Advanced Software Exploitation
Learn how to discover and exploit software vulnerabilities.
■ Practical software vulnerability discovery.
■ Cutting-edge network protocol and file format fuzzing.
■ Binary analysis techniques and vulnerable patterns identification.
■ Advanced usage of the Grinder Framework, PyKd, and IDA Python.
■ In-depth study of modern Windows mitigation bypasses.
■ State-of-the-art techniques for exploit development.
Formerly known as the Advanced Vulnerability Discovery and Exploit Development course, the Ptrace Security’s Advanced Software Exploitation course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest techniques and tools to discover vulnerabilities and use them to develop reliable exploits for a wide range of software including complex Windows applications, interpreted languages, Web browsers, and critical Microsoft services.
In the first half of the course, attendees will use reverse engineering, source code auditing, and fuzz testing to attack a wide variety of applications (many of which are critical for a successful penetration test) and then use the latest exploitation techniques available today to develop a reliable exploit for Windows 7, Windows 8.1 and Windows 10.
In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, how to use precise heap spraying and how to bypass the Enhanced Mitigation Experience Toolkit (EMET).
By the end of this course, attendees will have a clear idea of how to find and exploit software vulnerabilities on modern Windows machines.
Welcome!
Introduction
Course Overview
How to use this course
Setting up the lab
Important Information
Before we begin...
Module Objectives
Overview
Vulnerability discovery and exploit development
Vulnerability classes and common exploitation techniques
Fundamentals Quiz
Stack buffer overflows
Anatomy of a stack buffer overflow vulnerability
Exploiting stack buffer overflows
Stack Buffer Overflows Quiz
Exercises
Structured Exception Handler (SEH) based exploits
Windows structured exception handling
Exception handling implementation
Structured Exception Handler Overwrite Vulnerabilities
Exploiting a SEH overwrite in RealPlayer
SEH Overwrites Quiz
Exercises
Module Objectives
Overview
Fuzz Testing
Types of Fuzzing
Fuzzer classification
Random based fuzzers
Mutation based fuzzers
Generation based fuzzers
Model-based fuzzers
Fuzzing Quiz
File format fuzzing
The Peach fuzzer
M3U file format
Create an M3U fuzzer
File Format Fuzzing Quiz
Exercises
Module Objectives
Overview
Network protocol analysis
Network protocol fuzzing
Fuzzing the ActFax RAW server
Fuzzing Network Protocols Quiz
Exercises
Data Execution Prevention (DEP)
Default DEP modes
Return-oriented programming (ROP)
Crafting an exploit for the ActFax RAW server
Return Oriented Programming Quiz
Exercises
Module Objectives
Overview
The Grinder fuzzing framework
Anatomy of a Firefox memory leak vulnerability
Attacking Web Browsers Quiz
Exercises
Finding and saving dangling pointers
Hacking the JavaScript Engine to create custom objects
Using a custom JavaScript object to get code execution
Bypassing ASLR and DEP
Exploiting Memory Leaks Quiz
Exercises
Module Objectives
Overview
Introduction to binary diffing
Microsoft patches
Types of patches
Download Microsoft patches
Binary diffing Microsoft patches
Discover vulnerabilities using Microsoft patch analysis
Crafting the initial proof of concept
Learning more about an unknown vulnerability using dynamic analysis
Patch Diffing Quiz
Exercises
Module Objectives
Overview
The Java architecture
Java sandbox architecture
Type confusion vulnerabilities
Finding type confusion vulnerabilities
Java Applet java.util.concurrent type confusion
Type Confusion Vulnerabilities Quiz
Exercises
The Java sandbox in action
Escaping the Java sandbox
Java Sandbox Quiz
Exercises
Enhanced Mitigation Experience Toolkit (EMET) overview
EMET mitigations
Data Execution Prevention (DEP) security mitigation
Weaknesses and limitations of the Data Execution Prevention (DEP) security mitigation
Structured Exception Handler Overwrite Protection (SEHOP) security mitigation
Weaknesses and limitations of the Structured Exception Handler Overwrite Protection (SEHOP) security mitigation
Heapspray Allocation security mitigation
Weaknesses and limitations of the Heapspray Allocation security mitigation
NULL Page security mitigation
Weaknesses and limitations of the NULL Page security mitigation
Mandatory Address Space Layout Randomization (ASLR) security mitigation
Weaknesses and limitations of the Mandatory Address Space Layout Randomization (ASLR) security mitigation
Export Address Table Filtering (EAF) security mitigation
Weaknesses and limitations of the Export Address Table Filtering (EAF) security mitigation
Export Address Table Filtering (EAF+) security mitigation
Weaknesses and limitations of the Export Address Table Filtering (EAF+) security mitigation
Bottom Up ASLR security mitigation
Weaknesses and limitations of the Bottom Up ASLR security mitigation
Return Oriented Programming (ROP) security mitigations
Return Oriented Programming (ROP) security mitigation - Load Library Checks
Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Load Library Checks
Return Oriented Programming (ROP) security mitigation - Memory Protection Checks
Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Memory Protection Checks
Return Oriented Programming (ROP) security mitigation - Caller Checks
Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Caller Checks
Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow
Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow
Return Oriented Programming (ROP) security mitigation - Stack Pivot
Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Stack Pivot
Bypassing EMET
Enhanced Mitigation Experience Toolkit Quiz
More resources for you
Congrats! Here's what's next...
Before you go...
Attendees should be familiar with C/C++, Python, and the x86/x64 assembly language, as well as have a basic knowledge and understanding of popular software vulnerabilities (e.g. stack buffer overflows, format strings, etc.).
■ Laptop with at least forty (40) GB of free hard drive space and eight (8) GB of RAM.
■ Latest Oracle VM VirtualBox and VirtualBox Extension Pack installed.
■ A working version of IDA Pro 6.8+ (or IDA Pro Evaluation Version).
Regular price: CHF 1,389.00