foobat_private wrote: > > But security companies dont need some 0day script to exploit a > vulnerability, they just need to know about the vulnerabilities. From reading the pen-test mailing list I've got the impression that many penetration testers have their own collection of proprietary exploit code. Either because there's no public exploit code for a vulnerability at all or because the code available isn't sophisticated enough / only works under certain conditions (e.g. it's for Linux when you need it for BSD). They need the exploits because they want to penetrate into the LAN of their clients and look for other vulnerable systems. Imagine a company which does nothing but coding exploits. Their exploits will all have the same structure, will be scriptable and you can get them in different flavors (e.g. one that phones home, one that uses a http tunnel,...). Say it takes them 24 hours after the bug is made public till they can provide perfect exploit code. Why should any pen-testing company employ someone for exploit coding if it's cheaper to just buy the finished exploit code? The entire process is inherent to capitalism. People specialize in what they can do best and sell it. As long as someone is willing to pay for it there'll be someone selling it. just my 2 cents Markus
This archive was generated by hypermail 2b30 : Sun Oct 21 2001 - 16:50:36 PDT