  • Cutting-Edge Course Material

    The Advanced Software Exploitation course is based on cutting-edge research and real-world experience accumulated over the years by our Red Team.

  • Hands-on Lab Exercises

    In order to consolidate the concepts taught throughout the course, each lecture is followed by several hands-on lab exercises.

  • Get the CSED certification!

    The Certified Software Exploit Developer (CSED) certification is the world's most advanced hands-on certification for vulnerability researchers and exploit developers.

Course Description

Formerly known as the Advanced Vulnerability Discovery and Exploit Development course, Ptrace Security's Advanced Software Exploitation course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest techniques and tools to discover vulnerabilities and use them to develop reliable exploits for a wide range of software, including complex Windows applications, interpreted languages, Web browsers, and critical Microsoft services.

In the first half of the course, attendees will use reverse engineering, source code auditing, and fuzz testing to attack a wide variety of applications (many of which are critical for a successful penetration test) and then use the latest exploitation techniques available today to develop reliable exploits for Windows 7, Windows 8.1 and Windows 10.

In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, how to use precise heap spraying and how to bypass the Enhanced Mitigation Experience Toolkit (EMET).

By the end of this course, attendees will have a clear idea of how to find and exploit software vulnerabilities on modern Windows machines.

Highlights

■ Practical software vulnerability discovery.

■ Cutting-edge network protocol and file format fuzzing.

■ Binary analysis techniques and identification of vulnerable patterns.

■ Advanced usage of the Grinder Framework, PyKd, and IDA Python.

■ In-depth study of modern Windows mitigation bypasses.

■ State-of-the-art techniques for exploit development.


