This class will primarily focus on Win32 exploit development, but there will be basic exercises on 64-bit Windows, x86 Linux, and ARM platforms. Students will gain hands-on experience finding vulnerabilities, writing working exploits from scratch, and porting public exploit code to meet their needs. We will start with the basics of stack-based buffer overflows and study saved return pointer and structured exception handler (SEH) overwrites in depth. We will look at methods for dealing with space constraints such as egghunting and relative jumps, and at character set limitations such as Unicode conversions and alphanumeric shellcode. We will also look at writing shellcode by hand in assembly. Then we will move on to bypassing more advanced anti-exploitation measures such as stack cookies, ASLR, and DEP. In addition to writing exploits from scratch, we will look at public exploit code and porting it to fit our environment's needs. We will also look at writing Metasploit modules and porting our exploits into Metasploit.
The course is built around hands-on labs that exploit real vulnerable programs. It is structured so that we work through an exercise covering a new concept together, followed by a similar exercise that students complete independently. No previous programming or exploitation experience is required. Exploit skeletons will be provided for each exercise, allowing students to focus on the attack string rather than programming syntax. Students will become familiar with the tools of the trade such as Immunity Debugger, Mona.py, WinDbg, and gdb.
Outline:
• Memory theory/stack based buffer overflow basics/assembly basics
• Saved return pointer overwrites
• SEH overwrites
• Fuzzing
• Writing Metasploit Modules
• Stack cookies
• Shellcoding
• Size limitations (relative jumps, egghunters, etc.)
• Character set limitations and corruption (custom encoding, venetian shellcode, etc.)
• Backdooring executables
• ASLR
• DEP
Who should attend:
• Bug hunters and aspiring bug hunters interested in expanding their skills in memory corruption
• Red teamers, pentesters, auditors, etc. who want to be able to use their own exploits or make adjustments when an out-of-the-box exploit isn't working
• Anyone with a passion for learning and an interest in exploit development
Prerequisites:
• Familiarity with using Windows and the Linux command line
• No prior programming/scripting experience is required, but basic Python knowledge is helpful
• No assembly programming background is required, but knowledge of basic ASM instructions is helpful
Students should bring:
• A laptop with enough RAM and CPU power to run 2 virtual machines at once.
• A VMware product (Fusion, Player, Workstation). Trial versions are fine. The handout virtual machines have not been built for VirtualBox or other platforms.
• Kali Linux virtual machine from kali.org
• At least 15 GB of free hard drive space for the virtual machine handouts
• Windows XP SP3 (unpatched) and Windows 7 SP1 (patched) virtual machines in VMware. Tools and exploitable software will be provided in class. Trial versions of Windows are fine as long as they do not expire during the course.
• Linux and ARM virtual machines will be provided.
Students will receive:
• Target virtual machines with vulnerable software
• Slides
• Lab guide
• Exploit skeletons
• Additional exercises for after class practice
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security, as well as CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world including Shmoocon, Blackhat, Hack in the Box, and Derbycon. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia recently founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.