QUESTION: Exploit Development & Category Creation


#1

First off, for Devs (@oaktree, @unh0lys0da, @pry0cc): Can we get a category for Exploits/Exploit Development?

Now, main topic, Exploit Development.

BACKGROUND: If you have ever run a vulnerability scan on an application or network, you’ll notice that some scanners will also accompany the vulnerability with a CVE number. If you go over to CVE Details or some other CVE database site you’ll notice that they will give some details as to the nature of the vulnerability (probably due to vendor change logs or whatever) and whether or not there is a public exploit or 'sploit module available. More often than not, you’ll find that nothing is available, even if it does have a CVSS score of 10.0 (which is the worst it could be).

QUESTION: Tools exist that will scan an application's binaries; however, any of those worth their salt cost several thousands of dollars PER binary scanned (or so I’ve been told). My question is, are there any freeware methods of doing the same thing without sitting down and trudging through the source code? Furthermore, what would be the easiest way to acquire an application's binaries?


#2

Let me preface this with: I am not claiming to be an expert, nor have I used said tool I am to mention.

However, let me ask you a question in return before I dive in. Have you used IDA Pro, or any debugger for manual analysis? I know you are hoping not to do such, and are looking for an automated method; I am just curious as to the skill base with which you are dealing.

Now, with that said. A brief Google search reveals that there is a collection of scripts for IDA Pro that will do something similar to what you are hoping, in that you perform automated binary analysis for vulnerabilities or misuse of functions in programs that would allow you to exploit them.

BugScam is a collection of scripts for the commercial debugger IDA Pro (http://www.datarescue.com) that will scan a given binary for problematic uses of certain library functions (e.g. strcpy etc) and generate a nice output file (HTML so far, LaTeX soon).

http://www.openrce.org/downloads/details/69/Bugscam

Lacking reviews on SourceForge, as I stated in the premise, I cannot guarantee the quality. But maybe this will get you moving in the right direction.

I will continue to research your issue, and post back with further information and options if I happen to discover them. Hope this helps at least a little on your venture.
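
The kind of triage described in post #2 (flagging call sites of library functions such as strcpy in a compiled binary), as an added example that is not part of the thread and not BugScam's code. It assumes `objdump -d` text as input; the watch list, the function name `risky_call_sites` and the sample disassembly are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch list: libc routines that take no destination-size argument.
RISKY = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}

# "0000000000401146 <copy_name>:" starts a function in objdump -d output.
FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# "  40115d:<TAB>e8 ...<TAB>call   401030 <strcpy@plt>" is a direct call.
CALL_RE = re.compile(
    r"^\s*([0-9a-f]+):\s.*\bcall[a-z]*\s+[0-9a-f]+ <([^>@+]+)(?:@plt)?>")

def risky_call_sites(disasm):
    """Map each function to the (address, callee) pairs worth reading first."""
    hits = defaultdict(list)
    current = None
    for line in disasm.splitlines():
        m = FUNC_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = CALL_RE.match(line)
        if m and current and m.group(2) in RISKY:
            hits[current].append((int(m.group(1), 16), m.group(2)))
    return dict(hits)

# Constructed sample in `objdump -d` layout (addresses and bytes are made up).
SAMPLE = """\
0000000000401146 <copy_name>:
  401146:\t55                   \tpush   %rbp
  40115d:\te8 ce fe ff ff       \tcall   401030 <strcpy@plt>
  401163:\tc3                   \tret

0000000000401164 <main>:
  401178:\te8 c3 fe ff ff       \tcall   401040 <puts@plt>
  401184:\te8 bd ff ff ff       \tcall   401146 <copy_name>
  401190:\te8 bb fe ff ff       \tcall   401050 <gets@plt>
"""

if __name__ == "__main__":
    for func, calls in risky_call_sites(SAMPLE).items():
        for addr, callee in calls:
            print(f"{func}: {callee} called at {addr:#x}")
```

A hit only marks a call site to review by hand; whether it is a bug depends on how the arguments are bounded at that site.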


(Command-Line Ninja) #3

https://0x00sec.org/c/How-to/exploit-development
https://0x00sec.org/c/hacking/exploit-development

All done! :wink:

As for the question, I have no idea. But the easiest way to actually acquire the application's binary would be to download it from the developer's site, or build it from source. Compiled applications/programs == binary.


#4

Any executable / machine code is binary. If there is source code available, there is little point in going through it, because if you have the source code and know where the vulnerability is, then you can set a breakpoint and go to that point with a debugger (WinDbg, gdb, Immunity) or RE kit (radare2, IDA Pro free). Then you can see what bad input does.
The thing with automated vulnerability scanners is that the developers of the software likely ran it themselves, and if they would’ve found it in that manner they would’ve fixed it.
If you want to find your own vulnerabilities you can try fuzzing or static analysis with IDA Pro.
Either way, automation requires knowledge of doing it manually.
Free versions, if there are any, have very likely been tested by the developers, unless they’re completely incompetent / retarded.
@dtm What’s your opinion on what I said? You’re more into this than I am.


#5

Pretty much covered it as far as I can see. Never rely on automated tools. You’re either completely in or out, there is no in-between with such a high level of hackery such as vulnerability analysis because there’s too much you need to know and understand about everything.


#6

They usually are. XD

But yeah, I kinda figured this would be the response. I know how to do it all manually, I just wanted something to tell me where to look so I don’t have to sift through thousands of lines of code.


#7

A proper CVE gives a line number or a function name.


#8

LOL, proper he says.