.

Exploits => reverse engineering => bug findings Where to begin?

<<

millwalll

Post Tue Sep 20, 2011 5:50 am

Exploits => reverse engineering => bug findings Where to begin?

Hi all,

I am after some advice, I would like to learn more about finding bugs and using this to make exploits. I am very new to this sort of area and not sure best place to start. Are there any good website or books that take you from complete newbie to a intermediate level or beyond?

thanks 
<<

idr0p

Newbie
Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Tue Sep 20, 2011 6:27 am

Re: Exploits => reverse engineering => bug findings Where to begin?

GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Sep 20, 2011 7:52 am

Re: Exploits => reverse engineering => bug findings Where to begin?

There are a few angles to think about when finding bugs. You can fuzz apps to find bugs, you can do manual code review (which is likely not possible unless you have the code) or you can do reverse engineering.

For fuzzing, the Sutton book is great http://www.amazon.com/Fuzzing-Brute-For ... 906&sr=8-1

For RE, you can start with this book http://www.amazon.com/Reversing-Secrets ... 939&sr=1-1

RE is hard, fuzzing is not nearly as hard. Once you find the bug, then you need to figure out if its exploitable and write an exploit for it. OSCE is great for this!

The Malware Analysts Cookbook is more for learning about how to deal with and analyze malware. Not necessarily finding 0 days.
<<

millwalll

Post Tue Sep 20, 2011 10:09 am

Re: Exploits => reverse engineering => bug findings Where to begin?

Thanks for the links what best OS to use ? also what good tools to use I know the books would recommend some tools but would like to try have play before I get the books :) thanks
<<

mambru

Jr. Member
Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Tue Sep 20, 2011 10:12 am

Re: Exploits => reverse engineering => bug findings Where to begin?

both idr0p and cd1zz have given very good recommendations. If you follow the RE path, sooner or later you'll want to start using IDA Pro, the next book is awesome to learn about it

http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/ref=sr_1_1?ie=UTF8&qid=1316531493&sr=8-1
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Tue Sep 20, 2011 10:18 am

Re: Exploits => reverse engineering => bug findings Where to begin?

I have gotten the "Hacking: The art of exploitation" which is a really good book, however that was after I started developing my own exploits.

Initally I looked at null threats blog which really got me hooked on exploit development except I didn't use metasploit, but rather started learning some python and recreating an exploit from scratch from the exploit db using the concept he shows in the videos.

That was all in the lead up to starting pwb which has a good section on exploit development, but as I'd done it before some people said I was at an advantage.
Last edited by TheXero on Tue Sep 20, 2011 10:19 am, edited 1 time in total.
<<

mambru

Jr. Member
Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Tue Sep 20, 2011 10:21 am

Re: Exploits => reverse engineering => bug findings Where to begin?

Thanks for the links what best OS to use ? also what good tools to use I know the books would recommend some tools but would like to try have play before I get the books Smiley thanks


The OS will depend on what SW you try to find the bugs, you can find good tools both for Win and Linux (I'm sure also for OS X, but I don't have any experience there), for example, regarding debuggers on Linux you have gdb, while on Win you have Windbg (you'll want to start with Immunity Debugger or OllyDbg though). Regarding other fuzzers, it will depend once again on what kind of SW you're fuzzing. So there's no an all-fit-one tool.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Sep 20, 2011 10:23 am

Re: Exploits => reverse engineering => bug findings Where to begin?

In this case, different from your last post....when you're debugging or RE an application for Windows, you'll likely be using Windows as your OS. I think its possible to do cross debugging but I have zero experience with that.

I always use a windows box to debug windows apps with Immunity debugger. Corelan has a tremendous plugin called mona.py that can really speed up exploit development, especially if you want to create metasploit modules. I think IDA has a Linux version but I'm not sure. Mambru has more RE experience than I do and can give you better advice on that.
<<

millwalll

Post Wed Sep 21, 2011 3:29 am

Re: Exploits => reverse engineering => bug findings Where to begin?

Thanks I think most of my stuff will be done on windows as I have 14 year working on windows boxes and only about 2 or 3 with linux.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 10:55 am

Re: Exploits => reverse engineering => bug findings Where to begin?

