What are your opinions on compiled exploits on web sites? Is it illegal to compile and provide them for download (i.e. this site or is it just bad taste?
Printable View
What are your opinions on compiled exploits on web sites? Is it illegal to compile and provide them for download (i.e. this site or is it just bad taste?
I won't speak towards the legality of posting them, but more towards the morality of posting them. Why would you want to help every Tom, Dick & Script Kiddie launch exploits? Now I know you can preach up and down that you have no control over what other people do with these exploits, but again, just by making them available, that IMHO makes you not that much different from a Script Kiddie.
My 2 cents mate.
If you publish a exploit as a "proof-of-concept", but make it harmless, i cant see a problem.
You can see some at malware.com.
However, in some countries (i think in France) is considered illegal.
but where you saw that on the site you have mencioned?
There is a 'members section' when you sign up under the files section... it's been a bit wacky today and been up and down... the forums have been changing too it looks like its a work in progress...
there were a bunch of exploit up though ... the exploit was compiled into an EXE and the .c source was also provided...
I grabbed them all right away :)
Well, that's an interesting question:
Basically "legality/illegality" depends on the laws of your own country. Morality is another matter.Quote:
What are your opinions on compiled exploits on web sites? Is it illegal to compile and provide them for download
I get quite a few examples of "compiled executables"............errrrrrrr.......... "unexploded bombs".........generally not a good idea to post them in the open forums though..........PM them until you get to be an addict or a senior.
No disrespect to yourself, but we try not to give skiddies ammunition, I am sure that you can appreciate my reservations, and those of fellow members.
Good luck
good point nihil. As i mencioned, i just a matter of PoC or be an *******. Nowadays its hard to try to show to community a breach without attract a bunch of teenagers without life.Quote:
No disrespect to yourself, but we try not to give skiddies ammunition, I am sure that you can appreciate my reservations, and those of fellow members.
To my knowledge this would not be illegal in the US unless the exploit is a way to get around a copy protection, in which case the DMCA might be violated. Bullshit law, but it's on the books. As for the moral side I would have check into the site a little more. If it's turn key exploits to cause DoS attacks then I would say it's in bad taste to give out a compiled version.
I've confirmed they are in the files section.. there were 13 of them posted but it seems only 3 are there right now... also the d/l counters were reset so it looks like its a 'work in progress'. I had to join with a valid email in order to download...
there are actual tutorials and stuff there as well... step by step 'penetration testing' ..it looks like the site is more geared toward people with an intrest in network security rather then hacker script kiddie types.
my apoligies if I've offended any of the senior members of the site... if a mod sees fit and wants to delete this post I understand --though i do think its on topic :)
(PS I've verified one of the exploits in my lab so at least im not d/ling viruses hehe)
cheers
Jer
what is wrong with a "step by step" penetration test? i use to read those to test my configurations.....
its a problem of audience, not the content.
If its for security guys, this must be stated cleary on the site, and appropriate actions must be taken against "bad guys" (=ban). Otherwise, "good guys" will think that is a "wannabe site"
cacosapo,
agreed.. thats why I said "...it seems it geared more toward the security professional then script kiddies..."
We'll just have to see what goes on at the site and what is and isn't allowed I suppose.
in anycase.. I'm sticking around to check it out... forums seems dead though hehe
Yes mate, that is exactly the problem...................our friend has made 4 posts..............you have made lots, and I have made a few more :DQuote:
its a problem of audience, not the content
We have to accept that we might have some irresponsible people around here............hey we have hundreds of anonymous guests, just lurking (are you there Roger? :cool: )
So my argument is that although we are a security site, we have to be just a little cautious?
Cheers
I have to agree with the majority: I'd much rather post defense, defensive strategies/countermeasures, and downloads that would help secure and help a system rather than help the worldwide skiddie's cause and wreak havoc.
Congratulations Jeremy, you have succeeded in avoiding the "evil glare" of some of the most suspicious old bastiges on AO...... you da man.....
Now do me a favor..... Quit hawking your site!!!!!! ;)
Quote:
Originally posted here by Tiger Shark
Congratulations Jeremy, you have succeeded in avoiding the "evil glare" of some of the most suspicious old bastiges on AO...... you da man.....
Now do me a favor..... Quit hawking your site!!!!!! ;)
Who you calling OLD! ;)
Nihil for a start...... :D
Well in the US unless Attorney Gen John Ashcroft has made freedom of speech
against the law or to design something that may do harm
to a computer in a proof of concept... I would personally
say it is legal.... It is like drawing a gun or making a gun that
works is ok unless you kill someone with it... then it is not ok.
Common sense or personal ethics has to come into play on that.
Remember that since 9/11 some laws in the US that have been
put in place may not make muster as far as the "US Constitution"
but I would not want to be made the example or be the one who
is made the scape goat.
TigerShark,
Done! ;)
It wasnt a *total* promo gig though... i mean.. we got a good conversation going here... I suppose I also am sort of interested in if the site is going to be attacked leagally ;)... and most of all - I want to hear from the credible members of this site to hear what they would think of seeing pre-compiled exploits on a site... the post wasn't *that bad* now was it?
cheers,
jeremy
Tiger: /me is wondering if you are referring to me and nihil ;)
Yeah that sure does get annoying sometimes.Quote:
Quit hawking your site!!!!!!
<LOL>
Dyn:
It was the best social engineering of AO I have seen since I have been here.... It certainly gave me a giggle.... Everyone responding without thought to who they were responding to and the site that was linked to.... I was really surprised how far you got it to go, kudos to you.... Course, the rest of them should be ashamed.... Most others would have been chewed up and spat out by post two..... But they just clicked and went with no regard from what I can see..... ;) Nice work.
As to the subject.... Yeah, precompiled code available for download to any Tom, Dick or Harry is an issue with me. If I'm a secadmin who wants to use exploits against my own network then, being a secadmin, I should be able to work out how to compile them for myself, or I shouldn't be a secadmin really, should I?
OTOH, if I'm an unskilled, untalented little *cough* tosser that wants to wreak havoc on some poor unsuspecting admin's, (note: not secadmin), without the common sense and basic ability to be able to spend the time and effort to learn how to adjust and compile an exploit why would you want to further my criminal career by providing a "plug and pray" solution to my lazyness?
In short.... if you want your site to become a place where "professionals" hang out then providing pre-complied binaries doesn't seem to fit the target audience, if you know what I mean....
Good luck
Sometimes exploit code will have small mistakes in it, put in by the author on purpose. They're things that someone with coding experience can fix, but the compile errors will scare away any script kiddie who doesn't know ****.
This will at least keep out most of the kids. The dangerous ones are the ones who know their stuff..
Just thought I'd add this to the conversation. Carry on :)
Hmm. I havent been around in a dogs age. I was amused by the plug though haha. Anyways. There really isnt too much to do with illegality of compiled exploits. I mean arent uncompiled correct ones just as bad. Sure they take a bit more to get working but once they work they can be used for the same amount of damage.
Granted if you cripple it then its better. Anyways As it has been mentioned before. It really all does come down to whoever is viewing and downloading from those sites.
PeacE
-BoB
Ethical reasons set aside, because I could honestly care less, let's bring common sense into the picture:
You are going to download and run an executable compiled by someone else for security penetration? That's just asking for them to add an rm -rf / (or format /q C:) within the code (and not in the source file) to teach the morons who run precompiled executable exploits on the net a lesson.
Hmmm... Sounds interesting and fun.. I might have to try that some time ;) I can see the look on their 12 year old faces already :D. Do you think they would fall for it? I could create my own version of subseven, it will do the code format /q C: at startup 7 times!Quote:
Originally posted here by pooh sun tzu
You are going to download and run an executable compiled by someone else for security penetration? That's just asking for them to add an rm -rf / (or format /q C:) within the code (and not in the source file) to teach the morons who run precompiled executable exploits on the net a lesson.
