EXPLOIT DEVELOPMENT AND FUZZING
Schedule
February 5, 2008 to February 8, 2008
Location:
Tokyo JAPAN
Course Fee:
JPY 498,850 (tax inclusive)
Max Capacity:
20 attendees
Course Style:
Exercise Driven
Language: English & Japanese
Course Instructor
Dave Aitel:
Dave is the founder and CTO of Immunity. Prior to starting Immunity Dave was a security consultant with @stake and a research scientist with the United States National Security Agency. Dave's background lies in Linux and Unix security research. His focus changed to Windows exploitation after founding Immunity, and in more recent years has expanded to include web applications and engine development for CANVAS such as MOSDEF, the engine's C compiler. Dave is the author of several books, including the popular Shellcoder's Handbook, and he has spoken on security issues at many of the world's leading security conferences. Dave has taught many private and public security training classes internationally. He continues to write CANVAS exploits and conduct security research while leading the technical team at Immunity.
COURSE AGENDA
Information Technology Security today has two aspects. While most corporations tend to stress the defensive one, only a few take up its offensive aspect, which gives them an unquestionable advantage. Being able to find flaws in programs and exploit them to take control of a target computer are core capabilities of a security professional. Immunity, Inc., a market leader in exploit solutions, will share its experience in the domain during a 4 day course. Immunity, Inc. will provide an introduction to the tools and methodologies used in the development of offensive tools and in vulnerability finding. Attendees are expected to obtain an understanding of the following:
- Terminology of offensive security
- Understanding of what is at stake
- Fundamentals of x86 assembly
- Basics of shellcoding
- Basics of debugging under Windows
- Basics of exploit creation under Windows
- Effective use of Immunity Debugger for exploit creation
- Creation of a new CANVAS module
- Effective writing of a CANVAS exploit
- Reliable exploitation of stack overflows
- Client-side exploitation issues
- Basic knowledge of heap overflows
- Advanced exploitation tricks
- New protections introduced in XP SP2 and above: DEP, SafeSEH, ASLR
- Concepts and basics of fuzzing
- Vulnerability finding through network fuzzing
- Basics of reverse engineering
- Basics of vulnerability finding through binary analysis
The attendees will test and apply all those techniques in a lab environment, effectively compromising virtual machines under the guidance of Immunity, Inc. researchers.
Who Should Attend the Class
- Security Engineers
- Security Professionals
- Network Engineers
- Military
- Law Enforcement
Prerequisites
Knowledge
Each attendee is expected to have basic knowledge of programming, preferably Python, as well as basic knowledge of networking and Information Technology Security. Basic assembly knowledge can help, but is not required.
Hardware
Each attendee will be given a laptop running a recent version of Linux or Windows. Each laptop will have VMware, or equivalent virtualization software, installed, as well as two guest OSes:
- a Windows 2000 Workstation SP4
- a Windows XP Professional or Home SP2
Course Syllabus
Day 1: Basics
Introduction: Immunity, Inc. instructors will introduce themselves as well as the company. Attendees will introduce themselves, and underline an aspect of the class they are particularly interested in.
Knowing the basics: Immunity, Inc. instructors will go over the various terms that will be used during the class as well as the concepts involved. The state of the art of exploitation will be presented, through various real-life examples. We will introduce Python briefly, and go over x86 assembly basics.
CANVAS framework: We will introduce the CANVAS framework, Immunity, Inc.'s market-leading tool for penetration testing and exploit development. We will present VisualSploit, a visual tool for exploit creation, and the CANVAS structure and functionality. We will explain how a basic CANVAS exploit is organized.
Immunity Debugger: An introduction to Windows debugging will be given using Immunity Debugger, Immunity, Inc.'s debugger aimed at exploit development. We will also cover the extended features it offers to ease exploitation.
Stack overflows: A first hands-on class will be held before the end of the first day so that attendees can practice newly acquired knowledge. Attendees will attack a specially built network service using a CANVAS module and make it crash. They will debug the target in order to achieve code execution.
Day 2: Simple Exploit Development
Advanced stack overflows: We will go over most of the problems that can appear when exploiting a stack overflow and how to overcome them. These include character filtering, shellcode corruption, access violation exceptions, exception handler overwriting, and size limitations.
Shellcoding: With attendees now having a better understanding of what is going on, the focus will move to shellcodes and payloads. We will cover the various shellcodes available in CANVAS, the tricks used on Windows platforms, and the ways they can be encoded.
Stack overflows: More practical exercises will be carried out by the attendees, this time using real-life software. Attendees are expected to apply the techniques learned the previous day and in the morning to achieve remote code execution. Some problems are expected to arise during the exercises, and interactive discussions will be held to understand how to solve them.
Day 3: Advanced Exploit Development
Heap overflows: Immunity, Inc. instructors will introduce the logic behind heap overflows and how they can be exploited on Windows platforms. Practical exercises will be carried out against a vulnerable service.
Exploit reliability: Reliability being a common issue in publicly available exploits, some time will be spent explaining how one can make an exploit work against a larger variety of targets, including different versions and localizations of Windows. The case study of MS06-040 will be analyzed to present a very specific but reliable way of writing a portable exploit.
Protection measures: Microsoft has implemented protections in the latest versions of its compilers and operating systems in order to reduce the exploitability of bugs. We will discuss mechanisms such as stack cookies, non-executable pages, safe exception handling, heap cookies and safe unlinking, and how they can be overcome. Attendees will work on a practical example of a stack overflow on a DEP-protected system and will be guided to code execution.
Day 4: Vulnerability Finding
Introduction to fuzzing: Immunity, Inc. will discuss network protocols and introduce the concept of fuzzing. The concepts presented will be extended to file formats and file fuzzing. A methodology for effective fuzzing will be presented.
Fuzzing with Spike: Immunity, Inc.'s fuzzer Spike will be presented. Attendees will download real-life shareware and use existing scripts to attack it inside virtual machines. Attendees will be encouraged to develop their own scripts in order to find new flaws.
Fuzzing with SpikeProxy: While Spike is mostly oriented towards network protocol fuzzing, SpikeProxy offers an easy way to fuzz web applications. Attendees will have the opportunity to test the fuzzer against some web content.
Binary analysis: Building on their assembly knowledge, attendees will be introduced to reverse engineering aimed at vulnerability finding. Potentially vulnerable Windows APIs and primitives will be presented, as well as scripting for Immunity Debugger to automate the analysis process. Examples of previously discovered bugs will be given.
To attend:
mail: seminar@cyberdefense.jp
phone: +81-3-5786-7330 (call Mr. SAKAI or Mr. IINUMA)