What You Will Learn

In this course, you will learn to find software vulnerabilities using a number of tools and techniques, ranging from file format fuzzing to source code auditing, and then craft your own exploits in Python, JavaScript, and Java.

  • Duration
    Approx. 6 months / 6 hrs per week

  • 100% Online
    Learn at your own pace

  • Certificate
    Earn a Certificate upon completion

  • Level
    Intermediate

Course Description

The Advanced Software Exploitation (ASE) course offers security professionals an opportunity to test and develop their skills like never before. During this course, students will learn to identify common vulnerabilities and then use them to develop exploits for a wide range of software applications, including popular Windows applications, interpreted languages, and Web browsers.

In the first half of the course, attendees will use fuzzing, reverse engineering, and source code auditing to attack a wide variety of applications (e.g. iTunes, Firefox, Vulnserver) and then use proven exploitation techniques to develop an exploit for one of the VMs (Windows 7, Windows 8.1 and Windows 10).

Then, in the second half of the course, the focus shifts from classic vulnerabilities to more advanced ones. In this section, students will learn how to escape the Java sandbox using a type confusion vulnerability, how to circumvent ASLR without pointer leaks, and how to use precise heap spraying, to name a few.

By the end of this course, students will know how to find software vulnerabilities using fuzzing, reverse engineering, and source code auditing, and then how to write their own exploits in Python, JavaScript, or Java.

Online Course Material

The Advanced Software Exploitation course is delivered through our modern e-learning platform and it comes with tons of content, including text-based lessons, videos, scripts, configuration files, useful resources, practice quizzes, and dozens of exercises.

Hands-on Lab Exercises

In order to consolidate the concepts taught throughout the ASE course, each lecture is followed by several hands-on lab exercises. To complete these exercises, you will be provided with a number of Windows virtual machines (VMs).

Course Syllabus

  • 1. Welcome to the course!

    • Welcome!

    • Introduction

    • Course Overview

    • How to use this course

    • Setting up the lab

    • Important Information

    • Before we begin...

  • 2. Fundamentals: Intro

    • Module Objectives

    • Overview

    • Vulnerability discovery and exploit development

    • Vulnerability classes and common exploitation techniques

    • Fundamentals Quiz

  • 3. Fundamentals: Stack Buffer Overflow

    • Stack buffer overflows

    • Anatomy of a stack buffer overflow vulnerability

    • Exploiting stack buffer overflows

    • Stack Buffer Overflows Quiz

    • Exercises

  • 4. Fundamentals: Structured Exception Handler Overwrite

    • Structured Exception Handler (SEH) based exploits

    • Windows structured exception handling

    • Exception handling implementation

    • Structured Exception Handler Overwrite Vulnerabilities

    • Exploiting a SEH overwrite in RealPlayer

    • SEH Overwrites Quiz

    • Exercises

  • 5. File Format Fuzzing: Intro

    • Module Objectives

    • Overview

    • Fuzz Testing

    • Types of Fuzzing

    • Fuzzer classification

    • Random based fuzzers

    • Mutation based fuzzers

    • Generation based fuzzers

    • Model-based fuzzers

    • Fuzzing Quiz

  • 6. File Format Fuzzing: The Peach Fuzzer

    • File format fuzzing

    • The Peach fuzzer

    • M3U file format

    • Create an M3U fuzzer

    • File Format Fuzzing Quiz

    • Exercises

  • 7. Network Protocol Fuzzing: Vulnerability Discovery

    • Module Objectives

    • Overview

    • Network protocol analysis

    • Network protocol fuzzing

    • Fuzzing the ActFax RAW server

    • Fuzzing Network Protocols Quiz

    • Exercises

  • 8. Network Protocol Fuzzing: Exploitation

    • Data Execution Prevention (DEP)

    • Default DEP modes

    • Return-oriented programming (ROP)

