The Exploit Laboratory

ARM-X and a brand new IoT CTF challenge

2019-10-25T22:52:00.001+05:30

A few days ago, I released the ARM-X Firmware Emulation Framework. My goal was to get as close to having an IoT virtual machine as possible. ARM-X has several applications. I wrote it to emulate and pentest IoT devices and use it to teach exploit development in my ARM IoT Exploit Laboratory training. ARM-X can also be used for fuzzing IoT targets and for hosting IoT CTF challenges!

ARM-X Preview VM

I released a preview VM of ARM-X along with the code on October 23 2019. The image is a VMWare virtual machine using Alpine Linux as the host OS, simply because I cannot tolerate systemd. The preview release of ARM-X comes preloaded with two emulated IoT devices:

DVAR - The Damn Vulnerable ARM Router, which was initially released as TinysploitARM
Trivision 227WF IP Camera

ARM-X CTF Challenge #1

The Trivision IP Camera has some serious vulnerabilities in it, as expected. There are three vulnerabilities that we know of so far. And perhaps more, lurking in the shadows. The first working exploit and write-up shall win a special Ringzer0 “Box of 0-days” from me!

Over the next few days, I shall be dropping hints on how to debug using gdb and gdbserver with ARM-X, using dynamic analysis tools such as strace and ltrace and more. Follow @therealsaumil for updates.

DVAR ROP Challenge - Bonus Round Unlocked!

2018-03-01T10:39:00.000+05:30

DVAR ROP Challenge - Bonus Round Unlocked!

THE ARM IoT EXPLOIT LABORATORY

I promised to announce the DVAR Bonus Challenge when I first released the Damn Vulnerable ARM Router.

I was waiting for a successful completion of the first stack overflow exercise before I announced the bonus challenge.

@JatanKRaval provided the first working solution, and so here goes - bonus round unlocked!

Part 2 of the DVAR challenge is to exploit a stack overflow in "/usr/bin/lightsrv" the traffic signal lights server. lightsrv is automatically started on boot, and listens on port 8080.

Your task is:

Find the buffer overflow vector for lightsrv
Crash the program and get pc=0x41414140
Work your way through building a proper ROP chain (XN is enabled!)
Get a working shell!

Hints:

exploitlab-DVAR:~# ps
PID USER VSZ STAT COMMAND
    :    :    : :    :
245 root 656 S    /usr/bin/miniweb
246 root 640 S    /usr/bin/lightsrv <------- [TARGET]
292 root 1016 S    -ash
321 root 1012 R    ps

exploitlab-DVAR:~# cat /proc/$(pidof lightsrv)/maps
00010000-00012000 r-xp 00000000 08:00 512   /usr/bin/lightsrv
00022000-00023000 rw-p 00002000 08:00 512   /usr/bin/lightsrv
40000000-40064000 r-xp 00000000 08:00 185   /lib/libc.so
40064000-40065000 r-xp 00000000 00:00 0     [sigpage]
40073000-40074000 r--p 00063000 08:00 185   /lib/libc.so
40074000-40075000 rw-p 00064000 08:00 185   /lib/libc.so
40075000-40077000 rw-p 00000000 00:00 0
40078000-40089000 r-xp 00000000 08:00 2791 /lib/libgcc_s.so.1
40089000-4008a000 rw-p 00009000 08:00 2791 /lib/libgcc_s.so.1
befdf000-bf000000 rw-p 00000000 00:00 0     [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0     [vectors]

If you haven't played with DVAR yet, download it from here:
http://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html

UPCOMING ARM IoT EXPLOIT LABORATORY TRAINING

Cansecwest Vancouver 2019 (4 day) March 16-19

https://cansecwest.com/dojos/2019/exploitlab.html

Hack In The Box Amsterdam HITB2019AMS (3 day) May 6,7,8

https://conference.hitb.org/hitbsecconf2019ams/sessions/3-day-training-1-the-arm-exploit-laboratory/

Have fun with DVAR-ROP!

