[Dailydave] Immunity Certified Network Offense Professional
Paul Melson
pmelson at gmail.com
Mon Jul 14 21:48:07 EDT 2008
On Mon, Jul 14, 2008 at 8:18 AM, Thomas Ptacek <tqbf at matasano.com> wrote:
> The problem is, it is not MORE VALUABLE to exploit memory corruption
> flaws than it is to find them. Consider two scenarios:
>
> (1) A shrink-wrap software pen test, for a vendor or a customer ---
> the target is one application. You have 5 days. Unless you think you
> can sweep 500,000 lines of C code clean of vulnerabilities in 40
> hours, an hour spent on exploit dev is an hour not spent finding
> vulnerabilities.
The thing about exploits in pen-testing is that they're not really
necessary for the client or the client's code. They're more for the
vendor of the shrink-wrap software that you're testing. A client
smart enough to pay for a pen-test (as opposed to a vulnerability
assessment) will also be able to understand they should fix their code
when you show them a screenshot of gdb showing EIP = 0x41414141. But
vendors are another story - you've gotta have a highly reliable PoC
exploit before they do anything at all for your client in terms of a
fix. (This is why billing T&M for a pen-test is convenient - you
don't have to ask your client to sign another contract to code the PoC
and sit through the conference calls with the vendor.)
> Plenty of people cheat at writing exploits too.
Cheating at exploit writing is like cheating at running. Except when
you're in competition, nobody cares if you drove a car, so long as you
arrived at the correct destination.
PaulM
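The "EIP = 0x41414141" screenshot mentioned above is the point where most pen-tests can stop: it proves the return address is attacker-controlled, but it says nothing about the exact offset, which is the first thing you need for the reliable vendor-facing PoC the message describes. The following script is an added example, not code from the original post or from its author: it models a classic 32-bit x86 frame (fixed buffer, then saved EBP, then saved EIP, little-endian, no stack canary; all of that is an assumption of the model, and the saved register values are constructed placeholders) and walks from the all-'A' crash to a Metasploit-style cyclic pattern, to the recovered offset, to a payload that lands a chosen value in EIP.

```python
"""Crash triage: from EIP = 0x41414141 to a controlled return address.

Added example. The stack frame below is a toy model of a 32-bit little-endian
x86 frame ([buffer][saved EBP][saved EIP]) with no canary; nothing here runs
against a real binary.
"""
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
PATTERN_PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes

# Constructed placeholder values for the saved registers in the model frame.
SAVED_EBP = 0xBFFFF5D8
SAVED_EIP = 0x080484A2


def pattern_create(length):
    """Cyclic pattern 'Aa0Aa1Aa2...' (same scheme as Metasploit's
    pattern_create). Every 4-byte window is unique within one period, so a
    register value read out of the debugger maps back to exactly one offset."""
    if length > PATTERN_PERIOD:
        raise ValueError("length exceeds the %d-byte pattern period" % PATTERN_PERIOD)
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, reg_value):
    """Map a crashed 32-bit register value (as gdb prints it, e.g.
    EIP = 0x33634132) back to its offset in the pattern, or None if the
    register does not hold pattern bytes (i.e. it was never overwritten)."""
    needle = struct.pack("<I", reg_value).decode("ascii", errors="replace")
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def simulate_overflow(buf_size, payload):
    """Toy model of an unbounded strcpy-style copy into a buf_size-byte stack
    buffer. Returns the value that would be popped into EIP on return."""
    frame = bytearray(buf_size) + struct.pack("<II", SAVED_EBP, SAVED_EIP)
    copied = payload.split(b"\x00", 1)[0]   # strcpy stops at the first NUL byte
    n = min(len(copied), len(frame))        # writes past the modelled frame are ignored
    frame[:n] = copied[:n]
    return struct.unpack("<I", frame[buf_size + 4:buf_size + 8])[0]


def build_poc(offset, target_eip):
    """With the offset known, place a chosen value in the saved EIP slot.
    (A target address containing a 0x00 byte would be cut off by the
    strcpy-style copy modelled above; this example uses one that does not.)"""
    return b"A" * offset + struct.pack("<I", target_eip)


def triage(buf_size):
    """The whole sequence for one modelled frame, returned as a dict."""
    crash_eip = simulate_overflow(buf_size, b"A" * 200)       # the screenshot stage
    pat = pattern_create(200)
    pattern_eip = simulate_overflow(buf_size, pat.encode("ascii"))
    offset = pattern_offset(pat, pattern_eip)
    controlled_eip = simulate_overflow(buf_size, build_poc(offset, 0xDEADBEEF))
    return {
        "crash_eip": crash_eip,            # 0x41414141: controlled, offset unknown
        "pattern_eip": pattern_eip,        # pattern bytes, decodable to an offset
        "offset": offset,                  # buf_size + 4 (buffer plus saved EBP)
        "controlled_eip": controlled_eip,  # the value we chose
    }


if __name__ == "__main__":
    for key, value in triage(64).items():
        print("%-15s %s" % (key, value if key == "offset" else hex(value)))
```

For a 64-byte buffer the offset comes out as 68 (the buffer plus the 4-byte saved EBP), which is all the information the "A"-only crash was missing. On a real target the two inputs would be fed to the program under gdb and the register value copied from the crash, but the mapping from register value to offset is exactly the one `pattern_offset` performs.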