Guide to find 0day exploits

By -

COMPLETE GUIDE TO FIND 0DAY EXPLOITS





Hello my masters and colleagues, first of all I would like to apologize for my absence during the past month, to say that i was busy with some projects and decide to leave the white-side for a while and made some visits on the dark-side(every good COP has a dealer friend),i left null byte last month to learn more and come here to share with you ... I spent almost the whole last month trying to practice my knowledge, and there were moments where the systems were well protected, not that they were impossible to be hacked but hard or complicated, so I decided to start investigating deeply the functioning of these systems to see if I could find flaws instead of simple scans with some tools, I began by analyzing the code of applications in the case of open source , sending abnormal data and more, and in the end most were hacked and still others are in process.

btw gr33tz t0 :Ciuffy ghost_ Phoenix750 f0r the gr3at j0b

INTRODUCTION

According to wikipedia a zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed and uncorrected computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network.1 It is known as a "zero-day" because once a flaw becomes known, the programmer or developer has zero days (before disclosure) to fix it.

If you can find a flaw that the software authores do not know aobut "bingo" you got the gold.

The proccess

1-Responsible disclosure
contact the sellers and give them time to fix(you can set a time limit before you put it public)

2-full disclosure
go public with technical details of the bug without first giving the vendor an opportunity to fix it

As a white-hat you have the obligation to use the responsible disclousure some might give you money while others just greetings, but for black-hat guys some spread the vulnerabilities in some forums, use the vulnerabilities for their own benefits and more, I have personally seen exchanging vulnerabilities between black-hat guys and so on.

HOW TO FIND VULNERABILITIES?

There are a lot of way to find a 0 day vulnerability, i will show you some of the most common ways to do it.

1-Open source or when you have access to the source code

1.1-Manual code review

when you have access to the source code its pretty much easier, what you can do is manual code review depending on which language it was made, here you need some programming skills in order to understand the code and find possible flaws

1.2- static analysis
depending on the plataform which you are working with you can find a tool to automatically analyse the code.
here is a good list of them
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
my reconmendations:
cppcheck
flawfinder
rats
vcg
its always good to combine all of them because they will produce different coverage

2-No access to the source code

2.1-Reverse enginnering

also called back engineering, is the processes of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information. The process often involves disassembling something and analyzing its components and workings in detail.

2.2-Binary static analysis
tool that i used recently
http://www.veracode.com/products/binary-static-analysis-sast

2.3 fuzzing "do random testing"

fuzzing is the art of inputing unexpected data in order to uncover unexpected behavior, fuzzing is often used to find vulnerabilities..

an example of that are the famous sql injections:
'or''='
ADMIN' OR 1=1#

using one of these tests above as username and password in some weak web forms can bypass the password authentication giving you the power to find a 0day sql injection.

EXAMPLE :
<?php
$ip = getip();
$tablename = $wpdb->prefix."limitlogin";
$tablerows = $wpdb->getresults( "SELECT `loginid`,
`loginip`,`loginattempts`,`attempttime`,`lockedtime` FROM `$tablename`
WHERE `loginip` = '$ip' ORDER BY `loginid` DESC LIMIT 1 " );

function getip(){
if (!empty($SERVER'HTTP_CLIENT_IP')) {
$ip = $SERVER'HTTP_CLIENT_IP';
} elseif (!empty($SERVER'HTTP_X_FORWARDED_FOR')) {
$ip = $SERVER'HTTP_X_FORWARDED_FOR';
} else {
$ip = $SERVER'REMOTE_ADDR';
if($ip=='::1'){
$ip = '127.0.0.1';
}
}
return $ip;
}
?>

as example i will leave here this part of code that contains a vulnerability i know, its php and mysql, i hope you can find a 0 day vulnerability on it and leave it in comments.

for now thats all soon i will be going through all the ways we can find 0 days bugs and specific bugs for specific plataform..keep coming and dont forget to greet me if you find a 0 day vulnerability..

source

If u have any queries... follow my profile and ask me what you want to know.

Comments

Post a Comment

Popular posts from this blog

Keyboard Shortcuts That you must learn

By -
Image
Keyboard Shortcuts That you must learn Getting used to using keyboard exclusively and leaving your mouse behind will make you much efficient at performing any task on window system.Some of the shortcuts that must be known Windows+R=Run menu This is usually followed by cmd=Command Prompt iexplore+"web address"=Internet Explorer compmgmt.msc=Computer Management dhcpmgmt.msc=DHCP Management dnsmgmt.msc=DNS  Management services.msc=Services eventvwr=Event Viewer dsa.msc=Active Directory users and Computers dssite.msc=Active Directory  Sites and Services Windows key + E= Explorer ALT+TAB=Switch between windows ALT,Space,X=Maximize Windows CTRL+SHIFT+ESC=Task Manger Windows key+Break=System Properties Windows key + F= Search Windows key + D=Hide/Display all windows Keep in mind that the "Right Click" key next to the right windows on keyboard.Using the arrows and that key can get just about anything done once you've opened up any prog
Read more

Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks

By -
Image
Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks torsocks  allows you to use most applications in a safe way with TOR. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you’re using. In this post we will cover IP spoofing in Kali Linux with torsocks which will allow users to connect to certain services that is banned to them.  torsocks  is an ELF shared library that is loaded before all others. The library overrides every needed Internet communication libc function calls such as connect() or gethostbyname(). This process is transparent to the user and if  torsocks  detects any communication that can’t go through the Tor network such as UDP traffic, for instance, the connection is denied. If, for any reason, there is no way for  torsocks  to provide the Tor anonymity guarantee to your application,  torsocks  will force the application to quit and stop everything.  In this article I will guide
Read more

How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks)

By -
How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks) How To Find Uploaded shell By Google dork (priv8 dorks) Go to Google.com and type these Dorks, and you will got a Lot of uploaded shells in Google serach results !! Dorks for finding shells  inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"  "Shell" filetype:php intext:"uname -a:" "EDT 2010" intitle:"intitle:r57shell" [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ] inurl:"c99.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout inurl:"c100.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update  Dorks for finding Passwords filetype:htpasswd htpasswd intitle:"index of" ".htpasswd" -intitle
Read more