DVAR - Damn Vulnerable ARM Router

2018-01-13T19:01:00.001+05:30

Damn Vulnerable ARM Router (DVAR)

THE ARM IoT EXPLOIT LABORATORY

DVAR is an emulated Linux based ARM router running a vulnerable web server that you can sharpen your ARM stack overflow skills with.

DVAR runs in the tinysploitARM VMWare VM under a fully emulated QEMU ARM router image.

Simply extract the ZIP file and launch the VM via tinysploitARM.vmx. After starting up, the VM's IP address and default URL shall be displayed on the console. Using your host computer's browser, navigate to the URL and follow the instructions and clues. The virtual network adapter is set to NAT mode.

Your goal is to write a working stack overflow exploit for the web server running on the DVAR tinysploitARM target. DVAR also includes a bonus challenge, follow @therealsaumil on Twitter for the bonus challenge announcement.

Download URL: exploitlab_DVAR_tinysploitARM.zip - 47.4MB VMWare Image
SHA256: bc6eb66b7f5c0c71ca418c809213eb452e3fbf90654856ebb0591e164d634e2b

DVAR started as an optional preparatory exercise for the ARM IoT Exploit Lab.

UPCOMING ARM IoT EXPLOIT LABORATORY TRAINING

Cansecwest Vancouver 2019 (4 day) March 16-19

https://cansecwest.com/dojos/2019/exploitlab.html

Hack In The Box Amsterdam HITB2019AMS (3 day) May 6,7,8

https://conference.hitb.org/hitbsecconf2019ams/sessions/3-day-training-1-the-arm-exploit-laboratory/

Saumil Shah
@therealsaumil

What is common between...

2017-09-26T22:46:00.001+05:30

..the ARM IoT Exploit Laboratory and the Christmas Markets in Vienna?

The ARM IoT Exploit Lab comes to Vienna for the first time! 3 days of ARM assembly, shellcode, ROP chains, Firmware analysis, ASLR bypass and owning ARM Routers and ARM IP Cameras!

Check @deepsec's blog post for more details and registration.

http://blog.deepsec.net/deepsec-2017-training-arm-iot-exploit-laboratory/

Remember, it is a 3 day training - and starts before all the other trainings at DEEPSEC2017 this year.

pc=0x44444444 - The ARM Exploit Lab returns to 44CON

2017-06-27T22:09:00.000+05:30

The ARM Exploit Lab returns to 44CON for a second year, this time with a focus on exploiting ARM/Linux IoT devices.

This year, I shall be teaching a 3 day class starting with the basics of ARM Assembly, writing ARM shellcode, remote exploits, ARM ROP chains and concluding with a grand "from firmware to shell" hack of an ARM WiFi router and an ARM IP Camera. On actual hardware!

And as a bonus, I will be joined by co-instructor @Fox0x01, who has put together a much needed tutorial on ARM Assembly Basics!

If you are in London in September, there's no reason why you shouldn't be at 44CON! See you there.

Class link: https://44con.com/44con-training/saumil-shah-the-arm-iot-exploit-laboratory/

ARM IoT Exploit Lab debuts at Blackhat USA 2017

2017-06-27T21:43:00.000+05:30

After a decade of teaching x86 binary exploitation at Blackhat, we are pleased to debut the ARM IoT Exploit Laboratory at Blackhat USA 2017! We are teaching two classes back to back.

The weekend class "ARM IoT Exploit Lab: Intro" is an introduction to ARM exploit development covering ARM assembly, ARM shellcode from scratch and putting together a remote exploit targeting a Linux image running on an ARM system.

This is followed by the "ARM IoT Exploit Lab: Advanced" class, focusing on overcoming exploit mitigation technology such as XN (DEP) and ASLR on ARM, extracting and analysing IoT firmware and exploiting IoT binaries. We shall be building ARM ROP chains and putting together a fully working remote exploit targeting an ARM based IP Camera as well as an ARM based WiFi router - "from firmware to shell". Oh yes, we will be trying the attacks against REAL HARDWARE, not just emulators!

Class links:
https://www.blackhat.com/us-17/training/arm-iot-exploit-laboratory-intro.html
https://www.blackhat.com/us-17/training/arm-iot-exploit-laboratory-advanced.html

One more thing, my friend @Fox0x01 has put together a wonderful series of tutorials on ARM Assembly Basics. I highly recommend it for students who are already registered or thinking of signing up for the ARM IoT Exploit Laboratory.

See you in Vegas, 18th year in a row!

The ARM ExploitLab goes to 44CON London 2016

2016-08-16T11:51:00.000+05:30

With the weight of the Internet shifting to ARM based devices (mobile and IoT), ARM exploit development is becoming an increasingly important skill necessary for practitioners of offensive information security.

We debuted the ARM Exploit Laboratory at CanSecWest 2016, followed by SyScan and at HITB2016AMS. And as before, we bring all awesome trainings to 44CON as well! This year, we shall be offering a special 3 day ARM exploit development training at 44CON London 2016.

We shall be covering core ARM exploit development concepts from the ground up, featuring:

ARM Assembly Language
How Functions work on ARM
Stack Overflows on ARM
ARM Shellcode
Defeating XN on ARM
ARM Return Oriented Programming
Defeating ASLR on ARM
Case study - from firmware to ownership - exploiting an ARM router

44CON is less than a month away, so for those interested in signing up for the class, head over to 44CON's Training Registration page.

See you in London next month!
-- Saumil

Blackhat 2016 Exploit Lab - Pre-Class Tutorials + Crackme's

2016-06-05T20:48:00.000+05:30

Our Blackhat USA 2016 Exploit Lab Black Belt and Master classes are filling up fast. If you're taking our classes (or considering them), here is some introductory material - tutorials to refresh your core concepts and a couple of crackme's to try your hands at exploit writing.

Tutorials+Challenge VM for Black Belt

Operating Systems - A Primer
How Functions Work
Introduction to Debuggers
TinySPLOIT - warm up on stack overflows (30MB download)

Tutorials+Challenge VM for Lab Master

Dive Into ROP
TinySPLOIT2 - warm up on ROP techniques (78MB download)

It is not mandatory to solve the challenges, but if you are really itching to get your hands dirty with exploit development, then go for it!

If you have not yet registered for the classes, here are the registration pages:

-- Saumil Shah @therealsaumil

There's an Intel on every desktop, but an ARM in every pocket

2016-06-02T18:45:00.000+05:30

The Exploit Lab enters its 11th year in 2016! This year, we debuted the ARM Exploit Lab training at CanSecWest, SyScan and most recently HITB2016AMS. The response has been fantastic, with HITB2016AMS and the upcoming class at RECON 2016 Montreal completely sold out.

July/August 2016 - BLACKHAT USA

This year, we are still teaching our advanced x86/x64 Exploit Lab classes at Blackhat USA 2016 with our BLACK BELT and MASTER classes. The early bird pricing has closed, and the classes are filling up steadily.

July 30, 31 - Exploit Lab Black Belt - browser exploits, Use-after-free, DEP, ASLR, ROP
August 1, 2 - Exploit Lab Master - advanced ROP, Infoleak, 64-bit exploitation

September 2016 - 44CON UK

We have a 3-day version of the ARM Exploit Lab at 44CON, featuring a primer on ARM Assembly language, writing ARM Shellcode and culminating with bypassing XN with ARM ROP. Register at 44CON's Training Page.

TinySPLOIT2 - Exploit development exercises for ROP

2015-07-20T10:26:00.000+05:30

The Exploit Laboratory at Blackhat USA 2015 has stepped up one level. We shall be teaching our "Black Belt" class on the weekend of August 1,2 featuring advanced topics such as DEP bypass using Return Oriented Programming and an in-depth look at Use-After-Free exploits. This shall be followed by our newest offering on August 3,4 - "The Exploit Lab: Master" class. The Master class is an uber-advanced class. Students directly attending the Master class are expected to be proficient with ROP, Use-After-Free exploitation, heap spraying and debugging techniques.

