How do you find __YOUR__ zerodays?
Hey all,
I am trying to expand my horizons with exploit development.
And thus I am wondering how you find your zerodays?
My methods now are:
If there is source code:
1. I pick a product I frequently use.
2. I launch cscope to find dangerous functions (memcpy, strcpy, execvl, etc).
3. For all these functions I back trace the arguments to their origin.
4. In case the origin is user supplied or otherwise from a source that could be tampered with, I write this down.
5. After all of the functions have been back traced I attach gdb to a binary form and try to malform the buffer the way I require.
6. I document this and then try to stabilize the exploit.
In case I do not have the source code, I do the same.
But using IDA or Radare (depending on whether it's a Windows app or a Unix app).
I know I should fuzz. But often I just can't be asked.
Mainly since I don't want to write a specific fuzzer for each application. I never got anything out of it and thus I don't find it rewarding.
What are your ways to achieve this?
I think there are better ways. Once I read something about a tracer tool that noticed if a user-supplied buffer was allocated on the heap and reported the size of the buffer, etc. I forgot the name of that tool, but I think it has some potential.
Looking forward to hearing from you guys.
Cheers,
Illiac
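Steps 2 to 4 of the source-audit method above (find the dangerous functions, then trace their arguments back to see whether a caller controls them), as an added example that is not code from the original post: a Python script that scans C source for the listed sinks and flags every argument that derives from a parameter of the enclosing function. The sink list, the two regexes and the sample C file are constructed here; it is a line-based triage heuristic, not a replacement for cscope's cross-references.

```python
import re

# Sinks named in the post plus a few classic unbounded string/exec calls (constructed list).
DANGEROUS = {"strcpy", "strcat", "sprintf", "gets", "memcpy", "execl", "execv", "system"}
# Line-based heuristics (constructed): a C function header, and a sink call ending in ';'.
FUNC_RE = re.compile(r"^\s*[A-Za-z_][\w\s\*]*?\s+\**([A-Za-z_]\w*)\s*\(([^)]*)\)\s*\{?\s*$")
CALL_RE = re.compile(r"\b(" + "|".join(sorted(DANGEROUS)) + r")\s*\(([^;]*)\)\s*;")

def param_names(params):
    """Identifiers from a C parameter list: "char *dst, size_t n" -> {"dst", "n"}."""
    found = (re.search(r"([A-Za-z_]\w*)\s*(\[[^\]]*\])?$", p.strip()) for p in params.split(","))
    return {m.group(1) for m in found if m} - {"void"}

def audit(source):
    """List each sink call with the arguments that derive from the enclosing
    function's parameters, i.e. values a caller can influence (step 3 of the post)."""
    findings, current, params = [], None, set()
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FUNC_RE.match(line)
        if m:  # new function definition: remember its parameter names
            current, params = m.group(1), param_names(m.group(2))
            continue
        for call in CALL_RE.finditer(line):
            args = [a.strip() for a in call.group(2).split(",")]
            tainted = [a for a in args if any(re.search(rf"\b{re.escape(p)}\b", a) for p in params)]
            findings.append({"line": lineno, "function": current, "sink": call.group(1),
                             "args": args, "tainted": tainted})
    return findings

# Constructed sample: one caller-controlled sink, one local-only sink, one argv-fed sink.
SAMPLE_C = """\
#include <string.h>
static void copy_name(char *dst, const char *name) {
    strcpy(dst, name);
}
static void greet(void) {
    char local[8];
    strcpy(local, "hello");
}
int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);
    return 0;
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_C):
        flag = "CALLER-REACHABLE" if f["tainted"] else "local-only"
        print(f"line {f['line']:>3} {f['function']}(): {f['sink']}({', '.join(f['args'])}) [{flag}]")
```

Calls flagged CALLER-REACHABLE are the ones worth following up the call chain (step 4); local-only hits with constant sources can usually be dismissed quickly.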
Re: How do you find __YOUR__ zerodays?
For network applications I like SPIKE or Sulley for fuzzing. I haven't found a good, easy solution to file-based exploits, but I haven't put too much time into looking either. I find it's pretty rare to have source code unless you are specifically reviewing code for somebody.
Re: How do you find __YOUR__ zerodays?
Alright, I use fusil or SPIKE as well for my fuzzy needs. Although I have noticed (as I already mentioned) that it has a poor payoff.
When I do source code audits it's most often for open-source software. The funny thing is that I always find my zerodays when they are not actually zerodays anymore.
E.g. I found a vuln in Python... It took me a while to fully exploit it. And then one day when I checked exploit-db.com I saw MY Python exploit by someone else. They were just quicker. Same with the MODX CMS system, and some others. But hey, it's still good training IMHO ^^
Re: How do you find __YOUR__ zerodays?
I also use SPIKE for my fuzzing needs. Sounds like you have a good method down; I think that will serve as well as, or better than, any specific tool. I recall reading an interview article not long ago (don't remember the URL) about HD Moore and his process for security research. That may also be a good place to look.