In my opinion, what you are suggesting is worse then anything I've seen posted here so far (and as a senior member I hope to god you're joking) and on par with writing viruses and distributing them.
Ethics and morals can never be 'set aside.'
I understand where you are coming from but you have no way of targeting script kiddies [and even if you did, it's still wrong] when doing something like that you're just doing a blanket attack against anyone that downloads the exploit. Some of you MUST understand the 'educational prupopses' and know its not a bunch of BS. I have some tutorials written on coding and compiling exploits and they are on their way.... Tutorials on the useage IDA, hailstorm, and other black-box testing utilities are coming as well. I am in discussion with the authors of 'Exploiting software: How to break code' in regards to using some of their content.
My point is the 'educational purposes' stance is not just a 'way out of trouble'. The whole point of the site is to educate those willing to stick around and learn. Provide tools and infomation to make it fun and easy, and "lessons" to provide some sort of direction. Some of you DO get that.. I see it in the webtraffic logs. People are coming to the 'Tutorials' section [some of which are republished from here with authors concent - thanks guys! ;)] and reading! I'm thrilled to see 25% of the visitors stay for an hour... you're reading! You're really reading! hehe
It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.
I am with pooh on this one. On the net you might as well throw ethics and morals out the window in most cases. Nobody follows the rules when they want to do something malicious to your computer.Wait...what rules? Just like in life, I mean if you are mugged do expect the person to give you a chance to pull out pepperspray or the like? No. It is a common sense thing. Providing the code is one thing but providing precompiled exploits is just asking for trouble. Just a thought.
Okay, I'll bite.
No, I was not joking. And the reason I "Set aside" the ethics discussion was because it had already been covered multiple times in the entire thread, obviously. There was no reason to repeat it.Quote:
In my opinion, what you are suggesting is worse then anything I've seen posted here so far (and as a senior member I hope to god you're joking) and on par with writing viruses and distributing them.
Agreed. But that doesn't mean I'm going to post something that repeats what the previous four posters have said.Quote:
Ethics and morals can never be 'set aside.'
What in the name of Tao are you talking about? It was a humorous warning because many of us have seen instances identical to that. Calm down and see that I never said I was going to do that example, but explained that it is quite possible. I don't care who you work with or what you have done, nor how long you have been here. What does matter to me is how you present your opinion. I am completely fine with it being an "educational site" with downloads based upon exploits, but there is a rather large difference between educating someone and merely handing them a shotgun. Proof of Concept does not mean "free to all, don't ask don't tell". I respect that you want to "educate" people on it, but don't think for a second I don't see how it can be misused. You can't ignore it.Quote:
I understand where you are coming from but you have no way of targeting script kiddies when doing something like that you're just doing a blanket attack against anyone that downloads the exploit. Some of you MUST understand the 'educational prupopses' and know its not a bunch of BS. I have some tutorials written on coding and compiling exploits and they are on their way.... Tutorials on the useage IDA, hailstorm, and other black-box testing utilities are coming as well. I am in discussion with the authors of 'Exploiting software: How to break code' in regards to using some of their content.
And that's fine :) Welcome to AO. But don't mistake all of us here for whitehats, because I'm most certainly not. I'm a greyhat by all curiosity means, and thus if I find it funny that people are posting compiled (read: ready to use) and people download them for shits and giggles. This means that I'm 100% about security through curiosity and the betterment of the internet through oldschool hacking means (security testing without permission to fix/improve/safeguard). This also means that the moment someone tries to run a precompiled exploit (or any attack on me for that matter) and I catch them, I burn their fscking OS into the ground.Quote:
My point is the 'educational purposes' stance is not just a 'way out of trouble'. The whole point of the site is to educate those willing to stick around and learn. Provide tools and infomation to make it fun and easy, and "lessons" to provide some sort of direction. Some of you DO get that.. I see it in the webtraffic logs. People are coming to the 'Tutorials' section [some of which are republished from here with authors concent - thanks guys! ] and reading! I'm thrilled to see 25% of the visitors stay for an hour... you're reading! You're really reading! hehe
Instead of posting precompiled binaries (which I would never trust regardless of content, because exploits simply are not precompiled for sane people, even securityfocus and packetstorm knows this), post how to compile something. Teach them compiling methods and the basics of compiling.
It looks good so far. Just don't mistake us all for people who are so young that we can't remember that when exploits were released, it wasn't ever working code and binary files certainly weren't going to ever be released for the masses. The first step to lessen the impact of script kiddies was to make their lives more difficult. If you precompile it for them, you've just included the mass amount of people who don't know how to compile and thus wouldn't have been able to run it in the first place.Quote:
It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.
edit Don't think we are attacking you, demeaning you, insulting your work or project. Seriously, may the Tao bring wisdom and progress upon the path of your project. Just be ready for a difference of opinion on AO, and that it is okay to have one.
I would suggest that Pooh has made some good points in this thread................it is a sort of catch 22 situation, if you post precompiled exploits, people are not going to learn very much are they? they would need to learn how to decompile and analyse the code to see how it worked, and they would need to know their operating system inside out.
On the other hand source code is a temptation to plagiarise and create a "new" variant which will slip through detection software. Of the two I think that this is the lesser evil. After all, anyone with enough knowledge to do that effectively would easily be able to find the source code elsewhere.
This leads me to your comment:
That is your biggest peril.................that you will create "just another boring, skiddie download site", hell there are enough of those on the net at the moment, so where is the achievement there?Quote:
It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.
You said:
And I would agree with that, as I am sure many a judge and jury would. ;)Quote:
Ethics and morals can never be 'set aside.'
Perhaps you should start of with some unequivocal "commandments"?
1. You must never use anyone else's resources without full permission, preferably in writing.
2. You must never use your own main computer.
3. You must never use a shared computer, unless it is shared solely for this type of research.
4. You must never use a computer that is attached to a network, unless it is a network that you own, and have created specifically for this purpose.
5. You must never use school or college resources for this purpose.
6. When you visit sites and download materials for this purpose you must only use a machine dedicated to that task.
7. You must never encourage, coerce or engineer another person into distributing malware or contravening #1-#6 above.
Remember you are responsible for getting other people into trouble. For example if you supply your retarded kid brother with an Uzi or MP5, the law will not exonerate you when he straffes the schoolyard with it, even for "educational purposes". It would also be morally unacceptable.
A similar argument would hold good for providing someone with the information to make a bomb.
Remember that the people with authority who toss you out of school, confiscate your equipment, fine you, withdraw your privileges, throw you in jail, make you only fit for throwing trash and so on; will NOT be "white hats" or "grey hats"..........................they will be good ol' redneck bastards like me :D
My message is that you need to be very careful to cover your own a$$. The old "educational purposes" scam has worn thin since 9/11 and the homeland security act?
I suggest that you consider putting a VERY CLEAR mission statement and a prominent set of "commandments" on your site. At the moment I do not think that you are giving a jury cause for "reasonable doubt".
Good luck and take care.
[Emphasis Added]Quote:
Provide tools and infomation to make it fun and easy
Dammit... I should probably go and quit now!!!!! I've spent more than 20 years learning what I know today and you are telling me that it's easy..... Then clearly the IQ tests I have been taking have been adding 100 to my score to make me feel better about myself.... Damn those liberals.... I'm a retard after all..... :mad:
Seriously..... Why does it have to be "easy". Easy, where education is concerned, usually means that it either isn't particularly advanced or wasn't intended to challenge the intellect in the first place.
