Author Topic: What are the most common ways vulnerabilities and exploits are found?  (Read 2121 times)


Offline theguy

  • NULL
  • Posts: 3
  • Cookies: -2
  • Just yo average joe lookin' fo some info :D
I've heard stuff from people using fuzzers (still a little unsure as to how those work), all the way to folks just clicking links that will bring them to admin pages.  I'm not necessarily focusing on webpages.  I'm more so talking about services that may be running on an open port.  How do people find out that they may be able to remotely execute code on a victim machine?
/* I dont like jail, they got the wrong kind of bars in there */

/* Never stop learning */

Offline nozzlechunks

  • Serf
  • *
  • Posts: 22
  • Cookies: -3
Um, usually a buffer overflow is a good method, and is how fuzzers work.

First, you need to have your own copy of the service that you're attacking so you can debug it locally and see what your buffer is doing. Otherwise, you really won't get anywhere other than maybe killing the service you're attacking.

Once you've got that covered: basically, you find some variable you want to test like USER, PASS, or different commands available to a service such as FTP's various commands.

Next you throw a ton of digits at it... like 3,000 A's. Basically, you want to make the service choke on the input and die. Once you do that, it's time to change your 3,000 A's into a random string. There are string generation tools in Kali to do this. Why create this string? Cuz now you can throw this new buffer at the service and see exactly which bytes in your string are overwriting the "buffer." In a debugger, you want to see which exact digits in your string took over the EIP register.

Once you get the EIP register, the hard part begins. You basically have X amount of characters to insert your shell code (the thingy that gives remote code execution) as well as all the stuff you need to do to trick the application into pushing the memory location of that shell code on top of the stack and execute (JMP ESP).

I guess, think about Michelangelo carving David out of marble. Buffer overflows are the same way. You start with a block of A's, but through experimentation, you end up with a new exploit. I'd recommend the OSCP course from Offsec if you want to actually learn how to do this.
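To make the pattern above concrete from the code side, here is a toy "USER <name>" handler written in the unsafe style the post describes (fixed-size stack buffer plus an unchecked strcpy) next to a bounds-checked version. This is an added example, not code from the thread or from any real FTP service; the command syntax, the 32-byte buffer and the status codes are assumptions chosen for illustration.

```c
/* Added example (not from the thread): a toy FTP-style "USER <name>" handler
 * in the unsafe form the post describes (fixed buffer + strcpy) beside a
 * bounds-checked form. Command syntax and buffer sizes are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32          /* small fixed stack buffer, typical of old services */
#define CMD_PREFIX "USER "   /* assumed command syntax */

/* Unsafe: copies the argument with no length check at all. An argument
 * longer than NAME_MAX-1 bytes overruns the stack frame, which is exactly
 * the crash a fuzzer's "3,000 A's" provokes. Returns the copied length. */
size_t handle_user_unsafe(const char *line)
{
    char name[NAME_MAX];
    size_t plen = strlen(CMD_PREFIX);
    if (strncmp(line, CMD_PREFIX, plen) != 0)
        return 0;                            /* not a USER command */
    strcpy(name, line + plen);               /* BUG: no bound on source length */
    return strlen(name);
}

/* Safe: refuses any argument that does not fit in out[] with its NUL.
 * Returns the argument length, -1 for a non-USER line, -2 when too long. */
int handle_user_safe(const char *line, char *out, size_t outsz)
{
    size_t plen = strlen(CMD_PREFIX);
    if (strncmp(line, CMD_PREFIX, plen) != 0)
        return -1;
    const char *arg = line + plen;
    /* Look for the terminator only inside the space we actually have. */
    const char *nul = memchr(arg, '\0', outsz);
    if (nul == NULL)
        return -2;                           /* would overflow: reject it */
    size_t alen = (size_t)(nul - arg);
    memcpy(out, arg, alen + 1);              /* copy including the NUL */
    return (int)alen;
}

/* Replays the thread's fuzz step against the safe handler: build
 * "USER " followed by n copies of 'A' and return the handler's status.
 * Input is constructed in-process; nothing touches the network. */
int fuzz_safe_handler(size_t n)
{
    char line[4096];
    char name[NAME_MAX];
    size_t plen = strlen(CMD_PREFIX);
    if (n + plen + 1 > sizeof line)
        return -3;                           /* test input itself too big */
    memcpy(line, CMD_PREFIX, plen);
    memset(line + plen, 'A', n);
    line[plen + n] = '\0';
    return handle_user_safe(line, name, sizeof name);
}

int main(void)
{
    printf("8 A's   -> %d\n", fuzz_safe_handler(8));     /* accepted: 8 */
    printf("3000 A's -> %d\n", fuzz_safe_handler(3000)); /* rejected: -2 */
    return 0;
}
```

Feeding the 3,000-byte line to handle_user_unsafe instead would corrupt the stack; on a modern build with stack protectors, NX/DEP and ASLR the usual result is an abort rather than the clean JMP ESP the post describes, and that abort (or the crash in a service's log) is the signal both a fuzzing harness and a defender watching crash reports act on. The fix is the same either way: bound the copy to the buffer, as handle_user_safe does.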

Offline dotszilla

  • Peasant
  • *
  • Posts: 68
  • Cookies: -61
  • ..you'll either LOVE me or HATE me..
yeah nozzlechunks pretty much summed it up, but you have to know coding and how it works, usually C/C++, and read a couple of books about finding exploits in code like buffer overflows, which is one of many depending on what you're messing with. Then grab a copy of the version of whatever service is running on the port you want to find a vuln in, then go through the code and try to find a vuln or a possible one. There could be a lot of trial and error involved, and then write an exploit to take advantage of that vuln..

from my understanding that's how it works, I myself am not up to that level yet, so correct me if wrong...
"The box said 'Requires Windows XP or better'. So I installed LINUX..."

Offline isigod

  • NULL
  • Posts: 2
  • Cookies: 0
@nozzlechunks, thanks for the sum up. I have tried this a couple of times but have had no luck, but from your write up I can easily figure out that I have been jumping the gun by throwing my buffers at the eip register at first.
Thanks for the direction. Got to do more reading and digging to understand this more.

Offline nozzlechunks

  • Serf
  • *
  • Posts: 22
  • Cookies: -3
@isigod: np, controlling EIP is where the journey begins. Once you've got the debugger open and you own EIP, you'll have to take good notes on where key memory addresses are: beginning of buffer, end of buffer, where in your buffer your shell code is, etc. Basically, use a hex calculator to figure out how many bytes deep you need to go. Remember, you're trying to control registers to push your shell code on top of the stack.

@dotzilla: so TECHNICALLY you don't need to know much coding or any C/C++, but sweet jesus, it's probably helpful. I think the minimum is to know a tiny bit of Python so you can actually point your buffer at something, and then you need to not be afraid of debuggers. I don't think you actually need to know assembly language, other than EIP, ESP, memory addresses, and how shit gets on top of the stack (though one might argue that is knowing assembly language, LOL). That is, of course, unless you're more advanced than me and are writing your own shellcode instead of just ganking it from ExploitDB. Then again, ExploitDB shellcode will often tip IDS/IPS, but it's not like any of us are throwing this code at anyone, right????? Right?????

Offline dotszilla

  • Peasant
  • *
  • Posts: 68
  • Cookies: -61
  • ..you'll either LOVE me or HATE me..

@dotzilla: so TECHNICALLY you don't need to know much coding or any C/C++, but sweet jesus, it's probably helpful. I think the minimum is to know a tiny bit of Python so you can actually point your buffer at something, and then you need to not be afraid of debuggers. I don't think you actually need to know assembly language, other than EIP, ESP, memory addresses, and how shit gets on top of the stack (though one might argue that is knowing assembly language, LOL). That is, of course, unless you're more advanced than me and are writing your own shellcode instead of just ganking it from ExploitDB. Then again, ExploitDB shellcode will often tip IDS/IPS, but it's not like any of us are throwing this code at anyone, right????? Right?????

oh ok, yeah I don't know much about writing exploits, I'm still learning Python and messing with that, but I see you're the guy to go to once I start getting into it lol... anyways I thought you needed to know C/C++ to read the program you're looking to exploit, since most are written in C/C++.. I don't know, I might be confusing it with webapp exploits since I tried that before and you need to know a good amount of PHP to find the RFIs, LFIs, SQLIs and all the other good stuff lol..
"The box said 'Requires Windows XP or better'. So I installed LINUX..."