Fuzzers[1] as well as reverse engineering tools. For fuzzers there is both the publicly available ones like AFL [2] and custom/closed source ones. It seems to me every zero day author has their own fuzzers or fuzzing frameworks or at least a closed fork of an open source fuzzer. But to me finding the bug is less difficult then turning it into an exploit. Shoot you can still find bugs in modern software by bit flipping, as an example I wrote a fuzzer that opened up random PDF files and flipped some bits at random and then opened them with Preview. it did this about 40,000 times a day and after a couple days I would come back and my mac had kernel panicked. Now turning one of these PDF files that cause kernel panics into an exploit is going to require significantly more effort then writing and running a dumb fuzzer.
wow....that is pretty interesting. how do you write your own fuzzer, seems like that's where the edge comes from? How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?
If I buy ADA what software/API can I start tinkering with?
What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.
Is there a course or resource I can use to begin this path?
I love love poking around with things to see how they work....basically the chase or the process is what I enjoy most and curious to know more.
> wow....that is pretty interesting. how do you write your own fuzzer, seems like that's where the edge comes from? How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?
Dumb fuzzers can be written in anywhere from a day to a few weeks of work, smart fuzzers can take several years to write, also lots of fuzzers continually evolve over time because they have to. Its the Red queen effect[1], fuzzers keep finding bugs so they have to keep getting better to keep finding harder and harder to find bugs in a target codebase. So I would say an exploit is usually the harder task but some of the things smart fuzzers like SAGE[2] do would be incredibly hard to implement.
> If I buy ADA what software/API can I start tinkering with?
I'm not sure what ADA is. However for testable software I would go for programs that come installed on your operating system of choice. So in my case I was using MacOS at the time so I was targeting MacOS default applications.
> What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.
Fuzzer development and exploit development are pretty different tasks. Fuzzer development is basically normal software development, while exploit development at least with security mitigations turned on is an entirely different beast. For example in exploit development your going to need to know x86-64 assembly, as well as general memory layout, how a particular operating system implements ASLR[3] so you can bypass that. As well as bypassing DEP/NX[4] which is often done using ROP[5] and now recently newer techniques[6]. The fuzzer I was describing above was a dumb file mutation fuzzer which can be extremely simple. So first it was a file fuzzer, meaning it fuzzed programs that take files as inputs, stuff like video and music players or in my case pdf files. The mutation part means the fuzzer took existing valid files and added random mutations as opposed to generative fuzzers that build semi valid files from scratch. The dumb part means it didn't do cool stuff like AFL that use a genetic algorithm and probe system to better test code paths in a target program.
> Is there a course or resource I can use to begin this path?
Search fuzzers online until you've seen every/most pages, no joke thats basically what I did theres a few books but most of the info they have can be found online for free. Also make sure to try building a fuzzer or two, go simple at first. As well as using existing opensource fuzzers like AFL, Trinity and syzkaller.
> How did you get into all of this?
I forget how I got into fuzzing but I did try and start a fuzzing company a few years ago, but it turns out its way easier making money doing web development then selling fuzzing software or doing bug bounties for a living.
A good place to start is learning how to poke at some API, and fizzers are a good way to do that. Pick some API that you think is complex (often places with previous bugs still have bugs), find a way to bang on it with all sorts of malformed data until something happens (crash, fault, or such). When you find that, you now have a set of inputs that the API is not sanitized against. Then you can try to disassemble, using tools like IdaPRO (best, but expensive), free reversing tools, kernel debuggers, etc. to get a handle on what is going wrong. At some point you might find the precise error at the assembly level. Then you may try to craft your inputs to bypass checks and affect the underlying system in a way you control. Here there are an astounding number of tricks and ways to bypass various security features, and you will have to read extensively to get a large bag of tricks for this step.
Now you have a decent exploit.
Each of these steps takes learning through just doing it and reading. You'll learn tools for various pieces of the game. But it's doable with decent effort.
what API or software should I start with? Also, @SandboxEscaper mentions logic based exploits vs memory based ones which are disappearing (?), what is she referring to?
also any good resources on starting this journey. I'm very serious about this because it potentially could be a dream job for me.
Start by looking up an exploit that has details published, and recreate it. Do that a few times, and you will begin to understand how it works without the frustration of not finding anything. As you get better you'll both get better at finding things and at dealing with the long periods of not feeling like you're making progress. I suspect there's sites that help you walk through this, and I know I've seen ones that walk you through prepared exploits.
You really just have to start putting in legwork consistently.
What framework do they use to find it? Is it just educated trial and error until you hit something?