No announcement yet.

Exploit Development for Beginners

This is a sticky topic.
  • Filter
  • Time
  • Show
Clear All
new posts

  • Exploit Development for Beginners

    Exploit Development for Beginners

    Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

    After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

    We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and learn how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.

    Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.

    All materials and challenges are freely available at, and will remain available after the workshop ends.

    Sam Bowne is an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

    Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

    Detailed Outline:

    The workshop is structured as a series of challenges, with a live CTF-style scoreboard. We will demonstrate and explain each challenge, and then help particpants through them. Each challenge has an easy portion with complete instructions, so beginners can succeed, and harder tasks to challenge advanced participants.

    All materials, including the running CTF scoreboard, are in the public domain and will remain available after the workshop for the participants to use.


    I: Why are exploits possible?

    A: The fundamental problem
    1. Data and code use the same bytes
    2. Code is processed by distinct modules
    3. A module passes data on to another modules, losing context
    4. Developers make inaccurate assumptions about data structure
    5. Attackers send input which is accepted as data, but misunderstood by later modules and executed as code

    B: Command Injection
    1. User input used to construct a command line
    2. Router network test pages
    3. Injecting bash commands with a semicolon
    4. Injecting PowerShell commands on a vulnerable Windows web server form
    5. ImageMagick exploitation with injected commands in a crafted malicious image
    6. Exploiting Kubernetes severs with a malicious Web request including injected commands

    C: SQL Injection
    1. User input included in a SQL command
    2. PHP operating correctly sends the command to a SQL server
    3. The SQL server operates correctly and executes the command
    4. Crafted code steals data
    5. Uploading a PHP shell to gain unlimited remote code execution

    D: How programs use memory
    1. Memory segments: text, stack, and heap
    2. Registers
    3. The Jasmin x86 emulator
    4. Writing simple assembly code and stepping through it

    E: Compiling C code on Linux
    1. Using gcc to compile programs
    2. Using objdump and gcc to examine the compiled code
    3. Recognizing C constructs in assembly: loops, branches, library calls, and function calls
    4. Data storage: stack, heap, .data section, strings, and null terminators
    5. Stack frames, function prologue and epilogue

    F: Stack overflows on Linux
    1. Buffer overflow to change EIP and redirect execution within a program
    2. Using a debugger and breakpoints to understand the overflow
    3. Injecting shellcode
    4. Turning off stack protections for this portion of the course
    5. Using a NOP sled
    6. Creating shellcode with msfvenom
    7. Types of shellcode: bind shell, reverse shell, metasploit
    8. The complete process of exploit development:
    a. Fuzzing to find a crash
    b. Analyzing the crash in a debugger to find the root cause
    c. Sending a nonrepeating pattern of characters to target the EIP
    d. Testing all bytes to identify bad characters
    e. Generating an encoded payload without bad characters
    f. Sending a complete exploit against a target in a debugger
    g. Adjusting the exploit to work outside the debugger

    G: Heap overflows on Linux
    1. Heap usage and structure: linked lists
    2. malloc() and free()
    3. Heap overflow overwriting forward and reverse pointers
    4. free() crashes on an invalid write operation
    5. Attacker gains control of a single write operation
    6. Gaining code execution from a write: targeting the Procedure L:inkage Table (PLT)

    H: Format string vulnerabilities
    1. Reading from the stack: information disclosure
    2. Writing with %n to cause denial of service
    3. Writing to the PLT to gain code execution

    I: Hacking Windows EXEs with Immunity
    1. Running PuTTY in a debugger
    2. Finding stored strings
    3. Modifying code
    4. Saving changes
    5. Adding a new segment with LordPE
    6. Adding Trojan code

    J: Stack overflows on Windows
    1. Complete exploit development process for "vulnerable server"
    2. Exploiting "Easy RM to MP3 Converter"

    K: Understanding Windows defenses
    1. Compiling simple test cases with Visual C++ Build Tools
    2. Viewing security cookie implementation in IDA Pro
    3. Controlling Address Space Layout Randomization (ASLR)
    4. Using Immunity to exploit a buffer overflow without ASLR
    5. Viewing ASLR weaknesses: limited entropy and non-randomized segments

    L: Overcoming Windows defenses

    1. Return-Oriented Programming (ROP) and why it works: the .text section does not randomize
    2. Using trampoline code to find the stack, defeating ASLR
    3. Constructing ROP chains with Mona to make Windows API calls
    4. Defeating Data Execution Prevention (DEP) with ROP chains
    5. Finding unprotected modules with Mona
    6. Using a heap spray to defeat ASLR

    M: Exploiting the Structured Exception Handler (SEH) on Windows
    1. How Windows processes exceptions
    2. Finding an overflow that corrupts the SEH
    3. Using a stack pivot to find injected code
    4. Making a complete exploit with shellcode
    5. Overcoming SEHOP protection

    N: Exploiting 64-Bit Systems
    1. 64-bit addressing: the swindle of 48 bits
    2. 64-bit registers
    3. Writing 64-bit assembly code
    4. Exploiting a buffer overflow on a 64-bit system

    O: Exploiting ARM Systems
    1. ARM assembly code
    2. The different role of registers
    3. Using the Azeria Raspberry Pi emulator
    4. Debugging on ARM
    5. Exploiting a stack overflow on ARM
    PGP key: valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A

  • #2
    我们将从简单的命令行注入和SQL注入开始,然后推进到二进制攻击,包括堆栈和缓冲区溢出,字符串格式漏洞 和竞争条件。在参加了这次的研讨会之后,你讲理解软件是如何使用内存,以及为什么计算机很容易将被欺骗的字 节当作代码来执行。
    我们将攻击32位和64位Intel的系统以及基于ARM的系统。我们将详细研究Windows防御体系, 并学习如何攻破他们,包括ASLR、DEP、堆栈Cookies和SEHOP。我们希望你以前有过C语言和 汇编语言的基础,不过不是必需的。
    参会者需要携带一台可以运行VMware或VirtualBox虚拟机的笔记本参会。所有资料和挑战都可以 在samsclass.info上免费获得,在研讨会结束后也会继续提供。

    Sam Bowne是旧金山城市学院的讲师,十年来一直在教授黑客和安全课程。他曾在DEF CON,HOPE,RSA,BSidesLV,BSidesSF和许多其他会议上发表演讲和研讨会。他拥有 CISSP和博士学位,并且是DEF CON Black Badge的联合获奖者。

    Elizabeth Biddlecome是旧金山城市学院的顾问和兼职讲师,为学生和专业人士提供技术培训和指导。她自己对架 构,安全性和代码有巨大的热情,为业务需求设计和实施全面的信息安全解决方案。Elizabeth喜欢在网 络安全竞赛、黑客马拉松和CTF中使用脚本语言。
    PGP key: valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A