DerbyCon + Corelan Win32 Exploit Dev Bootcamp Day 1 = OMG!

I am having such a killer time at DerbyCon. It has only been a day and I have already met new people and am seeing a lot of familiar faces from last year. I love small cons, mainly this one, because no one seems to have an ego here and everyone is just chill. I highly recommend coming out to DerbyCon if you have a chance. Also, remember to try the Bourbon Beer from the Sway lounge; it's my fav.

Anyway, on to the real reason for this post. The Corelan bootcamp is everything I thought it would be. We went from 0 to 60 in no time. We started at 8:30am and didn’t finish until midnight, mostly because everyone in class was dead tired and couldn’t finish the last module of day 1. The first exploit lab has a lot of gotchas that will challenge the way you think; no, it's not your typical FTP server exploit. He really stressed all the bad habits we n00bs learn from just doing random tutorials around the interwebs. It's crazy how many times I have done exploits using NOPs, and the first thing he says in class is “NOPS are for lazy a*holes” and then starts to explain why we shouldn’t use them. There is a time and a place where you can use them, but the majority of the time you shouldn’t. Troubleshooting your programs is a more efficient way to learn and challenge yourself. I have noticed that the further I move into exploit dev, there are a thousand ways to skin a cat, and now I am trying to soak in all the information. I would say that if you have followed his tutorials then you should have a good understanding of how basic stack-based overflows work. However, I would go over the material a few times and actually attempt the higher-level stuff (e.g. heap, SEH, DEP, and ASLR). I would not be scared to take the class; even though it is a difficult class, Corelan does a really good job of explaining the material and making sure you understand the fundamentals. Sometimes we as n00bs just follow directions and really have no idea why we are doing certain things. Corelan spent a good chunk of day 1 covering the basics before we jumped into labs.

If you are thinking about taking the OSCE or the AWE, I would definitely figure out a way to take Corelan’s course first. I already feel a lot more comfortable doing exploit dev and working in a debugger. Of course, even to sign up for the OSCE I would suggest that you know your way around the debugger, but it's nice to know that all my practice is really helping. Again, I would not be scared to take this course if you are just starting out. I think going through the many tutorials on the Net and his tutorials will really give you a great start. However, I would say know Python or at least be familiar with it. My plans are to work through this course material and then jump back into OSCE mode.

Anyway, I am going to grab breakfast and get ready for Day 2 aka “Hell Day 2”.

*Yawns* Why my head hurts

Over the last few weeks I have been doing the Cracking the Perimeter course (aka OSCE) from Offensive Security. The course has been an awesome learning experience and has sparked a passion for exploit development and reverse engineering. Now that my course lab time is over I am left to my own devices before I sit for the practical. I thought I would add some cheat-sheets, nothing that will give the course work away (besides what's on the syllabus); I want people to suffer as much as I did, but I also wanted to provide some helpful hints for other n00bs.

Besides the basics of assembly and according to the Course Syllabus, here are a few cheat-sheets/notes that helped me along the way.

Module 1 Cross-Site Scripting

The course work and labs during the OSCP should prepare you enough for this module.

Module 2 Directory Traversal

Again, the course work and labs during the OSCP should prepare you enough for this module.

Module 3 Backdoor PE

Know your direction flags in assembly (e.g. cld and std) and what they do. Also, know the common FLAGS registers (e.g. EFLAGS and RFLAGS).

Module 4 Bypassing AV

Know your assembly jump instructions.

Module 5 Bypassing ASLR

Read and do the tutorial from Corelan along with the Offsec labs.

Module 6 Egghunters

Read this and this and this white paper

Module 7 TFTP zeroday

Read this

Module 8 HP Openview zeroday

Read this

Module 9 GRE Sniffing

Hopefully you get tftp working on BT5 correctly; then you should have no problem.

I have learned so much during this course and I will continue to add to my knowledge. It is probably one of the best courses I have taken in a while, even more so than the OSCP course. For those who have taken the OSCP course and are thinking about taking the OSCE, I would definitely walk through the Corelan exploit tutorial series along with the Offsec course work; you should have no problem.

Hope you found this helpful!

UPDATE: forgot to add this, a collection of assembly primers from the trainers at OpenSecurityTraining.info.