CNIT 127: Exploit Development

37711 Thu 6:10 - 9:00 PM SCIE 200

Spring 2017 Sam Bowne

Schedule · Lecture Notes · Projects · Links · Home Page

Scores

Open Lab Hours for Sci 214


Catalog Description

Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; essential skills for advanced penetration testers and software security professionals.

Advisory: CS 110A or equivalent familiarity with programming

Upon successful completion of this course, the student will be able to:
  1. Read and write basic assembly code routines
  2. Read and write basic C programs
  3. Recognize C constructs in assembly
  4. Find stack overflow vulnerabilities and exploit them
  5. Create local privilege escalation exploits
  6. Understand Linux shellcode and be able to write your own
  7. Understand format string vulnerabilities and exploit them
  8. Understand heap overflows and exploit them
  9. Explain essential Windows features and their weaknesses, including DCOM and DCE-RPC
  10. Understand Windows shells and how to write them
  11. Explain various Windows overflows and exploit them
  12. Evade filters and other Windows defenses
  13. Find vulnerabilities in Mac OS X and exploit them
  14. Find vulnerabilities in Cisco IOS and exploit them

Student Learning Outcomes (measured to guide course improvements)

1. Read and write basic assembly code routines
2. Find stack overflow vulnerabilities and exploit them
3. Evade filters and other Windows defenses

Textbook

"The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is available for one week, up till 8:30 am Saturday. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the second score is the one that counts, not necessarily the higher score.

To take quizzes, first claim your RAM ID and then log in to Canvas here:

https://ccsf.instructure.com

Schedule (may be revised)

DateQuizTopic


Thu 1-19  Ch 1: Before you Begin
 


Thu 1-26  Ch 2: Stack overflows on Linux


Thu 2-2  Ch 3: Shellcode


Fri 2-3 Last Day to Add Classes


Thu 2-9 Ch 1 Quiz due before class
Ch 4 Quiz due before class
Proj 0, 1, & 2 due
Ch 4: Introduction to format string bugs


Thu 2-16No Quiz
No Proj Due
Guest Speaker: Jeffrey Carr

Author, 'Inside Cyber Warfare' (O'Reilly Media 2009, 2011)
CEO, Taia Global, Inc.
Founder, Suits and Spooks conference


Thu 2-23 Ch 2 Quiz due before class
Ch 5 Quiz due before class
Proj 3 & 4 due
Ch 5: Introduction to heap overflows


Thu 3-2 Ch 3 Quiz due before class
Ch 6 Quiz due before class
Proj 5 & 6 due
Ch 6: The Wild World of Windows


Thu 3-9 No Quiz due
Proj 7 & 8 due
Lecture 7: Intro to 64-Bit Assembler (Not in book)


Thu 3-16
Proj 8a & 8b due
Ch 8: Windows overflows (Part 1)
 


Thu 3-23
Proj 9 due
Ch 8: Windows overflows (Part 2)
 


Thu 3-30 Holiday - No Class


Thu 4-6 Ch 14 Quiz due before class
Proj 10 & 11 due
Ch 14: Protection Mechanisms


Thu 4-13 Ch 16+17 Quiz due before class
Proj 12 & 13 due
Ch 16: Fault Injection
Ch 17: The Art of Fuzzing


Thu 4-20 Holiday - No Class


Thu 4-27 Ch 18 Quiz due before class
Proj 14 & 15 due
Ch 18: Source Code Auditing


Thu 5-4No Quiz
Proj 16 due
Last Class: Hopper Debugger
Thu 5-11 Class Cancelled for CyberSecureGov in Washington, DC
Thu 5-18  Final Exam

Lectures

Policy
Student Agreement
Printable Schedule

Introduction to Exploitation: Linux on x86

Ch 1: Before you Begin · KEY · PDF
Ch 2: Stack overflows on Linux · KEY · PDF
Ch 3: Shellcode · KEY · PDF
Ch 4: Introduction to format string bugs (rev. 2-9-17) · KEY · PDF
Ch 5: Introduction to heap overflows · KEY · PDF

Windows

Ch 6: The Wild World of Windows · KEY · PDF
Lecture 7: Intro to 64-Bit Assembler (Not in book) · KEY · PDF

We'll skip Ch 7: Windows shellcode

Ch 8: Windows overflows (Part 1) · KEY · PDF
Ch 8: Windows overflows (Part 2) · KEY · PDF

We'll skip chapters 9 through 13

Ch 14: Protection Mechanisms · KEY · PDF

Vulnerability Discovery

We'll skip chapter 15

Ch 16: Fault Injection and 17: The Art of Fuzzing · KEY · PDF
Ch 18: Source Code Auditing · KEY · PDF


Slides below this line are being updated


Exploiting Windows: Introduction
Buffer Overflow Defenses


Projects

Downloading the Virtual Machines

Proj 0: Using Jasmin to run x86 Assembly Code (15 pts.)

