• In this section, all information is provided for informational purposes only!

ZERO-DAY Private Cloud & Kernel Exploit Portfolio — Hypervisor Escapes, Container Breakouts, Priv-Esc Chains

ZeroPort

Verified seller
Trusted Middleman
Exploit Developer
Exploit Scripter
Shell Coder
Software Vendor
Tool Seller
Trusted
Elite
Zero Day Hunter
Exploit Tester
Joined
Dec 25, 2020
Messages
11,673
Reaction score
9,238
Escrow Deals
1273
Total Purchases
$ 46258
Total TradeVolume
$ 1754152
Deposit
$ 72500
ZERO-DAY Private Cloud & Kernel Exploit Portfolio — Hypervisor Escapes, Container Breakouts, Priv-Esc Chains
Direct-Source Vendor | One-Shot Access | No Mirrors | Escrow on Request



Why You’re Here

Tools are for script kids.
We provide the holes they don’t know exist.


Our catalogue contains exclusively non-public, privately researched Zero-Days with working PoC or fully weaponised deploy-kits. Every vector is live-tested against current builds and shipped with step-by-step docs or a live session walkthrough.


We sell access, not PDFs.
What’s on the Table
Focus Areas:


  1. Cloud & Virtualisation
    • AWS / Azure / GCP privilege pivot (instance-wide or account-wide)
    • VMware ESXi / vCenter remote code execution & datastore exfil
    • Hyper-V & KVM guest-to-host escapes (ring-0 shell)
    • Terraform backend takeover (state-file injection)
  2. Containerisation & Orchestration
    • Docker daemon socket abuse → root on host
    • Kubernetes (RBAC bypass → cluster-admin)
    • Istio side-car escape → east-west traffic sniff
    • CI/CD runners (GitLab, GitHub Actions) sandbox breakouts
  3. Kernel & Driver Chains
    • Linux (5.15 → 6.6) LPE via BPF & io_uring race
    • Windows 11 / Server 2022 token swap (SYSTEM in <1 s)
    • macOS 14 root via EndpointSecurity double-free
    • Signed driver abuse for EDR kill & kernel implant
  4. Enterprise SaaS & SSO
    • Okta SCIM mis-sync → shadow admin
    • AzureAD device code hijack (MFA-less)
    • Atlassian Confluence OGNL RCE (pre-patch)
    • ServiceNow MID-server reverse tunnel


Pricing Matrix


SeverityScopeStarting Price
Local Priv-Esc (single host)read/write$4 000
Lateral / Cross-Tenantmulti-host$9 000
Hypervisor Escape / Cloud Rootfull execute$18 000
Chain Packs (2-3 linked vulns)turn-keyPOA

Price flexes with: patch ETA, blast radius & exclusivity window.



Purchase Terms


• One client per exploit variant — no mass resale
• Delivery: PoC repo + compile guide or live shell via tmux session
• Optional “we-run-it-for-you” model (access-as-a-service)
• Strict NDAs; leaks void all future business



Accepted Coins
BTC | XMR | USDT (ERC-20 / TRC-20)
Fiat/PayPal? Not happening.
Escrow available via vetted forum middlemen.



Contact Channels
Telegram (end-to-end): @RobbertCash
XMPP/OMEMO: czdrops@exploit.im
Forum PM: slower, but monitored
PGP key provided on kick-off.



Why Work with Us
Research done in-house — zero re-brokered leaks
Live demo before coin moves
Weekly inventory refresh; patched items pulled instantly
Client vetting keeps lifespan long — we sell longevity, not hype



Spotlight Inventory (1-slot each)


[VMWARE][vSphere 8] — vCenter SOAP deserialisation → root on all ESXi — $14 000
[AWS][IAM] — Lambda ENTITLEMENT chain → Org-root STS token (PoC + SDK) — $22 000
[LINUX][6.6] — BPF/out-of-bounds → kernel R/W, SELinux bypass — $6 500
[K8S][1.29] — ValidatingWebhook logic gap → cluster-admin via “dry-run” — $9 800
[WINDOWS][11 23H2] — win32k callback race → SYSTEM from Low, bypass WinDef — $7 200



Final Notes
No recycled CVEs — everything under active embargo
We cap sales to max 1–2 buyers per vuln chain
No “free scans,” no screenshot teasers, no tire-kickers


Post vetting questions below or DM for the full slate.
Professionals only. Tourists will be ignored.
 

Dreamteamwow

Crypto Mixer
Joined
Sep 12, 2021
Messages
6,238
Reaction score
1,422
Escrow Deals
42
Total Purchases
$ 21920
Total TradeVolume
$ 13670
Deposit
$ 4000
We acquired the AWS IAM Lambda entitlement chain. PoC was provided in a clean Repo with Terraform scripts and Boto3 helpers. After a 40-min screenshare we pivoted from a sandbox account to full Org-root in under 90 seconds. Documentation covered rollback and CloudTrail noise reduction—exactly what our client’s purple team requested. Escrow released same day. Five stars.
 

Takiziacazuro

Reverse Engineer
Payload Architect
Joined
Dec 20, 2022
Messages
7,231
Reaction score
5,412
Escrow Deals
15
Total Purchases
$ 16815
Total TradeVolume
$ 20342
Deposit
$ 6000
Purchased the vCenter SOAP deserialisation vector. Delivery included a ready-to-run Docker image plus Go source. Root access on three production ESXi 8 boxes achieved during internal test window with zero alarms on vRealize logs. Vendor supplied an optional patch diff so we could help the blue team close it post-assessment. Professional and efficient.
 

BlackNodeSec

Malware Coder
Joined
May 24, 2018
Messages
1,932
Reaction score
7,281
Escrow Deals
38
Total Purchases
$ 10300
Total TradeVolume
$ 19458
Deposit
$ 3110
Needed cluster-admin on EKS 1.28 for red-team simulation. The ValidatingWebhook ‘dry-run’ gap worked flawlessly; RBAC escalation completed in one API call. We also bought the C2 implant add-on—comes with encrypted side-car. Support responded in under 5 min when we hit a JSON encoding issue. Worth every USDT.
 

DeltaForse

Elite
Joined
Oct 6, 2020
Messages
9,235
Reaction score
1,386
Escrow Deals
92
Total Purchases
$ 15000
Total TradeVolume
$ 7610
Deposit
$ 10000
Grabbed the Linux 6.6 BPF OOB chain. Source included detailed offsets for Ubuntu, Debian, and custom Oracle kernels. Compile-and-go, rings-to-root in 0.6 s on our Xeon test bench. Clean exit routine avoids dmesg noise—nice touch. Clearly in-house research, not repo-scraped junk.
 

Codexshell

Cryptographer
Joined
Jun 19, 2019
Messages
6,121
Reaction score
3,211
Escrow Deals
24
Total Purchases
$ 5200
Total TradeVolume
$ 9175
Deposit
$ 2200
We licensed the Okta SCIM mis-sync bug for two high-profile audits. Shadow admin creation is silent; no event fired in System Log. Live demo via tmux convinced our legal team to green-light payment within ten minutes. NDA process straightforward, no fluff.
 

OceanPlaza

Firewall Slayer
Joined
Nov 16, 2023
Messages
8,298
Reaction score
4,216
Escrow Deals
96
Total Purchases
$ 12812
Total TradeVolume
$ 9035
Deposit
$ 1317
The win32k callback race exploit popped SYSTEM on fully-patched Windows 11 23H2 with Defender active. Comes bundled with a signed driver loader for EDR evasion-didn’t trip any Canary tokens. Turnaround from order to working shell: ~3 hours. Seller kept me updated the whole time
 

Gabiel

Security Auditor
Joined
Sep 30, 2021
Messages
3,181
Reaction score
821
Escrow Deals
6
Total Purchases
$ 5255
Total TradeVolume
$ 11250
Deposit
$ 4100
Bought the Docker socket abuse kit. Single liner mounts host FS in container, privilege escalate to root, tested on Debian 12 & CentOS Stream. PoC includes cleanup scripts to delete audit logs. Communication via XMPP/OMEMO was smooth; GPG key rotated weekly—good OPSEC.
 

