Metasploit mailing list archives
How do you get your exploits?
From: hdm at metasploit.com (H D Moore)
Date: Fri, 14 Sep 2007 08:59:31 -0500
On Friday 14 September 2007 08:51, Mr Gabriel wrote:
To me, the concept, and idea of pen testing, is to find holes *before* some crack fueled script kiddie does - but how can I do this if I don't have the latest exploits to hand?
Most of the "vlad" style exploits you see are client-side or depend on user interaction. Metasploit supports quite a few of these, but there just aren't that many server-side code execution bugs in XP SP2. For the most part, the script kids are using old and well published exploits to wreak their mayhem. The M-PACK kit for example, is based on a handful of known vulnerabilities (metasploit 3 supports most of them).
Which brings me to my second point, the exploits that are included with MS3 - where they created just for MS3, or have they been adapted from exploits found in the wild?
Some of each. It depends who wrote the exploit first. Even when exploits are adapted from an existing program, they tend to be improved after they are ported to the framework (more reliable, less bugs, support for any shellcode, etc). -HD
Current thread:
- How do you get your exploits? Mr Gabriel (Sep 14)
- How do you get your exploits? H D Moore (Sep 14)
- How do you get your exploits? Wayne Ho (Sep 14)
- How do you get your exploits? Patrick Webster (Sep 14)
- How do you get your exploits? Mr Gabriel (Sep 15)
- How do you get your exploits? Wayne Ho (Sep 14)
- How do you get your exploits? Leo Jackson (Sep 14)
- How do you get your exploits? H D Moore (Sep 14)