Re: VisualExploit.py

[Isaac Dawson <isaac.dawson () gmail com>]

*groan*, oh come on Dave making it a little tooooooo easy aren't you?
I just invision a four year old with one of those toys where you have
to put the square in the square hole, the sphere in the circle hole,
and the polygon in the polygon hole. I dunno personally if I wanted to
learn about exploitation I would really learn it! Just my thoughts,
but on the other hand it is such a friggen cool idea I can see why
you'd want to make it. (That and it will take a lot of the beginner
pain away). Although I'm some what disgusted with the idea, I'm also
very intrigued. Guess I'll wait and see :).
-Isaac


On Fri, 25 Feb 2005 17:26:42 -0500, Dave Aitel <dave () immunitysec com> wrote:
> So one of the things I'm working on now will probably disgust many of
> you. But I wanted to share it anyways, cause I think it's neat. Lately
> I've been doing a lot of beginner exploit classes. These classes have
> been going well, overall, but since I do it so often, I've been working
> on an otherwise insane idea: A 4th Generation Language for exploit
> creation. This is more properly called a "Visual Language", not to be
> confused with Visual Studio.
>
> Here's a good description of the general catagory.
> http://www.hypernews.org/~liberte/computing/visual.html
>
> Basically, instead of writing in Python, you'll use a Dia-like interface
> to connect blocks of things together and drag other blocks over those
> blocks to create string generators, etc. This will then end up compiling
> down to a Python CANVAS module. I'm putting some nice wizards in to
> guide people through the process of writing exploits as well.
>
> There are a few benefits:
> o Beginners don't need to learn Python while they also learn assembly
> and exploitation and ollydbg all at once - and maybe even old hands will
> play with it for fun or because it's faster for small projects
> o Wizards can enforce good coding practices for exploits - even good
> Python programmers sometimes use str+=str2, which is bad exploit coding
> practice since it changes string size. (Hi Rich)
> o You don't have to learn the CANVAS API to write CANVAS exploits, you
> just have to drag the boxes over the other boxes
> o Visual programming is ideal for plugging into automated exploit
> generation frameworks (click "find the bad bytes" and PDB goes and does
> this)
> o Visual programming is more natural for many aspects of exploit string
> creation - for example, putting jumps into your string is easier if you
> can just drag the arrow to where you want the destination of the jump,
> rather than having to do calculations.Keep in mind that having MOSDEF
> under the covers means you can automatically compensate for bad bytes,
> and do other neat tricks.
>
> But the basic idea is that yes: You'll be able to write a fully
> functioning exploit without any code or programming experience at all.
>
> I'm hoping to demo this at CanSec, but it may not be done by then.
> Either way, I'm interested in everyone's perspectives on it. If there's
> a pyGTK/pyGame guru who wants to remove my pain in exchange for some
> reasonable amount of cash, then that's welcome too. :>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave