DaemonBlood
  1. Actually that looks perfect, thanks Sprouty.
  2. Hey, I'm interested in creating exploits from scratch as a bit of a hobby. I'm a software developer and I do a bit of testing and production debugging on a daily basis, so this involves taking memory dumps and slogging through them, etc. I've always been interested in computer security, so this seems like a natural fit for me. I'd also like to eventually get a job production debugging and need to work on my unmanaged code debugging (all the stuff thus far has been .NET).

     I'm looking for some general information on how to approach the creation of an exploit. I suppose I could write a program with a known bug in it myself and test that, but for the sake of argument let's say I wanted to test QuickTime. So far what I've done is create a fuzzer that randomly flips bits in an H.264 video. My next step is to create a tool to script QuickTime to connect over and over to this service. I may also do the same on the iPhone. What I'd then like to do is record memory snapshots whenever QuickTime crashes, and work backwards from this snapshot in order to try and inject a payload. I was thinking about researching pageheap.exe and using it to ensure it crashes right at the point of failure. I was also thinking about using ADPlus to capture the actual crash. Then I'd go through the dump with WinDbg. I'd then be looking at areas of the heap where my crash could be exploitable and try to 'spray' those areas with malicious code. Of course, never having actually done this before, I'm sure it's a lot harder than it sounds.

     Can any of you guys give me some advice on what tools to research, or some tutorials where people have created exploits? Has anyone here done something similar? Did you follow the same basic process (fuzzing, analyzing dumps, spraying heap)? Thanks for any info.