If you don't want the drawing of a partially undressed woman on the splash screen, use this version of Jasmin:

Download politically correct Jasmin without the cheescake

Kali 2016.2 PIE Problem: Use -no-pie

Proj 1: Linux Buffer Overflow With Command Injection (10 pts. + 15 pts. extra credit)
Proj 2: Linux Buffer Overflow Without Shellcode (20 pts.)
Proj 3: Linux Buffer Overflow With Shellcode (20 pts.)
Proj 4: Remote Linux Buffer Overflow With Listening Shell (20 pts.)
Proj 5: Using nasm, ld, and objdump (10 pts.)
Proj 6: Exploiting a Format String Vulnerability (20 pts.)
Proj 7: Very Simple Heap Overflow (10 pts.)
Proj 8: Heap Overflow via Data Overwrite (10 pts.)
Proj 8a: Simple EXE Hacking with Immunity (15 pts.)
Proj 8b: EXE With Trojan Code in a New Section (15 pts.) (Rev. 3-18-17)
Proj 9: Exploiting "Vulnerable Server" on Windows (25 pts.)
Proj 10: Exploiting Easy RM to MP3 Converter on Windows with ASLR (20 pts.) (rev. 4-6-17)
Proj 11: Defeating DEP with ROP (20 pts.)
Proj 12: Intro to 64-bit Assembler (15 pts.) (rev. 3-9-17)
Proj 13: 64-Bit Buffer Overflow Exploit (15 pts.)
Proj 14: Heap Spray (15 pts.)

Warning: Project 15 takes a long time!

Proj 15: SEH-Based Stack Overflow Exploit (25 pts.) (Revised 3-23-17)

Project 16: Fuzzing with Spike (15 pts.)

Extra Credit Projects

Proj 1x: Assembly Code Challenges (30 points)
Proj 2x: Linux Buffer Overflow Without Shellcode Challenges (25 pts.)
Proj 3x: Embedded Security CTF (Up to 25 pts.)
Proj 4x: Linux Buffer Overflow With Shellcode Challenges (30 pts.)
Proj 5x: Linux Buffer Overflow With Canary (25 pts.)
Proj 6x: Remote Shell via Format String Exploit (20 pts.)
Proj 7x: Introduction to Hopper (20 pts.) (rev. 3-9-17)
Proj 8x: Remote Shell via Heap Overflow (20 pts.)
Proj 9x: Understanding PE Files and ASLR on Windows (15 pts.)

Proj 12x: 64-bit Assembler Challenges (25 pts.)

Proj 19x: Source Code Analysis with cppcheck (10 pts.)

Proj 22x: Student Presentation (Usually 15 pts.)

Cultural Enrichment

How to view someones IP address and connection speed with TRACER T! - YouTube

I Pwned Your Server - YouTube

Links

Links for Chapter Lectures

Ch 1a: Anatomy of a Program in Memory - Excellent explanation from 2009
Ch 1b: assembly - difference between 'or eax,eax' and 'test eax,eax'

Ch 2a: Smashing the Stack for Fun and Profit by Aleph One
Ch 2b: Assembly Programming Tutorial
Ch 2c: GDB Command Reference - set disassembly-flavor command
Ch 2d: GDB Tutorial

Ch 3b: What's the difference of the Userland vs the Kernel?
Ch 3c: Protection ring - Wikipedia
Ch 3d: The GNU C Library: glibc
Ch 3e: linux - What is the difference between exit() and exit_group()
Ch 3f: Two excellent syscall examples with explanations
Ch 3g: c - Linux system call table or cheetsheet in assembly language - Stack Overflow
Ch 3h: NASM Tutorial
Ch 3i: Shellcode in C - What does this mean? - Stack Overflow
Ch 3k: C code to test shellcode, simpler than that in the textbook
Ch 3l: execve(2): execute program - Linux man page