Course Syllabus

  • 1
    Welcome to the course!
    • Welcome!
    • Introduction
    • Course Overview
    • How to use this course
    • Setting up the lab
    • Important Information
    • Before we begin...
  • 2
    Fundamentals: Intro
    • Module Objectives
    • Overview
    • Vulnerability discovery and exploit development
    • Vulnerability classes and common exploitation techniques
    • Fundamentals Quiz
  • 3
    Fundamentals: Stack Buffer Overflow
    • Stack buffer overflows
    • Anatomy of a stack buffer overflow vulnerability
    • Exploiting stack buffer overflows
    • Stack Buffer Overflows Quiz
    • Exercises
  • 4
    Fundamentals: Structured Exception Handler Overwrite
    • Structured Exception Handler (SEH) based exploits
    • Windows structured exception handling
    • Exception handling implementation
    • Structured Exception Handler Overwrite Vulnerabilities
    • Exploiting a SEH overwrite in RealPlayer
    • SEH Overwrites Quiz
    • Exercises
  • 5
    File Format Fuzzing: Intro
    • Module Objectives
    • Overview
    • Fuzz Testing
    • Types of Fuzzing
    • Fuzzer classification
    • Random based fuzzers
    • Mutation based fuzzers
    • Generation based fuzzers
    • Model-based fuzzers
    • Fuzzing Quiz
  • 6
    File Format Fuzzing: The Peach Fuzzer
    • File format fuzzing
    • The Peach fuzzer
    • M3U file format
    • Create an M3U fuzzer
    • File Format Fuzzing Quiz
    • Exercises
  • 7
    Network Protocol Fuzzing: Vulnerability Discovery
    • Module Objectives
    • Overview
    • Network protocol analysis
    • Network protocol fuzzing
    • Fuzzing the ActFax RAW server
    • Fuzzing Network Protocols Quiz
    • Exercises
  • 8
    Network Protocol Fuzzing: Exploitation
    • Data Execution Prevention (DEP)
    • Default DEP modes
    • Return-oriented programming (ROP)
    • Crafting an exploit for the ActFax RAW server
    • Return Oriented Programming Quiz
    • Exercises
  • 9
    Attacking Modern Browsers: Vulnerability Discovery
    • Module Objectives
    • Overview
    • The Grinder fuzzing framework
    • Anatomy of a Firefox memory leak vulnerability
    • Attacking Browsers Quiz
    • Exercises
  • 10
    Attacking Modern Browsers: Exploitation
    • Finding and saving dangling pointers
    • Hacking the JavaScript Engine to create custom objects
    • Using a custom JavaScript object to get code execution
    • Bypassing ASLR and DEP
    • Exploiting Memory Leaks Quiz
    • Exercises
  • 11
    Practical Patch Diffing
    • Module Objectives
    • Overview
    • Introduction to binary diffing
    • Microsoft patches
    • Types of patches
    • Download Microsoft patches
    • Binary diffing Microsoft patches
    • Discover vulnerabilities using Microsoft patch analysis
    • Crafting the initial proof of concept
    • Learning more about an unknown vulnerability using dynamic analysis
    • Patch Diffing Quiz
    • Exercises
  • 12
    Exploiting vulnerabilities in the Oracle JVM: Vulnerability Discovery
    • Module Objectives
    • Overview
    • The Java architecture
    • Java sandbox architecture
    • Type confusion vulnerabilities
    • Finding type confusion vulnerabilities
    • Java Applet java.util.concurrent type confusion
    • Type Confusion Vulnerabilities Quiz
    • Exercises
  • 13
    Exploiting vulnerabilities in the Oracle JVM: Exploitation
    • The Java sandbox in action
    • Escaping the Java sandbox
    • Java Sandbox Quiz
    • Exercises
  • 14
    Advanced Windows exploitation
    • Enhanced Mitigation Experience Toolkit (EMET) overview
    • EMET mitigations
    • Data Execution Prevention (DEP) security mitigation
    • Weaknesses and limitations of the Data Execution Prevention (DEP) security mitigation
    • Structured Exception Handler Overwrite Protection (SEHOP) security mitigation
    • Weaknesses and limitations of the Structured Exception Handler Overwrite Protection (SEHOP) security mitigation
    • Heapspray Allocation security mitigation
    • Weaknesses and limitations of the Heapspray Allocation security mitigation
    • NULL Page security mitigation
    • Weaknesses and limitations of the NULL Page security mitigation
    • Mandatory Address Space Layout Randomization (ASLR) security mitigation
    • Weaknesses and limitations of the Mandatory Address Space Layout Randomization (ASLR) security mitigation
    • Export Address Table Filtering (EAF) security mitigation
    • Weaknesses and limitations of the Export Address Table Filtering (EAF) security mitigation
    • Export Address Table Filtering (EAF+) security mitigation
    • Weaknesses and limitations of the Export Address Table Filtering (EAF+) security mitigation
    • Bottom Up ASLR security mitigation
    • Weaknesses and limitations of the Bottom Up ASLR security mitigation
    • Return Oriented Programming (ROP) security mitigations
    • Return Oriented Programming (ROP) security mitigation - Load Library Checks
    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Load Library Checks
    • Return Oriented Programming (ROP) security mitigation - Memory Protection Checks
    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Memory Protection Checks
    • Return Oriented Programming (ROP) security mitigation - Caller Checks
    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Caller Checks
    • Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow
    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow
    • Return Oriented Programming (ROP) security mitigation - Stack Pivot
    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Stack Pivot
    • Bypassing EMET
    • Enhanced Mitigation Experience Toolkit Quiz
  • 15
    Conclusion
    • More resources for you
    • Congrats! Here's what's next...
    • Before you go...

Prerequisites

Attendees should be familiar with C/C++, Python, and the x86/x64 assembly language, as well as have a basic knowledge and understanding of popular software vulnerabilities (e.g. stack buffer overflows, format strings, etc.).


Requirements

■ Laptop with at least forty (40) GB of free hard drive space and eight (8) GB of RAM.

■ Latest Oracle VM VirtualBox and VirtualBox Extension Pack installed.

■ A working version of IDA Pro 6.8+ (or IDA Pro Evaluation Version).
