SEC760: A

 dvanced Exploit Development for Penetration Testers

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8/10, Server

6 46 Laptop
2012, and the latest Linux distributions are often very complex and subtle. Yet these
Day Program CPEs Required
vulnerabilities could expose organizations to significant attacks, undermining their
defenses when attacked by very skilled adversaries. Few security professionals have
the skillset to discover let alone even understand at a fundamental level why the
Who Should Attend
vulnerability exists and how to write an exploit to compromise it. Conversely, attackers
▐▐ Senior network and system penetration testers
must maintain this skillset regardless of the increased complexity. SEC760: Advanced
▐▐ Secure application developers (C and C++)
Exploit Development for Penetration Testers, the SANS Institute’s only 700-level course,
▐▐ Reverse-engineering professionals
teaches the skills required to reverse-engineer 32- and 64-bit applications, perform
▐▐ Senior incident handlers
remote user application and kernel debugging, analyze patches for one-day exploits,
▐▐ Senior threat analysts
and write complex exploits, such as use-after-free attacks, against modern software and
▐▐ Vulnerability researchers
operating systems.
▐▐ Security researchers
Some of the skills you will learn in SEC760 include:
You Will Be Able To ▐▐ How to write modern exploits against the Windows 7/8/10 operating systems
▐▐ Discover zero-day vulnerabilities in programs ▐▐ How to perform complex attacks such as use-after-free, Kernel exploit techniques,
running on fully-patched modern operating
systems one-day exploitation through patch analysis, and other advanced topics
▐▐ Create exploits to take advantage of ▐▐ The importance of utilizing a Security Development Lifecycle (SDL) or Secure SDLC,
vulnerabilities through a detailed penetration
testing process
along with Threat Modeling
▐▐ Use the advanced features of IDA Pro and write ▐▐ How to effectively utilize various debuggers and plug-ins to improve vulnerability
your own IDC and IDA Python scripts research and speed
▐▐ Perform remote debugging of Linux and
Windows applications ▐▐ How to deal with modern exploit mitigation controls aimed at thwarting success and
▐▐ Understand and exploit Linux heap overflows defeating determination
▐▐ Write Return-Oriented Shellcode
▐▐ Perform patch diffing against programs,
libraries, and drivers to find patched Course Author Statement
vulnerabilities
▐▐ Perform Windows heap overflows and use-
“As a perpetual student of information security, I am excited to offer SEC760: Advanced
after-free attacks Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and
▐▐ Use precision heap sprays to improve will continue to increase in importance moving forward. With all of the modern exploit
exploitability mitigation controls offered by operating systems such as Windows 7 and 8, the number
▐▐ Perform Windows Kernel debugging up through of experts with the skills to produce working exploits is highly limited. More and more
Windows 8 64-bit
companies are looking to hire professionals with the ability to conduct a Secure-SDLC
▐▐ Jump into Windows kernel exploitation
process, perform threat modeling, determine if vulnerabilities are exploitable, and carry
out security research. This course was written to help you get into these highly sought-
after positions and to teach you cutting-edge tricks to thoroughly evaluate a target,
providing you with the skills to improve your exploit development.”
-Stephen Sims

“SEC760 is a kind of training we could not get

anywhere else. It is not a theory, we got to
implement and to exploit everything we learned.”
-Jenny Kitaichit, Intel

