-----BEGIN PGP SIGNED MESSAGE-----

> On analysis of the code of the Slammer worm it is apparent that my code was
> used as its template.
>
> It uses the same addresses as my code in terms of the import address entries
> for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same
> address in the .data section of sqlsort.dll and uses the same address with
> which to overwrite the saved return address on the stack. Further the worm
> code uses the same short jump and has 8 NOPs in the same place as my code.
> That's where the similarity ends, though. My code spawns a remote shell -
> the worm contains none of this.
>
> It also becomes apparent that whoever authored the worm knew how to write
> buffer overflow exploits and would have been capable of doing this without
> using my shellcode as a template. Having access to my code probably saved
> them around 20 or so minutes - but they still would have been able to do it
> without mine.

[snip]

> Now with that said, and in the light that someone has taken my code and put
> portions of it to nefarious purposes, I have to question the benefit of
> publishing sample code. How much "good" was achieved by publishing the code

Given that you've just pointed out that your sample code probably only 'saved
them around 20 or so minutes' then there's no real need for public
breast-beating around this - as you've pointed out, your sample code was by and
large irrelevant.

> But then what about the future? We often forget that our actions online can
> have very real consequences in real life - the next big worm could take out
> enough critical machines that people are killed. A massive failure of the
> emergency services computers such as 911/999 could result in someone's
> death - and I don't want to feel that I've contributed to that.
Don't worry David, I'm sure your shellcode isn't about to endanger life as we
know it - worm authors who can't be bothered to spend the 20 minutes will just
go to the next hit on google for windows shellcode :)

> With this in mind I am questioning the benefits of publishing proof of
> concept code. I am due to present a paper on the remotely exploitable buffer
> overrun in the Microsoft Locator service at Blackhat this February but
> should I then also publish the code used to demonstrate the problem? Should
> I even be discussing the problem in a public arena?

No - because then our exploits will work longer in the wild and we can break
into more boxes. Long live closed-source commercial operating systems and
security through obscurity.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl4EARECAB4FAj45QgQXHGF1dG82ODE4MkBodXNobWFpbC5jb20ACgkQBZyBylmlHvnE
VQCfZydqWug0HixRyCdP55sdv/+K5toAoKSqUVg9XQ4bLGu8CVm5B/WvdFjr
=uCPN
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:56:54 PST