compiled exploits illegal?

[fl34bit3]

Hmm. I havent been around in a dogs age. I was amused by the plug though haha. Anyways. There really isnt too much to do with illegality of compiled exploits. I mean arent uncompiled correct ones just as bad. Sure they take a bit more to get working but once they work they can be used for the same amount of damage.

Granted if you cripple it then its better. Anyways As it has been mentioned before. It really all does come down to whoever is viewing and downloading from those sites.

PeacE
-BoB

[pooh sun tzu]

Ethical reasons set aside, because I could honestly care less, let's bring common sense into the picture:

You are going to download and run an executable compiled by someone else for security penetration? That's just asking for them to add an rm -rf / (or format /q C within the code (and not in the source file) to teach the morons who run precompiled executable exploits on the net a lesson.

[The Grunt]

Originally posted here by pooh sun tzu

You are going to download and run an executable compiled by someone else for security penetration? That's just asking for them to add an rm -rf / (or format /q C within the code (and not in the source file) to teach the morons who run precompiled executable exploits on the net a lesson.

Hmmm... Sounds interesting and fun.. I might have to try that some time I can see the look on their 12 year old faces already . Do you think they would fall for it? I could create my own version of subseven, it will do the code format /q C: at startup 7 times!

[dynagnosis]

In my opinion, what you are suggesting is worse then anything I've seen posted here so far (and as a senior member I hope to god you're joking) and on par with writing viruses and distributing them.

Ethics and morals can never be 'set aside.'

I understand where you are coming from but you have no way of targeting script kiddies [and even if you did, it's still wrong] when doing something like that you're just doing a blanket attack against anyone that downloads the exploit. Some of you MUST understand the 'educational prupopses' and know its not a bunch of BS. I have some tutorials written on coding and compiling exploits and they are on their way.... Tutorials on the useage IDA, hailstorm, and other black-box testing utilities are coming as well. I am in discussion with the authors of 'Exploiting software: How to break code' in regards to using some of their content.

My point is the 'educational purposes' stance is not just a 'way out of trouble'. The whole point of the site is to educate those willing to stick around and learn. Provide tools and infomation to make it fun and easy, and "lessons" to provide some sort of direction. Some of you DO get that.. I see it in the webtraffic logs. People are coming to the 'Tutorials' section [some of which are republished from here with authors concent - thanks guys! ] and reading! I'm thrilled to see 25% of the visitors stay for an hour... you're reading! You're really reading! hehe

It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.

[hobbdebub]

I am with pooh on this one. On the net you might as well throw ethics and morals out the window in most cases. Nobody follows the rules when they want to do something malicious to your computer.Wait...what rules? Just like in life, I mean if you are mugged do expect the person to give you a chance to pull out pepperspray or the like? No. It is a common sense thing. Providing the code is one thing but providing precompiled exploits is just asking for trouble. Just a thought.

[pooh sun tzu]

Okay, I'll bite.

In my opinion, what you are suggesting is worse then anything I've seen posted here so far (and as a senior member I hope to god you're joking) and on par with writing viruses and distributing them.

No, I was not joking. And the reason I "Set aside" the ethics discussion was because it had already been covered multiple times in the entire thread, obviously. There was no reason to repeat it.

Ethics and morals can never be 'set aside.'

Agreed. But that doesn't mean I'm going to post something that repeats what the previous four posters have said.

I understand where you are coming from but you have no way of targeting script kiddies when doing something like that you're just doing a blanket attack against anyone that downloads the exploit. Some of you MUST understand the 'educational prupopses' and know its not a bunch of BS. I have some tutorials written on coding and compiling exploits and they are on their way.... Tutorials on the useage IDA, hailstorm, and other black-box testing utilities are coming as well. I am in discussion with the authors of 'Exploiting software: How to break code' in regards to using some of their content.

What in the name of Tao are you talking about? It was a humorous warning because many of us have seen instances identical to that. Calm down and see that I never said I was going to do that example, but explained that it is quite possible. I don't care who you work with or what you have done, nor how long you have been here. What does matter to me is how you present your opinion. I am completely fine with it being an "educational site" with downloads based upon exploits, but there is a rather large difference between educating someone and merely handing them a shotgun. Proof of Concept does not mean "free to all, don't ask don't tell". I respect that you want to "educate" people on it, but don't think for a second I don't see how it can be misused. You can't ignore it.

