Full Disclosure mailing list archives
Re: exploit frameworks
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 30 Sep 2005 03:19:51 -0400
There's additional value to an exploit framework for many penetration testing specialists: being able to write exploits faster sometimes makes it possible to impress clients with a shell, rather than simply showing them a POC crash. Having good shellcode libraries for various platforms is a nice side effect of a GUI-hacking-tool that most people don't take advantage of, but for the experts, can really come in handy. This is true even within the Immunity team: having everyone able to use the heap API's Nico creates makes us all better.
Realistically, most people who write exploits have their own library of tools - but there's always that first time when they think "Hey, I don't want to write a shellcode decoder for PPC today." and then they use CANVAS and if it works out, they warm up to having someone else do the grunt work for them so they can concentrate on exploiting whatever bug it is they're working on.
Frameworks are just that: things you build on top of. Some people build 0days, and for others, it's automation scripts that are custom to whatever client they're working on. But it's still down to the actual skill you bring to the table.
As a side note, having all your exploits in one API makes you able to do certain transformations on them. I released a presentation delivered at HITB yesterday here that demonstrates some other advantages relating to that:
http://www.immunityinc.com/downloads/nematodes.sxi -dave Bernhard Mueller wrote:
i agree with this. it's often much easier to find a bug than to exploit_______________________________________________it (see strange heap overflows and the like), and i also don't have the time to spend days on disassembling and looking for attack vectors (and i'm sure that other people will have more fun doing just that). what i criticize is that *lots* of companies (at least here in my vicinity) are selling cheap "vulnerability assessments" which actually are nothing more than automated security scans. this leads to the customer feeling safe when he's really wide open to attacks. often, these people's networks can be rooted in no time. sure, you don't have to be uber-31337 to do penetration tests (i'm certainly not), but it should definitely go beyond the "scan--+--google-for-exploit" approach. regards,
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: CORE-Impact license bypass, (continued)
- Re: CORE-Impact license bypass c0ntex (Sep 26)
- RE: CORE-Impact license bypass Marc Maiffret (Sep 26)
- Re: CORE-Impact license bypass Exibar (Sep 27)
- Re: CORE-Impact license bypass Bernhard Mueller (Sep 27)
- Re: CORE-Impact license bypass Martin Mkrtchian (Sep 27)
- Re: CORE-Impact license bypass c0ntex (Sep 27)
- Re: CORE-Impact license bypass Andrew Simmons (Sep 27)
- Re: CORE-Impact license bypass Valdis . Kletnieks (Sep 27)
- Re: CORE-Impact license bypass Bernhard Mueller (Sep 28)
- Re: CORE-Impact license bypass sk (Sep 28)
- Re: exploit frameworks Dave Aitel (Sep 30)
- Re: CORE-Impact license bypass Exibar (Sep 27)
- Re: CORE-Impact license bypass fd (Sep 27)
- Re: CORE-Impact license bypass c0ntex (Sep 26)