
Discovering and writing zero-day exploits?


Quote

Newbie

Posts: 5

Joined: Sun Jul 24, 2011 7:14 am

Post Tue Jul 26, 2011 1:59 pm

Discovering and writing zero-day exploits?

What are some good resources for learning how to discover a zero-day vulnerability and write an exploit for it? I've got a book that covers an introduction to shellcoding, the kind that I think is usually called setreuid, but I was wondering if there was any more complex shellcode out there, whether it was necessary, and what the mechanics are of actually finding a flaw myself and writing the kind of script Metasploit uses.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jul 26, 2011 4:05 pm

Re: Discovering and writing zero-day exploits?

You've got a number of topics going on here. Let's clarify so I can give you an answer.

To discover 0-days, you need to find a vulnerability in a piece of software. This can be done via fuzzing, source code review, or reverse engineering. There are a bazillion ways to fuzz. Reverse engineering is an art, and it's hard to do. Source code review obviously only works if you have the source code. For the last 6 months, I've been fuzzing the crap out of FTP servers. Since this is a clear-text protocol, I just wrote a fuzzer in Python and it's very straightforward. You could also use Spike or Sulley, which are full-blown fuzzing frameworks. Pick up a book on fuzzing; it will open your eyes. This is probably the most common way to find bugs in software.

Shellcoding is just a way of executing instructions directly in memory. This is separate from the vulnerability. Typically, you'd find a vulnerability and then use shellcode to manipulate the program the way you want after you have controlled EIP or SEH. For example, we'd use it to run a shell, connect back to an attacker, jump around memory, use ROP gadgets, etc. Creating shellcode like you're talking about is probably more than what you want to do at this point. Metasploit has tried-and-true shellcode that even works with encoding. I would just start with that.

To give you a real easy introduction into this, go get a copy of FreeFloat FTP server. This is the biggest PoS software I've seen in a while. Almost every command is vulnerable to a basic buffer overflow. Try not to look at any of the exploits I or anyone else wrote for this software. Try to find them on your own by fuzzing the app, finding a vulnerability and then creating an exploit to take advantage of that vuln. If anyone is interested in buffer overflows, start with this app!

Does that help?
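The "basic buffer overflow" in an FTP command handler that the post above points at, as an added example that is not from this thread or from FreeFloat FTP: a constructed vulnerable USER handler beside a hardened one that checks the argument length and refuses over-long input instead of copying it. The buffer size, function names and sample input are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: fixed-size buffer for one FTP command argument. */
#define ARG_MAX 64

/* Vulnerable pattern (illustration only, never run on untrusted input):
 * the argument of "USER <name>" is copied into a fixed stack buffer with
 * no length check, so an over-long argument overwrites adjacent stack. */
int handle_user_unsafe(const char *line) {
    char arg[ARG_MAX];
    const char *space = strchr(line, ' ');
    if (!space) return -1;
    strcpy(arg, space + 1);  /* unbounded copy: the bug class described above */
    return (int)strlen(arg);
}

/* Hardened form: the caller supplies the buffer and its size, the argument
 * length is checked before any copy, over-long input is rejected (not
 * silently truncated), and the result is always NUL-terminated. */
int handle_user_safe(const char *line, char *out, size_t out_len) {
    const char *space = strchr(line, ' ');
    if (!space || out_len == 0) return -1;
    const char *arg = space + 1;
    size_t n = strcspn(arg, "\r\n");     /* argument ends at the FTP line end */
    if (n >= out_len) return -2;         /* would not fit: refuse to copy */
    memcpy(out, arg, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: a 200-byte argument, the shape a fuzzer would send.
 * Returns 1 when the hardened handler rejects it. */
int long_argument_rejected(void) {
    char line[256] = "USER ";             /* remaining bytes zero-initialised */
    memset(line + 5, 'A', 200);
    memcpy(line + 205, "\r\n", 3);        /* includes the terminating NUL */
    char out[ARG_MAX];
    return handle_user_safe(line, out, sizeof out) == -2;
}

int main(void) {
    char out[ARG_MAX];
    int n = handle_user_safe("USER anonymous\r\n", out, sizeof out);
    printf("normal login: rc=%d arg=\"%s\"\n", n, out);
    printf("200-byte argument rejected: %s\n",
           long_argument_rejected() ? "yes" : "no");
    return 0;
}
```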

Quote

Newbie

Posts: 5

Joined: Sun Jul 24, 2011 7:14 am

Post Tue Jul 26, 2011 4:36 pm

Re: Discovering and writing zero-day exploits?

Yes, this helps a bit. Can you recommend a good book on fuzzing?

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jul 26, 2011 4:38 pm

Re: Discovering and writing zero-day exploits?

I have the Sutton book. It's pretty good:

http://www.amazon.com/Fuzzing-Brute-For ... 257&sr=8-1

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Jul 27, 2011 11:42 am

Re: Discovering and writing zero-day exploits?

If you're looking for 0-days in web applications, you pretty much need to know the language used if you want to go deep. Otherwise you can fuzz all the user input and hope an error is returned, but in some cases a lot of conditions may have to be present for a vulnerability to become visible and possibly exploitable.

You can read more about finding vulnerabilities in PHP scripts by SirGod here:
http://forum.intern0t.net/offensive-gui ... irgod.html
I'm an InterN0T'er

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jul 27, 2011 11:51 am

Re: Discovering and writing zero-day exploits?

Here are my recommendations on books and sites:

"Fuzzing for Software Security Testing and Quality Assurance" - Charlie Miller, Jared DeMott, Ari Takanen (de-facto must have)
"Fuzzing: Brute Force Vulnerability Discovery" - Pedram Amini, Michael Sutton, Adam Greene (must have)
"Reversing: Secrets of Reverse Engineering" - Eldad Eilam
"The IDA Pro Book" - Chris Eagle

OpenRCE - http://www.openrce.org/articles/

As for tools, the usual suspects: IDA, Olly, Immunity Debugger. However, I also suggest learning WinDbg as well as possible. Finding bugs by way of fuzzing is difficult if you don't understand programming (assembly to a good degree), the operating system, and the protocols. For Microsoft, I suggest you make MSDN your friend.