    • Crafting an exploit for the ActFax RAW server

    • Return Oriented Programming Quiz

    • Exercises

  • 9. Attacking Web Browsers: Vulnerability Discovery

    • Module Objectives

    • Overview

    • The Grinder fuzzing framework

    • Anatomy of a Firefox memory leak vulnerability

    • Attacking Web Browsers Quiz

    • Exercises

  • 10. Attacking Web Browsers: Exploitation

    • Finding and saving dangling pointers

    • Hacking the JavaScript Engine to create custom objects

    • Using a custom JavaScript object to get code execution

    • Bypassing ASLR and DEP

    • Exploiting Memory Leaks Quiz

    • Exercises

  • 11. Practical Patch Diffing

    • Module Objectives

    • Overview

    • Introduction to binary diffing

    • Microsoft patches

    • Types of patches

    • Download Microsoft patches

    • Binary diffing Microsoft patches

    • Discover vulnerabilities using Microsoft patch analysis

    • Crafting the initial proof of concept

    • Learning more about an unknown vulnerability using dynamic analysis

    • Patch Diffing Quiz

    • Exercises

  • 12. Exploiting vulnerabilities in the Oracle JVM: Vulnerability Discovery

    • Module Objectives

    • Overview

    • The Java architecture

    • Java sandbox architecture

    • Type confusion vulnerabilities

    • Finding type confusion vulnerabilities

    • Java Applet java.util.concurrent type confusion

    • Type Confusion Vulnerabilities Quiz

    • Exercises

  • 13. Exploiting vulnerabilities in the Oracle JVM: Exploitation

    • The Java sandbox in action

    • Escaping the Java sandbox

    • Java Sandbox Quiz

    • Exercises

  • 14. Advanced Windows exploitation

    • Enhanced Mitigation Experience Toolkit (EMET) overview

    • EMET mitigations

    • Data Execution Prevention (DEP) security mitigation

    • Weaknesses and limitations of the Data Execution Prevention (DEP) security mitigation

    • Structured Exception Handler Overwrite Protection (SEHOP) security mitigation

    • Weaknesses and limitations of the Structured Exception Handler Overwrite Protection (SEHOP) security mitigation

    • Heapspray Allocation security mitigation

    • Weaknesses and limitations of the Heapspray Allocation security mitigation

    • NULL Page security mitigation

    • Weaknesses and limitations of the NULL Page security mitigation

    • Mandatory Address Space Layout Randomization (ASLR) security mitigation

    • Weaknesses and limitations of the Mandatory Address Space Layout Randomization (ASLR) security mitigation

    • Export Address Table Filtering (EAF) security mitigation

    • Weaknesses and limitations of the Export Address Table Filtering (EAF) security mitigation

    • Export Address Table Filtering (EAF+) security mitigation

    • Weaknesses and limitations of the Export Address Table Filtering (EAF+) security mitigation

    • Bottom Up ASLR security mitigation

    • Weaknesses and limitations of the Bottom Up ASLR security mitigation

    • Return Oriented Programming (ROP) security mitigations

    • Return Oriented Programming (ROP) security mitigation - Load Library Checks

    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Load Library Checks

    • Return Oriented Programming (ROP) security mitigation - Memory Protection Checks

    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Memory Protection Checks

    • Return Oriented Programming (ROP) security mitigation - Caller Checks

    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Caller Checks

    • Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow

    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow

    • Return Oriented Programming (ROP) security mitigation - Stack Pivot

    • Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Stack Pivot

    • Bypassing EMET

    • Enhanced Mitigation Experience Toolkit Quiz

  • 15. Conclusion

    • More resources for you

    • Congrats! Here's what's next...

    • Before you go...

Prerequisites & Requirements

  • Knowledge and Skills

    Students should be familiar with a high-level programming language (e.g. C/C++, Java, Python, JavaScript, etc.) and be able to read x86/x64 assembly code.

  • Hardware Requirements

    In order to replicate the examples and solve the exercises you need a laptop or desktop computer with at least 40 GB of free hard drive space and 8 GB of RAM.

  • Software

    Students are required to have the latest VirtualBox and VirtualBox Extension Pack installed, and if possible also a working version of IDA Pro 6.8+ (or IDA Pro Evaluation Version).

Enroll now!