Re: [Full-disclosure] exploit frameworks
From: Dave Aitel (dave_at_immunitysec.com)
Date: 09/30/05
- Previous message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 829-1] New mysql packages fix arbitrary code execution"
- In reply to: Bernhard Mueller: "Re: [Full-disclosure] CORE-Impact license bypass"
- Next in thread: fd_at_ew.nsci.us: "Re: [Full-disclosure] CORE-Impact license bypass"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Sep 2005 03:19:51 -0400 To: Bernhard Mueller <research@sec-consult.com>
There's additional value to an exploit framework for many penetration
testing specialists: being able to write exploits faster sometimes makes
it possible to impress clients with a shell, rather than simply showing
them a POC crash. Having good shellcode libraries for various platforms
is a nice side effect of a GUI-hacking-tool that most people don't take
advantage of, but for the experts, can really come in handy. This is
true even within the Immunity team: having everyone able to use the heap
API's Nico creates makes us all better.
Realistically, most people who write exploits have their own library of
tools - but there's always that first time when they think "Hey, I don't
want to write a shellcode decoder for PPC today." and then they use
CANVAS and if it works out, they warm up to having someone else do the
grunt work for them so they can concentrate on exploiting whatever bug
it is they're working on.
Frameworks are just that: things you build on top of. Some people build
0days, and for others, it's automation scripts that are custom to
whatever client they're working on. But it's still down to the actual
skill you bring to the table.
As a side note, having all your exploits in one API makes you able to do
certain transformations on them. I released a presentation delivered at
HITB yesterday here that demonstrates some other advantages relating to
that:
http://www.immunityinc.com/downloads/nematodes.sxi
-dave
Bernhard Mueller wrote:
>
> i agree with this. it's often much easier to find a bug than to exploit
> it (see strange heap overflows and the like), and i also don't have the
> time to spend days on disassembling and looking for attack vectors (and
> i'm sure that other people will have more fun doing just that).
> what i criticize is that *lots* of companies (at least here in my
> vicinity) are selling cheap "vulnerability assessments" which actually
> are nothing more than automated security scans. this leads to the
> customer feeling safe when he's really wide open to attacks. often,
> these people's networks can be rooted in no time.
> sure, you don't have to be uber-31337 to do penetration tests (i'm
> certainly not), but it should definitely go beyond the
> "scan--+--google-for-exploit" approach.
>
> regards,
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Previous message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 829-1] New mysql packages fix arbitrary code execution"
- In reply to: Bernhard Mueller: "Re: [Full-disclosure] CORE-Impact license bypass"
- Next in thread: fd_at_ew.nsci.us: "Re: [Full-disclosure] CORE-Impact license bypass"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
