Corelan Live – Win32 Exploit Development

The Corelan Live Bootcamp is a truly unique opportunity to learn both basic and advanced techniques from an experienced exploit developer. During this 3-day course, students will learn all the ins and outs of writing reliable exploits for the Win32 platform. The trainer will share his “notes from the field” and various tips & tricks for becoming more effective at writing exploits.

We believe it is important to explain the basics of buffer overflows and exploit writing, but this is not “your average” entry level course. In fact, this is one of the finest and most advanced courses you will find on Win32 stack based exploit development.

This hardcore hands-on course will give students a solid understanding of current Win32 (stack based) exploitation techniques and memory protection bypass techniques. We keep the course material updated with current techniques; it includes previously undocumented tricks and techniques, and details about research we performed ourselves. Combined with the way the course is built up, this turns these 3 days into a truly unique experience.

During the course, we not only share techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work.

Finally, we offer post-training support as well. If you have taken the course and still have questions, we will help.

Why take this course

  • Are you interested in the process of turning an advisory into a working exploit?
  • Do you want to figure out if a given security patch/hotfix should be applied immediately or not?
  • Do you want to learn how to read and understand existing exploits?
  • Have you ever found yourself in a position where you had to change an existing exploit but failed to make it work?
  • Do you want to write reliable exploits and integrate them into Metasploit?
  • Do you want to know how shellcode works?
  • Do you have basic knowledge of Win32 exploit development already, but want to learn more about some of the more advanced topics listed below (see course overview)?
  • Did you read the Corelan exploit development tutorials, but still want to take the classes to fully understand and master the concepts?
  • Do you have other reasons to learn how to write exploits for the Win32 platform?
  • Are you willing to suffer and bleed a bit, learn fast, and not be intimidated by debuggers and assembly instructions…
  • …then this course is what you need!

Target audience

Pentesters, auditors, network/system administrators, developers, people part of a security department, security enthusiasts, or anyone interested in exploit development.

If you have a strong desire to learn and are willing to suffer & bleed, then check out the schedules & register for one of the classes. If you are interested in organizing the course at a conference or as a private course at your company, send me an e-mail (peter[dot]ve{at}corelan[dot]be).

Course overview

Module 1 – The x86 environment

  • System Architecture
  • Windows Memory Management
  • Registers
  • Basic Assembly
  • The stack

Module 2 – The exploit developer environment

  • Setting up the exploit developer lab
  • Using debuggers and debugger plugins to gather primitives

Module 3 – Saved Return Pointer Overwrite

  • Functions
  • Saved return pointer overwrites
  • Stack cookies

Module 4 – Abusing Structured Exception Handlers

  • Abusing exception handler overwrites
  • Bypassing Safeseh

Module 5 – Pointer smashing

  • Function pointers
  • Data/object pointers
  • Vtable/virtual functions

Module 6 – Off-by-one and integer overflows

  • Off-by-one
  • Integer overflows

Module 7 – Limited buffers

  • Limited buffers, shellcode splitting

Module 8 – Reliability++ & reusability++

  • Finding and avoiding bad characters
  • Creative ways to deal with character set limitations

Module 9 – Fun with Unicode

  • Exploiting Unicode based overflows
  • Writing venetian alignment code
  • Creating and Using venetian shellcode

Module 10 – Heap Spraying Fundamentals

  • Heap behaviour
  • Heap Spraying for Internet Explorer 6 and 7

Module 11 – Egg Hunters

  • Using and tweaking Egg hunters
  • Custom egghunters
  • Using Omelet egghunters
  • Egghunters in a WoW64 environment

Module 12 – Shellcoding

  • Building custom shellcode from scratch
  • Understanding existing shellcode
  • Writing portable shellcode
  • Bypassing Antivirus

Module 13 – Metasploit Exploit Modules

  • Writing exploits for the Metasploit Framework
  • Porting exploits to the Metasploit Framework

Module 14 – ASLR

  • Bypassing ASLR

Module 15 – W^X

  • Bypassing NX/DEP
  • Return Oriented Programming / Code Reuse (ROP)

Module 16 – Advanced Heap Spraying

  • Heap Feng Shui & heaplib
  • Precise heap spraying for IE8
  • Precise heap spraying in modern browsers (IE9, Firefox 9)

Module 17 – Use After Free

  • Exploiting Use-After-Free conditions

Module 18 – Windows 8

  • Windows 8 Memory Protections and Bypass

During the course, students will get the opportunity to work on real vulnerabilities in real applications and use the latest exploitation techniques that work on current Operating Systems.

Make no mistake.  Although this course will explain the basics of exploit development, students will need to be able to transition to more complex theory and exercises quickly. The course has a steep learning curve and will require your full attention and focus.

Keep in mind that this training usually requires 12 intense hours of training per day. If less time is available, we’ll have to skip a few chapters from the course (Unicode, Shellcode, …).

Prerequisites:

Students should

  • be able to read simple C code and simple scripts
  • be familiar with writing basic scripts using python/ruby/…
  • be ready to dive into a debugger and read asm for hours and hours and hours
  • be ready to think outside the box and have a strong desire to learn
  • be fluent in managing Windows / Linux operating systems and in using VMware Workstation/VirtualBox
  • be familiar with Metasploit

No prior knowledge of assembly is required, but it will certainly help if you have some basic knowledge :)

Tools/Equipment needed:

Unless specified otherwise, students are required to bring the following:

  • A laptop (no netbook) with VMware Workstation/VirtualBox and enough processing power and RAM (we recommend 4GB of RAM) to run up to 2 virtual machines at the same time. Make sure your laptop has a screen size of at least 15″. The use of a 64-bit processor and a 64-bit operating system on the laptop will make the exercises more realistic.
  • Virtual machines installed, all 32-bit, all English versions (including guest addition tools), each clean and fully patched/updated:
      • Windows XP SP3 Professional, with Internet Explorer 7 (not 8, not 9!)
      • Windows 7 or Windows Server 2008 (trial versions are fine; just make sure the OS won’t expire during the training), with IE8
      • BackTrack 5 R1 with an up-to-date version of Metasploit
  • Make sure all 3 virtual machines are configured in a VM-internal network and have full access to each other. Disable all firewalls.
  • Make sure all 3 virtual machines are based on ENGLISH versions of the Operating System.
  • Make sure you can transfer files from your host machine to all 3 Guest (virtual) machines.

If required, you can download fully operational Virtual PC VHDs of XP / Vista / Windows 7 from the Microsoft website.

All required tools and applications will be provided during the training or will be downloaded from the internet during the training.  You will also receive a detailed slide deck.

You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary.