Advanced Exploit Development
This course looks at exploit development on x86 and x64 platforms. Students will write shellcode and exploits targeting these platforms on both Linux and Windows. During the course participants will learn and apply techniques to bypass or weaken a range of security controls such as Stack Cookies, Data Execution Prevention (DEP/NX) and Address Space Layout Randomisation (ASLR).
Topics covered include:
- Stack based overflows on Linux and Windows
- SEH Exploitation
- DEP and ROP
- Heap overflows
By the end of the course, students will be able to formulate exploitation strategies and begin to understand the core theory concepts which underpin the art and science of modern exploit development. Course alumni will be well placed to contribute to high-end penetration testing teams, or to work as security engineers and architects and secure coding professionals.
Affiliated course: Introduction to Exploit Development
On completion of this course, participants should be able to:
- Develop and implement exploitation strategies for use on endpoints.
- Understand modern vulnerabilities at a technical level.
- Fuzz target programs and understand the role of code review to discover and evaluate unknown bugs.
- Analyse vulnerabilities and exploits through the proficient use of industry standard tools, and report on impact, mitigation effectiveness and root cause.
- Understand the inter-related nature of exploit mitigation controls in a modern endpoint and be able to identify weak points in the overall system of mitigations.
Course Day Breakdown
Computation, CPU Architecture, The Stack & Buffer Overflows
The session starts with an overview of the history of models of computation and the different types of CPU architecture. We’ll then move on to a comprehensive look at the stack and binary operations. Students will participate in practical shellcoding and stack buffer overflow exercises.
Shellcoding, x64/x86 Architectures, Stack Frames, Calling Conventions, Buffer Overflows, Memory Layout, Shellcode – Bad Characters.
Linux and Windows Exploitation
Day 2 continues with buffer overflow labs for Linux and Windows environments. We’ll then move on to executable binary formats, sharing code, linking shared libraries and stack cookies through lecture and lab components.
Loading Executables, Executable Formats, Memory Layout, PE & ELF File Formats, Exploiting GOT, RELRO, Stack Cookies.
Structured Exception Handling (SEH)
The session will introduce the concepts of Structured Exception Handling (SEH), Data Execution Prevention (DEP) and Return Oriented Programming (ROP). Labs will cover writing remote exploits using SEH, then enabling DEP as a mitigation and defeating it with ROP.
SEH Exploitation, Mitigations, Protections, Return-to-libc, ROP Gadgets, ROP Chain.
ASLR & Heap Overflows
Today’s session lectures will discuss Address Space Layout Randomisation and heap overflows. Students will run through a number of practical exercises, including forcing and leveraging an info leak, understanding heap chunks and allocations, and writing exploits to learn more about the heap and how to control it.
ASLR, Heap Overflows, ASLR Bypasses, Non-rebased Modules, Info Leak, Stack Characteristics, Heap Characteristics, Operations, Management, Fragmentation, Managers and Integrity.
Use After Free (UAF) & Vulnerability Discovery
Day 5 will cover the concepts of UAF and Vulnerability Discovery. Students will be able to put their newly acquired skills and knowledge into practice with a day of practical hands-on exercises involving Code Review, Static Analysis and Fuzzing.
Heap Responsibilities, Pointer Validity, Free Lists, Heap Grooming/Spraying, UAF Case Studies, Code Review, Attack Surface, Input Validation.
Who Should Attend
- Exploit developers wanting to learn how to overcome mitigations (such as stack cookies and DEP).
- Pentesters wanting to improve their exploit development skills.
- Experienced software engineers.
What You Will Receive
- Comprehensive set of course notes.
- UNSW Canberra certificate of attendance.
- Morning tea, lunch and afternoon tea.
NICE Framework Mapping
This course maps to the following NICE Framework KSAs (Knowledge, Skills & Abilities):
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
K0362: Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).
K0397: Knowledge of concepts for operating systems (e.g., Linux, Unix).
K0417: Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).
K0447: Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
K0487: Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
S0001: Skill in conducting vulnerability scans and recognising vulnerabilities in security systems.
S0025: Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).
S0044: Skill in mimicking threat behaviors.
S0264: Skill in recognising technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).
S0269: Skill in researching vulnerabilities and exploits utilised in traffic.
A0001: Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
A0044: Ability to apply programming language structures (e.g., source code review) and logic.
A0092: Ability to identify/describe target vulnerability.
A0093: Ability to identify/describe techniques/methods for conducting technical exploitation of the target.
What is the NICE Framework?
The National Initiative for Cybersecurity Education (NICE) Cyber Security Workforce Framework developed by the National Institute of Standards and Technology (NIST) establishes a taxonomy and common lexicon that describes cyber security work and job roles.
To find out more about the NICE Framework, go to: https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
UNSW Canberra Cyber
UNSW Canberra Cyber is a unique, cutting-edge, interdisciplinary research and teaching centre, working to develop the next generation of cyber security experts and leaders.
The centre is based in Canberra at the Australian Defence Force Academy and provides professional, undergraduate and postgraduate education in cyber security. Our air-gapped, state-of-the-art cyber range offers a secure environment where we deliver a number of technical and highly specialised learning opportunities.
Our courses are designed to give the next generation of cyber security professionals the skill sets needed to thrive in the industry. We can also create bespoke professional education programs tailored to your organisation's needs.
Contact us at firstname.lastname@example.org to discuss how.
Further Information
E: cyber@adfa.edu.au
W: www.unsw.adfa.edu.au/cyber