Hi all. I figured I would discuss one of the “hats” that I wear at work.
As products and solutions are developed and slated for release, they must undergo an integrity test. This is what my team does. We receive the program(s), reverse engineer them, run our tools against them, and attempt to bypass their defense mechanisms and exploit the program’s functionality. This is called exploit development, and it is the “red-team” form of reverse engineering.
What
You may be familiar with the term “exploit”. It’s where Metasploit gets its name from, duh. If you’ve ever used Metasploit or have read any of my posts that utilize it, you should know what they are. Exploits are bugs or errors in software that can be capitalized upon for malicious and nefarious purposes, which include privilege escalation, denial of service (DoS), and/or information extraction.
Consider most on-chain cryptocurrency hacks. They occur due to bugs or exploitable functionality within the blockchain or network code. Some examples: [1], [2], [3]. Hackers are pulling in millions of dollars with these exploits.
Exploit development is the act of discovering and leveraging these exploits. You could be a good guy (white/grey hat bug bounty hunter) or a bad guy (black hat H@CK3R) discovering these exploits.
Why
Clearly, nobody wants to be on the receiving end of a hack. It would be pretty bad PR if Solana’s network goes down due to an exploit… again. Therefore, several companies hire a dedicated team to attempt to exploit their software and programs. Think of it like a penetration test but for software. Companies can outsource their integrity tests by hiring contractors and/or by utilizing what are called bug bounties. Bug bounties are rewards for discovering bugs within software provided by a company or group. The price usually increases with severity, reaching up to $10,000 for critical bugs like Remote Code Execution (RCE). HackerOne is one of the more popular places to find software that has a bug bounty program.
You should note that not every program you download is so willing to let you try and exploit it. You know that terms of service thing you never read? Sometimes it can state that reverse engineering the program is prohibited. A lot of videogames prohibit this as a method to thwart cheat development. Although, this prohibition may not fly under some European countries’ laws (like Germany).
How
The thing about these bugs is that you have to find them. How do you find them? You reverse engineer the program, dummy. Odds are, you aren’t going to find code that an intern wrote where he meant to put an && but instead put ||. However, you could find some network code that could be fiddled with before it gets sent out to the server.
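To make the “meant && but put ||” slip concrete, here is an added example (not code from the original post): a constructed length check on an incoming message, the intended version beside the buggy one, and a differential check over boundary values of the kind an integrity test would run. MAX_PAYLOAD and the message format are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for the constructed message format. */
#define MAX_PAYLOAD 64

/* Intended validation: accept only 1..MAX_PAYLOAD payload bytes. */
bool length_ok_intended(uint16_t len) {
    return len > 0 && len <= MAX_PAYLOAD;
}

/* Same check with && typed as ||. Now every len passes: 0 satisfies
 * len <= MAX_PAYLOAD, and anything above MAX_PAYLOAD satisfies len > 0,
 * so a later fixed-size copy would trust an oversized length. */
bool length_ok_buggy(uint16_t len) {
    return len > 0 || len <= MAX_PAYLOAD;
}

/* Differential check over boundary values: count the inputs where the
 * two predicates disagree. A non-zero count is the finding to report. */
int count_divergent_lengths(void) {
    const uint16_t probes[] = {0, 1, MAX_PAYLOAD, MAX_PAYLOAD + 1, 0xFFFF};
    int divergent = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool intended = length_ok_intended(probes[i]);
        bool buggy = length_ok_buggy(probes[i]);
        if (intended != buggy) {
            printf("len=%u intended=%d buggy=%d\n",
                   (unsigned)probes[i], intended, buggy);
            divergent++;
        }
    }
    return divergent;
}

int main(void) {
    printf("%d divergent inputs\n", count_divergent_lengths());  /* 3 */
    return 0;
}
```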
Maybe you want to change a few structures before a function is executed. For this you would want to use the knowledge from my Function Hooking Series.
Let’s say you find an exploit or some code that can be exploited. You need to have the knowledge to leverage that exploit. If you don’t know how to use an exploit, then your exploit is useless.
The thing about exploit development is that if you’re good enough to discover one that hasn’t been discovered before, then congratulations, you have discovered your own zero-day. Be proud of yourself. You could either use that zero-day for malicious purposes or tell the software developers about it and hopefully get some dosh for your troubles.
A couple of things you’ll run into if you decide to go into exploit development:
Anti-tamper solutions
I haven’t gone over these yet in the RTMA series, but these are quite the doozy to get around.
Detection
Bouncing off of anti-tamper, some software can defend itself. RTMA Part 6 lists a few of these techniques, but those are little baby defense techniques compared to the modern methods seen nowadays. Some software will encrypt itself (seriously!), or you can be prohibited from using the software (get your license revoked or account banned).
Staying up to date
New exploits are found every day, and there can be overlap between an exploit in one software solution and another. Remember Log4j? Any Java program that used that logging library was at risk due to that one, singular exploit.
Career
Becoming a vulnerability researcher/developer wasn’t exactly in my roadmap, but I enjoy doing it as a part of my job. Right out of college/entry level is ~$70,000-80,000/yr depending on where you live. More experience = more money. Don’t forget that you can do bug bounties on the side for extra $$$.
This is also a red-team career, assuming you only want to do exploit dev. Red-teaming has a more competitive market compared to blue-teaming.
A few certifications you can look into, from basic to expert (I cannot vouch for any of these):
If you want to pursue exploit development as a career, more power to you. I hope some of my posts help and inspire you along your path.
Relatively short post for the holidays. Thanks for reading and have a very Merry Christmas and Happy New Year! 🎅🍪🥛❄️☃️
Go!
-BowTiedCrawfish