To put your ROP skills to the test, we present TinySPLOIT2 - a compact Linux virtual machine featuring three exploit writing challenges, each progressively more difficult. Getting a shell now requires the use of Return Oriented Programming, some proficiency with GDB debugging, ELF binary analysis and some clever innovation.

TinySPLOIT2 is a 350MB VMware image (78MB zipped) and can be downloaded here. SHA256 checksum: 57f6faa605426addcdb46cde976941e89e7317cc05165e93cc8cda42d697dca8

You can be up and running with TinySPLOIT2 in a matter of minutes. Boot up the VM, follow the instructions on its web page, write an exploit and get a shell. You will then need to capture the flag to enter rounds 2 and 3. Good luck and have fun ROP chaining!

The older TinySPLOIT virtual machine can still be found here.

Blackhat Training prices go up on the 24th of July, so if you are thinking of registering for the courses, now's the time. See you in Las Vegas in a few weeks!

Stegosploit Was Never An Exploit - My Paper, Toolkit And Thoughts

2015-06-27T01:46:00.002+05:30

This blog is generally reserved for updates on The Exploit Laboratory, but I shall borrow it for one "guest post" on my latest exploit delivery technique - Stegosploit.

I have been working on browser exploit delivery using steganographic techniques since the past 5 years. I have spoken about some of these techniques at several conferences around the world. This past year, I had a few breakthroughs combining steganography with file format polyglots. The goal of Stegosploit was to demonstrate my motto: "A good exploit is one that is delivered in style". I demonstrated this technique at Hack In The Box 2015 Amsterdam, on 28th May 2015. I "painted" an exploit on the face of my good friend Kevin McPeake, as a demonstration of browser exploit delivery via images. In my slide deck, I made it very clear that Stegosploit was not an exploit (although it has a cute logo associated with it). Slide 7.

I presented private demonstrations to reporters from iDigitalTimes and Vice Motherboard, who did a very thorough job in fact checking and representing the research as accurately as possible in a media article.

And then, something happened. Reddit and Twitter exploded with several scathing commentaries on my work. The backlash was caused by commenters who were not present during my presentation, nor had seen any demo or even bothered to research into the technical details that I presented. Instead, these were just conjectures and inferences derived from my older presentations at SyScan 2015 and HITB 2013 - techniques that are at best described as precursors to what Stegosploit actually is.

Rather than speculate on the merits or demerits of the technique and competency of my work and research, I leave you to read this detailed paper about Stegosploit in Issue 0x08 of PoC||GTFO, the only befitting journal for publishing research of this kind!

Along with the paper, I have also released the Stegosploit v0.2 toolkit, which is packaged as a PNG image within the issue itself. It is an interesting exercise to extract the tools, and for those of you who do, it gives you a better appreciation of this kind of research. Hint: "unzip pocorgtfo08.pdf".

Oliver Söhlke published a very well written interview in Vulnerability Magazine clarifying my position and purpose of Stegosploit, while documenting the effects of Stegosploit on evading detection.

In the end, I do want to publicly appreciate the fact that the author of the article published in The Medium was honest enough to revise his mistake.

I am looking forward to his new article on the topic.

My parting piece of advice to those interested in analyzing or dissecting an an infosec research topic - when in doubt, please ask the researcher, instead of kicking off a troll-fest. We would be happy to help you with your fact checking and correct any mistaken assumptions. We play nice.

Exploit Lab Announcements for 2015 - CanSecWest and SyScan

2015-02-04T15:54:00.001+05:30

The Exploit Laboratory returns to CanSecWest for 2015 with two courses:

Exploit Lab: Advanced Browser Exploitation and

Exploit Lab: Master

Advanced Browser Exploitation focuses on browser and PDF exploits on modern operating systems where students shall also learn about bypassing exploit mitigation technologies like DEP and ASLR. Special attention shall be given to Return Oriented Programming (ROP chains) and Use-After-Free (UAF) bugs. The class shall feature in-depth heap debugging for analysing and exploiting Use-After-Free bugs.

The Master class is an ideal extension to the Advanced Browser Exploitation class, or for students with previous exploit development training who wish to take their skills to present day competitiveness. Topics covered in the Master class include advanced ROP chains, an in-depth analysis of infoleak bugs, one-byte memory overwrite ownage, heap spraying on modern Javascript engines, server side heap spraying, kernel exploits, using ROP in kernel exploits and an introduction to 64-bit exploitation.

And now for SyScan. Sad, but true, this shall be the last SyScan in Singapore. And for the finale, we shall be featuring our brand new Black Box Bug Hunting and Vulnerability Discovery class as a 4-day training programme. Black Box Bug Hunting complements the Exploit Laboratory training offering by taking students through the art and craft of instrumented fuzzing to find bugs in everyday software.

The class follows a hands-on workshop style where the emphasis is on "learn by doing" with exercises and real world fuzzing scenarios. In addition to fuzzing, we shall spend an equal amount of time in analyzing crash dumps, determining exploitability, and root cause analysis through reverse engineering.

This is a class and conference you don't want to miss!

@therealsaumil

Black Box Bug Hunting - Introduction to Vulnerability Discovery and Exploit Development

2014-10-30T00:27:00.002+05:30

Our brand new training class "Black Box Bug Hunting - Introduction to Vulnerability Discovery and Exploit Development" debuts at the Blackhat Trainings in Potomac, Maryland. Black Box Bug Hunting complements the Exploit Laboratory training offering by taking students through the art and craft of instrumented fuzzing to find bugs in everyday software.

Blackhat Trainings is the perfect platform to launch this 4-day intense training programme. The class follows a hands-on workshop style where the emphasis is on "learn by doing" and shall be taught to a smaller group of students. The emphasis is more on exercises and real world fuzzing scenarios. In addition to fuzzing, we shall spend an equal amount of time in analyzing crash dumps, determining exploitability, and root cause analysis through reverse engineering. For more details, read up the class description.

All essential concepts will be taught in class. However should you wish to come better prepared, we shall be posting new tutorials shortly. If you are curious about bug hunting and vulnerability discovery, this class is not one to be missed!

Oh, and one last thing. Early bird pricing ends on October 31.

Saumil Shah
@therealsaumil

Exploit Lab announcements - 44CON, Ruxcon/Breakpoint, Blackhat Europe, Blackhat East Coast Trainings

2014-08-26T10:54:00.000+05:30

Presenting our training calendar for the remainder of 2014. The Exploit Laboratory trainings have been confirmed at the following events worldwide:

September 9,10: 44CON, London (Advanced)

October 6,7: RUXCON, Melbourne Australia (Intro/Intermediate)

October 14,15: Blackhat Europe, Amsterdam (Advanced)

And last but not the least, we have an all new class focusing on bug hunting and fuzzing!

"Black Box Bug Hunting - An Introduction to Vulnerability Discovery and Exploit Development" debuts at the Blackhat East Coast Trainings, Maryland, USA from December 8-11. This is a 4-day class focused more on the art and craft of bug hunting, fuzzing, reverse engineering, crash dump analysis and performing root cause analysis of exploitability.

A detailed announcement shall follow shortly.

The Advanced Exploit Laboratory returns to 44CON

2014-08-09T11:04:00.000+05:30

With the dust settling after Blackhat USA 2014, we are getting ready for another round of advanced exploit development training at 44CON next month.

The Advanced Exploit Laboratory at 44CON shall focus on the latest topics in exploit development - with special attention to Use-After-Free bugs, Information Leaks, Return Oriented Programming and dynamic ROP chains. The Advanced Exploit Laboratory is indeed a fast-paced class, intended for participants who already have basic exploit development experience and want to take their skills to today's cutting edge topics.

