Some of them start by reverse engineering the target application. Some just go and try the easy ways, one of which is to go and surf the Web!
You may say, "What?? Surfing the Web for a zero-day?"
Well, the idea is this: the attacker knows that when developers have a problem, they post it on forums, asking for help.
Some of them complain that the browser crashes when they do this or that. Another case will be "kids" who post code on how to "crash" something. Most of those kids or developers don't realize that the problem they have may be a security issue.
But, guess what. The attacker knows, and he loves it!
Let's see an example of how an attacker took a forum posting and made a working exploit.
A forum member by the name of "Caveman" posted this code on a gaming forum. He claimed that he succeeded in "crashing" someone's computer with the posted script.
Can you see it?
Yep, the attacker sprayed the browser heap with his shellcode, and used the width="9999999" height="9999999" vulnerability that he may saw on the gaming forum to trigger a heap corruption in the browser, trying to redirect execution to the shellcode and to *own* the machine.
Not just to "crash" it!
In our case, I wondered what the shellcode did. So, I wrote a quick C program with the shellcode.
When the payload executed, I noticed that my system was listening to port 28876.
So, now I wondered, what is it listening to? So, I telnet to that port, and, bingo! I got a shell to my system!
Security Researcher: Moti Joseph