Ch 4a: Format String Exploitation-Tutorial By Saif El-Sherel
Ch 4b: Exploiting Format String Vulnerabilities (from 2001)
Ch 4c: Advanced Format String Attacks (Paul Haas, Slides from DEF CON 18)
Ch 4d: Advanced Format String Attacks with demo videos
Ch 4e: Defcon 18 - Advanced format string attacks Paul Haas - YouTube
Ch 4f: Introduction to format string exploits -- with helpful gdb tips
Ch 4g: Ace Stream Media Format String Vulnerability (from 2014)
Ch 4h: Cisco Email Security Appliance Format String Vulnerability (9-9-2015)
Ch 4i: Graphviz Remote Format String Vulnerability, affects Ubuntu (from 2014)
Ch 4j: Polycom - H.323 Format String Vulnerability (from 2013)
Ch 4k: Python RRDtool Module Function Format String Vulnerability (from 2013)
Ch 4l: Broadcom UPnP Stack Format String Vulnerability (from 2013)
Ch 4m: pidgin-otr log_message_cb() Function Format String Vulnerability (from 2012)
Ch 4n: atexit(3) - Linux man page

Ch 5a: A Memory Allocator by Doug Lea
Ch 5b: Understanding the Heap & Exploiting Heap Overflows
Ch 5c: Several Interesting Heap Overflow Example Programs
Ch 5d: Four Excellent Heap Overflow Exercises
Ch 5e: Wonderful Exploit Exercises including VMs and heap overflows
Ch 5f: Dangling Pointer paper from Black Hat 2007
Ch 5g: Working example of a "Dangling Pointers" exploit?
Ch 5h: Dangling Pointers: Vulnerability and Exploitation Basics
Ch 5i: Much ado about NULL: Exploiting a kernel NULL dereference

Ch 6a: theForger's Win32 API Tutorial
Ch 6b: Process Explorer
Ch 6c: Portable Executable - Wikipedia
Ch 6d: PEview (PECOFF file viewer)
Ch 6e: Rebasing Win32 DLLs
Ch 6f: Why is 0x00400000 the default base address for an executable?
Ch 6g: VA (Virtual Adress) & RVA (Relative Virtual Address) - Stack Overflow
Ch 6h: Exploiting the LNK Vulnerability with Metasploit
Ch 6i: Is there any difference between a GUID and a UUID? - Stack Overflow
Ch 6j: Service Control Manager - Wikipedia
Ch 6k: Microsoft RPC Remote Procedure Call and End Point Mapper with Network Traces
Ch 6l: Setting Up Kernel-Mode Debugging over a Network Cable Manually (Windows Debuggers)
Ch 6k: IMMUNITY Debugger
Ch 6l: Operating Systems Development - Portable Executable (PE)

L7a: AMD64 Architecture Processor (pdf)
L7b: x64 Architecture - Windows 10 hardware dev
L7c: Introduction to x64 Assembly | Intel Developer Zone
L7d: Behind Windows x64's 44-bit Virtual Memory Addressing Limit
L7e: Windows 8.1 removes the 44-bit limitation (2015)
L7f: X86-64 (AMD64) Tutorial
L7g: AMD CPUID Specification
L7h: Searchable Linux Syscall Table for x86 and x86_64
L7i: Intel® 64 and IA-32 Architectures Software Developer’s Manual
L7j: 64-bit Linux stack smashing tutorial: Part 1
L7k: x86-64 - Wikipedia--AMD 64-bit processors only use 48-bit address space
L7l: Linux/x86_64 execve"/bin/sh"; shellcode 30 bytes
L7m: Writing shellcode for Linux and *BSD - Spawning a shell
L7n: Execve Shellcode 64 bit
L7o: Writing 64-Bit Shellcode - Part 1
L7n: 64 Bits Linux Stack Based Buffer Overflow
L7o: memory management - What and where are the stack and heap? - Stack Overflow

Ch 8a: Win32 Thread Information Block - Wikipedia
Ch 8b: TEB structure (Windows)
Ch 8c: Process Environment Block - Wikipedia
Ch 8d: PEB structure (Windows)
Ch 8e: assembly - What is the "FS" "GS" register intended for? - Stack Overflow
Ch 8f: Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP (2009)
Ch 8h: SEH Based Overflow Exploit Tutorial - InfoSec Resources
Ch 8i: Windows ISV Software Security Defenses (2010)
Ch 8j: Software Defense: mitigating stack corruption vulnerabilities (2014)
Ch 8k: SEHOP per-process opt-in support in Windows 7
Ch 8l: Vista SP1 and Server 2008: Controlling SEHOP security protection
Ch 8m: Reducing the Effective Entropy of GS Cookies (2007)
Ch 8n: HeapCreate function (Windows)
Ch 8o: Heap Overflow: Vulnerability and Heap Internals Explained - InfoSec Resources
Ch 8p: Intercepting Calls to COM Interfaces - CodeProject
Ch 8q: Exploiting Lingering Vulnerabilities in Default COM Objects (pdf, 2011)
Ch 8r: OLE/COM Object Viewer Download
Ch 8s: Active X Exploitation - InfoSec Resources
Ch 8t: HEAP SPRAYING – ACTIVEX CONTROLS UNDER ATTACK -- STEP-BY-STEP INSTRUCTIONS (2013)
Ch 8u: Dranzer | Vulnerability Analysis | The CERT Division
Ch 8v: dranzer download | SourceForge.net
Ch 8w: dzzie/COMRaider on GitHub
Ch 8x: ActiveX vulnerabilities exploitation (from 2010)