If you are joining the Advanced Exploit Laboratory at 44CON and your exploit development skills need a little warm-up, we have just the thing for you! TinySPLOIT is a tiny (30MB) VMware virtual machine running web server vulnerable to a simple stack overflow. You may download TinySPLOIT from here (mirror link). TinySPLOIT can be up and running in a few minutes. You can also read more about TinySPLOIT in our earlier blog post.

In addition to TinySPLOIT, do also check out our tutorials on How Functions Work, and Introduction to Debuggers.

See you next month in London!

TinySPLOIT - Warm-up exercise on Exploit Development

2014-07-25T23:40:00.001+05:30

This year's Exploit Laboratory classes at Blackhat USA 2014 feature completely new content. First, we have retired Windows XP based exploits altogether from our RedTeam class. Our advanced class "The Exploit Laboratory: Black Belt" focuses on ROP, Use-After-Free, Infoleaks and 64-bit exploitation.

The Black Belt class is going to be fast paced, and we mean it! We expect all Black Belt participants to be familiar with the workings of stack overflow exploits, at a minimum.

Enter TinySPLOIT - a compact Linux virtual machine running a vulnerable web server that you can sharpen your stack overflow skills with.

TinySPLOIT is a 30MB VMware image and can be downloaded here. (mirror). SHA256 checksum: 6bd956c86846a21e713c9f5efa7cf286386d2b4aa654a3734b9ce9b6497fa59a

You can be up and running with TinySPLOIT in a matter of minutes. Boot up the VM, follow the instructions on its web page, write an exploit and get a shell! For debugging purposes, the root password is "exploitlab" :)

This shall be my 16th year in a row at Blackhat USA. This year, I shall be joined by the Exploit Lab co-developer and my dear friend S.K. who shall teach a number of new topics including 64-bit exploitation, and Eric Liu, teaching a brand new module on information leakage via 1-byte memory overwrites.

Blackhat Training prices go up on the 26th of July, so if you are thinking of registering for the courses, now's the time. See you in Las Vegas in a week!

The Exploit Lab bids farewell to Win XP

2014-07-03T13:54:00.002+05:30

Times are changing. Desktops all around the world bid a fond farewell to Windows XP in April 2014, and The Exploit Laboratory is no exception.

Exploits based on Windows XP shall not feature in the Exploit Laboratory any more.

After all, it doesn't make sense to learn exploit writing on a dwindling platform, does it?

The course content overhaul for Blackhat USA 2014 is complete. All exploits and examples have been revised. What was advanced content a couple of years ago has now been re-worked into our intermediate level Exploit Laboratory: Red Team class. The Exploit Laboratory: Black Belt class shall focus on present day advanced topics such as Use-After-Free exploits, Information Leaks, Compound Exploits and Dynamic ROP chains.

Our Blackhat 2014 classes are filling up fast. For those of you who have already registered, do browse through the following concepts refresher tutorials:

Exploit Lab 2014 - Cansecwest, SyScan, Recon, Blackhat USA, 44CON

2014-02-26T20:44:00.002+05:30

The Exploit Laboratory classes have been confirmed at the following conferences. This year, we are focusing more on advanced exploit development concepts, especially bypassing exploit mitigation techniques such as DEP and ASLR, Return Oriented Programming, Information Leaks and Dynamic ROP chains, and Use-After-Free bugs.

March 8-11: CanSecWest 2014, Vancouver (Intro, Advanced)

March 31-April 2: SyScan '14, Singapore (3-day Advanced)

June 23-26: Recon 2014, Montreal (Advanced, Über Advanced)

August 2-5: Blackhat USA 2014, Las Vegas (Red Team, Black Belt)

September 9,10: 44CON, London (Advanced)

Don't miss out on early bird registrations!

FREE VMware licenses for Exploit Lab at CanSecWest 2014!

2014-02-26T19:32:00.002+05:30

Yes you read that right. A big shout-out to the friendly folks at VMware for providing FREE licenses of VMware Fusion and VMware workstation for all Exploit Laboratory students at CanSecWest 2014!

