HITB TRAINING 2 – The Exploit Lab: Black Belt

Trainers: Saumil Shah (Founder, Net-Square) & SK Chong (Security Consultant, SCAN Associates Bhd.)
Capacity: 25 pax
Seats Left: COURSE IS CANCELED
Duration: 2 days
Cost: (per pax) USD1899 (or attend both The Exploit Lab 5.0 and The Exploit Lab: Black Belt and save USD600!)

Overview

The Exploit Laboratory Black Belt is a new and advanced class continuing from where The Exploit Laboratory left off. This class is for those curious to dig deeper into the art and craft of software exploitation. The Black Belt class begins with a quick overview of concepts covered in The Exploit Laboratory, namely stack overflows, abusing exception handlers, heap overflows, memory overwrites, and other core concepts. The class then moves to deeper vulnerabilities such as integer overflows and format string bugs. We shall then focus on topics which involve breaking exploit prevention techniques like the non-executable stack, DEP, ASLR, etc. The Black Belt class also features an introduction to kernel exploitation, post-exploitation techniques like return-to-libc, advanced heap spraying, return oriented programming and JIT spraying.

The Exploit Laboratory Black Belt requires a lot of hands-on work. Lab examples used in this class cover Unix (Linux and Mac OS X) and Microsoft Windows platforms, featuring popular third-party applications and products instead of simulated lab exercises.

As with the popular Exploit Laboratory, all topics are delivered in a down-to-earth, learn-by-example methodology. The same trainers who brought you The Exploit Laboratory for over four years have been working hard in putting together advanced material based on past feedback.

The Exploit Laboratory Black Belt is an advanced class. It is not recommended for those who have no prior experience with writing exploits; however, you may choose to combine this class with The Exploit Laboratory in succession over the course of 4 days.

Learning Objectives:

* Quick overview of stack overflows and memory overwrites
* Advanced debugging techniques
* Defeating non-executable stack by return-to-libc techniques
* Bypassing DEP
* Bypassing ASLR
* Return Oriented Programming (ROP)
* Advanced browser exploitation
* JIT spraying techniques
* PDF exploits
* Kernel exploitation
* Integer overflows (time permitting)

This class is for you if:

* You’re left wanting after completing The Exploit Laboratory
* You have already written basic exploits and are adept at operating system concepts
* You’re not afraid of debuggers
* You are one of the ever curious I-want-more-breakage kind!

Prerequisites:

* You must be familiar with debuggers, and know how to use gdb and WinDBG
* You must know how stack overflows work
* You must be familiar with OS concepts, process memory maps, how the stack works and how the heap works

Hardware Requirements:

* A working laptop (no Netbooks)
* Intel Core 2 Duo x86 hardware (or superior) required
* 2GB RAM required, at a minimum, 4GB preferred, and anywhere in between shall be tolerated
* Wired or Wireless network card
* 12 GB free Hard disk space

Operating Systems (one of the following):

* Windows XP SP2/SP3 or Windows 7
* Administrator access MANDATORY
* Ability to disable Anti-virus / Anti-spyware programs
* Ability to disable Windows Firewall or personal firewalls
* Active Perl 5.8 or above from activestate.com
* An SSH client, such as PuTTY
* Firefox browser

OR

* Linux with kernel 2.4 or 2.6 required
* Root access mandatory
* Ability to use an X-windows based GUI environment
* Perl 5.8 should be available
* SSH should be available

NOTE: If your laptop is a locked-down company-issued laptop, please make sure you have VMware Workstation or VMware Player installed by your administrator before you come to class. You may register for this class together with The Exploit Laboratory 5.0 as a 4-day course.

About the trainers
Saumil Shah

Saumil continues to lead the efforts in e-commerce security research and product development at Net-Square. His focus is on researching vulnerabilities in various e-commerce and web-based application systems, system architecture for Net-Square’s tools and products, and developing short-term training programmes. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds the Certified Information Systems Security Professional designation. Saumil has more than nine years’ experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker and trainer at security conferences such as BlackHat, RSA, etc.

Previously, Saumil was the Director of Indian operations for Foundstone Inc., where he was instrumental in developing their web application security assessment methodology and the web assessment component of FoundScan (Foundstone’s Managed Security Services software), and was instrumental in pioneering Foundstone’s Ultimate Web Hacking training class.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company’s ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.

Saumil graduated from Purdue University with a master’s degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of “Web Hacking: Attacks and Defense” (Addison Wesley, 2002) and is the author of “The Anti-Virus Book” (Tata McGraw-Hill, 1996).

SK Chong

S.K. (CISSP) is a security consultant from SCAN Associates. His job allows him to play with all kinds of hacking tools in his penetration testing. Most often, he needs to modify and/or enhance these tools before they can be used for legal penetration testing against banks, ISPs and government agencies. These experiences helped him write a few security whitepapers on SQL Injection, Buffer Overflows, Shellcode and Windows Kernel topics, including one published in Phrack E-zine #62. His research was presented at Blackhat (Singapore) 2003, HITBSecConf2003 – Malaysia, RuxC0n2004 (Australia), XCon2004 (China) and many other security conferences.