| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Feb 2009 02:06:59 +0000 From: disco jonny <discojonny@...il.com> To: fuzzing@...testar.linuxbox.org Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Fuzzing for Fun and Profit i kinda skim read the original posting. to the op - nice try, but this is 2009. (el8 put it better than i) the idea is not to break buffers but to take program control. breaking buffers is one method of doing this, but the sea is big. 2009/2/11 T Biehn <tbiehn@...il.com>: > release something that fuzzes web services given a WSDL. OR * Grammer file. > > Run all permutations and branches from all steps, with all possible delays. > Learn if it "supports" your test then drop your test if it doesn't work. kinda, i like this idea, but i dont think it is profitiable unless you are a software company. > > You won't worry about running out of shit to test, and you'll finally > justify the cost of some sweet new hardware to run this on. if you are good enough you can prove that there is no shit left to test. (reread what alan wrote = rehimahn hyp at approx 1024....) > -or- > > Learn how to audit code? this kinda works, but the idea behind fuzzing is that you test the implementation not the spec. doing that (testing the imp. could go on forever unless you start to look at what is happening when you are testing - the halting problem only applies to _every_ program, not this one program.) see one of my millions of previous posts. > > This might be too much CS for you, but if you plug away you might learn > something :.) > > I'm sure you'll get a talking spot and mad whitehat dollars if you do. fuck the money. i know i am failing to see the irony of your comments, but now i am out of nda who gives a fuck? anyway, merry xmas. (john/gadi, please drop the attachment size, i wanna post some shit). > On Wed, Feb 11, 2009 at 12:01 PM, <el8@...hmail.com> wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Dear tal0n. >> >> when will you do something that hasn't been done and is even >> relevant or practical in 2009? fuzzing sftp and command line >> arguments/env variables... nice and 2000AD "oh but its setuid(0)" >> yeah on your box and the 5 other people who download it to write >> useless papers/exploits to feel like they are smart/doing something >> (hi prdelka). When is the last time a sftpd exploit was useful? >> -----BEGIN PGP SIGNATURE----- >> Charset: UTF8 >> Version: Hush 3.0 >> Note: This signature can be verified at https://www.hushtools.com/verify >> >> wpwEAQMCAAYFAkmTBHwACgkQhtejBzrM32l9fAP+L5pGZYr3uQVaRUNh0hrO91/EjR8j >> Eh/OLWWnhvEneGDwra2YR70R4AV0YDx3/wey/McNmiICu16xRLopvapqVdV2VVS5/1eP >> z6lqWg3Rs+vZQuSEjmblxvhPLgb9dLBRr60qbKPfGPEZKssv3akkxZOmm9no8P1KX8wP >> JU2A26Q= >> =Iy18 >> -----END PGP SIGNATURE----- >> >> -- >> Too many bills? Click here to simplify your life and lower your debt. >> >> http://tagline.hushmail.com/fc/PnY6qxtUbhP9WqQxe5tCHOKDJDbyevAbhO9MFNhCEbIMLazpKKNbq/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists