01Overview
Exploit PoC & Detection Lab is a purple-team repository that reproduces five publicly disclosed, patched vulnerabilities and techniques so blue teams can prove their detections actually fire. Every pack is self-contained and follows one hard rule set: benign by default (a PoC only ever writes a proof file or prints the run-as identity), impactful actions gated behind clearly-labeled off-by-default switches, and every exploit shipped alongside the detection content needed to catch it.
The catalog spans four CVEs and one ATT&CK technique across a deliberate spread of attack surfaces: a Windows AD DS / Network Configuration Operators local privilege escalation to SYSTEM (CVE-2025-21293), two unauthenticated RCEs that were mass-exploited in the wild and added to CISA KEV — WSUS .NET deserialization (CVE-2025-59287) and SAP NetWeaver Visual Composer file-upload (CVE-2025-31324) — an LSASS credential-dump technique via the signed LOLBin comsvcs.dll (T1003.001), and a safe, non-destructive assessment kit for a wormable HTTP.sys kernel RCE (CVE-2026-47291).
What makes it notable is the discipline. The HTTP.sys pack deliberately ships no weaponized exploit — because firing a kernel heap overflow BSODs the host and no public root-cause exists — and instead gives a definitive patched/vulnerable verdict from the MSRC-documented MaxRequestBytes condition. The SAP pack's benign JSP probe proves arbitrary-Java RCE without dropping a usable command shell, and even ships a YARA rule for its own probe so defenders can tell an authorized test from a real attacker. It's a reference for how to publish offensive research responsibly.
The audience is detection engineers, SOC teams, red/purple teamers, and researchers who want to validate coverage in an isolated, snapshotted lab. Each pack documents the vuln (CVSS, affected/patched versions, root cause), the exact run and cleanup steps, remediation guidance, and Sigma/YARA/Suricata/KQL/Sysmon detections mapped to MITRE ATT&CK.
02Key Capabilities
Five curated exploit/technique packs
Four disclosed CVEs plus one ATT&CK technique, each a self-contained, isolated directory that is runnable and cleanable on its own with no cross-pack dependencies.
Benign-by-default payloads
Default payloads only prove execution (write a proof file or print the run-as identity); genuinely impactful actions like spawning a SYSTEM shell or adding an admin are compile-time/runtime switches that ship OFF.
Detection paired with every exploit
No pack is complete without Sigma, and most add YARA, Suricata, KQL hunting queries, and Sysmon config so defenders can validate the full telemetry-to-alert pipeline.
Safe assessment over weaponization
For the wormable HTTP.sys kernel RCE, the repo ships a non-destructive checker (patch state, MaxRequestBytes config, exposure) instead of a BSOD-inducing overflow, giving a definitive verdict at zero risk to the target.
Gated, self-cleaning red-team drivers
The SAP and WSUS drivers default to dry-run/probe, gate the actual upload behind --confirm, track dropped artifacts in state files, and provide reliable --cleanup and self-destruct so tests leave no residue.
Detection-first credential-access lab
The LSASS/comsvcs pack exists to generate telemetry: a dry-run-by-default trigger whose robust detection keys on any process opening lsass.exe with a dump access mask (Sysmon EID 10), not a brittle string match.
Reproducible lab provisioning
Packs include setup/cleanup scripts (create the Network Configuration Operators lab user, install the WSUS role) to stand up a vulnerable target and tear it down safely.
Before/after patch demonstration
Each README documents the exact fix (KB / SAP Note / registry ACL change) and how to verify it, so a pack doubles as a patch-efficacy and remediation-validation exercise.
MITRE ATT&CK-mapped Sigma
Sigma rules carry attack.* tags spanning eight techniques (T1546, T1068, T1190, T1505.003, T1059.001/003, T1003.001, T1218.011) for coverage tracking; the primary rule in each pack is tagged (6 of the 10 rules).
Authoritative references per pack
Every README cites NVD, MSRC/vendor advisories, CISA KEV, and original research so findings are auditable and grounded, not hand-waved.
