Advanced Exploit Development For Penetration Testers: Available Training Formats
6 Day Program
46 CPEs
Laptop Required

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server 2012, and the latest Linux distributions are often very complex and subtle. Yet these vulnerabilities could expose organizations to significant attacks, undermining their defenses when attacked by very skilled adversaries. Few security professionals have the skill set to discover, let alone understand at a fundamental level, why the vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skill set regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers, the SANS Institute’s only 700-level course, teaches the skills required to reverse-engineer 32- and 64-bit applications, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits, such as use-after-free attacks, against modern software and operating systems.

Some of the skills you will learn in SEC760 include:
• How to write modern exploits against the Windows 7/8/10 operating systems
• How to perform complex attacks such as use-after-free, Kernel exploit techniques, one-day exploitation through patch analysis, and other advanced topics
• How to utilize a Security Development Lifecycle (SDL) or Secure SDLC, along with Threat Modeling
• How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
• How to deal with modern exploit mitigation controls aimed at thwarting success and defeating determination

You Will Be Able To
• Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems
• Create exploits to take advantage of vulnerabilities through a detailed penetration testing process
• Use the advanced features of IDA Pro and write your own IDC and IDA Python scripts
• Perform remote debugging of Linux and Windows applications
• Understand and exploit Linux heap overflows
• Write Return-Oriented Shellcode
• Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
• Perform Windows heap overflows and use-after-free attacks
• Use precision heap sprays to improve exploitability
• Perform Windows Kernel debugging up through Windows 8 64-bit
• Jump into Windows kernel exploitation
Private Training
sans.org/private-training
Section Descriptions

SECTION 1: Threat Modeling, Reversing and Debugging with IDA
Many penetration testers, incident handlers, developers, and other related professionals lack reverse-engineering and debugging skills. These are different skills than reverse-engineering malicious software. As part of the Security Development Lifecycle (SDL) and Secure-SDLC, developers and exploit writers should have experience using IDA Pro to debug and reverse their code when finding bugs or when identifying potential risks after static code analysis or fuzzing.
TOPICS: Security Development Lifecycle; Threat Modeling; Why IDA Is the #1 Tool for Reverse Engineering; IDA Navigation; IDA Python and the IDA IDC; IDA Plug-ins and Extensibility; Local Application Debugging with IDA; Remote Application Debugging with IDA

SECTION 2: Advanced Linux Exploitation
The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SEC660. Heap overflows serve as a rite of passage into modern exploitation techniques. This section is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, necessary for continuing further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows.
TOPICS: Linux Heap Management, Constructs, and Environment; Navigating the Heap; Abusing Macros such as unlink() and frontlink(); Function Pointer Overwrites; Format String Exploitation; Abusing Custom Doubly-Linked Lists; Defeating Linux Exploit Mitigation Controls; Using IDA for Linux Application Exploitation; Using Format String Bugs for ASLR Bypass

Who Should Attend
• Senior network and system penetration testers
• Secure application developers (C and C++)
• Reverse-engineering professionals
• Senior incident handlers
• Senior threat analysts
• Vulnerability researchers
• Security researchers
SECTION 4: Windows Kernel Debugging and Exploitation
The Windows Kernel is very complex and intimidating. This course section aims to help you understand the Windows Kernel and the various exploit mitigations added into recent versions. You will perform Kernel debugging on various versions of the Windows OS, such as Windows 7 and 8, and learn to deal with its inherent complexities. Exercises will be performed to analyze vulnerabilities, look at exploitation techniques, and get a working exploit.
TOPICS: Understanding the Windows Kernel; Navigating the Windows Kernel; Modern Kernel Protections; Debugging the Windows 7/8 Kernels and Drivers; WinDbg; Analyzing Kernel Vulnerabilities and Kernel Vulnerability Types; Kernel Exploitation Techniques; Token Stealing and HAL Dispatch Table Overwrites

SECTION 5: Windows Heap Overflows and Client-Side Exploitation
The focus of this section is primarily on Windows browser and client-side exploitation. You will learn to analyze C++ vftable overflows, one of the most common mechanisms used to compromise a modern Windows system. Many of these vulnerabilities are discovered in the browser, so browser techniques will also be taught, including modern heap spraying to deal with Internet Explorer 8/9/10 and other browsers such as Firefox and Chrome. You will work towards writing exploits in the Use-After-Free/Dangling Pointer vulnerability class.
TOPICS: Windows Heap Management, Constructs, and Environment; Understanding the Low Fragmentation Heap (LFH); Browser-based and Client-side Exploitation; Remedial Heap Spraying; Understanding C++ vftable/vtable Behavior; Modern Heap Spraying to Determine Address Predictability; Use-after-free Attacks and Dangling Pointers; Using Custom Flash Objects to Bypass ASLR; Defeating ASLR, DEP, and Other Common Exploit Mitigation Controls

“SEC760 is the challenge I am looking for. It will be overwhelming, but well worth it.”
— William Stott, Raytheon

SECTION 6: Capture-the-Flag Challenge
Section 6 will feature a Capture-the-Flag event with different types of challenges taken from material taught throughout the week.