[Owasp-delhi] FW: Reg. exploits.

Kamat, Jitesh Jitesh.Kamat at gs.com
Tue Jul 1 15:46:46 EDT 2008

"so I don't think zero days are available even if you pay" 

: -) Jitesh Kamat

... An interesting article discussing the economics of 0-day exploit


The main finding of the article. One or more of the following conditions

- According to the market prices for 0-day exploits, the security risk
from 0-day vulnerabilities is vastly overestimated, 

- According to IT risk models, vulnerabilities are completely
underpriced, or 

- Most 0-day developers lack basic negotiation skills. 

Recent public transactions for exploits (from

Some exploits, $200,000 - $250,000

Significant, reliable exploit, $125,000

Internet Explorer, $60,000 - $120,000

Vista exploit, $50,000

Weaponized exploit, $20,000-$30,000 

ZDI, iDefense purchases, $2,000-$10,000

WMF exploit $4000

Microsoft Excel, $1200

Mozilla, $500

-----Original Message-----
From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Singh, Gunwant
Sent: Tuesday, July 01, 2008 1:21 AM
To: Owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] FW: Reg. exploits.

Hi Dhruv,


Let me thank you all for such a considerable support and help against my

Coming back to my point as you asked in your last e-mail that how did I
come to know that I am running out of the exploits, I am to say that I
run penetration tests mostly against web applications and servers and I
do have a massive collection of exploits/links since long time so to run
them against those poor company resources. I audit for a US based
company and it is a fact observed by me that in some companies, you will
find many basic vulnerabilities that even you can't expect. For example,
there was a server I did audit a long time back and it was like  you
imagine an attack and that can be possible in that server application -
No restrictions :-) . A few companies have applications/networks that
have all those basic risks already removed before testing on the Level
1. I agree that it can be because of the critical CIA rating. Even for
such companies if I do tests for their network(s) I find some of my
exploits are obsolete. They will work but with legacy networks. These
exploits were perfect at some time but now it seems they may or may not


Also, I agree to the fact that only usage of exploits can't guarantee
you that you have tested all the bits and pieces of a network and
against all the underlying vulnerabilities. One must know the underlying
technology and how it is implemented with the other technologies. One
can break in at any time if he effectively collects information about
the network and use correct things at right time - right?. "Still" I am
sure that exploits are very much indispensable to use against a network
to prepare a PoC. I disagree with your point that utilities like
Metasploit provide you with all major exploitations (I am not sure about
Core Impact). They do have some but not majority of them but whatever
this tool has, is appreciable. You see exploits are the most valuable
piece of code for a security researcher, so not readily available for
the script kiddies out there in the wild - so I don't think zero days
are available even if you pay. 


I will check the links sent by you, thanks a lot for those links.


Thank you all!






From: Soi, Dhruv [mailto:dhruv.soi at owasp.org] 
Sent: Tuesday, July 01, 2008 4:06 AM
To: Singh, Gunwant [OS-IE]; Owasp-delhi at lists.owasp.org
Subject: RE: [Owasp-delhi] Reg. exploits.


Greetings Gunwant,


Good to see you back in action!! As you have already got few good
responses against your query, so I won't reiterate the known theory
here. But I would certainly like to participate in this thread. 


How would you know that you are running out of exploits? Do you see,
there have been numerous vulnerabilities published on the
internet/non-disclosure channels or transferred via
IRC/contacts/pre-published advisories to your knowledge these days, at
fast pace than expected? If you rely on published vulnerabilities, and
if administrators have fixed those vulnerabilities by applying the
patches then you have no option but to wait for administrators to commit
yet another mistake (I am sure, they do care for security
auditors/attackers to have some fun with the company resources :-) ).
Even if not, you would still find numbers of servers on the wild
available, un-patched for MS03/04/05-00X vulnerability and tons of
IIS/Apache servers those are vulnerable to old time attacks. Don't be
surprised if I say that during a recent pen-test assignment, we found
MS02-018 vulnerability in a live web server for some reputed and well
known company (obviously, can't disclose the name of client to avoid
making you jump out of your chair). Seems to be funny, ain't it? But,
welcome to India!!! Lot of effort is still required to make the
community know the risk of hosting vulnerable resources to wild wild web
(www). There are still lots of reputed websites those are running with
information disclosure vulnerability (no exploit needed, hah!), where
the available information is worth few bucks, if not million dollars!!!
I don't run/promote any shop in a Nehru Place though :-)


Network based attacks could vary due to variety of architectures
available today, so gathering good amount of standalone exploits for
every architecture would be a tough job and hence, we can rely on known
tools like metasploit/coreimpact those have almost all (If not all, then
many) variants of known exploit codes with options to inject shell codes
of your choice. Along with this, there are others web resources to
standalone exploits and those have already been mentioned in earlier
replies to your query, there could ofcourse be lot more those you could
hit at. I used to maintain a list of exploit links when I used to work
as a security researcher, but I have not used these links from ages (may
be from past 4yrs) so am not sure how many of those links still work, so
excuse me if none of those work for you. But anyhow, I have pasted those
links next to my signatures. 


For application based exploits, it is already been said that cheat
sheets + fuzzer works far better than relying on collection of exploit
codes. Refer to old HD Moore's style of writing a small fuzzer, where he
could find more than 50 flaws in Internet Explorer :-) (I love Microsoft
for increasing employment for malware/security researchers/attackers.)
Application based attacks are mostly driven due to functional +
technical faults, and can mostly be observed by humans rather than
automated exploit framework/tools. Finding variants for application
based attacks is far easier coz all programmers can't think alike and
can't think of delivering secure code every time coz their companies
teach them for delivering functional code, both for clients and
attackers :-)


Hope helps!


Many Thanks,



DISCLOSURE: All my views are personal and have not been under any
influence/gain/threat by any organization or individual :-) 


Here we go with my old (old could be gold or a trash for you, not sure)











http://www.cyenergy.info <http://www.cyenergy.info/> 


























From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Singh, Gunwant
Sent: Monday, June 30, 2008 4:48 PM
To: Owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Reg. exploits.


Hi all,


I am back again with a question. Thank you for your support so far.

While testing, I have come to know that I am running out of exploits.
Since administrators are coming up with latest patches to cover up the
existing vulnerabilities, one must also update his/her exploit
collection w.r.t the vulnerabilities found. I have a collection of some
exploits which are mostly for web servers (IIS, Apache, etc.). Just
wanted to know, what resources you guys use to get the exploits, or you
build your own. I m looking for both network based and application based
exploits. May be if someone wants to share some exploits or links for
any resources. Any feedback will be highly appreciated.



Gunwant Singh


More information about the Owasp-delhi mailing list