When you provide me with a precompiled exploit and let me "play" with it what are you actually teaching me? That the exploit works? Well, I already know that otherwise you wouldn't have put it up there would you? You aren't teaching me the intricacies of a buffer overflow and how it works, your just giving me a tool that does it..... Yes, you can start talking about packet dumps, snort rules, closing services or locking down permissions etc. etc. etc. but do you really think that if I am going to actually do stuff like that that I won't be prepared to go through the additional step of finding myself a compiler and running it on the source code?
You won't teach me anything with a precompiled exploit that I don't already know... It works if the target machine is vulnerable..... Well, bugger me..... Security is easy...... ;)
I think that chosing to provide this "service" will scare away those people you really seem to want to attract. When you have scared them away you will be left with the dregs of the internet.... Skiddie City....
Wow .. it's going to be an all-time-low for productivity at work today it seems. I love you guys.
Here we go...
nihil~
Not so much a catch22 as a move backwards.. I know what you're getting at though... why the hell did we skip learning about the stack and buffer overflows if were learning about exploits? right? Good question and good point... the only thing I can think of is "it's exciting to exploit a system". (For clarity I am NOT talking about exploiting boxes that are not your own. The system doesn't have to be a top secret government system for it to be fun.) I want people to have fun on my site so that they come back... but I don't want to be irresponsible about it.
I'll do my best to keep the MP5's in the top drawer away from the twitchin` tards... a tard strafing his high school for educational purposes? nice. :)
After reading your post nihil I've started a Mission Statement, it's in draft right now but I'd like to PM it to you to take a look at when I'm done if you don't mind.
Tiger Shark~
Why can't it be easy? Or at least easier... I'd like to see a new kind of website (would like even more to BE this website). A website with module based learning, hands on tutorials and explanation. A web site that teaches you addition before you jump into calculus. I'm starting to agree that providing compiled exploits to every Tom, Dick, and Harry who drop into the site may be a bad idea... perhaps these exploits could be available for members who have completed various modules, that have been on the site for a certain period of time, or have earned my 'trust'... that’s what happens when you brainstorm with a group of people. New Ideas. That’s the *other* reason I started this thread. ;)
'When I was your age I walked naked through 15 feet of snow to get to school! We never had no goddamn busses!'
It's true, many of the old hats learned through trial and error and through much frustration (and there will still be plenty of that). My 'vision' though is just to provide a path for people to follow and learn. There is certainly a LOT of fun in learning I just aim to accelerate the learning process. I'm trying to figure out the best way to do that. YOU are helping (thanks!).
I say if it isn’t easy it the training wasn’t well designed. It may take a while but it can still be easy to follow and fun to learn. (When you have the drive/motivation/interest)
Dyna:
Well.... how do I put it?.... I don't believe there is "a path"..... I believe there are numerous paths..... and many of them start at the RFC's.... ;) I don't think it's enough to say "well, this is a way a cracker will try to do X and this is a way you can stop it".... But that's a personal opinion.....Quote:
My 'vision' though is just to provide a path for people to follow and learn.
The one thing that you can't teach but that is absolutely required to be successful is imagination. Based on all the knowledge they have the hacker/cracker uses his imagination to find solutions to his problems. The successful secadmin uses his imagination in exactly the same way to fill the holes that are the solutions to his foes problems.....
Hey, good luck man... Yell if you need anything....
I would agree that there is no RIGHT path.. I do think there are wrong paths. Or harder nonsensical ones at least.Quote:
Well.... how do I put it?.... I don't believe there is "a path".....
You can not teach imagination but you can give someone the tools (knowledge). You can't be creative about thinking about hijacking TCP/IP based sessions without knowing all about the protocol suite... and its helpful to know what others are thinking. :)
The site got a lot of attention because of this post (oops?) and I've got a lot of great feedback. I'm going to 'cool it' for a while and get the rest of the site together over the next few weeks. I'll get the module based learning together and I'll send you a PM when its up (if you don't mind) --I'd be interested in getting your feedback.
Cheers!
Jeremy