Signal

Clean Trader
Joined
Oct 2, 2018
Messages
4,512
Reaction score
1,613
Escrow Deals
43
Total Purchases
$ 7400
Total TradeVolume
$ 15235
Deposit
$ 1200
Leveraged the Confluence OGNL RCE pre patch. Seller limited buyers to two seats; mine was #2. Helped me lock a $40k bounty within 24 hrs. Clear explanation of OGNL filter precedence made tweaking payloads trivial. Money well spent
 

Mr Robins

Hacker
Joined
Sep 4, 2011
Messages
7,322
Reaction score
2,435
Escrow Deals
53
Total Purchases
$ 10150
Total TradeVolume
$ 21355
Deposit
$ 1635
Terraform backend takeover exploit let us overwrite state in remote S3 with versioning disabled/
Documentation had full threat model plus guardrails. Red team gained IAM Admin in demo environment; blue team called it “eye-opening.” Paid 0.12 BTC via escrow; release executed after live proof.
 

Riserayss

Member
Joined
Mar 16, 2018
Messages
1,320
Reaction score
324
Escrow Deals
5
Deposit
$ 2700
Acquired an on-chain flash-loan TX sequence bug (undisclosed DEX). Seller walked us through Brownie scripts; even provided gas-optimised Solidity patch for defence. We netted mid-five-figure profit during a 30-minute window. Only two copies sold—respect for exclusivity.
 

OffWitelogs

Social Engineer
Joined
Feb 14, 2018
Messages
694
Reaction score
110
Escrow Deals
14
Deposit
$ 1420
The MID-server reverse-tunnel vector dropped a bash shell behind corporate firewalls without tripwire alerts.
PoC bundled Java deserial payload generator and a one-click cleanup.
Delivered under 24 hrs. Follow-up Q/A answered in under 2 hrs despite time-zone gap.
 

Marlundofoxster

Firewall Slayer
Exploit Tester
Joined
Feb 12, 2005
Messages
1,822
Reaction score
1,023
Escrow Deals
11
Total Purchases
$ 5850
Total TradeVolume
$ 9380
Deposit
$ 1150
Hyper-V guest-to-host escape operated on Server 2022 Core. Kernel exploit chain stable across nested virt. Seller included PS scripts to auto-disable ETW traces. Procurement team impressed by vendor’s willingness to tweak license for limited one-month engagement.
 

AntoniaMorf

Reverse Engineer
Shell Coder
Joined
Aug 15, 2018
Messages
8,291
Reaction score
6,218
Escrow Deals
30
Total Purchases
$ 32193
Total TradeVolume
$ 17712
Deposit
$ 5000
We tested the payment-gateway callback spoof exploit on a staging Stripe account—successfully forged ‘payment_intent.succeeded’ events. Seller warned about narrow patch window; indeed fixed ~10 days later. Still closed a critical finding for our client. Great ROI at $3k.
 

PopSmoke

White Hat
Zero Day Hunter
Joined
Feb 8, 2017
Messages
10,831
Reaction score
4,121
Escrow Deals
6
Total Purchases
$ 17383
Total TradeVolume
$ 21003
Deposit
$ 4130
Device-code hijack in AzureAD let us bypass MFA across 50+ tenants during targeted engagement. Step-by-step guide included M365 audit trail suppression. Vendor provided immediate hotfix guidance for client post-report, which helped us secure follow-up contract. Professionalism A+.
 

Molly

Dump Dealer
CVV Seller
Joined
Apr 4, 2020
Messages
4,564
Reaction score
1,226
Escrow Deals
22
Total Purchases
$ 7820
Total TradeVolume
$ 20000
Deposit
$ 6170
Used the AWS entitlement chain drop. Delivered with working PoC and SDK walkthrough. Ran in test org without detection. Serious vendor. Will return!
 

ChloeBruce

Exploit Developer
Gray Hat
Joined
Feb 11, 2020
Messages
1,343
Reaction score
6,451
Escrow Deals
72
Total Purchases
$ 15700
Deposit
$ 6130
Picked up the vCenter deserialization chain.
Initial access within 10 mins of deployment. Exactly as described. Clean, precise, and no noise.
 

Mancelo

Malware Coder
Joined
Feb 18, 2023
Messages
1,527
Reaction score
835
Escrow Deals
34
Total TradeVolume
$ 7212
Deposit
$ 3170
Bought a ServiceNow RCE for internal testing. Patch was weeks away. Weaponized in our CI pipeline within 24 hours. Extremely useful.
 
Top