Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Zero day exploits


Good Day All,

I am curious. What advice can any of you give with regards to finding a zero day exploit in a program? I have some ideas but I would like to hear suggestions to see how they match mine (i.e. if i am on the right track) and how can I improve. I eagerly await responses.

Regards


Huitzilopochtli's Avatar
....
10 9

By "program" are you referring solely to standalone .exe's ?


rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

Dropped you a PM thumbs up


Rocket_Face's Avatar
Member
0 0

I know what a zero day is, but has anyone here on HBH ever found one for real, or have most of them been discovered by now, so they're rarer and harder to find ?


Futility's Avatar
:(
80 122

Rocket_Face wrote: I know what a zero day is, but has anyone here on HBH ever found one for real, or have most of them been discovered by now, so they're rarer and harder to find ? Yes and no and yes. There's tons of software that exists and while most of the big stuff tends to have a pretty high bar for exploitation, a looooooot of the smaller stuff is still silly easy to beat up on. If you want to play on easy mode, I suggest getting your hands on some routers or other startup IoT devices and party like it's 1990 again


gobzi's Avatar
Member
10 0

I had a lowish a few months ago in an Oracle banking app, where employees could retrieve the hashed password of other employees. Our customer submitted the finding to Oracle, but we haven't retested the app since then so I don't know if it's being patched :(


Huitzilopochtli's Avatar
....
10 9

There's tons of software that exists and most of the big stuff tends to have a pretty high bar for exploitation
Futility is bang on with that one.

Most of the low level exploits and security holes in high profile software are gone, so there's not much hope of discovering an XSS alert in a google search, as a billion other n00bs have already been there before you, pasting in every XSS payload from the past 20 years, trying to make an alert box pop up that says  "Mr_Cheese was here."

The more advanced vulnerabilities though are still around, as the vast majority of them require you to actually know what you're fucking doing in order to exploit them.

Exploits resulting in remote shells/command execution or remote code execution are complicated, time consuming and hard to pull off https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/ but the rewards are good, and less people have been there before you, so the odds are way better of finding existing vulnerabilities in these areas.


Futility's Avatar
:(
80 122

Futility wrote: There's tons of software that exists and most of the big stuff tends to have a pretty high bar for exploitation

So I wanted to perhaps be a little bit more clear. When I said most and tends to, I was speaking very generally. There are still huuuuuge big-name products that are owned, used, and run on a daily basis by people and companies the world-over that are still vulnerable to the silliest of things. See symantec, for instance. In the web realm, this Magento bug always piques my interest (despite being a couple years old). In terms of XSS, not even google is safe.

My point is, just because something is big doesn't mean it's necessarily safe and everything could use another person looking over it and if I implied that, I definitely didn't mean to. Just keep hunting!

  • Futility

rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

<kung-fu> I had a whole bunch in php-fusion a good few years back, there were SQL injection points in loads of .php files where user-supplied data was being sent via POST to stripinput() and validated by a regex. A fucking unanchored regex.

One of the biggest mistakes made when using regex patterns is leaving them unanchored. Anchors determine the span of a patterns match against an input string. The ‘^‘ anchor matches the beginning of  a line. The ‘$‘ anchor matches the end of a line.

Anyone who uses regexes as part of a security or input validation filter should know that if the pattern is left unanchored,  it will search through the entire input string looking for a match.

Thanks to this schoolboy error, sticking our injection anywhere in a string containing valid data will now bypass the regex checks.

The unanchored regex was used in submit, create, reset, search, members, comments, ratings and messages.php, as well as in a couple of files in the forum. All of the injection vulnerabilities were totally blind, so data had to be extracted via time delays using MySql's sleèp() function. </kung-fu>

Happy Days.


Rocket_Face's Avatar
Member
0 0

You need to have a LFI vulnerability to read php source code .


Huitzilopochtli's Avatar
....
10 9

Great post Rocket man, you know your LFI's. +1


Rocket_Face's Avatar
Member
0 0

Thanks dude ! I think I've proved once and for all that I'm not just an idiot.


gobzi's Avatar
Member
10 0

Rocket_Face wrote: Thanks dude ! I think I've proved once and for all that I'm not just an idiot.

kek


Rocket_Face's Avatar
Member
0 0

Thanks for the retweet bro. I appreciate it. thumbs up