Hands-On Exploit Development (Intro)

Georgia Weidman (Bulb Security LLC) | July 30-31



Overview

This class tackles the basics of how memory corruption vulnerabilities work and helps you get familiar with the tools of the trade, such as gdb, Immunity Debugger, WinDBG, and Mona.py. Using real vulnerable programs in a contained lab environment, this hands-on class will get you up to speed on the basics in preparation for further study in this exciting realm.

We begin with basic memory corruption exploits and progress through different techniques, mitigation bypasses, and limitations. Students will become familiar with memory corruption vulnerabilities such as saved return pointer overwrite, integer overflow, and format string vulnerability. Students will learn the basics of fuzzing to find new vulnerabilities as well as porting public exploits to meet their needs and turning an exploit they write into a Metasploit module.

Rather than rushing through the basic material to get to advanced techniques, this course makes sure students are well versed in dealing with limited memory space, limited character sets, and other issues they will run into as they continue with exploit development.

Who Should Take this Course

Anyone with an interest in exploit development

Student Requirements

  • No previous exploit development experience is required.
  • Basic Linux command line knowledge is helpful.
  • No assembly language or scripting/programming experience is required, but any previous experience in these fields will help.

What Students Should Bring

  • Computer capable of running 2 virtual machines at once (running Kali Linux and Windows 7 VM at once comfortably is a good baseline)
  • Kali Linux Virtual Machine
  • At least 40 gigs of free space for virtual machine handouts

What Students Will Be Provided With

  • Virtual machines with vulnerable programs and tools
  • Additional exercises
  • Exploit Skeletons
  • Lab manual
  • Slides

Trainers

Shevirah founder and CEO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television as well as at conferences around the world. She has provided training at conferences such as Blackhat USA, Brucon, and Security Bsides. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women's Society of CyberJutsu Pentest Ninja award.