Exodus - Vuln-Dev - Master Class
A few weeks ago I had a great pleasure of studying at a week-long training taught by Exodus Intelligence. The Vulnerability Development - Master Class was taught by Aaron Portnoy, Zef Cekaj, and Peter Vreugdenhil. The class had an excellent presentation of two complementary yet unique subjects of vulnerability discovery and exploit development primarily under Windows environment. The instructors are truly masters of their field which was reflected in the great quality and depth of the material.
While it is still fresh in my mind, I would like to share with you some of the notes on the covered subjects, the recommended prerequisites, and tips on how to get the most out of this very intensive training.
NOTE: I have previously taken a subsection of the class, Exodus Intelligence - Bug Hunting 0x65, and was pleasantly surprised just how much the material was improved and expanded.
The Exodus Intelligence - Master Class is an advanced and fast paced class. In order to get the most out of the presented material, you absolutely must have some experience using IDA Pro and WinDbg as well as understanding of basic vulnerability classes and Windows internals. You must also be comfortable navigating the x86 Assembly and developing in Python (and Ruby for one section of the class).
If you want to truly excel in the class, I would highly recommend studying up on IDA Python, WinDbg scripting, and Windows Internals:
Also, I found studying the following articles and whitepapers very helpful in preparation for the class:
- Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
- Practical Return Oriented Programming
- Jump-Oriented Programming
- Corelan - Root Cause Analysis – Integer Overflows
- Understanding the Low Fragmentation Heap
- Heap Overflows for Humans 104
In order to avoid spoiling the experience, I will concentrate on general subject areas taught in the class instead of revealing the exact software products. You can find a more detailed topics list here.
One of the most unique and amazing aspects of the course was the detailed study of not only the exploitation process of already discovered vulnerabilities, but the vulnerability hunting process itself. I found the vulnerability discovery techniques shared throughout the class simply invaluable. For all of the covered case studies, you are not simply spoon-fed a proof of concept vulnerability left wondering how the heck did someone discover it. Instead you are given just the right knowledge and plenty of guidance necessary to find multiple vulnerabilities in the target application on your own. This was a major confidence booster for me and helped demystify the dark art of bug hunting.
Once you have discovered several vulnerabilities, you will be taught various approaches to triage and exploit them. This was the part where the instructors really showed off their mastery by teaching the students not only the generic approaches to exploit development, but really pushed the envelope of what is exploitable through creative, non-standard approaches to develop reliable exploits under limited resources and most restrictive protection mechanisms (DEP, ASLR, SafeSEH, SEHOP, EMET, etc.). This portion has really reaffirmed my belief that the exploit development is really an art form and each subject must be approached as a unique piece.
A really cool feature of the training is that actual 0days were used as educational targets. Some of the targets were present in all major enterprises, so consider this a small bonus: you will walk away with several working exploits for the vulnerabilities that you have discovered and exploited.
The training coverage of both the vulnerability discovery and exploit development in client applications, network services, viewers, browsers, etc. will leave you well equipped and confident to tackle the majority of targets that you will run across as a vulnerability researcher or penetration tester.
Simply attending the course without actively experimenting, failing, failing again and not giving up, asking questions will not set you on the right path to vulnerability hunting. Even with the course manual spanning hundreds of pages, the amount of knowledge transferred in the form of exercises, demos, etc. during these five days can easily double that. Pay special attention the teachers' approaches to solving exercises, take detailed notes, and don't be afraid to experiment with different solutions or alternative approaches.
During the training do not be discouraged if you get lost. The information taught in this week-long course spans at least a decade of active research in the field. So be sure to raise you hand, ask questions to make sure you can keep up with the material (especially once Peter Vreugdenhil starts melting your brain on the last day =) ).
Immediately after the class start going over the material while it is still fresh. One week per day of class to review, read all of the referenced material, and gain in-depth understanding works best for me. The instructors are pretty quick to respond to any email questions (usually within a day).
As a five day course, Exodus Intelligence - Master Class had to limit the majority of content to target Windows (8, 7, and 2003) and Linux enterprise applications (x86 and x86-64 targets). The course does not cover kernel, mobile, embedded exploitation where each could easily take another week of training.
|Date||September 14th, 2014|
IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others. Read more.
A solution to the exercise in the Corelan article Root Cause Analysis - Integer Overflows on exploiting integer and heap overflows. The solution illustrates massaging the heap into a vulnerable state by corrupting the Windows front-end allocator and finally exploiting it to gain arbitrary code execution. Read more.
Heap Overflows For Humans is a series of articles by Steven Seeley that explore heap exploitation on Windows. In this article I will go over the exact reasoning and exploitation steps for an exercise created by Steven in the second article of the series. Read more.
Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. In this walkthrough I will go over the heap exploitation portion of the wargame. Read more.
All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.