www.sans.org/SEC760
asiapacific@sans.org
Course Day Descriptions
DAY 1: Threat Modeling, Reversing and DAY 2: Advanced Linux Exploitation DAY 3: Patch Diffing, One-Day Exploits,
Debugging with IDA The ability to progress into more advanced and Return-Oriented Shellcode
Many penetration testers, incident handlers, reversing and exploitation requires an Attackers often download patches as soon
developers, and other related professionals expert-level understanding of basic software as they are distributed by vendors such as
lack reverse-engineering and debugging vulnerabilities, such as those covered in SEC660. Microsoft in order to find newly patched
skills. These are different skills than reverse- Heap overflows serve as a rite of passage into vulnerabilities. Vulnerabilities are usually
engineering malicious software. As part of modern exploitation techniques. This day is disclosed privately, or even discovered in-
the Security Development Lifecycle (SDL) and aimed at bridging this gap of knowledge in order house, allowing the vendor to more silently
Secure-SDLC, developers and exploit writers to inspire thinking in a more abstract manner, patch the vulnerability. This also allows the
should have experience using IDA Pro to debug necessary for continuing further with the course. vendor to release limited or even no details
and reverse their code when finding bugs or Linux can sometimes be an easier operating at all about a patched vulnerability. Attackers
when identifying potential risks after static code system to learn these techniques, serving as a are well aware of this and quickly work to
analysis or fuzzing. productive gateway into Windows. find the patched vulnerability in order to take
Topics: Security Development Lifecycle; Threat Topics: Linux Heap Management, Constructs, control of unpatched systems. This technique
Modeling; Why IDA Is the #1 Tool for Reverse and Environment; Navigating the Heap; Abusing is also performed by incident handlers, IDS
Engineering; IDA Navigation; IDA Python and Macros such as unlink() and frontlink(); Function administrators and vendors, vulnerability and
the IDA IDC; IDA Plug-ins and Extensibility; Pointer Overwrites; Format String Exploitation; penetration testing framework companies,
Local Application Debugging with IDA; Remote Abusing Custom Doubly-Linked Lists; Defeating government entities, and others. You will use
Application Debugging with IDA Linux Exploit Mitigation Controls; Using IDA for the material covered in this day to identify bugs
Linux Application Exploitation; Using Format patched by vendors and take them through to
String Bugs for ASLR Bypass exploitation.
Topics: The Microsoft Patch Management
Process and Patch Tuesday; Obtaining Patches
and Patch Extraction; Binary Diffing with
BinDiff, patchdiff2, turbodiff, and DarunGrim4;
Visualizing Code Changes and Identifying Fixes;
Reversing 32-bit and 64-bit Applications and
Modules; Triggering Patched Vulnerabilities;
Writing One-Day Exploits; Handling Modern
Exploit Mitigation Controls; Using ROP to
Compiled Shellcode on the Fly (Return-
Oriented Shellcode)

DAY 4: Windows Kernel Debugging and DAY 5: Windows Heap Overflows and DAY 6: Capture-the-Flag Challenge
Exploitation Client-Side Exploitation Day 6 will feature a Capture-the-Flag event
The Windows Kernel is very complex and The focus of this section is primarily on with different types of challenges taken from
intimidating. This course day aims to help you Windows browser and client-side exploitation. material taught throughout the week.
understand the Windows Kernel and the various You will learn to analyze C++ vftable overflows,
exploit mitigations added into recent versions. one of the most common mechanisms used
You will perform Kernel debugging on various to compromise a modern Windows system.
versions of the Windows OS, such as Windows Many of these vulnerabilities are discovered in
7 and 8, and learn to deal with its inherent the browser, so browser techniques will also
complexities. Exercises will be performed to be taught, including modern heap spraying to
analyze vulnerabilities, look at exploitation deal with Internet Explorer 8/9/10 and other
techniques, and get a working exploit. browsers such as FireFox and Chrome. You will
Topics: Understanding the Windows Kernel; work towards writing exploits in the Use-After-
Navigating the Windows Kernel; Modern Kernel Free/Dangling Pointer vulnerability class.
Protections; Debugging the Windows 7/8 Topics: Windows Heap Management, Constructs,
Kernels and Drivers; WinDbg; Analyzing Kernel and Environment; Understanding the Low
Vulnerabilities and Kernel Vulnerability Types; Fragmentation Heap (LFH); Browser-based
Kernel Exploitation Techniques; Token Stealing and Client-side Exploitation; Remedial Heap
and HAL Dispatch Table Overwrites Spraying; Understanding C++ vftable/vtable
Behavior; Modern Heap Spraying to Determine
Address Predictability; Use-after-free Attacks
and Dangling Pointers; Using Custom Flash
Objects to Bypass ASLR; Defeating ASLR, DEP, and
Other Common Exploit Mitigation Controls

*Courses are subject to change.