03Architecture
The repo is not a single application but a collection of five uniform PoC packs, each following the canonical template defined in CLAUDE.md: a README, a driver, optional payload source, lab provisioning scripts, and a detection/ folder. A pack's driver walks a linear pipeline — setup/register, trigger in the privileged context, check for proof, then clean up — while detection content is authored in parallel so the exploit and its signatures ship together.
04Project Structure
README.mdCatalog of the five packs with severity, type, and highlights, plus the shared usage and safety disclaimer.CLAUDE.mdRepo conventions and hard safety guardrails: authorized-lab-only, benign-by-default, pair-with-detection, never-weaponize.CVE-2025-21293-PoC/AD DS / Network Configuration Operators LPE to SYSTEM via a malicious performance-counter DLL; canonical template pack (driver, C payload, lab, detection).CVE-2025-59287-PoC/WSUS unauthenticated .NET deserialization RCE (CISA KEV); ysoserial-fed AES-CBC SOAP gadget driver plus WSUS install script and Sigma/KQL.CVE-2025-31324-PoC/SAP NetWeaver Visual Composer unauth file-upload RCE (CISA KEV); benign JSP probe, gated upload/cleanup driver, and Sigma/YARA/KQL detection.T1003.001-LSASS-comsvcs-PoC/Detection-first LSASS credential dump via comsvcs.dll; dry-run PowerShell trigger with Sysmon/Sigma/KQL and RunAsPPL/Credential Guard hardening.CVE-2026-47291-PoC/HTTP.sys kernel RCE safe-assessment pack: non-destructive checker (no overflow) plus Sigma/Suricata/KQL crash-and-oversized-request detection.detection/ (per pack)The detection folder in each pack: Sigma rules, Sysmon XML, YARA, Suricata rules, and KQL hunting queries for blue-team validation.LICENSEOpen-source license for the repository..gitignoreIgnore rules that already exclude native build output (*.dll/*.exe/*.obj/*.lib/*.pdb), Python caches, third-party tooling (ysoserial), and secrets/live-target data.05Security Controls
06Technology Stack
- Languages
- Python 3 (drivers + safe checker), PowerShell (lab/trigger scripts), C (x64 perf-counter DLL payload), JSP (SAP probe), Batch (build script)
- Python dependencies
- requests; pycryptodome (WSUS AES-CBC); declared per-pack in requirements.txt
- External tooling
- ysoserial.net for WSUS gadget generation (not bundled); MSVC cl.exe or MinGW-w64 for the native DLL; Sysmon for telemetry
- Detection formats
- Sigma (YAML), YARA, Suricata rules, Microsoft KQL, Sysmon XML
- Target platforms
- Windows 10/11 & Server 2012-2025, WSUS role, SAP NetWeaver AS Java
- CI / tests
- None — a lab/PoC repo (no test harness or CI pipeline); source + build scripts only, no committed build artifacts
07Quick Start
$ CVE-2025-21293: powershell -File .\lab\setup_lab.ps1; cd payload && .\build.bat; then as the low-priv user run python exploit.py --all and check C:\poc-cve-2025-21293\proof_*.txt $ CVE-2025-59287: pip install -r requirements.txt; python exploit.py --target 10.0.0.50 --ysoserial C:\tools\ysoserial.exe (benign proof; confirm on the WSUS server, not the HTTP response) $ CVE-2025-31324: python exploit.py -t sapnw.lab --port 50000 --check (safe probe), then --confirm to upload the benign JSP, then --cleanup to self-destruct the artifact $ T1003.001: .\trigger_lsass_dump.ps1 (dry run), .\trigger_lsass_dump.ps1 -Execute to generate telemetry, then -Cleanup to securely delete the dump $ CVE-2026-47291: python check_cve_2026_47291.py --local for a patch/MaxRequestBytes verdict, and --target 10.0.0.10 for benign http.sys exposure only $ General: stand up an isolated, snapshotted lab target, run the PoC, confirm your detections fire, then clean up and revert the snapshot
08Compliance & Frameworks
Explore Exploit PoC & Detection Lab
Full source, documentation, and deployment guides live on GitHub.