This course will introduce students to the art and science of exploit development. Core concepts involving debuggers, stack-based overflows, disassemblers and some defensive mitigations will be taught in a largely practical delivery style. Instruction will commence with an overview of foundational theory concepts, and will then quickly dive into the intricacies of modern x86 CPUs. Mitigations such as DEP and ASLR will be investigated, and students will have the opportunity to demonstrate their new skills in an extended capstone exercise on the final day.
Topics covered include:
- Core exploitation theory
- Stack based overflows on Linux and Windows
- Heap overflows (limited scope)
- Tool use
- Shellcode generation and modification
- Introduction to mitigations
- Mitigation bypass (limited scope)
- Capstone practical exercise
Note: this is a foundational course and will not teach 64-bit exploitation or advanced protection-bypass techniques.
On completion of this course, participants should be able to:
- Develop and implement basic exploitation strategies.
- Exploit stack-based overflows in Windows and Linux in the absence of strong mitigation controls.
- Use Structured Exception Handling (SEH) to exploit Windows stack-based overflows.
- Write basic ROP exploits to bypass DEP.
- Use tools such as gdb, Immunity Debugger, IDA Pro, objdump and readelf to perform static and dynamic analysis of simple binaries.
Course Day Breakdown
Core Exploitation Theory
The session starts with an overview of the history of models of computation and the different types of CPU architecture. We’ll then move on to program representation and the stack. Shellcoding tips and exercises will be covered during the lab session.
Turing Model of Computation, x64/x86 Architectures, Compilation/Decompilation, Endianness, Stack Frames, Calling Conventions.
Stack based Overflows on Linux and Windows
Day 2 covers buffer overflows in Linux and Windows environments. We’ll then move on to executable binary formats, sharing code, linking shared libraries and stack cookies through lecture and lab components.
Executable Formats, Memory Layout, Buffer Overflows, Shellcoding – Bad Characters, Exploiting GOT, RELRO, Stack Cookies.
Introduction to Mitigations
The session will introduce the concepts of Structured Exception Handling (SEH), Data Execution Prevention (DEP) and Return Oriented Programming (ROP). Labs will cover writing remote exploits using SEH, then enabling DEP as a mitigation and defeating it with ROP.
SEH Exploitation, Mitigations, Protections, Return-to-libc, ROP Gadgets, ROP Chain.
Day 4 & Day 5
ASLR & Heap Overflows
The lectures in this session discuss Address Space Layout Randomisation (ASLR) and heap overflows. Students will run through a number of practical exercises, including forcing and leveraging an info leak, understanding heap chunks and allocations, and writing exploits to learn how the heap works and how it can be controlled.
ASLR, Heap Overflows, ASLR Bypasses, Non-rebased Modules, Info Leak, Stack Characteristics, Heap Characteristics, Operations, Management, Fragmentation, Managers and Integrity.
Who Should Attend
- Novice exploit developers
- Penetration testers
- Software architects
What You Will Receive
- Comprehensive set of course notes.
- UNSW Canberra certificate of attendance.
- Morning tea, lunch and afternoon tea.
NICE Framework Mapping
This course maps to the following NICE Framework KSAs (Knowledge, Skills & Abilities):
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0177: Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
K0440: Knowledge of host-based security products and how those products affect exploitation and reduce vulnerability.
K0530: Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
K0560: Knowledge of the basic structure, architecture, and design of modern communication networks.
S0001: Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
S0073: Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
A0044: Ability to apply programming language structures (e.g., source code review) and logic.
A0093: Ability to identify/describe techniques/methods for conducting technical exploitation of the target.
What is the NICE Framework?
The National Initiative for Cybersecurity Education (NICE) Cyber Security Workforce Framework developed by the National Institute of Standards and Technology (NIST) establishes a taxonomy and common lexicon that describes cyber security work and job roles.
To find out more about the NICE Framework, go to: https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
UNSW Canberra Cyber
UNSW Canberra Cyber is a unique, cutting-edge, interdisciplinary research and teaching centre, working to develop the next generation of cyber security experts and leaders.
The centre is based in Canberra at the Australian Defence Force Academy and provides professional, undergraduate and post graduate education in cyber security. Our air-gapped, state of the art cyber range offers a secure environment where we deliver a number of technical and highly specialised learning opportunities.
Our courses are designed to give the next generation of cyber security professionals the skill sets needed to thrive in the industry. We can also create bespoke professional education programs tailored to your organisation's needs.
Contact us at firstname.lastname@example.org to discuss how.
Further Information
cyber@adfa.edu.au
W: www.unsw.adfa.edu.au/cyber