• Cutting-Edge Course Material

    The Advanced Software Exploitation course is based on cutting-edge research and real world experience accumulated over the years by our Red Team.

  • Hands-on Lab Exercises

    In order to consolidate the concepts taught throughout the course, each lecture is followed by several hands-on lab exercises.

  • Get the CSED certification!

    The Certified Software Exploit Developer (CSED) certification is the world's most advanced hands on certification for vulnerability researchers and exploit developers.

Course Description

Formerly known as the Advanced Vulnerability Discovery and Exploit Development course, the Ptrace Security’s Advanced Software Exploitation course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest techniques and tools to discover vulnerabilities and use them to develop reliable exploits for a wide range of software including complex Windows applications, interpreted languages, Web browsers, and critical Microsoft services.

In the first half of the course, attendees will use reverse engineering, source code auditing, and fuzz testing to attack a wide variety of applications (many of which are critical for a successful penetration test) and then use the latest exploitation techniques available today to develop a reliable exploit for Windows 7, Windows 8.1 and Windows 10.

In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, how to use precise heap spraying and how to bypass the Enhanced Mitigation Experience Toolkit (EMET).

By the end of this course, attendees will have a clear idea of how to find and exploit software vulnerabilities on modern Windows machines.

Highlights

■ Practical software vulnerability discovery.

■ Cutting-edge network protocol and file format fuzzing.

■ Binary analysis techniques and vulnerable patterns identification.

■ Advanced usage of the Grinder Framework, PyKd, and IDA Python.

■ In-depth study of modern Windows mitigation bypasses.

■ State of the art techniques for exploit development.


Course Syllabus

  • 1
    Welcome to the course!
  • 2
    Fundamentals: Intro
  • 3
    Fundamentals: Stack Buffer Overflow
  • 4
    Fundamentals: Structured Exception Handler Overwrite
  • 5
    File Format Fuzzing: Intro
  • 6
    File Format Fuzzing: The Peach Fuzzer
  • 7
    Network Protocol Fuzzing: Vulnerability Discovery
  • 8
    Network Protocol Fuzzing: Exploitation
  • 9
    Attacking Modern Browsers: Vulnerability Discovery
  • 10
    Attacking Modern Browsers: Exploitation
  • 11
    Practical Patch Diffing
  • 12
    Exploiting vulnerabilities in the Oracle JVM: Vulnerability Discovery
  • 13
    Exploiting vulnerabilities in the Oracle JVM: Exploitation
  • 14
    Advanced Windows exploitation
  • 15
    Conclusion
  • Welcome! Introduction Course Overview How to use this course Setting up the lab Important Information Before we begin...
  • Module Objectives Overview Vulnerability discovery and exploit development Vulnerability classes and common exploitation techniques Fundamentals Quiz
  • Stack buffer overflows Anatomy of a stack buffer overflow vulnerability Exploiting stack buffer overflows Stack Buffer Overflows Quiz Exercises
  • Structured Exception Handler (SEH) based exploits Windows structured exception handling Exception handling implementation Structured Exception Handler Overwrite Vulnerabilities Exploiting a SEH overwrite in RealPlayer SEH Overwrites Quiz Exercises
  • Module Objectives Overview Fuzz Testing Types of Fuzzing Fuzzer classification Random based fuzzers Mutation based fuzzers Generation based fuzzers Model-based fuzzers Fuzzing Quiz
  • File format fuzzing The Peach fuzzer M3U file format Create an M3U fuzzer File Format Fuzzing Quiz Exercises
  • Module Objectives Overview Network protocol analysis Network protocol fuzzing Fuzzing the ActFax RAW server Fuzzing Network Protocols Quiz Exercises
  • Data Execution Prevention (DEP) Default DEP modes Return-oriented programming (ROP) Crafting an exploit for the ActFax RAW server Return Oriented Programming Quiz Exercises
  • Module Objectives Overview The Grinder fuzzing framework Anatomy of Firefox memory leak vulnerability Attacking Browsers Quiz Exercises
  • Finding and saving dangling pointers Hacking the JavaScript Engine to create custom objects Using a custom JavaScript object to get code execution Bypassing ASLR and DEP Exploiting Memory Leaks Quiz Exercises
  • Module Objectives Overview Introduction to binary diffing Microsoft patches Types of patches Download Microsoft patches Binary diffing Microsoft patches Discover vulnerabilities using Microsoft patch analysis Crafting the initial proof of concept Crafting the initial proof of concept Learning more about an unknown vulnerability using dynamic analysis Patch Diffing Quiz Exercises
  • Module Objectives Overview The Java architecture Java sandbox architecture Type confusion vulnerabilities Finding type confusion vulnerabilities Java Applet java.util.concurrent type confusion Type Confusion Vulnerabilities Quiz Exercises
  • The Java sandbox in action Escaping the Java sandbox Java Sandbox Quiz Exercises
  • Enhanced Mitigation Experience Toolkit (EMET) overview EMET mitigations Data Execution Prevention (DEP) security mitigation Weaknesses and limitations of the Data Execution Prevention (DEP) security mitigation Structured Execution Handling Overwrite Protection (SEHOP) security mitigation Weaknesses and limitations of the Structured Execution Handling Overwrite Protection (SEHOP) security mitigation Heapspray Allocation security mitigation Weaknesses and limitations of the Heapspray Allocation security mitigation NULL Page security mitigation Weaknesses and limitations of the NULL Page security mitigation Mandatory Address Space Layout Randomization (ASLR) security mitigation Weaknesses and limitations of the Mandatory Address Space Layout Randomization (ASLR) security mitigation Export Address Table Filtering (EAF) security mitigation Weaknesses and limitations of the Export Address Table Filtering (EAF) security mitigation Export Address Table Filtering (EAF+) security mitigation Weaknesses and limitations of the Export Address Table Filtering (EAF+) security mitigation Bottom Up ASLR security mitigation Weaknesses and limitations of the Bottom Up ASLR security mitigation Return Oriented Programming (ROP) security mitigations Return Oriented Programming (ROP) security mitigation - Load Library Checks Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Load Library Checks Return Oriented Programming (ROP) security mitigation - Memory Protection Checks Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Memory Protection Checks Return Oriented Programming (ROP) security mitigation - Caller Checks Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Caller Checks Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Simulate Execution Flow Return Oriented Programming (ROP) security mitigation - Stack Pivot Weaknesses and limitations of the Return Oriented Programming (ROP) security mitigation - Stack Pivot Bypassing EMET Enhanced Mitigation Experience Toolkit Quiz
  • More resources for you Congrats! Here's what's next... Before you go...

Prerequisites

Attendees should be familiar with C/C++, Python, and the x86/x64 assembly language, as well as have a basic knowledge and understanding of popular software vulnerabilities (e.g. stack buffer overflows, format strings, etc.).


Requirements

■ Laptop with at least forty (40) GB of free hard drive space and eight (8) GB of RAM.

■ Latest Oracle VM VirtualBox and VirtualBox Extension Pack installed.

■ A working version of IDA Pro 6.8+ (or IDA Pro Evaluation Version).

Enroll Now!