Fuzz 1: Failure Observation Engine (FOE) tutorial - YouTube
Fuzz 2: Fuzz Testing for Dummies (2011)
Fuzz 3: Analyze Crashes to Find Security Vulnerabilities in Your Apps
Fuzz 4: VBinDiff - Visual Binary Diff
Fuzz 5: vbindiff(1) - Linux man page
Fuzz 6: An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities - InfoSec Resources
Fuzz 7: Fuzzing with Peach Part 1
Fuzz 8: GlobalSCAPE CuteZIP Stack Buffer Overflow | Rapid7
Fuzz 9: Android Intent Fuzzer
Fuzz 10: Basic Fuzzing Framework (BFF) | Vulnerability Analysis | The CERT Division
Fuzz 11: HOWTO : CERT Basic Fuzzing Framework (BFF) on Ubuntu Desktop 12.04 LTS
Ch 14a: What is linux-gate.so.1?
Ch 14b: Heap overflow using Malloc Maleficarum
Ch 14c: Windows 8 Heap Internals
Ch 14d: RdRand - Wikipedia
Ch 14e: \"We cannot trust\" Intel and Via\'s chip-based crypto, FreeBSD developers say
Fuzz 12: Fuzzer Automation with SPIKE - InfoSec Resources
Fuzz 13: Fuzzing with Spike to Find Overflows
Fuzz 14: [Python] IRC Fuzzer - IRCdFuzz.py
Fuzz 15: american fuzzy lop
Fuzz 16: Bug Hunting Using Fuzzing and Static Analysis
Fuzz 17: Fuzzing Tools in Kali Linux

Ch 16a: Socket.NoDelay Property

Ch 18a: Cscope Home Page
Ch 18b: Using Cscope on large projects (example: the Linux kernel)
Ch 18c: Exuberant Ctags
Ch 18d: Splint Home Page
Ch 18e: Splint the static C code checker
Ch 18f: OPEN SOURCE STATIC CODE ANALYSIS SECURITY TOOLS
CH 18g: More Tricks For Defeating SSL In Practice
Ch 18h: CVE-2003-0161 -- Sendmail prescan() function vulnerability
Ch 18i: Port 25 (SMTP) - Remote Sendmail Header Processing Vulnerability
Ch 18j: PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
Ch 18k: Dangling pointer - Wikipedia
Ch 18l: How to Create a Secure Login Script in PHP and MySQL - wikiHow

Hopper 1: Use The Debugger with Hopper Disassembler/Decompiler - YouTube
Hopper 2: Tutorial
Hopper 3: Hopper Download
Hopper 4: Linux Installation
Hopper 5: Intro to Hopper - YouTube
Hopper 6: Crackmes | Reverse Engineering Mac OS X
Hopper 7: Linux x86 Program Start Up -- EXCELLENT EXPLANATION

