
Is exploit development dead?

drpalpatine

There are increasing mitigations (NX, ASLR, etc.), and programs are being written in memory-safe languages.
Of course exploits still appear every year, but not like it was 20 years ago with simple fuzzing.
Maybe exploits are found more frequently in IoT, but it is very difficult in Windows, Linux, macOS.

I have basic knowledge of memory-level exploitation.
Is it recommended for beginners like myself to go deep into this field, so as to one day work in advanced areas like OS kernels and the CPU level?
Some people say that only those who already have good knowledge and skill will remain in this field, and all the lower-skilled will go away in future years.
You can discuss the future of this field: is it worth starting now, so that one day a guy like me can work on OS kernels, CPUs, etc. before the field becomes very difficult? Also write about your learning experience and advice for beginners like myself.
 
As with everything else, the threshold for entry only gets higher. I do not see exploit development ever getting irrelevant. You might argue that overflows are harder and there are more protections, but there are exploits to be found everywhere. I will say that work in this direction must be paired with something else, but then that depends on what way you work. If you work in the black then you cannot sit on your ass and wait to find that $1m exploit. If you work in the white then there are a lot of companies who will happily put you on salary for your services.
 
I don't think exploit development is dead in 2022. You will find many new exploits in IoT in the future; those kinds of exploits will be found and exist in new systems and technologies no matter if there are new protections, etc. That means there will be more of a trend toward IoT exploits in the world, but as everyone knows, exploits will exist for a long time. There will be AI protection, etc., but exploit development is not dead for an easy reason: programmers make mistakes.
 
New vulnerabilities are found every day, and exploits have not yet been written for all of them, so every "release" of a new vulnerability here is your $1M.
 
I will say that work in this direction must be paired with something else, but then that depends on what way you work. If you work in the black then you cannot sit on your ass and wait to find that $1m exploit. If you work in the white then there are a lot of companies who will happily put you on salary for your services.
In other areas, for example, many beginner pentesters or malware developers spend their entire time in their specific area --> after study, practice and enough time they come out as highly skilled --> but why is this entirely not possible with exploitation?
Usually exploitation work itself is so deep that experts these days focus mostly on one specific area, for example --> WebKit, Linux kernel, V8, etc., and do not have time to focus on anything other than their areas --> also whitehats work in teams with different skills, as it requires expertise in many areas, and that kind of working together is not possible in black hat.
--> let's not talk about white hat, because yes, there are many more jobs available for application security testers hired by corps to improve their products
I somewhat agree with your opinion on black hat, but maybe I ask the question to also find a little motivation to continue studying in this field
--> but there is still interest in this field

I don't think exploit development is dead in 2022. You will find many new exploits in IoT in the future; those kinds of exploits will be found and exist in new systems and technologies no matter if there are new protections, etc. That means there will be more of a trend toward IoT exploits in the world, but as everyone knows, exploits will exist for a long time. There will be AI protection, etc., but exploit development is not dead for an easy reason: programmers make mistakes.
Of course there will be exploits in applications.
--> my question is about the difficulty of reaching a higher skill level and working on kernels, processors, etc. before the entry point gets even higher as time goes on --> which is not the same as in other fields like network penetration, malware development, etc., where many new skilled people appear all the time

New vulnerabilities are found every day, and exploits have not yet been written for all of them, so every "release" of a new vulnerability here is your $1M.
Yes --> such an idea of exploitation came about because public exploits give low-quality targets, and now there is interest.
 
In other areas, for example, many beginner pentesters or malware developers spend their entire time in their specific area --> after study, practice and enough time they come out as highly skilled --> but why is this entirely not possible with exploitation?
Usually exploitation work itself is so deep that experts these days focus mostly on one specific area, for example --> WebKit, Linux kernel, V8, etc., and do not have time to focus on anything other than their areas --> also whitehats work in teams with different skills, as it requires expertise in many areas, and that kind of working together is not possible in black hat.
--> let's not talk about white hat, because yes, there are many more jobs available for application security testers hired by corps to improve their products
I somewhat agree with your opinion on black hat, but maybe I ask the question to also find a little motivation to continue studying in this field
--> but there is still interest in this field


Of course there will be exploits in applications.
--> my question is about the difficulty of reaching a higher skill level and working on kernels, processors, etc. before the entry point gets even higher as time goes on --> which is not the same as in other fields like network penetration, malware development, etc., where many new skilled people appear all the time


Yes --> such an idea of exploitation came about because public exploits give low-quality targets, and now there is interest.
I don't think so. It will be hard for me; I am learning about kernel exploits and this is hard but not impossible. I think if you have basic knowledge of C or C++, in this case you will be able to learn anything.
 
I don't think so. It will be hard for me; I am learning about kernel exploits and this is hard but not impossible. I think if you have basic knowledge of C or C++, in this case you will be able to learn anything.
Studying is not impossible, of course --> the entry point to work on exploitation on these systems is very high and increasing, and will increase in the future
I am asking that, if a beginner is studying --> will he reach the skill level to work on such complex applications, crossing the entry point before the entry point moves even farther by the time he reaches there, like a cat-and-mouse game?
 
The cyber attacks of the future will be with zero-day exploits, because the security of organizations is increasing, and the group or government that has access to the exploit wins. Therefore exploiting and discovering vulnerabilities is important for both sides, the blue team and the red team. Having said that, I think this world is still alive.
I am also a beginner in this field, and this forum has helped a lot.
 
Studying is not impossible, of course --> the entry point to work on exploitation on these systems is very high and increasing, and will increase in the future
I am asking that, if a beginner is studying --> will he reach the skill level to work on such complex applications, crossing the entry point before the entry point moves even farther by the time he reaches there, like a cat-and-mouse game?
No doubt that it gets harder than it was before, but the speed of the new entry point is on the industry; learning speed is on the learner. I have been trying to learn but don't get the time; it depends on how much effort you want to give. Hope you get success.
 
In other areas, for example, many beginner pentesters or malware developers spend their entire time in their specific area --> after study, practice and enough time they come out as highly skilled --> but why is this entirely not possible with exploitation?
Usually exploitation work itself is so deep that experts these days focus mostly on one specific area, for example --> WebKit, Linux kernel, V8, etc., and do not have time to focus on anything other than their areas --> also whitehats work in teams with different skills, as it requires expertise in many areas, and that kind of working together is not possible in black hat.
--> let's not talk about white hat, because yes, there are many more jobs available for application security testers hired by corps to improve their products
I somewhat agree with your opinion on black hat, but maybe I ask the question to also find a little motivation to continue studying in this field
--> but there is still interest in this field


Of course there will be exploits in applications.
--> my question is about the difficulty of reaching a higher skill level and working on kernels, processors, etc. before the entry point gets even higher as time goes on --> which is not the same as in other fields like network penetration, malware development, etc., where many new skilled people appear all the time


Yes --> such an idea of exploitation came about because public exploits give low-quality targets, and now there is interest.
In my opinion the answer to your questions is simple. With fields such as pentesting and malware development it is sometimes enough to simply build upon accepted fundamentals, i.e., there is a level of abstraction and one does not need to break everything into the smallest pieces to understand. Let us take an example like SQL injection: it is enough to know how it works and how to identify entry points, but you need not concern yourself with how the payload sent is interpreted in the server's memory. That right there is the difference. When digging for exploits you must seek to understand how every aspect of the service works, from the user level, past the OS level, right down to how it is implemented in memory and how the 1s and 0s are drafted. It is expected that as the years go by the complexities of these systems/services increase, hence more backtracking to do. The experts you refer to in this case are those who have hungrily torn down a particular service/system and understand how it functions from the ground up, but there is also a lot of work for people with broader scope, especially in the area of developing exploits for already known vulnerabilities.
 
Is it dead? No, of course not. But does it decrease? Yes. Knowledge of vulnerabilities and of exploiting these vulnerabilities in companies has increased.
Also, old-school developers (hackers) who have the knowledge to write exploits have decreased.

If you are interested in learning exploit development, there are a few courses you can still find on Google; most of them are paid.
 
New 0-day for Apple devices is being sold on the dark web for 2.5 million euros

A new zero-day vulnerability for Apple devices is being sold on the dark web. The reports appeared just a few days after Apple publicly disclosed CVE-2022-32893. According to researchers, the new vulnerability builds on the already patched CVE-2022-32893 and is being sold for 2.5 million euros.
 
In short: it is not dead and not dying.

 
Do you think that exploit development will die because of the new programming languages with "memory safety"? I saw on the internet that people wanted to rewrite the Linux kernel in Rust, and that Microsoft 365 was rewritten in Rust. I see more and more people trying to move to memory-safe programming languages. In addition, many people turn to ChatGPT for programming, and this tool has concepts for programming in a secure manner. Even if for the moment nothing is certain, what will binary exploitation look like in 10 or even 5 years? Will there still be buffer overflows, for example? I have a lot of questions about this area of cybersecurity. Plus, I have the impression that the new generation of "hackers" is less creative than before because of AI and automated shit tools like Metasploit. Everyone in this new generation wants to become a "hacker" without knowing how to program or even how memory works. On the forums I see more and more posts like "How to be a hacker with nmap?" and "How to be a hacker with Kali Linux?". I'm starting to wonder whether our business isn't dying with all this.

 
Regardless of the languages used, logic errors will always exist; SQLi, LFI and RCE are not going anywhere, whether with Rust or with Lisp.
Especially when using code generated by a neural network.
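An added illustration of this reply's point, written for this edit rather than taken from the thread: Python is itself a memory-safe language, yet a query built by string splicing is injectable, while the same lookup with a bound parameter is not. The `users` table, its three rows and the function names `lookup_role_unsafe` / `lookup_role_safe` / `compare` are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny users table for the demonstration.
SAMPLE_USERS = [
    ("alice", "editor"),
    ("bob", "viewer"),
    ("carol", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Logic bug: the caller's string becomes part of the SQL text itself.

    No memory is corrupted anywhere; the flaw is entirely in how the query is
    assembled, which is why a memory-safe language does nothing to prevent it.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same intent, but the value travels as a bound parameter.

    The database engine receives the SQL and the value separately, so the
    value can never change the structure of the statement.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on a fresh database and report what each returned."""
    conn = make_db()
    try:
        try:
            unsafe = lookup_role_unsafe(conn, name)
        except sqlite3.OperationalError:
            # An ordinary apostrophe in benign input already breaks the
            # spliced SQL; the parameterised version is unaffected.
            unsafe = "error"
        safe = lookup_role_safe(conn, name)
    finally:
        conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for candidate in ("alice", "O'Neil", "x' OR '1'='1"):
        print(repr(candidate), "->", compare(candidate))
```

For the name `alice` both functions return the single matching row. For a benign name containing an apostrophe the spliced query is a syntax error, while the parameterised one simply finds nothing. For a value that closes the quote and appends a tautology, the spliced query returns every row in the table and the parameterised query still returns none: the mitigation is structural (keep data and code separate), not a property of the language's memory model.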
 


The world does not revolve around memory corruption bugs.
 

