Lessons from the cyber underworld: How to understand software vulnerabilities and exploits like a professional hacker with OWASP ZSC Tool
One of the most challenging aspects of understanding software vulnerabilities is comprehending exactly how software gets exploited, a skill any hacker who wants to uncover vulnerabilities in software applications needs. It is a must-have ability for security researchers and malware analysts.
Debuggers and shellcode are part of this vocabulary; assembly language, CPU registers, memory addresses and opcodes are on the to-do learning list. It is easy to be overwhelmed by the amount of information needed to absorb this subject. In addition, the inexperienced will need to dedicate plenty of their (free) time to studying the matter if they wish to master the dark skills of exploitation.
There are some amazing courses offered by prestigious organizations in this field. None of these trainings are simple or cheap. If you choose to take them, accept that you won't learn to write complex shellcode in a week, nor be able to uncover a security vulnerability in the newest OS X within days of finishing the training. Patience, consistency and dedication are essential parts of the continuous learning process.
While a lot of information about exploits can be found online, and exploit frameworks are available to newbies and security jedis alike, most of it consists of brief explanations of how to execute an exploit. This is in sharp contrast to fully understanding how custom shellcode is created, which is an essential skill for understanding exploits.
For this purpose, OWASP ZSC is a tool for those who want to comprehend exactly how shellcode is created and how it works. The OWASP ZSC tool, written by the OWASP ZSC team, is a Python tool developed with the sole purpose of shellcode generation and script obfuscation. This team of volunteers has authored some of the exploits available through Offensive Security's Exploit DB website.
The OWASP ZSC encoders can generate shellcode with random encodings, allowing you to obtain thousands of new, dynamic shellcodes that do the same job in seconds. In other words, you will not get the same code twice if you use random encoding with the same command, and that is what makes OWASP ZSC stand out.
The project is under active development, and the goal is to offer newbies and professional security researchers alike an alternative for creating shellcode that can be tested with stealth in mind. Soon we will be adding some learning chapters and examples to the documentation to help security practitioners understand much better how shellcode works and the big role it plays in software vulnerability research and exploitation. Furthermore, we want to extend its capabilities by adding modules for simple obfuscation techniques for learning purposes, and integration with other OWASP tools.
More About OWASP ZSC
Thanks to Johanna Curiel for the PR.
Web developer: just what I was looking for. Really need to get into this!
Cyber Security Specialist: Impressive, thanks Ali