragments via `build.py`.
- Clone the repo and install lab dependencies: `pip install -r requirements-lab.txt`
- Browse `cves/` for specific CVE reproductions. Each CVE directory contains its own README with setup instructions.
- See `docs/` for research methodology and analysis notes.
- For the contained lab: `make lab-up` (requires Docker). This starts the C2 server, beacons, exploit server, and target apps.
- For the Databricks assessment dashboard: `cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py`.
- To run tools locally (without Docker): `python3 tools/c2/server.py` in one terminal, `python3 tools/c2/beacon/beacon_client.py` in another, `python3 tools/dashboard/dashboard_cli.py --c2 http://127.0.0.1:8443` in a third.
- Repository: github.com/AndrewAltimit/exploits
- GitHub Pages: andrewaltimit.github.io/exploits
- Live Dashboard: andrewaltimit.github.io/exploits/dashboard - runs in-browser via WebAssembly, no install required