SEC710: Advanced Exploit Development
SANS SEC710 is an advanced two-day course on exploit development. Students attending this course should know their way around a debugger and have prior experience exploiting basic stack overflows on both Windows and Linux. Terms such as "jmp esp" and "pop/pop/ret" should be nothing new to you. We will move beyond these attack techniques to explore more advanced topics on heap exploitation, format string attacks, and Microsoft patch reversal and exploitation. We will be taking a real Microsoft security patch, reversing it to model the discovery of an undisclosed vulnerability, and developing a client-side exploit that defeats controls such as Address Space Layout Randomization (ASLR).
Attendees can apply the skills developed in this class to create and customize exploits for penetration tests of homegrown software applications and newly discovered flaws in widespread commercial software. Understanding the process of exploit development can help enterprises analyze their actual business risks better than the ambiguous hypotheticals we often contend with in most traditional vulnerability assessments.
SEC710.1: Day One
Sun Dec 2nd, 2012
9:00 AM - 7:00 PM
Web begin by jumping head first into Linux heap exploitation. Exploiting the heap is often complex and requires the exploit author to think outside the box through abstract concepts. Abusing various heap constructs and identifying function pointers will take up this portion of the day. The day continues with understanding format strings and their purpose. We then progress into discovering format string vulnerabilities and what types of attacks can be performed. This is followed by various format string exercises with the goal of leaking memory and taking control of a process. We then dive into a real-world stack smashing exercise, which requires you to compensate for ASLR and stack canaries in order to write a working exploit.
The evening bootcamp during day one will offer an opportunity to perform additional exploitation exercises to help solidify content learned throughout the day. The bootcamp exercise may change from time-to-time; however, the main focus will be on additional heap exploitation exercises to help those attending have a better understanding of the abstract nature of the heap and the techniques used to perform successful exploitation.
CPE/CMU Credits: 8
- Abusing the unlink() macro on the Linux OS
- Overwriting C and C++ function pointers
- Identifying format string vulnerabilities
- Leaking memory and taking control of a process via a format string exploit
- Advanced Stack Smashing
- Heap Overflows on the Linux OS
SEC710.2: Day Two
Mon Dec 3rd, 2012
9:00 AM - 5:00 PM
We go into Microsoft patch reversal and client-side exploitation on day two. It is well known that attackers download Microsoft patches as soon as they are available on "Patch Tuesday" of each month. Other vendors experience the same problem. The attacker's goal is to reverse engineer the patches to locate the code changes, making it possible to quickly identify the vulnerability. Exploit code is often generated within days, or even hours, after discovery. We will walk through the techniques used to perform reversing and binary diffing against security patches. Once the vulnerability is located, you will walk through debugging and exploit generation of a client-side attack through the use of heap spraying. A secondary technique is also provided in performing a partial return pointer overwrite to defeat the use of ASLR on Windows Vista and 7.
CPE/CMU Credits: 6
You will use VMware to run multiple operating systems when performing class exercises. Linux VMs with all the necessary tools will be provided on a DVD on the first day. You must bring your own Virtual Machine image of Windows XP SP2 and Windows Vista SP0. These images should be base installs with no patches applied. Relative patches will be provided in class. Do not bring Windows XP SP3 as patch reversing exercises will not work properly. If you are unable to locate a copy of Windows Vista SP0, Windows XP SP2 can be used, although you will not be performing some of the more advanced techniques to bypass modern OS controls.
It is advantageous to bring a licensed copy of IDA Pro 5.4 or later. A trial version will be provided in class; however, this version is highly limited and does not work with some plug-ins, nor can you save your work. If you would like to purchase a copy of IDA Pro Standard with a 20% discount prior to, or after class, please contact me at email@example.com for instructions. Named licenses are $539, minus a 20% discount. Tools needed for Windows will be issued in class. Ensure that you have the administrative ability to disable all security software and protection, including antivirus and personal firewalls.
You must have VMware Workstation installed on your system prior to class beginning. You need to use at least VMware Workstation Version 6 to support the VMs that will be distributed in class. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. You may also use VMware Player, but you will only be able to run one VM at a time and cannot take snapshots. If you choose to use VMware player, you must use at least version 2.5.1.
Mandatory Laptop Hardware Requirements:
- PIII 1Ghz CPU Minimum / M Series 1.5 GHz or higher is recommended
- DVD/CD Combo Drive
- 1 Gigabyte of RAM minimum, 2 Gigabyte or more is highly recommended
- 40 Gigabyte Hard Drive minimum (HARD DRIVE SIZE IS CRITICAL)
- 30 Gigabytes of Free Space on your Hard Drive
- Download and install WINZIP 11 or higher on your Windows Machine
- Verify that your processor architecture supports your VMware version. Do not wait until the day of class
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
- Network and Systems Penetration Testers - SEC710 gives penetration testers the training needed to perform advanced exploit development against known or unknown applications and services. It gives students the expertise to perform complex attacks and develop their own exploits for existing and new frameworks.
- Application Developers - SEC710 teaches developers the ramifications of poor coding. Often, a developer or code reviewer is required to clearly demonstrate the threat and impact of a coding error. SEC710 provides developers with the knowledge to create proof of concept exploit code for complex vulnerabilities and document their findings.
- Incident Handlers - SEC710 gives incident handlers the knowledge needed to understand advanced threats. Performing patch reversal and exploit development can help to determine the impact of vulnerability. The ability to understand advanced attack techniques and analyze exploit code can help a handler identify, detect, and respond to an incident.
- IDS Engineers - SEC710 teaches IDS professionals how to analyze exploit code and identify weaknesses, as well as reverse patches to determine an undisclosed vulnerability. This knowledge can be used to write better IDS signatures and understand the impact of an alert.
This is a fast-paced, advanced course that requires a strong desire to learn more advanced exploit development techniques. The SANS course SEC660 Advanced Penetration Testing, Exploits and Ethical Hacking is highly recommended prior to taking this course. Experience with programming in any language is required. The basics of programming will not be covered in this course. You should be well versed with basic exploitation techniques such as stack overflows on Linux and Windows, using trampolines, and disassembling programs. Familiarity with Linux and Windows is mandatory.
Please contact the author at email@example.com if you have any questions or concerns around pre-requisites. If you are considering the course without first taking SEC660, please check with the author first to determine if this class is right for you.
As a perpetual student of information security, I am excited to offer this course on advanced exploit development. This course complements SEC660 Advanced Penetration Testing, Exploits and Ethical Hacking. The goal of the course is to take students wishing to get into more advanced exploit discovery and writing to the next level. It is a fast-paced two days with the expectation that students are well-versed in stack-based bug discovery and exploitation, as well as the ability to disassemble C code and utilize debuggers. Heap exploitation and patch reversal are hot topics in today's client-side exploits and common attack techniques. This is a fun course for those who are ready! Contact me at firstname.lastname@example.org if you have any questions about the course.