Maybe I'm just living too closely to this world but, Dave you already answered your own question. Why slave over nOP sleds and guessing at just the right memory addresses and hoping a system doesn't crash when you can walk right in through the web app and take what you want, or worse, implant yourself
I think organizations have "figured out" how to lock down ports after nearly three decades of security people preaching, and since there are much easier ways in...well hell why bother? So in the end I believe the answer is a mixture of risk/reward shift from attacking services and towards readily open applications, and some combination of "black hats keeping their cool 0day secret", too many script kids, and apathy. Raf / Wh1t3Rabbit On Jun 14, 2011, at 7:57 PM, "Anton Chuvakin" <[email protected]> wrote: >> And you find yourself asking: Now how can that possibly be the case? > > Anybody want to bet whether the bugs died OR the disclosure? :-) > > -- > Dr. Anton Chuvakin > Blog: http://www.securitywarrior.org > _______________________________________________ > Dailydave mailing list > [email protected] > https://lists.immunityinc.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
