Wow, what a weekend I just had. I just finished the Exploit Laboratory class with Saumil Shah and S.K. Chong at Black Hat USA 2007. We covered exploit topics like stack and heap overflows on Linux and Windows systems. At the end of the course, I think we developed ten exploits for various applications.
I loved their teaching format of explaining the exploit concept, then stepping us through a real exploit, and then letting us do one ourselves. A major difference from the ImmunitySec course I took a few years ago was that they told us how to make the application crash in the first place. This saved lots of time and allowed us to focus on how to gain full control of the application, and how to pack our payloads.
One of the techniques that I learned was to use Metasploit’s pattern generator and offset finder. This tool is very useful in finding the offset location of an overflow, and it saves tons of time. I was used to doing binary tree analysis, which takes lots of time, so this new technique was great for me. I’m sure if I used Metasploit more I would have known this, though. Maybe I should take the Metasploit 3.0 Internals course next time.
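Not part of the original post: an added Ruby sketch of the two Metasploit helpers mentioned above (pattern_create and pattern_offset), showing why a value left in EIP or an SEH slot after a crash maps directly to one offset in the input. It assumes the debugger reports a little-endian x86 register value; the 5000-byte pattern in the demo is a constructed input.

```ruby
# Metasploit-style cyclic pattern: the buffer is a sequence of
# (uppercase, lowercase, digit) triplets. 26*26*10 = 6760 distinct
# triplets give 20280 bytes in which every 4-byte window is unique,
# so a 4-byte register value identifies exactly one offset.
MAX_PATTERN = 26 * 26 * 10 * 3

def pattern_create(length)
  if length > MAX_PATTERN
    raise ArgumentError, "a pattern over #{MAX_PATTERN} bytes repeats itself"
  end
  out = +""
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Find where a crash value sits in the pattern. Accepts either the raw
# 4 ASCII bytes ("Aa2A") or the integer a debugger prints for EIP/SEH
# (0x41326141). The integer is assumed to be a little-endian x86 value,
# so it is packed back into memory byte order ('V' = 32-bit LE) before
# searching. Returns nil when the value did not come from the pattern
# (e.g. the crash address is not attacker-controlled input at all).
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value
  pattern.index(needle)
end

if __FILE__ == $PROGRAM_NAME
  pat = pattern_create(5000)           # constructed 5000-byte input
  puts pattern_offset(pat, 0x41326141) # debugger showed EIP=0x41326141 -> 6
  puts pattern_offset(pat, pat[1000, 4]).inspect # bytes from offset 1000 -> 1000
end
```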
On the second day, we moved to more current things like browser exploits. We created an exploit for the ANI bug from a year ago. I accidentally set my payload to return to SEH, and the overflow overwrote SEH, so I created my own denial of service when I loaded the exploit! Then they showed us their version of the LinkedIn Toolbar exploit that they just wrote before the class. The security advisory was only a few days old at the time, so it was interesting to see how people can quickly create a working exploit.
Both of the teachers were very knowledgeable, friendly, and spoke clearly. I would recommend this course for anyone that wants to start getting involved with exploit development.