Description: The class materials are available at http://www.OpenSecurityTraining.info/Exploits2.html
Follow us on Twitter for class news @OpenSecTraining.
The playlist for this class is here: http://bit.ly/PdeVny
Topics covered in the labs for this class include:
* Exploiting a vanilla Windows stack overflow with no mitigations turned on
* Using WinDbg to analyze our crashes
* Removing bytes from your payload (such as nulls) which would prevent exploitation
* Finding functions to call by walking the Thread Execution Block to find kernel32.dll’s location in memory so we can call functions like LoadLibrary() and GetProcAddress()
* Hashing strings to use for comparison when searching for functions, in order to minimize the size of the payload
* Overwriting Structured Exception Handlers (SEH) as a means to bypass stack cookies (/GS compile option) and bypassing the SafeSEH mitigation
* Overwriting virtual function table function pointers in C++ code as another way around stack cookies
* Using Return Oriented Programming (ROP) to defeat Data Execution Prevention (DEP) aka non-executable (NX) stack
* Using libraries which opt out of Address Space Layout Randomization (ASLR) and SafeSEH to bypass these mitigations
* Using Python to mutationally fuzz the custom, never-before-analyzed, Corey’s Crappy Document Format and Crappy Document Reader in order to find and exploit the numerous bugs within
Tags: OpenSecurityTraining.info, Exploits, Vulnerabilities, software vulnerabilities, buffer overflows, smashing the stack, SEH, structured exception handling, SEHOP, SafeSEH, DEP, Data Execution Prevention, bypassing DEP, ASLR, Address Space Layout Randomization, bypassing ASLR, fuzzing, fuzzer, reverse engineering, Computers, Computer Security, Cyber Security, Technology, Intel, x86, IA32, Training, Education, Multi-day-class, Multi-day-training, Classes
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.