Advanced Vulnerability Discovery and Exploit

PTRACE SECURITY
Information Security Solutions
Advanced Vulnerability Discovery
and Exploit Development
Version 1.5.3
training@ptrace-security.com
https://www.ptrace-security.com
Ptrace Security GmbH
Untermüli 9, 6300 Zug, Switzerland
1/5
PTRACE SECURITY
Information Security Solutions
Course Description
The Advanced Vulnerability Discovery and Exploit Development course offers security professionals an opportunity
to test and develop their skills like never before. During this class, attendees will be provided with the latest
techniques and tools to discover vulnerabilities and use them to develop reliable exploits for a wide range of
software including complex Windows applications, interpreted languages, Web browsers, and critical Microsoft
services.
In the first half of the course, attendees will use reverse engineering, source code auditing, and fuzz testing to attack
a wide variety of applications (many of which are critical for a successful penetration test) and then use the latest
exploitation techniques available today to develop a reliable exploit for Windows 7, Windows 8.1 and Windows 10.
In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will
learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, how to use precise heap
spraying and how to bypass the Enhanced Mitigation Experience Toolkit (EMET).
By the end of this course, attendees will have a clear idea of how to find and exploit Zero-day (0day) vulnerabilities
on modern Windows machines.
Highlights






Zero-day (0day) vulnerability discovery
Cutting-edge network protocol and file format fuzzing
Binary analysis techniques and vulnerable patterns identification
Advanced usage of the Grinder Framework, PIN, PyKd, and IDA Python
In-depth study of modern Windows mitigation bypasses
State of the art techniques for exploit development
Audience
This course is well suited for penetration testers, vulnerability researchers, exploit developers, malware analysts,
security auditors, digital forensics analysts, and IT professionals who are wishing to dive into vulnerability analysis and
exploit writing.
Price
4'750.00 EUR (5-day Live Training + 1 Certification Attempt)
Course Content
Module 0: The Course

Welcome

Course Overview

Setting up the Lab
training@ptrace-security.com
https://www.ptrace-security.com
Ptrace Security GmbH
Untermüli 9, 6300 Zug, Switzerland
2/5
PTRACE SECURITY
Information Security Solutions
Module 1: Fundamentals



Introduction to bug hunting

The bug hunter’s toolkit

Approaches and methodologies
Microsoft Windows internals

Overview of the system

Process Management

Memory protections
Static and dynamic analysis

Identifying key data structures

Code flow analysis

Scripting disassemblers
Module 2: iTunes (CVE-2012-0677)



Vulnerability discovery

Introduction to fuzz testing

File format fuzzing

The M3U file format
Exploitation

Practical return-oriented programming (ROP)

Bypassing DEP and ASLR on Windows 7

iTunes exploit variant 1

Bypassing DEP and ASLR on Windows 8

iTunes exploit variant 2
Vulnerability remediation
Module 3: ActFax (OSVDB 89944)



Vulnerability discovery

Protocol format reverse engineering

Network protocol fuzzing
Exploitation

ActFax exploit variant 1

ActFax exploit variant 2
Vulnerability remediation
Module 4: Mozilla Firefox (CVE-2011-2371)

Vulnerability discovery

Vulnerable patterns

Practical source code auditing
training@ptrace-security.com
https://www.ptrace-security.com
Ptrace Security GmbH
Untermüli 9, 6300 Zug, Switzerland
3/5
PTRACE SECURITY
Information Security Solutions



Intelligent bug hunting

Fast memory error detection with the Address Sanitizer (ASan)

Development of precise browser fuzzers
Exploitation

Exploiting integer overflows

Firefox exploit variant 1 - with non-ASLR module

Circumventing the ASLR without info leaks

Firefox exploit variant 2 – without non-ASLR module
Vulnerability remediation
Module 5: Microsoft Internet Explorer (CVE-2012-1889)



Vulnerability discovery

Introduction to binary diffing

Bindiff vs. DarunGrim

Microsoft patch analysis
Exploitation

Exploiting uninitialized memory corruptions

Precise heap spraying in Internet Explorer

Microsoft XML Core Services MSXML exploit variant 1 – IE 6

Microsoft XML Core Services MSXML exploit variant 1 – IE 7

Microsoft XML Core Services MSXML exploit variant 1 – IE 8

Microsoft XML Core Services MSXML exploit variant 1 – IE 9
Vulnerability remediation
Module 6: Oracle Java (CVE-2012-0507)



Vulnerability discovery

Introduction to the Java virtual machine

The Java sandbox architecture

Analyzing Java code from the inside

Fuzzing programming languages
Exploitation

Building custom shellcode from scratch

Java exploit variant 1

Escaping the Java sandbox

Java exploit variant 2 - with sandbox escape
Vulnerability remediation
Module 6: Adobe Reader (CVE-2013-0640, CVE-2013-0641)

Vulnerability discovery

The Adobe Portable Document Format (PDF)
training@ptrace-security.com
https://www.ptrace-security.com
Ptrace Security GmbH
Untermüli 9, 6300 Zug, Switzerland
4/5
PTRACE SECURITY
Information Security Solutions

Overview of the Adobe Reader internals

Intelligent fuzzing



The Adobe Reader sandbox
Exploitation


Writing advanced file format fuzzers
Adobe Reader exploit - with sandbox escape
Vulnerability remediation
Module 6: Advanced Windows exploitation

Exploitation mitigations on Windows 7, 8, and 10

Enhanced Mitigation Experience Toolkit (EMET) internals

Bypassing EMET 5.1

State of the art stealth exploitation and process continuation
Prerequisites
Attendees should be familiar with C/C++, Python, and the x86 assembly language, as well as have a basic
knowledge and understanding of popular software vulnerabilities (e.g. stack buffer overflows, format strings, etc.).
Requirements

Laptop with at least forty (40) GB of free hard drive space and four (4) GB of RAM

Latest VMware Player, VMware Workstation, VMware Fusion installed.

A working version of Burp Suite Pro
Trainer
Gianni Gnesa is a security researcher and professional trainer at Ptrace Security GmbH, a Swiss-based company that
offers specialized IT security services to customers worldwide. With several years of experience in vulnerability
research, exploit development, and penetration testing, Gianni is an expert in exposing the vulnerabilities of complex
commercial products and modern network infrastructures. In his spare time, Gianni conducts independent security
research on kernel exploitation and rootkit detection.
Contact Information
For further information, please contact Ptrace Security GmbH at training@ptrace-security.com
training@ptrace-security.com
https://www.ptrace-security.com
Ptrace Security GmbH
Untermüli 9, 6300 Zug, Switzerland
5/5