shellcoder | 6 years ago
1. The buyer or someone the buyer trusts: then the buyer can log all the network traffic, find the incoming attack traffic and work out the exploit from there.
2. The seller or someone the seller trusts, can backdoor the software to fake it.
3. Someone they both trust; that would require they have some mutual contacts, which, while possible, I wouldn't count on.
4. A random victim: more possible, but neither party would want to risk prematurely burning the exploit.
And of course there are a ton of exploits that are not remote, all sorts of local privilege escalations, and there are partial exploits that are sold. Like a multistage exploit, say just the exploit to escape a sandbox, or even just an exploit that requires a memory leak could be sold without the memory leak, or just selling the memory leak. Obviously a fully weaponized exploit sells for the most, but there are buyers for stages also.
jakobegger | 6 years ago
I was thinking about phones, not servers.
> then the buyer can log all the network traffic and find the incoming attack traffic and work out the exploit from there.
Is it really that easy? I'm not a security researcher, but I imagine that most exploits aren't just a magic byte sequence you send to the victim -- so I assumed that just a single observation of a successful attack is not enough to understand it easily.
shellcoder | 6 years ago
That doesn't change things too much; it does introduce some potential difficulties with intercepting certain types of traffic/input to the phone. The question just becomes who controls the hardware being compromised.
> but I imagine that most exploits aren't just a magic byte sequence you send to the victim
It's not, and it's not like you can just replay those very same bytes, but it's not magic; it all has a meaning and a purpose. While it's not easy, you can work out plenty from logs. The entire exploit is necessarily there; things will change, but all the instructions[0] that get injected to do later stages necessarily need to be sent, or the instructions to generate/cause them.
It's not an easy skill, but it's not unheard of.
[0] I'm simplifying a bit to avoid getting into various code execution techniques.