SEC710: Advanced Exploit Development
SANS SEC710 is an advanced two-day course on exploit development. Students attending this course should know their way around a debugger and have prior experience exploiting basic stack overflows on both Windows and Linux. Terms such as "jmp esp" and "pop/pop/ret" should be nothing new to you. We will move beyond these attack techniques to explore more advanced topics on heap exploitation, format string attacks, and Microsoft patch reversal and exploitation. We will be taking a real Microsoft security patch, reversing it to model the discovery of an undisclosed vulnerability, and developing a client-side exploit that defeats controls such as Address Space Layout Randomization (ASLR).
Attendees can apply the skills developed in this class to create and customize exploits for penetration tests of homegrown software applications and newly discovered flaws in widespread commercial software. Understanding the process of exploit development can help enterprises analyze their actual business risks better than the ambiguous hypotheticals we often contend with in most traditional vulnerability assessments.
SEC710.1: Day One (Instructor: James Shewmaker)
Sun Dec 2nd, 2012
9:00 AM - 7:00 PM
We begin by jumping head first into Linux heap exploitation. Exploiting the heap is often complex and requires the exploit author to think outside the box through abstract concepts. Abusing various heap constructs and identifying function pointers will take up this portion of the day. The day continues with understanding format strings and their purpose. We then progress into discovering format string vulnerabilities and the types of attacks that can be performed. This is followed by various format string exercises with the goal of leaking memory and taking control of a process. We then dive into a real-world stack smashing exercise, which requires you to compensate for ASLR and stack canaries in order to write a working exploit.
The evening bootcamp during day one will offer an opportunity to perform additional exploitation exercises to help solidify content learned throughout the day. The bootcamp exercise may change from time to time; however, the main focus will be on additional heap exploitation exercises to help those attending gain a better understanding of the abstract nature of the heap and the techniques used to perform successful exploitation.
CPE/CMU Credits: 8
SEC710.2: Day Two (Instructor: James Shewmaker)
Mon Dec 3rd, 2012
9:00 AM - 5:00 PM
We go into Microsoft patch reversal and client-side exploitation on day two. It is well known that attackers download Microsoft patches as soon as they are available on "Patch Tuesday" of each month. Other vendors experience the same problem. The attacker's goal is to reverse engineer the patches to locate the code changes, making it possible to quickly identify the vulnerability. Exploit code is often generated within days, or even hours, after discovery. We will walk through the techniques used to perform reversing and binary diffing against security patches. Once the vulnerability is located, you will walk through debugging and exploit generation of a client-side attack through the use of heap spraying. A secondary technique, a partial return pointer overwrite, is also covered as a way to defeat the use of ASLR on Windows Vista and 7.
CPE/CMU Credits: 6
You will use VMware to run multiple operating systems when performing class exercises. Linux VMs with all the necessary tools will be provided on a DVD on the first day. You must bring your own virtual machine image of Windows XP SP2 and Windows Vista SP0. These images should be base installs with no patches applied. The relevant patches will be provided in class. Do not bring Windows XP SP3, as the patch reversing exercises will not work properly. If you are unable to locate a copy of Windows Vista SP0, Windows XP SP2 can be used, although you will not be performing some of the more advanced techniques to bypass modern OS controls.
It is advantageous to bring a licensed copy of IDA Pro 5.4 or later. A trial version will be provided in class; however, this version is highly limited, does not work with some plug-ins, and cannot save your work. If you would like to purchase a copy of IDA Pro Standard with a 20% discount prior to or after class, please contact me at email@example.com for instructions. Named licenses are $539, minus a 20% discount. Tools needed for Windows will be issued in class. Ensure that you have the administrative ability to disable all security software and protection, including antivirus and personal firewalls.
You must have VMware Workstation installed on your system prior to the start of class. You need at least VMware Workstation version 6 to support the VMs that will be distributed in class. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. You may also use VMware Player, but you will only be able to run one VM at a time and cannot take snapshots. If you choose to use VMware Player, you must use at least version 2.5.1.
Mandatory Laptop Hardware Requirements:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
This is a fast-paced, advanced course that requires a strong desire to learn more advanced exploit development techniques. The SANS course SEC660 Advanced Penetration Testing, Exploits and Ethical Hacking is highly recommended prior to taking this course. Experience with programming in any language is required. The basics of programming will not be covered in this course. You should be well versed with basic exploitation techniques such as stack overflows on Linux and Windows, using trampolines, and disassembling programs. Familiarity with Linux and Windows is mandatory.
Please contact the author at email@example.com if you have any questions or concerns about prerequisites. If you are considering the course without first taking SEC660, please check with the author first to determine whether this class is right for you.