Hands-On Exploit Development for Beginners

4-6 PM, Moscone West 2009

Sam Bowne

Workshop Description

Participants will hack into a series of vulnerable servers and get onto Winners boards. Instead of using tools, you will create your own attacks. The easier challenges require nothing but a Web browser: command injection and SQL injection. The harder challenges require a Kali Linux virtual machine and involve exploiting buffer overflows at the binary level.


The first few projects are easy, even for beginners. For the later projects, familiarity with C, Python, and assembly code is helpful but not required.

Equipment Students Will Need to Bring

Participants need a computer with Kali Linux or some other Linux, such as Ubuntu, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.

Reference Book

"The Shellcoder's Handbook: Discovering and Exploiting Security Holes", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q



Command Injection Projects
1. Ping Form Winners
2. Buffer Overflow Winners
3. ImageMagick Winners


4. SQL Injection Winners 1
Winners 2
5. Simple EXE Hacking with Immunity
6. EXE With Trojan Code in a New Section
7. Very Simple Heap Overflow


Linux Buffer Overflow Projects
8. Without Shellcode Practice
9. 64-bit Overflow · 64-bit PPT
10. Local Challenges
11. Remote Challenge Winners
12. Dash Shellcode Practice
13. Metasploit Shellcode Practice
14. Metasploit Shellcode Challenges Winners
Entire Exploit Development Course


Real Hacking (key)
Data Breaches: Real and Imaginary (ppt)
Bitcoin (key)
Security at Colleges
NETLAB password insecurity

The lectures are in Keynote and HTML formats.
If you want them in PowerPoint, use the Cloud Convert site.

Other Projects

Basic SQL

CodeCademy SQL Lesson

SQL Injection Attack and Defense

Installing SQLol
SQLi: Attacking with Havij and Defending with Input Filtering
Exploiting SQLi with sqlmap
Fixing MySQL with Parameterized Queries

Games and Cybercompetitions

Password Guessing Games
Bandit Challenges

Revised 2-14-16 3:13 pm