Course Description

This course is about memory corruptions attacks manually and automatically. Students will study differents applications and how they operate; learn, study, and exploit cutting edge application vulnerabilities; understand automated vulnerability analysis tools; learn the state-of-the-art in memory corruptions automated vulnerability analysis tools; and develop a novel automated vulnerability analysis tool. We will also cover how to use these techniques legally and ethically.

The first half of the course will focus on understanding low level applications and how to exploit applications, and these topics will be reinforced with practical, hands-on. The second half of the course will focus on the state-of-the-art in automated vulnerability analysis of applications via reading and presenting research papers.

Prerequisites

This course will be insane, and students are expected to learn the necessary technologies. Students will expected to already understand networking and the TCP/IP stack. Students with strong skills in C/C++, x86 assembly and at least one scripting language (Python, Ruby, Javascript, etc.)

To benefit from this course you need to know and be comfortable with x86 assembly. This is not negotiable! Hint: I did this syllabus using windows 7 x86 enterprise , and Windows 10 Home Single Language 64-bit

Course Topic

1. Basic Reverse engineering
2. Software Vulnerability Review
   • Buffer OverFlow
   • Format String Bug
   • Integer OverFlow
3. Classic Technique Review
   • Writing RET Based Buffer OverFlow Exploits
     • Buffer OverFlow
     • more ways to place shellcode
     • Bad chars
     • Real Application Attack
       • Seattle Lab Mail (SLmail) 5.5
       • R 3.4.4 - Buffer Overflow
4. Win32 ShellCode
   • Making Win32 ShellCode
   • msfvenom
5. About Defence Technique
   • GS(Stack Guard / Stack Cookie)
   • SafeSEH(SEH Handler Validation Check)
   • DEP(Data Execution Prevension)
   • ASLR(Address Space Layout Randomization)
   • SEHOP(Structured Error Handling Overwrite Protection)
6. SEH(Structured Error Handling)
   • SEH(Structured Error Handling)?
   • Immunity Debugger
   • Wingdb
   • Debugging Stack View On The SEH Chain
   • The need for a POP POP RET instruction sequence
7. Writing SEH Based Buffer OverFlow Exploits
   • SEH Handler OverWrite
   • Debugging GS Option Enable
   • Check SafeSEH
   • Real Application Attack
     • DVD X Player 5.5 Pro
     • R 3.4.4 - Buffer Overflow (SEH)
8. Egghunting
   • Egghunting?
   • Real Application Attack
     • Easy File Sharing Web Server 7.2
     • Eureka Email Client 2.2q
9. ASLR(Address space layout randomization)
   • Real Application Attack
     • ANI vulnerability
     • Real Application Attack
       • Abusing non-ASLR enabled libraries
       • Partial EIP overwrite
10. SAFESEH
    • Real Application Attack
      • FormatFactory 3.0.1
11. ROP(Return Oriented Programming)
    • ROP(Return Oriented Programming)?
    • Practical Return Oriented Programming
    • Flowing Going To ROP
      • RET Based
      • SEH Based
    • Real Application Attack
      • RET Based ROP
        • VUPlayer 2.49
        • vulnserver
        • R 3.4.4
      • SEH Based ROP
        • R 3.4.4
        • Quickzip 5.1.8.1
12. Defeat Exploit Mitigations
13. Heap Exploitation
    • Heap Overflow
14. EMET(Enhanced Mitigation Experience Toolkit) 5.2 / WDEG(Windows Defender Exploit Guard)
    • EMET 5.2?
    • bypassing EMET
    • WDEG
      • WDEG?
      • Mitigations for the Masses: From EMET to Windows Defender Exploit Guard