Results 1 to 5 of 5

Thread: How do you find __YOUR__ zerodays?

  1. #1
    Just burned his ISO
    Join Date
    Jul 2011
    Posts
    10

    Default How do you find __YOUR__ zerodays?

    Hey all,

    I am trying to expand my horizon with exploit development.
    And thus I am wondering how you find your zerodays?
    My methods now are:
    If there is a source code.
    1. I pick a product I frequently use.
    2. I launch cscope to find dangerous functions (memcpy, strcpy, execvl, etc).
    3. For all these functions I back trace the arguments to there origin.
    4. In case the origin is user supplied or otherwise from an source that could be tampered with I write this down.
    5. After all of the functions have been back traced I attach gdb to a binary form and try to malform the buffer the way I require.
    6. I document this and then try to stabilize the exploit.

    In case I do not have the source code, I do the same.
    But using IDA or Radare (Depending if its a win app or a Unix app)

    I know I should fuzz. But often I just cant be asked.
    Just since I don't want to write a specific fuzzer for each application. I never got something out of it and thus I don't find it rewarding.

    What are your ways achieve this?
    I think there are better ways, once I read something about a tracer tool that noticed if a user supplied buffer was allocated on the heap and it reported the size of the buffer etc. I forgot the name of that tool but I think that has some potential.

    Looking forward to hear from you guys.

    Cheers,
    Illiac

  2. #2
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Default Re: How do you find __YOUR__ zerodays?

    For network applications I like SPIKE or Sulley for fuzzing. I haven't found a good easy solution to file based exploits but I haven't put too much time into looking either. I find it's pretty rare to have source code unless you are specifically reviewing code for somebody.

  3. #3
    Just burned his ISO
    Join Date
    Jul 2011
    Posts
    10

    Default Re: How do you find __YOUR__ zerodays?

    Alright, I use fusil or spike as well for my fuzzy needs. Although I have noticed (as I already noticed) that it has a poor payoff..
    When I do source code audits its most often for OpenSource software, the funny thing is that I always find my zerodays when they are not acctually zerodays anymore.
    Eg I found a vundl in python... Took me a while to fully exploit it. And then one day that I checked exploit-db.com I saw. MY python exploit by some one else. They were just quicker. Same with the modx cms system. And some others. But hey. its still a good training imho ^^

  4. #4
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Default Re: How do you find __YOUR__ zerodays?

    I also use spike for my fuzz needs. Sounds like you have a good method down; I think that will serve as well, or better than, any specific tool. I recall reading an interview article not long ago (don't remember the URL) about HD Moore & his process for security research. That may also be a good place to look.
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  5. #5
    Just burned his ISO
    Join Date
    Jul 2011
    Posts
    10

    Default

    Oh, indeed I'll have a look at that and ask my good friend to find this for me ('google').

    Thanks for the reply. =)

    As I can't edit my post yet.

    I found it: http://resources.infosecinstitute.co...rity-research/
    Last edited by bolexxx; 07-18-2011 at 10:26 PM.

Similar Threads

  1. How to find out?
    By mikeolranto in forum OLD Newbie Area
    Replies: 10
    Last Post: 05-12-2009, 10:33 AM
  2. Find handshake: help find password
    By spinmar in forum OLD Wireless
    Replies: 7
    Last Post: 07-03-2008, 10:36 AM
  3. How do I find out if its 64 or 128?
    By Whitecrow in forum OLD Newbie Area
    Replies: 6
    Last Post: 06-08-2008, 04:46 AM
  4. Can't find dll's for Metasploit?
    By Israel213 in forum OLD Newbie Area
    Replies: 3
    Last Post: 04-29-2008, 03:27 AM
  5. can't find HD
    By BBRO72 in forum OLD Newbie Area
    Replies: 5
    Last Post: 03-16-2008, 06:52 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •