Re: exploits, good exploits

["John Q Public" <johnqpublic2323 () mailvault com>]

0ddly, I didn't get a copy of the original message in my inbox - but I
have a few things to say about this thread.  First off, if you are
getting your exploits at public distribution sites such as:

 http://packetstormsecurity.nl/exploits20.shtml
 http://www.k-otik.com/exploits/
 http://www.securiteam.com/exploits/
 etc..

then you are already *several* steps behind the curve.  Climbing up the
chain, you will see release points such as exploit authors/groups
websites.  Higher still, you have private exploit distribution networks
such as trading in IRC channels and private mailing lists (I run a
private 0day mailing list myself, less technical than 0daydigest but
more action).  In these cases the way you get involved is if you
contribute something - you need to offer something new.  Beyond the
aforementioned, you pretty much just have the exploit developers
themselves.  My recommendation is learn to find your own bugs and write
your own code.

Though, it's interesting - there are now commercial grade exploits being
offered for sale from companies!

   $995 http://www.immunitysec.com/CANVAS/
 $15000 http://www.coresecurity.com/products/coreimpact/index.php

These packages are similar but include different exploits and framework
so it would be hard to compare the two.  Expect this short list (2) to
grow to dozens in the coming years, including opensource/free versions
I'm sure (but I hope not).

jqp

--- Frank Boldewin <frank.boldewin () gmx de> wrote:
> canvas has some 0day exploits and i think it is worth a buy,
> but another good product is core impact.
> they made a good product full of reliable exploits, for the
> latest bugs in major daemons. it's not very cheap, but worthy
> for that what u might searching for.
>
> cheers,
> frank