Advanced Exploit Development Course Review

Intro

I recently attended the Advanced Exploit Development course offered by the Academy of Computer Education [1] taught by Joe McCray. Already being comfortable with exploit development and not seeing any reviews online for this course, I thought a writeup was in order for anyone who may be interested in taking it. This is a five day bootcamp-style course and, as the tagline says, is hands-on more than presentation oriented. A different subject was covered each day and I will break the review down into these days.
The Environment && Tools

All of the materials are supplied for you in a small classroom setting. A Windows system running Olly debugger (Olly was only used once) is the main operating system. There are three virtualized operating systems running on this system. An older Fedora version of Linux, Windows XP SP3, and Windows 7. All of them 32-bit. Generically, Metasploit is used for shellcode creation and pattern generation/offset discovery. For the Linux system, GDB was used for the debugger. With the virtualized Windows system, Windbg was used (which I enjoyed because it’s the only decent 64-bit debugger for Windows and I haven’t used it much. 64-bit is not covered).

For the actual development, the class teaches development with Python and a few scripts with Perl. Some of the scripts are written in a strange way via sys.stdout and piping it out to netcat. A small few of them are written using sockets. I took it upon myself to write all of the examples in sockets unless it was a local exploit. The students are offered templates in which values must be filled in to continue. This helped to build a mental and digital template for each of the exploit types and something to bring back to understand and follow the methodology.

The instructor was great. He helped all of the students as much as he could with the questions they had. Even when it went off-topic to more advanced or peculiar cases of exploitation. The material we were quick with or mostly knew already was went by quickly and the subjects people were having hard times on were taken with a bit more time. In the end we still completed everything ahead of schedule. I would say Joe is the best instructor I’ve ever had (college is my only real experience as this is only my second training).

Day 1 – We Know Thee Well Stack Overflow

On the first day stack based overflows is extensively covered on both Linux and Windows systems. The instructor first gauged what we know about exploits and our experience so far, so we glossed over the generic example.c of strcpy(buf,argv[1]) and moved right into exploitation of real software. The first two exploits were for Linux and did not have any modern memory defense mechanisms like NX activated. GDB was used to analyze dropped core dumps to see register values and validate exploitability. Three more exploits were covered under the Windows operating system. XP with service pack 3 was used for these. The first exploit was checked, validated, and built with the help of Olly debugger. Windbg was used for the other two.

Exploit Counter: 5

Day 2 – The SEH-A-Thon

The day started with review of the previous day. In the first hour we were to try and finish a stack-based overflow for Windows and one for Linux. After the review, the class jumped into SEH. Joe had several slides explaining the idea and, most importantly, the flow of how it all worked together. The first of mitigations, stack canaries, was also briefly covered. Two SEH-based exploits were covered. The first exploit was instructor-led through the control flow. The second exploit was much trickier and all up to the students to figure out. Here they were thrown into pad size restrictions and bad characters forced to find ways around these issues.

Exploit Counter: 9

Day 3 – The Small Pad (Negative Jumps, Egghunts, and Omelettes)

This was one of my favorite days of the class. First, an exploit for modjk was covered that used an egghunter. Shellcode was placed elsewhere in the payload and the egghunter found it and continued execution. Pros and cons of the egghunter were then discussed before moving on. Then the prior day’s SEH exploit was covered and reviewed with a negative jump back to shellcode technique. A couple styles were covered with the negative jump, back to the beginning of our buffer and precision negative jumping. An interesting technique for fragmented shellcode was also covered. Ndisasm was used to find the mnemonics of the opcods for fragmenting the shellcode and jumping backwards to each fragment. Omelette hunting with fragmented shellcode for an egghunter payload was briefly covered as well.

Although Day 4 was supposed to cover heap spraying, the class was ahead of schedule and heap spraying was covered on the second-half of this day. An ActiveX stack overflow was covered in Firefox and then a use after free for VLC was covered on Windows 7. Both exploits used a generic heap spray to exploit the vulnerabilities. Precision heap spraying was briefly covered, but not used for our exploits.

Exploit Counter: 12

Day 4 – ROP ROP ROP Your Shellcode Gently Down The Pad

ROP wasn’t the only thing covered this day. The class actually started with PDF exploitation. The heap spray technique was used for an exploit in Acrobat Reader 9. After an hour of working on the PDF exploit, we switched over to ROP and stack pivots. The concepts were built with a Linux sample program. A generic strcpy(buf,argv[1]) example was used with the goal of calling a custom function twice with appropriate arguments. This built a foundation of how ROP works. Unfortunately, W^X or actual Linux ROP chains to mprotect() weren’t covered as we switched over to Windows 7 and modern ROP rather quickly. A history lesson was given with software DEP and disabling it with setinformationprocess(). We, thankfully, did not do anything conceptually with historical exploits and instead moved over to virtualalloc() and the popcpy rop style. Multiple ROP sled types and other ASLR bypasses were briefly covered. Stack pivoting was also extensively covered. I think my favorite part was how Joe taught thinking of ROP in terms of ESP instead of EIP.

I would like to specifically add that we did not cover automatic ROP generation with tools like mona. Instead, we were to understand exactly how the ntvirtualalloc ROP chain with the popcpy method worked and how all the instructions worked. Then msfpescan and skyrack was used to search for specific instructions.

Exploit Counter: 13

Day 5 – I See Your ROP And Raise You ROP

The last day was an overview of the ROP techniques again. Windows 7 32-bit and Internet Explorer 8 was used for two browser exploits. A use after free and the very popular Aurora bug. Again, the heap spray technique was covered for these exploits. Heaplib was used for precision spraying, but was not talked about in depth. The ROP used was VirtualAlloc() finding via SharedUserData static locations to get to SystemCallStub. Popular chains from JVM.dll were used for argument stacking.

Exploit Counter: 15

The Conclusion Is…

I honestly thought the course was great. It certainly was not what I expected going into it, but I came out with a different methodology of development. The entire courseware is made to have students go home and have a mental and physical process to go through when writing different exploits with templates to go back and understand the steps taken. My only real gripe was the lack of coverage for Linux exploitation and, even though the courseware says it, no coverage for Mac exploitation.