I am trying to expand my horizon with exploit development.
And thus I am wondering how you find your zerodays?
My methods now are:
If there is a source code.
1. I pick a product I frequently use.
2. I launch cscope to find dangerous functions (memcpy, strcpy, execvl, etc).
3. For all these functions I back trace the arguments to there origin.
4. In case the origin is user supplied or otherwise from an source that could be tampered with I write this down.
5. After all of the functions have been back traced I attach gdb to a binary form and try to malform the buffer the way I require.
6. I document this and then try to stabilize the exploit.
In case I do not have the source code, I do the same.
But using IDA or Radare (Depending if its a win app or a Unix app)
I know I should fuzz. But often I just cant be asked.
Just since I don't want to write a specific fuzzer for each application. I never got something out of it and thus I don't find it rewarding.
What are your ways achieve this?
I think there are better ways, once I read something about a tracer tool that noticed if a user supplied buffer was allocated on the heap and it reported the size of the buffer etc. I forgot the name of that tool but I think that has some potential.
Looking forward to hear from you guys.