What is best methodology for discovery vulnerability and Exploit Development in binary software?

I’m new in Exploit Development and Discovery Vulnerability. I learning some technique by some course and books.I have learned Stack Buffer Overflow and Heap Buffer Overflow and Format Strings and some bypass technique for ASLR,NX,DEP , … .
But I think its only technique and I need a methodology for best performance in discovery vulnerability in binary software.
so,what is best methodology for discovery vulnerability and Exploit Development in binary software?

2 Likes

Well isn’t that the million dollar question

3 Likes

I find this presentation in 2017 :
BalCCon2k17 - m-r Mane Piperevski - Methodology for Vulnerability Research and Exploit Development

if you have other resource share it.

3 Likes

Well, thats not so easy to answer.

One way is the good old source code analysis. A lot of important security issues were found this way. For example the recent sudo bug.

If you’re looking and auditing source code, the easiest way is to simply search for unsecure functions, which exist in all languages. And if you find one, you are basically following the call graph and see where is the input data coming from. Can I somehow influence it etc.

Another way, if you for example, do not have the source code available, is fuzzing. It can often find some good issues. However, the really hard part, most of the time is exploiting it.

The problem with a lot of pwn challenges and educational stuff, is that it is a very “sandboxed” view of things. In the real world it can get way more complicated to write a proper and stable exploit. Finding a buffer overflow or other type of vuln, can be challenging but most of the time its not that hard. The hard part is to exploit it in a way that the application keeps working.

Last but not least, I would say manual testing paired with an attached debugger / disassembler.
Look for user input and any possible way you can provide data. Look at error handling etc.

2 Likes

This is a very common question and one that doesn’t have an easy answer. The problem in even answering this for you is that we can only speculate how much you know, how much is academic vs experienced, etc.

For discovery a lot of work is being done in VR&D, and I tend to see a lot of people at minimum incorporating fuzzing into their efforts. Project zero has a lot of interesting projects and blogs around fuzzing various applications:

I encourage you to look into fuzzing as it’ll help you at least get into more real world exploit development as you have to verify if a crash is of value or even reproducible.

You should also look more into “chaining”. Lots of people have been lucky in finding a vuln but often struggle to turn it into a full “exploit chain”. So if you were lucky enough to find a vuln in let’s say a browser … can you consistently reproduce it, and can you have it escape sandbox or carry out additional functionality?

So fuzzing, and full exploit chain development would be my recommendation if you feel confident enough in the basics.

3 Likes