
Inside Pedro Ribeiro's Exploit Arsenal: A Deep Dive into Real-World Vulnerability Research


Hook

One researcher’s GitHub repository contains exploits that were used in Pwn2Own competitions—and he’s been documenting the entire process, from fuzzing to Metasploit integration, with full public disclosure.

Context

Vulnerability research exists in a strange space between academic study and underground markets. Most exploits either disappear into closed-source penetration testing tools, get sold to governments and bug bounty programs, or end up as half-working proof-of-concepts on forums. Pedro Ribeiro’s PoC repository represents a different philosophy: transparent, methodical vulnerability disclosure paired with public exploit code.

The pedrib/PoC repository serves as both a personal vulnerability CV and a comprehensive archive of security research. Starting with initial vulnerability discovery, moving through vendor notification (with a minimum six-month window for vendors to resolve vulnerabilities), and ending with public advisories and exploits, this archive documents the entire lifecycle of security research. The repository’s pedigree.csv file functions as a comprehensive tracker of CVE identifiers, ZDI credits, and Metasploit module integrations—essentially a resume written in vulnerabilities rather than job titles. For researchers and red teamers, it’s a window into how professional security research actually works, from Pwn2Own zero-days to long-term vulnerability hunting in enterprise software.

Technical Insight

[System architecture (auto-generated diagram): nodes Vulnerability Research, Advisories Directory, Fuzzing Testcases, Exploits Directory, Metasploit Framework, Pwn2Own Exploits, pedigree.csv, Vulnerability Portfolio, Security Tools; edge labels Tracking, Documents findings, CVE crashes, Weaponize, Metasploit modules, Competition code, Records, Tracks, Supports]

The repository’s architecture reflects the structured workflow of professional vulnerability research. At the top level, you’ll find four primary directories: advisories for vulnerability documentation, exploits for weaponized code, fuzzing for CVE-tagged crashes that weren’t fully exploitable, and tools for custom security utilities. This isn’t accidental—it mirrors the natural progression from finding a bug to turning it into a working exploit.

The most valuable artifacts are the Metasploit modules in the exploits/metasploit directory. These modules have been integrated into the official Metasploit Framework, indicating they meet the framework’s standards for functionality and reliability. The Pwn2Own subdirectory contains modules created for or used in Pwn2Own competitions, representing exploit code developed under competitive time constraints. While the README doesn’t include code samples, Metasploit modules written in Ruby follow the framework’s established patterns for target selection, payload delivery, and session management.

The advisories directory demonstrates proper vulnerability documentation. Based on the repository structure, each advisory appears to include vendor information, affected product versions, vulnerability descriptions, and technical details about exploitation vectors. The Pwn2Own subdirectory is particularly illuminating—these advisories detail vulnerabilities discovered specifically for competition use, often representing complex exploitation chains.

The pedigree.csv file serves as a vulnerability portfolio tracking system. This CSV tracks CVE identifiers, ZDI credits, affected products, and links to corresponding advisories and exploits. It’s a data-driven approach to reputation management in security research, providing verifiable evidence of contributions to the security community. For researchers building their own careers, this model offers a blueprint for tracking and presenting vulnerability research.
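The tracker described above only earns trust if its rows stay consistent with the advisories and exploits they point to. The following is an added example, not code from the repository: it checks a pedigree-style CSV against a listing of repository paths, flagging malformed CVE ids, dangling advisory or exploit links, and entries whose fix is vendor-reported only. The column layout (cve, zdi, product, advisory, exploit, fix_verified) and the sample rows are constructed assumptions; the real pedigree.csv may use different columns.

```python
import csv
import io
import re

# Constructed sample in an assumed column layout; the real pedigree.csv may differ.
SAMPLE_CSV = """cve,zdi,product,advisory,exploit,fix_verified
CVE-2020-0001,ZDI-20-001,Example Router,advisories/example_router.md,exploits/metasploit/example_router.rb,no
CVE-2021-0002,,Example NAS,advisories/example_nas.md,,yes
CVE-20-3,ZDI-21-002,Example Switch,advisories/missing.md,exploits/example_switch.py,no
"""

# Constructed listing of files in the repository tree (a real run would walk the checkout).
REPO_FILES = {"advisories/example_router.md", "advisories/example_nas.md",
              "exploits/metasploit/example_router.rb", "exploits/example_switch.py"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_rows(text):
    """Parse the tracker CSV into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def check_rows(rows, repo_files):
    """Return (cve, problem) pairs for entries that fail a consistency check."""
    problems, seen = [], set()
    for row in rows:
        cve = row["cve"]
        if not CVE_RE.match(cve):
            problems.append((cve, "malformed CVE id"))
        if cve in seen:
            problems.append((cve, "duplicate entry"))
        seen.add(cve)
        for col in ("advisory", "exploit"):
            # A dangling link means the advisory or exploit the CSV advertises is absent.
            if row[col] and row[col] not in repo_files:
                problems.append((cve, f"{col} not in repository: {row[col]}"))
        if row["fix_verified"].lower() != "yes":
            problems.append((cve, "fix is vendor-reported only; verify independently"))
    return problems


def summarize(rows):
    """Count entries per product and how many ship as Metasploit modules."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(row["product"], {"cves": 0, "metasploit": 0})
        entry["cves"] += 1
        if row["exploit"].startswith("exploits/metasploit/"):
            entry["metasploit"] += 1
    return summary
```

Running check_rows on a real checkout means replacing REPO_FILES with a walk of the repository and adapting the column names to the actual header.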

What separates this repository from typical exploit databases is its integration mindset. Rather than dumping standalone scripts, the repository packages exploits as Metasploit modules, ensuring they work within a larger offensive security framework. The fuzzing directory captures another reality of vulnerability research: not every bug is exploitable, but they’re still worth documenting. These CVE-assigned crashes represent potential security issues that vendors needed to fix, even if weaponization wasn’t feasible within time constraints.

Gotcha

This repository is fundamentally an archive, not an actively maintained toolkit. Exploits target specific software versions, and vendors have patched these vulnerabilities. If you’re expecting plug-and-play tools for current penetration tests, you’ll be disappointed—these exploits are historical artifacts. They’re valuable for understanding exploitation techniques and studying vulnerability patterns, not for running automated attacks against modern systems.

The disclaimer in the README highlights another critical limitation: vendor fix verification. The repository explicitly states that “Agile Information Security relies on information provided by the vendor / product manufacturer when listing fixed versions, products or releases. Agile InfoSec does not verify this information, except when specifically mentioned in the advisory text.” This means the “fixed in version X.Y.Z” information relies entirely on vendor claims. The README further warns that “Unconfirmed vendor fixes might be ineffective, incomplete or easy to bypass.” Researchers using these advisories as references should independently verify patch efficacy rather than trusting vendor-provided information blindly. Additionally, using these exploits against systems you don’t own or have explicit authorization to test is illegal in virtually every jurisdiction. This repository exists for education and authorized security testing, not for unauthorized access. The README makes clear that “Agile InfoSec does not accept any responsibility, financial or otherwise, from any material losses, loss of life or reputational loss as a result of misuse of the information or code contained or mentioned in its advisories.”

Verdict

Use this repository if you’re a security researcher studying real-world exploitation techniques, a penetration tester looking for reference implementations to inform your own exploit development, or a defender trying to understand how attackers weaponize vulnerabilities. The Metasploit modules offer examples of exploit structure that have been accepted into the official framework, the advisories demonstrate thorough vulnerability documentation, and the Pwn2Own materials provide insight into competition-level research. It’s particularly valuable if you’re building your own vulnerability research practice and need a model for organizing disclosure workflows. Skip it if you want actively maintained offensive tools, automated vulnerability scanners, or beginner-friendly tutorials. This is a researcher’s personal archive requiring existing security expertise, understanding of exploit development, and most importantly, a commitment to responsible, authorized use. You won’t find installation guides or quick-start tutorials here—you’ll find a collection of professional security research output that assumes you already know what you’re doing.
