Tuesday, June 30, 2015

Review of SANS SEC760 - Advanced Exploit Development for Penetration Testers

A little over a week ago I wrapped up taking SANS Advanced Exploit Development for Penetration Testers (SEC760) at SANSFire 2015 in Baltimore, MD. This class is a 6 day long class that covers advanced Linux exploitation, patch-diffing and one day exploits, Windows kernel exploitation, advanced Windows client exploitation, and a variety of other topics. The end of the class, in typical SANS penetration testing class fashion, culminates in a capture the flag (CTF). So far I think this has been the best SANS class that I've taken. Prior to SEC760, I took SEC560, and SEC660 (course review here). The material is extremely technical, relevant, educational, and interesting. The course's author and instructor, Stephen Sims, has really put a lot of time and effort into making this class very challenging yet approachable.

Day 1 - Threat Modeling, Reversing, and Debugging with IDA

Day 1 of the class starts you off with a dive into the world of threat modeling. I'm sure that many people who end up taking SEC760 looking to learn how to advance their exploit writing game aren't exactly interested in talking about threat modeling. I was one of those individuals, but I completely see the value of threat modeling from the stand point that you as an individual can provide an extremely valuable resource to your company when correctly implementing processes like the Microsoft Security Development Lifestyle (SDL). Not to mention, an individual that can provide effective threat modeling stands to make decent money with that skill.

Following the threat modeling, the technical aspects of the class begin to pick up. The rest of the first day is spent on going over the process of reverse engineering binaries and becoming familiar with IDA. For those who haven't used IDA, this day provides you with the opportunity to become familiar with the interface and capabilities of the tool. I should caution, however, that if you've never used IDA, you will not be able to take the first day to learn it. IDA is an extremely complex tool that requires a lot of time to learn. Having experience with other debuggers such as OllyDBG, Immunity, or x64dbg certainly helps (and is expected for this class), but there is no replacement for actual experience.

Day 2 - Advanced Linux Exploitation

Moving on to Day 2 of the course, the class explores advanced exploitation concepts for Linux. The first topic of the day is focused on getting the students more use to heap based exploitation techniques by learning about the original exploitable flaw in the dl-malloc unlink() macro implementation. From here, the day progresses to learning about exploitation examples in custom memory management implementation, function pointer overwrites, and format string vulnerabilities.

I personally would have liked to have seen more Linux exploitation topics, but given the focus on modern exploit development, I understand why Stephen decided to focus more on Windows exploitation for days 3 - 5. To be fair, a lot of the vulnerability and exploit categories taught on days 3 and 5 can be applied to Linux, albeit with some modifications. This opinion is nothing more than a personal bias.

Day 3 - Patch Diffing, One-Day Exploits, and Return Oriented Shellcode

Day 3 starts off with a refresher into ROP based exploit development (a pre-requisite for the class). In these refreshers, you use ROP to disable exploit mitigations. With return oriented shellcode, you learn how to make all of your shellcode execute via a series of ROP gadgets. This has the added benefit of being able to bypass certain exploit mitigations even in instances where common bypass techniques are not available. 

From Day 3 on, Stephen puts a lot of focus on the art of patch diffing. Patch diffing is the process of looking at an original un-patched binary, and comparing the old version with a newly patched version. By using these diffing techniques, it makes it easier for a researcher to pin-point the area within the binary that changed. This is extremely helpful in developing 1-day exploits. For this part of the class, I used a new tool, Diaphora, to perform my diff-analysis. Diaphora worked out great for me. Diaphora is able to perform patch diffs at the control flow graph, assembly, and pseudo-source code levels (if you have the Hex-Rays decompiler plugin). And the best part, Diaphora is free, open source, and actively maintained.

Day 4 - Windows Kernel Debugging and Exploitation

Moving along the Windows exploitation ecosystem, Day 4 focuses purely on Windows kernel debugging and exploitation. I really enjoyed this section of the class. A recommendation I would make for those who are considering taking this class: if you take this class, make your life a little easier and install Windows as your host OS and use VirtualKD by SysProgs to communicate with your target Windows virtual machine. This class has a lot of moving parts and the more you can simplify those pieces, the more time you can spend actually working on the exercises and by consequence, the more you learn.

This is the day when students will become much more familiar with Microsoft's WinDBG. Prior to taking this class, I had never touched WinDBG. Although I found the learning curve rather steep, I came to appreciate the power provided by the debugger. Day 4 culminates in an exercise where you will learn how modern privilege escalation works on Windows via a technique known as token stealing.

Day 5 - Windows Heap Overflows and Client-Side Exploitation

Day 5 of the class zeros in on the area of advanced Windows client side exploitation. After getting a deep dive into the internals of Windows heap management, the entire day is spent learning how to find, identify, confirm, and eventually, exploit modern use-after-free bugs. After going through this day you will be equipped with the knowledge of how to perform modern exploit development on Windows 7 and 8 on applications such as Internet Explorer. Additionally, Stephen goes over the next steps to take when developing exploits for Windows 8.1, exploits that bypass Microsoft's EMET, and exploit tricks that still work with the latest preview version of Windows 10.

I will caution the reader, however, that during my time taking the class, we didn't actually perform any exercises on exploit development for Windows 8.1 or above, and for good reason. Even with the normal class hours of 9am-5pm and the extended boot-camp hours, there simply isn't enough time to go from just learning what a use-after-free exploit is to developing exploits that work on all versions of Windows and making those exploits bypass any new exploit mitigations that may be in place. Overall, Day 5 is where you really begin to have all the pieces from earlier in the week align. I found this day to be the most interesting and I'll definitely be returning to the material in order to ensure I've mastered the techniques presented.

Day 6 - Capture the Flag

For the final day of the class, the class is split into teams to compete against each other in a Jeopardy style CTF. There are 16 challenges with a total of 4000 points up for grabs. I won't go into detail of the challenges themselves, but the competition requires your team to exercise all of the skills gained through the previous 5 days. In the end, our team successfully completed 14 out of the 16 challenges to earn a score of 3200. Although the game was very competitive, 3200 points was enough for our team to come out on top. As a result, we earned the coolest coin offered in the SANS series of challenge coins. The 760 skull coin.

Team ROPNOP Wins the Skull Coin


Overall, I loved this class, It was an absolutely great experience. I encourage any individual looking to take their exploit development skills to the next level to take this class. I will warn you, however, that this is not an easy class, You can expect to be up late into the night after each day of class if you want to finish all of the exercises. Go into this class expecting to work hard, get frustrated, and exercise your patience. This is not a class for beginners. If the term Return Oriented Programming (ROP) is something you aren't familiar with, GDB is a foreign and feared tool, the heap sounds scary, and kernel debugging is shrouded in a fog of wizardry, you may want to consider taking SANS SEC660 first. Otherwise, embrace the challenge and I'm sure you'll finding it very rewarding!