Re: [Full-disclosure] Publishing exploit code - what is it good for



I'm not too sure if this would help much but from a student standpoint
I understand FAR more about how the security works by knowing how to
break it, which only really works if I have source code and so
full-disclosure exploits. I KNEW what a shellcode and buffer overflow
were for years but I only UNDERSTOOD it after I read "Hacking: The Art
of Exploitation" because it broke it down for me (excellent book BTW).
Now I understand how an overflow exploit works, but don't understand
how a particular one works against a particular program without the
exploit code that I can go over and go "Oh, so that's how it does it."
The idea is that the next generation of security pros (and the current
ones I assume) need the information to be a step ahead by
understanding the tricks used by the exploit, otherwise they're always
playing catch-up to the latest exploit.

On 6/30/05, devnull@xxxxxxxxxxxxxxxxxxxxxx
<devnull@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> [Because of all the broken autoresponders on bugtraq, the header From:
> is a bitbucket.  Use the address in the signature to reach me.]
> 
> >> Quote: " If I speak to an end-user organization and they express
> >> legitimate needs for exploit code, then I'll change my opinion."
> 
> Well, I'm not an end-user organization, but as an end user[%], the
> major benefit I see to full disclosure is that it appears to be close
> to the only thing that has any real success at getting vendors to fix
> bugs.  (In general.  There certainly are vendors that stay on top of
> things without needing the prod of public exploit disclosure.  But they
> are notable by their rarity.)
> 
> [%] "End user" is not the only hat I wear.  It's just the one I'm
>     wearing here.
> 
> /~\ The ASCII                           der Mouse
> \ / Ribbon Campaign
>  X  Against HTML               mouse@xxxxxxxxxxxxxxxxxxxxxx
> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> 


-- 
"To catch a thief, think like a thief. To catch a master thief, be a
master thief."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/