Vulnerability Development mailing list archives

RE: Lessons learned writing exploits


From: Mike.Ruscher () CSE-CST GC CA
Date: Thu, 9 May 2002 12:17:57 -0400

This is a nice gesture by Core, but the slides are rather brief. Is there
not a white paper or set of notes that might be more useful to the online
audience?

mgr


Mike Ruscher
IT Computer and Network Security Scientist
I2, CSE/CST
mgruscher () cse-cst gc ca
Phone: +1 613 991-8040
ED/C200
http://www.cse-cst.gc.ca

-----Original Message-----
From: Iván Arce [mailto:core.lists.exploit-dev () core-sdi com]
Sent: Wednesday, May 08, 2002 4:12 PM
To: vuln-dev () securityfocus com
Subject: Lessons learned writing exploits


Hello all
Our CanSecWest presentation titled "Lessons learned writing exploits"
is now available at www.corest.com/presentations/CanSecWest2002.htm

For those that did not attend CanSecWest:
you missed a great conference! be there next year!

Brief on the presentation:
Over the past several months Gerardo Richarte (co-speaker at CSW2002)
was fully dedicated to writing exploit code for our penetration testing
tool, CORE IMPACT. We were aiming at what we arbitrarily termed
"Professional Grade Exploit Code", that is, exploits that are easily
maintainable, portable, reliable, work in almost all scenarios and fail
safe (do not break things when they fail). In that process we learned a
lot of things about how to write exploit code and identified some
interesting concepts and approaches.
Our CanSecWest presentation is our initial attempt at reporting these
findings.

-ivan

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house. Its nature and laws have
 been exhaustively expounded by Locke, who rode a house, and Kant, who
 lived in a horse." - Ambrose Bierce

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: Jonathan Bloomquist <core.lists.exploit-dev () core-sdi com>
To: <vuln-dev () securityfocus com>
Cc: <vuln-dev () securityfocus com>
Sent: Wednesday, May 08, 2002 2:09 PM
Subject: Re: Publishing Nimda Logs - Summary



--- "Deus, Attonbitus" <Thor () HammerofGod com> wrote:

> 4) Jonathan Bloomquist and others actively connect to offenders to send
> net messages to the console.  Pretty cool.

I should clarify - that script was posted to slashdot and I didn't write
it.  I don't admin any production web servers, just ones I build in my
test environments, so I have not actually run that script.

> Next Step:
> I will probably proceed with my project, taking into account the
> suggestions of the posters.  One thing now interests me more...
> In the vein of JBloomquist's post and another poster who said to
> reverse-patch the systems, I am willing to peek into Pandora's Box and
> explore that precise option - waiting for an attack, and then
> reverse-patching the box.  Please don't tell me about the legal
> ramifications - I don't care about that yet.  What I would like to know
> is if anyone has such an animal, or how one would go about
> reverse-patching an attacking system -- I can't write that code, but
> would really like to try it out.

I lean more to the side of shaming the admins into fixing them than
ignoring them.  However, sending a message is one thing, but actually
patching their box is going a bit too far for me even if it is to help
them.  Warn 'em, shame 'em, scream at 'em, and mail bomb their ISP until
they take action, but make each site patch themselves.

"If we kill 'em they won't learn nuthin'."





--- for a personal reply use: Iván Arce <ivan.arce () corest com>