These are the books I would add, with the IDA book being number 1

Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
http://www.amazon.com/Art-Software-Secu ... _lmf_tit_8

Rootkits: Subverting the Windows Kernel
http://www.amazon.com/Rootkits-Subverti ... lmf_tit_14

Exploiting Software: How to Break Code
http://www.amazon.com/Exploiting-Softwa ... lmf_tit_12

The Shellcoder's Handbook: Discovering and Exploiting Security Holes
http://www.amazon.com/Shellcoders-Handb ... lmf_tit_13

Fuzzing for Software Security Testing and Quality Assurance
http://www.amazon.com/Fuzzing-Software- ... _lmf_tit_7

Aside from the reading, operating system is only relevant to what you want to find "faults" with. Fuzzing is nothing more than fault injection. You likely would yield little results fuzzing Windows files on a Nix box. There are plenty of tools on Windows systems that can help you: PaiMei, Klocwork Architect, Codenomicon, Protos, etc.

The key to benefitting though is to focus on understanding why an application is behaving in a method that causes it to act outside of the norm. This will include knowing and understanding a lot of machine code (Assembly) as well as understanding debugging. For debugging on Windows I use WinDBG for almost everything. From time to time I may plop in and out of Olly or Immunity Debugger, but WinDBG has been very useful to me.

When I was getting deeper into debugging and figuring things out, I followed Vostokov heavily:

http://www.dumpanalysis.org/blog/index.php/about/
http://www.amazon.com/Crash-Dump-Analysis/dp/B0042ETC7C

There is a lot to know for Windows including literally living on MSDN for months reading up on calls, instructions, etc. This was primarily for Windows mind you. *nix based fuzzing is a bit different because of the variants (Linux, BSD, Solaris, HPUX, QNX, etc). Almost all handle things differently.

Fuzzing involves more than just tools. What's the point of aiming tools to find a crash if you don't know how to capitalize on that crash.

If you heavily want to learn, I suggest you watch for Assured Exploits training by Dino Dai Zovi (http://trailofbits.com/2011/01/11/upcom ... s-in-2011/). I have not taken the OSCE so I am unsure how much you can actually yield with regards to fuzzying.

Another thing to note is OpenRCE.org, http://www.woodmann.com/ are your friends in this arena. In order to understand bugs, you WILL NEED TO understand reverse engineering heavily.
<<

millwalll

Post Wed Sep 21, 2011 12:22 pm

Re: Exploits => reverse engineering => bug findings Where to begin?

WOW! lots great resource that I will be checking out but I am total new to this sort of thing what book would be the best starting places as some I have looked at have assumptions. I know this hard question to answer.

I have some programing language skill's in Java and mainly web based stuff. I have never done any C,C++ or assembly. so I like fish out water I need like idiots guide to exploits as taking this up more of something to learn in my spare time. I just want to start from bottom and get better.

thanks
<<

mambru

Jr. Member
Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Sep 21, 2011 1:29 pm

Re: Exploits => reverse engineering => bug findings Where to begin?

I had the chance to attend the Assured Exploitation class by Dino Dai Zovi and Alex Sotirov, and it was awesome, I highly recommend it.

Another great class is Aaron Portnoy's Bug hunting and analysis class. He will give it once again next January. You can check the last edition contents:

http://recon.cx/2011/training3.html
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Sep 22, 2011 12:54 am

Re: Exploits => reverse engineering => bug findings Where to begin?

I thought of this thread when I saw this on twitter...

@thealuc: learn reverse engineering with a free copy of IDA Pro and trainings examples... download it here: bit.ly/oIzLmz
GSEC, eCPPT, Sec+
<<

millwalll

Post Thu Sep 22, 2011 3:13 am

Re: Exploits => reverse engineering => bug findings Where to begin?

Thanks for the links. mambru looks good but I am based in the UK so its pain to get to Canada :P
<<

hurtl0cker

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 10:09 am

Location: WWW

Post Sun Sep 25, 2011 1:42 am

Re: Exploits => reverse engineering => bug findings Where to begin?

There is a new book out there
http://www.amazon.com/Bug-Hunters-Diary ... 1593273851

Myne-US laid out a nice road map for any one who are starting their a journey into exploitation from the scratch. Hope it might help

http://myne-us.blogspot.com/2010/08/fro ... -into.html
Last edited by hurtl0cker on Sun Dec 11, 2011 12:31 am, edited 1 time in total.
“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee

Return to Programming

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software