With CanSecWest less than 2 weeks away, there's still time to register for the Introduction to Exploit Development Dojo and the Advanced Exploit Development Dojo.

Those of you who have already registered for CanSecWest's dojos, contact the organizers at secwest14 [at] cansecwest.com to reserve your free VMware licenses.

Exploit Lab Announcements for 2014 - CanSecWest and SyScan

2014-02-11T22:10:00.002+05:30

2013 witnessed many radical changes, and exploit development is no exception. We have been hard at work these past two months making heavy changes to the classes. Based on the positive feedback we received at the Blackhat West Coast Trainings in December, we have made significant updates to the Exploit Laboratory classes for 2014.

Our 2014 line-up begins with two classes at CanSecWest, happening less than a month from now in Vancouver.

March 8,9: The Exploit Laboratory Introductory Dojo
March 10,11: The Advanced Exploit Lab Dojo

CanSecWest Dojos are unique. Small group and a very flexible environment to innovate and improvise as need be, followed by a high energy, high enthusiasm conference. And this year, we have a special guest instructor, Eric Liu, who shall be showing off some really fancy pure ASLR and DEP bypasses brought about from Use-After-Free bugs.

As with last year, we have a combo offering for those who wish to take both classes for a 4-day 0 to PWN overdose of exploit development experience! As usual, seats at the CanSecWest Dojos are limited, so make sure you register soon!

The next class for March is at the SyScan 2014 conference in Singapore. At SyScan, we shall be offering a special 3 day exploit development class featuring intermediate and advanced exploit development techniques.

March 31-April 2: The Exploit Laboratory SyScan '14 Edition

SyScan 2014 is also featuring an epic line up of world class speakers and talks. Be sure not to miss it!

For those of you have taken the Exploit Laboratory classes before, stay tuned for more announcements regarding really advanced content - more advanced than "Advanced". Tell your friends, spread the word, and pop by the conference to say, or have a POP/POP/RET with us!

-- Saumil Shah

Wrapping up 2013: 4 days of Exploit Laboratory in Seattle

2013-09-29T21:59:00.001+05:30

Exploit Development has seen many changes in the past two years. It is time to raise the bar and offer new training to meet the challenges that lie ahead in 2014. After introducing new advanced material at 44CON, we are taking a little breather to prepare for two entirely new courses set to debut at the Blackhat West Coast Trainings in Seattle from December 9-12, 2013.

We shall follow a slightly different pedagogy for the two courses. We shall focus more on learning through exercises and solving complex challenges.

First, we introduce our new "Exploit Laboratory: Red Team" class. This one is an intermediate/advanced level class covering modern day exploit development concepts - vtable overwrites, Use-After-Free bugs, Return Oriented Programming, Advanced Heap Spraying for browsers and PDF readers. The content is modeled after some of our advanced courses that we have taught in the past, except that this one has brand new exploits and a capture-the-flag round where you get to play against other teams, solving challenges on the fly. The CTF round requires you to modify tools and scripts to make things work.

Our second course is brand new. "Exploit Laboratory: Master" continues where the Red Team class leaves off. The Master class consists largely of hands-on exercises. After teaching many advanced classes, a common feedback note is that there isn't enough time for more exercises. The Master class features a number of progressively complex and challenging exploit development exercises. In addition to this, we shall introduce new topics for the first time - exploiting 64-bit applications, server side heap spraying, ROP chains for Linux and advanced compound exploits.

The Master class is designed to be an ideal extension of the Red Team class. The two courses are designed to be taken back-to-back in a 4 day format. Also, the Master class can be taken independently by anyone who has attended any of our Exploit Laboratory classes and want to sharpen their skills further.

We are excited to bring you these new classes. Putting together advanced training material is always fun, and it is as much of a learning exercise for us as it is for students taking the class. We shall be putting up new tutorials to prepare for these classes in the next few weeks.

