Author Topic: 0 day vulnerability, how to begin?

Offline gh0st

0 day vulnerability, how to begin?
« on: May 21, 2011, 06:08:48 am »
Well guys, the other day I was wondering how a person who didn't even go to university or didn't even study something related to programming/security would find a 0-day vulnerability. Is it hard? If someone wishes to find a 0-day, how should he/she start?

Offline Tsar

Re: 0 day vulnerability, how to begin?
« Reply #1 on: May 21, 2011, 09:07:45 am »
Too vague, to be honest. You're basically asking "how does one find an exploit that no one else has found"; there are tons of different platforms and types of vulnerabilities. Basically you just need to get good and learn as much as you can.

Offline RawSocket

Re: 0 day vulnerability, how to begin?
« Reply #2 on: May 22, 2011, 04:27:26 am »

iMorg

Re: 0 day vulnerability, how to begin?
« Reply #3 on: May 22, 2011, 07:10:12 am »
Well, university would have nothing to do with exploitation. Most hackers learned to program, and most of what they know about computers, when they were too young to even be in high school.

Without programming knowledge you are pretty much dead in the water. You can't possibly know how to find a hole in something you don't understand, and even if you did, how would you go about executing it without knowing how to write something to take advantage of it?

To start finding a 0-day I would suggest looking at what APIs and libraries were used to write the target application/system. If the software is closed source you are going to need good knowledge of assembly and familiarity with the operating system it runs on. If the software is open source then all you need is a copy of the source and a text editor.

You should try to emulate the target's operating environment as closely as possible when testing an exploit you find.

Offline Stackprotector

Re: 0 day vulnerability, how to begin?
« Reply #4 on: May 23, 2011, 12:57:08 am »
http://www.securitytube.net/groups?operation=view&groupId=5
Then continue with the other series; at the end you will know how to find 0-days and other vulns.
~Factionwars

Offline noob

Re: 0 day vulnerability, how to begin?
« Reply #5 on: May 24, 2011, 01:23:31 am »
http://www.exploit-db.com/papers/?page=16

Exploit Writing Tutorial Part 1 - Stack Based Overflows
Exploit Writing Tutorial Part 2 - Jump to Shellcode
Exploit Writing Tutorial Part 3 - SEH
Exploit Writing Tutorial Part 3b - SEH Based
Exploit Writing Tutorial Part 4 - From Exploit to Metasploit the Basics
Exploit Writing Tutorial Part 5 - Debugger Modules in Exploit Development
Exploit Writing Tutorial Part 6 - Bypassing Stack Cookies, SAFESEH, Hardware DEP and ASLR
Exploit Writing Tutorial Part 7 - Unicode, from 0x00410041 to Calc

Offline gh0st

Re: 0 day vulnerability, how to begin?
« Reply #6 on: May 24, 2011, 08:26:51 am »
@noob: +1 for that

Offline I_Learning_I

Re: 0 day vulnerability, how to begin?
« Reply #7 on: May 24, 2011, 11:06:45 am »
Quote from Tsar: Too vague, to be honest. You're basically asking "how does one find an exploit that no one else has found"; there are tons of different platforms and types of vulnerabilities. Basically you just need to get good and learn as much as you can.

Well, finding 0-days isn't exactly hard; however, someone who has no idea what he's doing wouldn't even consider it a 0-day, so it would remain just another unknown bug.
0-days are always a flaw in the programming of the source: it could be a function, the language itself, or just the way the coder used the function or coded his tool.
With that being said, all you need to find a 0-day is either to focus on something you want to exploit and look at its source code (if it's available) and try to find a vulnerability, or simply fuzz it.
Fuzzing is (in a basic way) just brute-forcing the input and parameters to your target and trying to find something: a segmentation fault, a memory access error, anything.

Answering the question of how to begin:
First off, you should decide what kind of 0-day you want and what you consider a 0-day. Some people consider SQLi on a website a 0-day because no one else had found it; others count only overflows and format string attacks; and others consider only new findings as 0-days, like Slowloris when it came out (although it used the SYN flood technique).
Anyhow, from there you'll need to study your target (the language and its source). For instance, PHP is an interpreter, so if you can't find a vulnerability that would exploit the website, perhaps you can find something that exploits the interpreter itself, and those are different matters. Exploiting PHP requires PHP knowledge; exploiting the interpreter requires ASM knowledge.

Just like Tsar said, you're being too vague, because you can exploit a program, a library, an API, the language itself, or protocols, and in some cases it's a very different approach.
To exploit a program all you need is to fuzz it: send lots of random parameters until you find some vulnerability that allows you to get a shell.
When exploiting protocols your objective might not be to get a shell but, for instance, to make a server inaccessible, and for that you need to look at the source code and find uncovered options.
Thanks for reading,
I_Learning_I
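The post above describes fuzzing as brute-forcing input until the target faults. The following is an added example, not code from the thread or any project it links: a toy length-prefixed record parser with a missing bounds check (constructed for this example), the corrected parser beside it, and a minimal mutation fuzzer that reports any input the parser fails on with something other than its documented rejection (`ValueError`). In Python the "crash" shows up as an `IndexError` rather than a segmentation fault, but the workflow is the same one you would use to find such bugs in your own code before shipping it. All names (`parse_record`, `fuzz`, `mutate`) are this example's own.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Toy parser (constructed for this example).
    Format: 1-byte length N, then N payload bytes, then a 1-byte checksum.
    It trusts the length byte and reads the checksum without checking
    that the buffer actually holds 2 + N bytes."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]          # IndexError on a truncated record: the bug
    if sum(payload) % 256 != checksum:
        raise ValueError("checksum mismatch")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, with the bounds check the buggy version lacks."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) < 2 + n:
        raise ValueError("record truncated")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("checksum mismatch")
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record to use as the fuzzer's seed input."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or insert a byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 500, seed: int = 1) -> list:
    """Feed mutated inputs to parser. ValueError is the parser's documented way
    of rejecting bad input, so it is not a finding; any other exception is.
    Returns a list of (input, exception name) pairs for the crashes found."""
    rng = random.Random(seed)       # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((candidate, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    seed_input = make_record(b"abc")
    for name, parser in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        found = fuzz(parser, seed_input)
        print(f"{name} parser: {len(found)} crashing inputs")
        for data, err in found[:3]:
            print("   ", data.hex(), err)
```

Running it reports a number of crashing inputs for `parse_record` (every one an `IndexError` from the unchecked read) and none for `parse_record_fixed`. The fixed seed and the "expected rejection versus unexpected exception" split are the two things worth copying into a real harness: without them you cannot reproduce a finding or tell a bug from a correctly refused input.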

Offline gh0st

Re: 0 day vulnerability, how to begin?
« Reply #8 on: June 03, 2011, 05:00:07 am »
Well, I just wanted to post this; it seems useful. It talks about a remote code execution exploit over Windows XP ring 0. That thing named ring 0 is just a part of the architecture of the OS, nothing too hard to understand, but there are a lot more technical details too.
http://www.eeye.com/eEyeDigitalSecurity/media/ResearchPapers/StepIntoTheRing.pdf?ext=.pdf

and more in: http://www.eeye.com/Resources/Security-Center/Research/Papers
« Last Edit: June 03, 2011, 05:00:27 am by gh0st »