Full Disclosure mailing list archives
RE: Publishing exploit code - what is it good for
From: Marvin Simkin <Marvin.Simkin () asu edu>
Date: Thu, 30 Jun 2005 13:02:43 -0700
While performing penetration testing at the request of a Fortune 500 financial services company, I discovered a vulnerability that, if abused, could have been used to initiate fraudulent funds transfers, stock market transactions, etc. The client was skeptical when told the exploit could occur in a matter of two or three seconds, go unnoticed by the victim, and gain such comprehensive unauthorized access.

At the client's request, I wrote a proof-of-concept exploit that demonstrated everything except the final fraudulent action, but made it clear that exposure was only one more tiny step away. The client overcame their skepticism.

While this particular exploit was not published, it shows a real-world "end-user organization [with] legitimate needs for exploit code" resulting in greater security for all customers of this organization. Another penetration tester in similar circumstances might be able to use or adapt a published exploit instead of writing a new one from scratch.

Marvin Simkin
http://simkin.asu.edu/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/