Cesar Cerrudo, CEO of security consultancy Argeniss - who’s written some seriously interesting papers including a recent one on Windows local shellcode injection, has just released a new version of his Argeniss Ultimate 0day Exploits Pack which run on the Canvas platform from Immunity Security. Canvas is LGPL; both are commercial software which come with complete source code.

Argeniss’ Professional version costs $2500 for five seats, which includes three months of updates (they come monthly, also with complete source code) and email support. Additional quarters of updates and support (you can drop in and out at will) cost $1,200. Now, while this is technically open source, there are usage limitations: it’s specifically for penetration testing and evaluation in a narrowly defined range, and you must sign a non-disclosure agreement and agreee not to reverse engineer it. An advanced version pre-releases zero day exploits prior to release in the monthly update cycle.

The current pack includes several pre and post auth zero-day exploits against Oracle Database Server ver 9i R1, R2 and 10g R1 and R2, plus Microsoft SQL Server, Exchange, Windows 2000 SP4 and others.

Gleg, Ltd also sells a zero-day exploit pack for Canvas, with zero-day exploits against Lotus Domino, Samba, Eufora, MySql, Solaris and others, but it appears to be a non-open source license. It costs $10,100 for the pack and three months of updates and support; additional quarters are $2,500.