Page 1: Exploit Dev For Mere Mortals - Getting Started

Strategic Security, Inc. © http://www.strategicsec.com/

Exploit Development For Mere Mortals

Part 1: Getting Started

Presented By:

Joe McCray

[email protected]

http://www.linkedin.com/in/joemccray

http://twitter.com/j0emccray

Page 2: Exploit Dev For Mere Mortals - Getting Started


Who Is This Talk For?

Who is this for?

• Security Professionals and hobbyists interested in understanding exploit development

• Security Professionals and hobbyists interested in the fundamentals of writing exploits

No Geekenese:

• This is NOT a technical talk, although there will be some technical info – it's more of a getting started guide than anything else

Page 3: Exploit Dev For Mere Mortals - Getting Started


Things I'll Be Covering Today

• What programming languages do you need to know?

• What are the best ways to learn these languages?

• What tools do you need?

• Which tools should you start with first?

• What references should you use to get started, and more importantly, which should you avoid?

Page 4: Exploit Dev For Mere Mortals - Getting Started


What Programming Languages Do I Need To Know/Learn?

• An Interpreted Language (Perl, Python, Ruby)

• C

• Assembly

Page 5: Exploit Dev For Mere Mortals - Getting Started


What Programming Languages Do I Need To Know/Learn?

• If you are new to programming – start with an interpreted language first

• Perl, Python, Ruby

• Youtube is your friend – the best I've seen is from 'thenewboston'

• Python: https://www.youtube.com/watch?v=4Mf0h3HphEA

• Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg

• Perl used to be the exploit and tool development language of choice

• Now it's Python and Ruby

Page 6: Exploit Dev For Mere Mortals - Getting Started


What Programming Languages Do I Need To Know/Learn?

• The C Programming Language

• Greg Perry is an amazing teacher of programming languages

• I highly recommend "Absolute Beginner's Guide to C"

• Publisher: Sams; 2nd Edition

• ISBN-10: 0672305100

• ISBN-13: 978-0672305108

Page 7: Exploit Dev For Mere Mortals - Getting Started


What Programming Languages Do I Need To Know/Learn?

The Assembly Programming Language

Vivek Ramachandran (SecurityTube.net)

@SecurityTube

Assembly For Hackers Video Series:

http://www.securitytube.net/groups?operation=view&groupId=5

http://www.securitytube.net/groups?operation=view&groupId=6

Page 8: Exploit Dev For Mere Mortals - Getting Started


What Tools Do You Need?

• Virtualization Platform (VMWare, VirtualBox, etc)

• Target VMs (XPSP3, Win7, Ubuntu 10)

• Debuggers

• OllyDBG: http://www.ollydbg.de/

• Immunity: http://immunitysec.com/products-immdbg.shtml

• WinDBG: http://www.windbg.org/

• IDA Pro: http://www.hex-rays.com/products/ida/support/download.shtml

• Vulnerable Software

• http://www.oldapps.com/

• http://www.exploit-db.com/

• Exploit Code

• http://www.exploit-db.com/

• http://packetstormsecurity.org/files/tags/exploit/

Page 9: Exploit Dev For Mere Mortals - Getting Started


Which Tools Should I Start With First?

• For your first few times dealing with simple exploits I'd recommend OllyDBG

• After that I think you should move to either Immunity or WinDBG

• I would say that IDA Pro should be left for advanced users

Page 10: Exploit Dev For Mere Mortals - Getting Started


What References Should I Use To Learn ED And Which Should I Avoid?

• If you are BRAND NEW – start with these tutorials:

• http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/

• http://resources.infosecinstitute.com/seh-exploit/

• If you have a little experience – start with the Corelan.be tutorials

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

Page 11: Exploit Dev For Mere Mortals - Getting Started


What References Should I Use To Learn ED And Which Should I Avoid?

• To break up the monotony I'd recommend doing some reversing tutorials

• http://tuts4you.com/download.php

• Stay away from the majority of books on Buffer Overflows

• Way too much focus on source code

• Way too much focus on classic buffer overflows on old OSs

• Books I would recommend (after you've done the tutorial list earlier) are:

• Art of Exploitation

• Shellcoder's Handbook

Page 12: Exploit Dev For Mere Mortals - Getting Started


What References Should I Use To Learn ED And Which Should I Avoid?

• If you are going to take a class at a security conference:

• Exploit Labs with Saumil Shah

• Corelan Live with Peter Van Eeckhoutte

Page 13: Exploit Dev For Mere Mortals - Getting Started


Major Resources

Vivek Ramachandran (SecurityTube.net)

@SecurityTube

Assembly For Hackers Video Series:

http://www.securitytube.net/groups?operation=view&groupId=5

http://www.securitytube.net/groups?operation=view&groupId=6

Exploit Development Basics Video Series

http://www.securitytube.net/groups?operation=view&groupId=7

http://www.securitytube.net/groups?operation=view&groupId=4

Page 14: Exploit Dev For Mere Mortals - Getting Started


Major Resources

Peter Van Eeckhoutte (https://www.corelan.be/)

@corelanc0d3r

Hands-Down Probably The Best Tutorials on the market:

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Page 17: Exploit Dev For Mere Mortals - Getting Started


Contact Me....

Toll Free: 1-866-892-2132

Email: [email protected]

Twitter: http://twitter.com/j0emccray

LinkedIn: http://www.linkedin.com/in/joemccray