Miscellaneous Links

SmashTheStack Wargaming Network
Great exploit tutorials from 2012 in the WayBack Machine
Exploit Exercises
farlight.org -- useful exploits and shells
Bypassing AV Scanners -- OLLYDBG PROJECT IN HERE
Valgrind Tutorial
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Rootkits by Csaba Barta (from 2009)
PSA: don't run 'strings' on untrusted files -- WORTH EXPLOITING
From 0-day to exploit -- Buffer overflow in Belkin N750 (CVE-2014-1635)
Disarming and Bypassing EMET 5.1
BinScope Binary Analyzer -- vulnerability detector
Popular security suites open to attack -- DEP and ASLR Not Enabled
GDB: Debugging stripped binaries
USBPcap -- USE FOR PROJECTS
PBKDF2 - Wikipedia
Installing VMware Tools on Kali Linux
Kali Linux Downloads
IMMUNITY : Download
How to setup Dark Comet RAT (with download and pictures) : hacking
Cython: C-Extensions for Python -- MAKES SMALL EXEs
HT Editor -- powerful binary ELF editor
ntpdc local buffer overflow - Exploit Development example, interesting GDB commands
Seven Resume Strategies for the Long-Term Unemployed
KdExploitMe - Hackable Windows Kernel Driver -- USE FOR PROJECTS
64-bit Linux Return-Oriented Programming
Exploit Exercises -- GOOD FOR PROJECTS
WIRESHARK 1.12.4 and below Access Violation and Memory Corruption PoC
Fuzzing with AFL-Fuzz, a Practical Example ( AFL vs binutils ) -- USEFUL FOR PROJECT
Radare portable reversing framework
Hopper: The OS X and Linux Disassembler -- GOOD FOR PROJECTS
Gdbinit: user-friendly gdb configuration file -- GOOD FOR PROJECTS
Format String Bug Exploration -USEFUL FOR PROJECT
90s-style security flaw puts "millions" of routers at risk -- LOOKS GOOD FOR A PROJECT
Exploit Development Class for Win 7 64-bit -- USEFUL FOR PROJECTS
EDB (Evan's Debugger) -- Like OllyDbg on Linux ty @offsectraining
Sophos AV Bypass - YouTube
New buffer overflow protection in gcc 4.9 -fstack-protector-strong
Old Versions of Kali Linux
Animated Metasploit Linux Payload in gdb - YouTube
Stack Smashing On A Modern Linux System
Buffer Overflow Vulnerability Lab
VMware Tools installation fails when Easy Install is in progress -- GOOD SOLUTION
Installing VMware Tools in an Ubuntu virtual machine
How to turn OFF (or at least override) syntax highlighting in nano via ~/.nanorc?
Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team
MemGC and Control Flow Guard (May, 2015)
How exploit writers find bugs in Java Machine? - Reverse Engineering Stack Exchange
Mac OS Xploitation (2009)
Modern Binary Exploitation class from RPI
A binary analysis, count me if you can -- VERY USEFUL
picoCTF 2014 Baleful - Solving with Pin -- INTERESTING TECHNIQUE
How to detect a NX stack and other protections against buffer overflows -- VERY USEFUL
ROP for Linux ELF files: finding \'JMP ESP\'
Performing a ret2libc Attack -- USE FOR NEW LINUX PROJECT
How to disable ASLR in linux permanently.
Python multiprocessing.Pool: -- EXCELLENT EXAMPLE
Rooting Freshly -- GOOD EXAMPLE OF PENETRATING A LINUX WEB SERVER
Exploiting memory corruption bugs in PHP Part 3: Popping Remote Shells
Execute Bash Commands Without Spaces with Brace Expansion
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
gdb bug on 64-bit ubuntu with fix: No module name libstdcxx - Stack Overflow
gdb - debugging with pipe using mkfifio
Fuzzing on MacOS X -- MANY USEFUL TIPS
Carnegie Mellon - Tools - VulWiki
The Ultimate Disassembly Framework -- Capstone
binjitsu/binjitsu: CTF framework and exploit development library
How To Install VMware Workstation 11 On Ubuntu 14.10
Exploitation of mem-corruptions vulns in remote C/C++ programs without source or binary
Artistic Rendering of Exploit Development Process
Blind Return Oriented Programming (BROP)
Linux Assembly Tutorial - Step-by-Step Guide
A fundamental introduction to x86 assembly programming
RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level with "shadow stack" (June, 2016)
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
ARM Exploitation: Return Oriented Programming on ARM (on Linux)
How to read arbitrary RAM with format string vulnerability
The best resources for learning exploit development -- MANY GOOD PROJECT IDEAS
Use The Debugger with Hopper Disassembler/Decompiler - YouTube
Over the Wire Narnia Level 2 -) 3 -- GOOD EXTRA CREDIT PROJECT

New Unsorted Links

Ch 6m: RPC Endpoint Mapper in a network trace
Ch 8y: Win32 Thread Information Block - Wikipedia
Ch 8qq: No Loitering: Exploiting Lingering Vulnerabilities in Default COM Objects (paper) | Internet Society
Ch 14f: Windows 10 security overview
Demystifying the Execve Shellcode (Stack Method)
Program exiting after executing int 0x80 instruction when running shellcode
Ch 16b: Flawfinder Home Page

          

Last Updated: 4-27-17 8:16 pm