HOPE Eleven: Exploit Development
Proposed Workshop
Abstract
Unexpected input often causes programs to crash. Exploit development is the process of converting such crashes into Remote Code Execution exploits, giving the attacker control of the server. This process can be very simple (code injection) or more complex (injecting binary code).
In this workshop, participants will take over a series of real servers, using these techniques:
- SQL Injection with PHP shellcode
- Command injection (overflow from one variable to another)
- Buffer overflow without shellcode
- Buffer overflow with shellcode
Purpose
This workshop helps participants move beyond using attacks others have developed to understanding how programs work at the binary level and how to exploit their weaknesses. With these techniques, you can find new vulnerabilities and write proof-of-concept attack code to compete in cybercompetitions or earn bug bounties.
Technical Requirements
Participants need a computer with Kali Linux running, either in a virtual machine or locally. Familiarity with C, Python, and assembly code is helpful but not required.
The venue needs to provide Internet access and desks or tables for the participants to use. I will bring a few loaner computers for people who need them.
Posted 2-3-16 by Sam Bowne