My point is the 'educational purposes' stance is not just a 'way out of trouble'. The whole point of the site is to educate those willing to stick around and learn. Provide tools and infomation to make it fun and easy, and "lessons" to provide some sort of direction. Some of you DO get that.. I see it in the webtraffic logs. People are coming to the 'Tutorials' section [some of which are republished from here with authors concent - thanks guys! ] and reading! I'm thrilled to see 25% of the visitors stay for an hour... you're reading! You're really reading! hehe

And that's fine Welcome to AO. But don't mistake all of us here for whitehats, because I'm most certainly not. I'm a greyhat by all curiosity means, and thus if I find it funny that people are posting compiled (read: ready to use) and people download them for shits and giggles. This means that I'm 100% about security through curiosity and the betterment of the internet through oldschool hacking means (security testing without permission to fix/improve/safeguard). This also means that the moment someone tries to run a precompiled exploit (or any attack on me for that matter) and I catch them, I burn their fscking OS into the ground.

Instead of posting precompiled binaries (which I would never trust regardless of content, because exploits simply are not precompiled for sane people, even securityfocus and packetstorm knows this), post how to compile something. Teach them compiling methods and the basics of compiling.

It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.

It looks good so far. Just don't mistake us all for people who are so young that we can't remember that when exploits were released, it wasn't ever working code and binary files certainly weren't going to ever be released for the masses. The first step to lessen the impact of script kiddies was to make their lives more difficult. If you precompile it for them, you've just included the mass amount of people who don't know how to compile and thus wouldn't have been able to run it in the first place.


edit Don't think we are attacking you, demeaning you, insulting your work or project. Seriously, may the Tao bring wisdom and progress upon the path of your project. Just be ready for a difference of opinion on AO, and that it is okay to have one.

[nihil]

I would suggest that Pooh has made some good points in this thread................it is a sort of catch 22 situation, if you post precompiled exploits, people are not going to learn very much are they? they would need to learn how to decompile and analyse the code to see how it worked, and they would need to know their operating system inside out.

On the other hand source code is a temptation to plagiarise and create a "new" variant which will slip through detection software. Of the two I think that this is the lesser evil. After all, anyone with enough knowledge to do that effectively would easily be able to find the source code elsewhere.

This leads me to your comment:

It is unfortunate - and my own fault, that you've seen the site now and not after completion because it is not my intention to create a 'script kiddie' download site.

That is your biggest peril.................that you will create "just another boring, skiddie download site", hell there are enough of those on the net at the moment, so where is the achievement there?

You said:

Ethics and morals can never be 'set aside.'

And I would agree with that, as I am sure many a judge and jury would.

Perhaps you should start of with some unequivocal "commandments"?

1. You must never use anyone else's resources without full permission, preferably in writing.
2. You must never use your own main computer.
3. You must never use a shared computer, unless it is shared solely for this type of research.
4. You must never use a computer that is attached to a network, unless it is a network that you own, and have created specifically for this purpose.
5. You must never use school or college resources for this purpose.
6. When you visit sites and download materials for this purpose you must only use a machine dedicated to that task.
7. You must never encourage, coerce or engineer another person into distributing malware or contravening #1-#6 above.

Remember you are responsible for getting other people into trouble. For example if you supply your retarded kid brother with an Uzi or MP5, the law will not exonerate you when he straffes the schoolyard with it, even for "educational purposes". It would also be morally unacceptable.

A similar argument would hold good for providing someone with the information to make a bomb.

Remember that the people with authority who toss you out of school, confiscate your equipment, fine you, withdraw your privileges, throw you in jail, make you only fit for throwing trash and so on; will NOT be "white hats" or "grey hats"..........................they will be good ol' redneck bastards like me

My message is that you need to be very careful to cover your own a$$. The old "educational purposes" scam has worn thin since 9/11 and the homeland security act?

I suggest that you consider putting a VERY CLEAR mission statement and a prominent set of "commandments" on your site. At the moment I do not think that you are giving a jury cause for "reasonable doubt".

Good luck and take care.

[Tiger Shark]

Provide tools and infomation to make it fun and easy

[Emphasis Added]

Dammit... I should probably go and quit now!!!!! I've spent more than 20 years learning what I know today and you are telling me that it's easy..... Then clearly the IQ tests I have been taking have been adding 100 to my score to make me feel better about myself.... Damn those liberals.... I'm a retard after all.....

Seriously..... Why does it have to be "easy". Easy, where education is concerned, usually means that it either isn't particularly advanced or wasn't intended to challenge the intellect in the first place.

When you provide me with a precompiled exploit and let me "play" with it what are you actually teaching me? That the exploit works? Well, I already know that otherwise you wouldn't have put it up there would you? You aren't teaching me the intricacies of a buffer overflow and how it works, your just giving me a tool that does it..... Yes, you can start talking about packet dumps, snort rules, closing services or locking down permissions etc. etc. etc. but do you really think that if I am going to actually do stuff like that that I won't be prepared to go through the additional step of finding myself a compiler and running it on the source code?

You won't teach me anything with a precompiled exploit that I don't already know... It works if the target machine is vulnerable..... Well, bugger me..... Security is easy......

I think that chosing to provide this "service" will scare away those people you really seem to want to attract. When you have scared them away you will be left with the dregs of the internet.... Skiddie City....

[dynagnosis]

Wow .. it's going to be an all-time-low for productivity at work today it seems. I love you guys.

Here we go...

nihil~
Not so much a catch22 as a move backwards.. I know what you're getting at though... why the hell did we skip learning about the stack and buffer overflows if were learning about exploits? right? Good question and good point... the only thing I can think of is "it's exciting to exploit a system". (For clarity I am NOT talking about exploiting boxes that are not your own. The system doesn't have to be a top secret government system for it to be fun.) I want people to have fun on my site so that they come back... but I don't want to be irresponsible about it.

I'll do my best to keep the MP5's in the top drawer away from the twitchin` tards... a tard strafing his high school for educational purposes? nice.

After reading your post nihil I've started a Mission Statement, it's in draft right now but I'd like to PM it to you to take a look at when I'm done if you don't mind.





Tiger Shark~
Why can't it be easy? Or at least easier... I'd like to see a new kind of website (would like even more to BE this website). A website with module based learning, hands on tutorials and explanation. A web site that teaches you addition before you jump into calculus. I'm starting to agree that providing compiled exploits to every Tom, Dick, and Harry who drop into the site may be a bad idea... perhaps these exploits could be available for members who have completed various modules, that have been on the site for a certain period of time, or have earned my 'trust'... that’s what happens when you brainstorm with a group of people. New Ideas. That’s the *other* reason I started this thread.

'When I was your age I walked naked through 15 feet of snow to get to school! We never had no goddamn busses!'
It's true, many of the old hats learned through trial and error and through much frustration (and there will still be plenty of that). My 'vision' though is just to provide a path for people to follow and learn. There is certainly a LOT of fun in learning I just aim to accelerate the learning process. I'm trying to figure out the best way to do that. YOU are helping (thanks!).

I say if it isn’t easy it the training wasn’t well designed. It may take a while but it can still be easy to follow and fun to learn. (When you have the drive/motivation/interest)

[Tiger Shark]

Dyna:

My 'vision' though is just to provide a path for people to follow and learn.

Well.... how do I put it?.... I don't believe there is "a path"..... I believe there are numerous paths..... and many of them start at the RFC's.... I don't think it's enough to say "well, this is a way a cracker will try to do X and this is a way you can stop it".... But that's a personal opinion.....

The one thing that you can't teach but that is absolutely required to be successful is imagination. Based on all the knowledge they have the hacker/cracker uses his imagination to find solutions to his problems. The successful secadmin uses his imagination in exactly the same way to fill the holes that are the solutions to his foes problems.....

Hey, good luck man... Yell if you need anything....