-- Saumil Shah
@therealsaumil

EIP = 0x44444444: The Exploit Laboratory goes to 44CON!

2013-08-23T17:33:00.001+05:30

Thanks to the wonderful support from 44CON, The Exploit Laboratory finally arrives in London! We have a 2 day advanced class featuring topics such as vtable pointer overwrites, Use-After-Free bugs, defeating DEP using Return Oriented Programming, ASLR bypass and an introduction to exploit development on Android.

Click here for the class description and registration.

This is a compact class and is filling up quite fast. We shall be sending out preparation emails to currently registered students in a week's time.

See you soon in London!

-- Saumil Shah, @therealsaumil

A New Tutorial: Dive Into ROP - Blackhat USA 2013

2013-06-13T04:43:00.002+05:30

Our classes at Blackhat USA 2013 are rapidly filling up. We have a new tutorial for students taking The Exploit Laboratory: Black Belt Edition.

"Dive Into ROP" is a quick look at the core concepts behind Return Oriented Programming. This tutorial is not an essential pre-requisite for our advanced exploit development class, however it would be a good idea to study Ret2LibC before attending Black Belt Edition class.

Students taking the weekend Exploit Laboratory class can also sign up for the weekday advanced Black Belt edition class as a 4-day combo package. We guarantee you won't be disappointed! Meanwhile, here is "Dive Into ROP":

Dive into ROP - a quick introduction to Return Oriented Programming from Saumil Shah

And here are some more Exploit Laboratory Tutorials.

ALL NEW! Exploit Laboratory at Blackhat USA 2013

2013-05-24T18:30:00.000+05:30

Blackhat 2013 is approaching. We have been hard at work overhauling The Exploit Laboratory and Exploit Laboratory: Black Belt classes. This year shall see a 100% overhaul of the course contents for both classes.

With feedback and observations from 6 years and over 40 classes taught worldwide, we have decided to give the classes a complete makeover.

A glimpse of what's new:

ALL NEW EXPLOITS! We are stepping up the game. Special focus shall be given to browser exploits in addition to memory corruption on databases, libraries and web servers.

USE-AFTER-FREE - New material, new methodology, heap tracing madness, in-depth exploitation.

NEW PEDAGOGY - In addition to our much appreciated hands-on style, we shall be handing out "after dark" exercises, meant for those who love to be on the leading edge. These are exercises to challenge your creating and pwnage skills. Those who complete the exercises shall get a special bonus.

ROP, ROP, ROP - Can't say it often enough. Return Oriented Programming is an essential skill required for an exploit to work these days. We have new ROP examples and new ROP recipes. We have "Dynamic ROP", the stuff used for Pwn2Own style exploits. And more.

BlackHat's regular pricing ends on May 31. Do keep in mind that The Exploit Laboratory and Exploit Laboratory: Black Belt can be combined into one 4-day mega exploit development fiesta.

Last but not least, new additions to our crew! Josh Michaels joins our crew along with my other awesome co-stars - S K and Josh Ryder. We promise a great 4 days of training, with 2013 being my 15th consecutive appearance at BlackHat.

Students, Get Ready for Blackhat USA 2013!

2013-05-24T05:06:00.000+05:30

It is the calm before the storm. BlackHat USA 2013 is drawing near and The Exploit Laboratory classes are filling up fast. This blog post is for students who have already registered for the classes. We would like you to brush up on some core concepts before the class, giving you sufficient time to prepare and ask us questions before the exploit development festival begins in Las Vegas!

As a refresher, we have three tutorials for you:

Operating Systems: A Primer

Operating Systems - A Primer from Saumil Shah

How Functions Work

How Functions Work from Saumil Shah

Introduction to Debuggers

Introduction to Debuggers from Saumil Shah

The Exploit Laboratory and Exploit Laboratory: Black Belt are fast paced classes. We want you to ensure that you maximize your learning and pwnage experience and walk away with lots of evil smiles and shells! Next month, we shall be posting new tutorials, so stay tuned!