0

I've noticed that lots of CVE at www.cvedetails.com do not have publicly available exploits. But they have high scores (ex: score higher than 9). With such a high score, I'd thought exploits would be readily available but it's not the case (not even present in exploitdb).

So how would a hacker, from the description at www.cvedetails.com write exploit code? Do hackers do that?

schroeder
  • 125,553
  • 55
  • 289
  • 326
botanga
  • 447
  • 5
  • 5
  • 2
    This question is incredibly broad. –  Feb 06 '20 at 09:13
  • 1
    How do you think the metasploit exploits are created? – tripleee Feb 06 '20 at 09:19
  • @J.J People tend to say that when they don't want others to anwser. Can you explain what's make it so broad ? If I was ask "How to write a software" I would no say it's broad. Juts to help, I'd say : identify the feature - identify and organize its data in a DBMS - write a GUI representing the features to interact with a backend - write a back end to interact with the GUI and the DBMS. That's a broad (HELPING) answer to a broad question. – botanga Feb 06 '20 at 09:21
  • @tripleee Hahah.... That's is what I'm trying to figure out. Do they spend month on OllyDbg trying to find a vulnerability an write exploits ? – botanga Feb 06 '20 at 09:22
  • 1
    @botanga that's a little like asking "how do you program?" IT's *that* broad. Your example makes tons of assumptions about the kind of programming involved. All your steps are for a very specific type of programming. – schroeder Feb 06 '20 at 09:23
  • At such a high level as you have described, then the CVE details themselves tell an exploit writer how to write it. That's how they do it. – schroeder Feb 06 '20 at 09:25
  • @schroeder Common guyz. I'm trying to figure out this. To the broad question "how do you program" I'd answer broadly like this : "What do you want to program ? Depending on that, you can pick the right language. Ex : You want to program math functions, learn MATLAB. Focus on variables, functions, operators. Then apply those to solve simple challenges like the sum of two number. After you'll know enough to ask a better question " – botanga Feb 06 '20 at 09:28
  • Broad answers don't help broad questions, they just add confusion. –  Feb 06 '20 at 09:28
  • 1
    @botanga that's absolutely correct. So, to write an exploit from CVE details, first you have to understand the details and how to broadly exploit the vulnerability, test for the vulnerability then write code that exploits it. That's it. – schroeder Feb 06 '20 at 09:30
  • @J.J It may help me figure out better the problem and help me come with a more specific question. Don't be like some people here who just ask like the police to avoid answering questions they don't know how to tackle – botanga Feb 06 '20 at 09:30
  • If you are asking how someone who has never written an exploit before, that makes it even broader to answer. A programmer knows what to do. – schroeder Feb 06 '20 at 09:30
  • @schroeder lol You are mean. – botanga Feb 06 '20 at 09:31
  • 1
    @botanga If you are going to take this line of "people wont help me and its their problem nothing wrong with my question" then I really have no desire to attempt to explain anything to you at all. –  Feb 06 '20 at 09:31
  • 1
    no, I'm trying to explain given your expectations. We know how to tackle the question, it would just take a book to answer. – schroeder Feb 06 '20 at 09:32
  • @J.J Aww common I'm know saying YOU. I understand my question may be broad. But I just wish you point me to at least one (01) obvious beginning technical task that is performed so I could latter come with a better specific question – botanga Feb 06 '20 at 09:34
  • @schroeder Hahaha you are cool man. But don't be sarcastic. For instance, after reading the CVE details and googling all its keywords (ex : RCE, buffer overflow)... how do they technically start applying this to a bulnerble binary for instance – botanga Feb 06 '20 at 09:36
  • 2
    @botanga Please don't consider refusal to answer a bad question to be a personal attack. We're under no obligation to answer anything. The community sacrifices their spare time, that they can very much use to do other things, to try to create a knowledgebase of specific questions and answers of InfoSec topics. –  Feb 06 '20 at 09:37
  • 2
    That was not sarcasm. Your question now is basically "how do you exploit various vulnerability classes?" And this is where we direct you to beginner learning resources like a book – schroeder Feb 06 '20 at 09:37

1 Answers1

3

You wanted a broad answer:

  1. Read about the bug
  2. Attempt to understand the bug
  3. Use a fuzzer to find the crash
  4. Attempt to exploit crash
  5. Profit.

Fuzzing is only one method. Please seek additional resources to learn about more methods.

  • How on earth did you post that when the question was closed already?! –  Feb 06 '20 at 09:34
  • Heh :upside_down: –  Feb 06 '20 at 09:34
  • 1
    @MechMK1 if you start an answer before its closed, it will go through – schroeder Feb 06 '20 at 09:36
  • 1
    Ah, but fuzzing is only one approach :) – schroeder Feb 06 '20 at 09:36
  • 1
    @schroeder Then I deleted my answer for nothing. Because there is this big orange bar telling me "This question has been closed - no more answers will be accepted." That sounds quite the opposite. –  Feb 06 '20 at 09:36
  • 3
    @schroeder The more generic answer would be "Analyze the Program -> Find the Bug -> Exploit the Bug -> Profit." –  Feb 06 '20 at 09:37
  • 1
    @schroeder Good point; let me just pull out my bible of exploit development I'll "quickly" write it up word for word here :D –  Feb 06 '20 at 09:37
  • @MechMK1 Yes!!!! You are getting me. How do they Analyze the program ? For instace there is a CVE saying there is a RCE, how do the start ? OllyDbg to fing culprit, and so on.. or what ? – botanga Feb 06 '20 at 09:39
  • 1
    @MechMK1 sounds like a vulnerability JJ exploited :) It actually happens quite often. – schroeder Feb 06 '20 at 09:39
  • 1
    @botanga By looking at it. I really don't know what you are trying to ask. –  Feb 06 '20 at 09:40
  • 1
    @botanga JJ's answer is basically what I said above: they figure it out based on the details. – schroeder Feb 06 '20 at 09:40
  • @MechMK1 Can I PM you. You seem more willing to help. The other two a being bad cop. You are the good one – botanga Feb 06 '20 at 09:45
  • @MechMK1 You've an answered a more broad answer than that : https://security.stackexchange.com/questions/219872/is-exploit-free-software-possible/219873#219873 – botanga Feb 06 '20 at 09:48
  • @botanga No, it was not a broad question. It was actually rather specific, and OP demonstrates their thought process. Also there is no such thing as PMs on Stack Exchange. If you want to learn how exploit development works, there are countless resources on that. –  Feb 06 '20 at 09:51
  • @MechMK1 Could you give me a simple resource so I can have a better idea and ask a better question ? – botanga Feb 06 '20 at 10:36
  • @botanga LiveOverflow is a good YouTube channel explaining the basics of exploit development –  Feb 06 '20 at 12:09
  • @MechMK1 Darn it. I've decided to not watch youtube in 2020. Thanks anyway – botanga Feb 06 '20 at 17:02