Friday, 24 May 2013

ALL NEW! Exploit Laboratory at Blackhat USA 2013

Blackhat 2013 is approaching. We have been hard at work overhauling The Exploit Laboratory and Exploit Laboratory: Black Belt classes. This year shall see a 100% overhaul of the course contents for both classes.

With feedback and observations from 6 years and over 40 classes taught worldwide, we have decided to give the classes a complete makeover.

A glimpse of what's new:

ALL NEW EXPLOITS! We are stepping up the game. Special focus shall be given to browser exploits in addition to memory corruption on databases, libraries and web servers.

USE-AFTER-FREE - New material, new methodology, heap tracing madness, in-depth exploitation.

NEW PEDAGOGY - In addition to our much appreciated hands-on style, we shall be handing out "after dark" exercises, meant for those who love to be on the leading edge. These are exercises to challenge your creativity and pwnage skills. Those who complete the exercises shall get a special bonus.

ROP, ROP, ROP - Can't say it often enough. Return Oriented Programming is an essential skill required for an exploit to work these days. We have new ROP examples and new ROP recipes. We have "Dynamic ROP", the stuff used for Pwn2Own style exploits. And more.

BlackHat's regular pricing ends on May 31. Do keep in mind that The Exploit Laboratory and Exploit Laboratory: Black Belt can be combined into one 4-day mega exploit development fiesta.

Last but not least, new additions to our crew! Josh Michaels joins our crew along with my other awesome co-stars - SK and Josh Ryder. We promise a great 4 days of training, with 2013 being my 15th consecutive appearance at BlackHat.

Students, Get Ready for Blackhat USA 2013!

It is the calm before the storm. BlackHat USA 2013 is drawing near and The Exploit Laboratory classes are filling up fast. This blog post is for students who have already registered for the classes. We would like you to brush up on some core concepts before the class, giving you sufficient time to prepare and ask us questions before the exploit development festival begins in Las Vegas!

As a refresher, we have three tutorials for you:
  • Operating Systems: A Primer
  • How Functions Work
  • Introduction to Debuggers

The Exploit Laboratory and Exploit Laboratory: Black Belt are fast paced classes. We want you to ensure that you maximize your learning and pwnage experience and walk away with lots of evil smiles and shells! Next month, we shall be posting new tutorials, so stay tuned!

Wednesday, 27 February 2013

Exploit Lab - more announcements for 2013

With the first Exploit Laboratory training for 2013 set to kick off at CanSecWest this weekend, I would like to announce three more Exploit Lab classes for this year, in addition to the upcoming trainings at Blackhat Europe 2013 and SyScan 10.

First stop, Montreal. Exploit Lab returns to REcon for the third year. We shall be featuring an all new three day version of our Advanced Exploit Lab on June 18, 19 and 20. Our classes at REcon are geared towards experienced participants. We shall be featuring new topics in Return Oriented Programming, using information leaks and building dynamic ROP chains, use-after-free exploits, advanced heap sprays and kernel exploits. Registration is now open. This will be one major pwn-fest!

Blackhat has just confirmed The Exploit Laboratory and The Exploit Laboratory: Black Belt classes for the Blackhat USA 2013 trainings at Las Vegas from July 27th to 30th. Both classes are designed to be combined into a single 4 day training as well. Registration for Blackhat USA 2013 has just opened with an early bird pricing in effect.

Last, but not the least, we are honoured and glad to announce a 2 day advanced class in London at 44CON in September! Details and registration: http://44con.com/training/the-advanced-exploit-laboratory.

With Exploit Lab training offered all over the world, we have now made it easy for you to track all the 2013 Exploit Lab classes on our class calendar, available as an HTML version and an ICS version. Sometimes, we need to keep track of where we are headed too!

-- Saumil Shah
@therealsaumil

Tuesday, 12 February 2013

Defending our work - Part 2. The Exploit Lab Rip-off continues.


It has been a difficult week for us. First, the news of Exploit Laboratory's class material being ripped off and used in a paid webinar. This was followed by compelling and voluminous evidence that our worst fears were indeed coming true -- our core material in the form of slides, examples and scripts were being used too.

Our first set of new evidence was contributed by a student attending the webinar aired on February 2. We felt it necessary to bring this issue out in the open and state the facts as we have seen them. We felt it necessary to defend our work. In our previous blog post we spoke about some preliminary information regarding the apparent rip-off of our Exploit Lab course content. We thought it best to conceal the instructor's identity and give him a fair chance to stop the course of action before the second part of the webinar was aired on February 9.

The InfoSec community came out in great numbers in defense of our work and against our material being used without permission. During the week, many members of the InfoSec community have presented us with more evidence supporting the statement we made in our first blog post.

On February 8, the person responsible, Joe McCray of Strategic Security Inc., responded on his blog with the following note:

"I used the virtual machines from the class that I was in 2 years ago. I did it out of convenience. The virtual machines are built with software that is freely available on the Internet. There is no intellectual property of his that was stolen."

We feel it important to disabuse the community and students of the webinar of the notion that it was "just our VMs". Building up lab systems is hard work. Eight years into the Exploit Laboratory and we are continuously working on fresh content with EVERY CLASS we teach.

However, there is a lot more at hand than just virtual machines. A few members of the instructor's intern crew have also been astonished at what they have seen. Two of them have stepped forward and presented us with screenshots taken from a Dropbox account shared across the intern team. What we saw was direct evidence linking our original material - slides, scripts, class notes and virtual machines - to the content that continued to be taught in the webinar.

We present it here.

First, a screenshot of a stack overflow script taught in the first webinar:


Next, the directory containing scripts for the Peercast exploit. The Peercast stack overflow is one of Exploit Laboratory's introductory examples when teaching stack overflows. Here, we have the same set of scripts, our typical "cyclic pattern" file and a copy of the Peercast binary to analyse:
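To illustrate what such a "cyclic pattern" file is for when teaching a stack overflow like the Peercast example, here is an added example written for this page; it is not one of Exploit Laboratory's Perl or Python scripts and is not taken from the screenshots. It generates the classic Metasploit-style pattern (Aa0Aa1Aa2...), and, given the value a debugger shows in EIP after the crash, recovers the offset at which the saved return address sits in the overflowed buffer. The crash value 0x39654138 used in the demonstration is a constructed illustration, not a value from the Peercast binary.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits

# 26 * 26 * 10 three-byte blocks = 20280 bytes before any 4-byte window repeats.
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length):
    """Return the cyclic pattern 'Aa0Aa1Aa2...' truncated to `length` bytes.

    Within the first MAX_UNIQUE bytes no 4-byte window repeats, so any
    4 bytes that land in a register identify a single position in the buffer.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes is no longer unique" % MAX_UNIQUE)
    blocks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                blocks.append(u + l + d)
                if len(blocks) * 3 >= length:
                    return "".join(blocks)[:length]
    return "".join(blocks)[:length]


def _needle_from(value):
    """Normalise what the debugger showed into the 4 ASCII bytes to search for.

    Accepts an int (0x39654138), a '0x...' string, or the raw 4 characters.
    x86 is little-endian, so the register value is the buffer bytes reversed;
    struct.pack('<I') undoes that. latin-1 maps every byte to a character, so
    a non-pattern value such as 0xdeadbeef simply fails to match.
    """
    if isinstance(value, int):
        return struct.pack("<I", value).decode("latin-1")
    if isinstance(value, str) and value.lower().startswith("0x"):
        return struct.pack("<I", int(value, 16)).decode("latin-1")
    return value


def pattern_offset(pattern, value):
    """Return the byte offset of `value` inside `pattern`, or None if absent."""
    idx = pattern.find(_needle_from(value))
    return None if idx == -1 else idx


def build_overflow(offset, ret_addr, padding_len=16, shellcode=b""):
    """Assemble a buffer that overwrites the saved EIP at `offset`.

    Layout: junk up to the saved return address, the 4-byte little-endian
    address to return to, a NOP sled, then the payload. This is the generic
    shape of an introductory stack overflow exploit, not the Peercast one.
    """
    return (b"A" * offset
            + struct.pack("<I", ret_addr)
            + b"\x90" * padding_len
            + shellcode)


if __name__ == "__main__":
    # Constructed walk-through: send a 1000-byte pattern, read EIP in the debugger.
    pat = pattern_create(1000)
    crashed_eip = 0x39654138          # constructed example value, not real data
    off = pattern_offset(pat, crashed_eip)
    print("EIP 0x%08x is at pattern offset %s" % (crashed_eip, off))
    # A hypothetical return address is used here only to show the buffer shape.
    buf = build_overflow(off, 0x41424344, shellcode=b"\xcc" * 4)
    print("overflow buffer is %d bytes" % len(buf))
```

Sending the pattern instead of a wall of "A"s is the whole point of the file: one crash tells you exactly where EIP was overwritten, instead of bisecting the buffer length by hand.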


The instructor's "master" folder was revealed momentarily during the webinar:


Lab example notes discussed during the webinar:


A few days ago, we were presented with screenshots of this "master" folder called "Exploits-By-Type" which was seen for a brief moment during the webinar on February 2. The screenshots are from a Dropbox share. An additional folder called "Resources" is also present here:


The "Resources" folder reveals a very familiar sight:


These are our original Exploit Laboratory class slides. All of them. And here is our original Peercast exploit slide:


Another folder called "Scripts-and-DLLs" holds our original exploit scripts, written in Perl, and the same scripts "ported" to Python:


A Perl2Python "porting" guide:


Exploit Laboratory's original Peercast exploit Perl scripts, transformed to Python:


A side-by-side comparison of Perl and Python code:


Walk throughs of how to run the exploits are taken from Exploit Lab's "Live Class Notes". Our classes feature an online notepad containing a text dump of everything we type on the demo screen, which gets echoed to every student's browser.


Lastly, a finished document:


The InfoSec community is a closely knit group. A lot of information flows freely with the implied moral understanding that we respect one another's original work and intellectual property.

SK, Josh and I believe in giving our all as instructors. We strive to improve with every class, both through refining existing materials and through the creation of new and novel content. We meet the continual challenge of integrating new material while maintaining stable environments where students can concentrate on learning rather than wrangling a badly implemented environment. I think, and our student reviews from all around the world back me up on this, that we are striking a pretty decent balance.

The Exploit Lab crew is grateful to the InfoSec community for supporting us through these events. And that's why we love this industry. Do stop by CanSecWest, Blackhat Europe or any of our 2013 line-ups for a POP/POP/RET with our compliments! (Thanks @En4bler for creating an awesome cocktail, and @craigbalding for an equally awesome name to go with it)

-- Saumil Shah
@therealsaumil

Friday, 8 February 2013

Defending our work - Update on Exploit Lab rip-off

It is 2013, which means my good friend SK and I have been teaching and evolving the Exploit Laboratory for 8 years. We have had a great time over the years teaching and participating with many of the brightest minds in the InfoSec community, and are privileged to include the likes of C0relanc0d3r, Mati "muts" Aharoni, Didier Stevens, Egyp7, Peter Winter-Smith, and many more in our list of alumni.

So it was with a sense of shock and disappointment that I heard our Exploit Lab materials had been copied and are being actively taught in a webinar without our permission.

This weekend, I received an email from a past Exploit Lab student saying that he saw my content being used in a paid webinar. What I found left me mad and amazed at the same time.

The instructor has been using our labs, exploit scripts and slides from the Exploit Lab for teaching his students - most with no modification at all, and with no permission from us. For instance, here's a screenshot from the webinar featuring the Linux target VM:


It doesn't stop here. I went through the webinar recording to determine the extent of the unauthorized use of Exploit Laboratory material. Key examples were taught incorrectly. I saw more of our virtual machines, slides, and attack scripts being used throughout the webinar. Here's the tip of the iceberg:

To begin with, our Windows XP SP3 target virtual machine:


...and the Exploit Laboratory slide deck:


At some point, one of the webinar students forgot the login credentials to the virtual machines:


...and there's more.

What makes me sad is that I know who this person is and how he came into possession of the Exploit Laboratory materials. I emailed him on February 6 asking him to cease and desist, and to apologize to his students for having used our material without permission. So far, I am still keeping the person's identity confidential, giving him one last chance to make amends. Failing that, I will have no choice but to reach out to the InfoSec community at large to prevent continued misuse of our material, and potentially that of others.

Oh, and the icing on the cake. Here's a note from the instructor to his students about proper use of webinar recordings and distribution.


Exploit Laboratory keeps evolving all the time. It is 2013. We have been hard at work through December and January to overhaul the course contents. Brand new classes have been already scheduled at top notch conferences - CanSecWest, Blackhat Europe, HackCon, Hack-in-the-Box and SyScan to begin with.

-- Saumil Shah
@therealsaumil

PS: We have contacted the individual concerned and we hope that an amicable solution can be arrived at.

Saturday, 2 February 2013

Exploit Lab 2013 announcements

After a slightly quiet January, we are ready with Exploit Laboratory training offerings at conferences worldwide! Our line-up begins with 4 events spread across 3 continents in 2 months.


CanSecWest is offering a special combo package for those interested in taking both dojos back to back. CanSecWest security dojos are compact. 7 out of 10 seats are already taken, so do make sure to contact the friendly crew if you want in. There's also a lot of informal fun and frolic at CanSecWest, which goes with the overall spirit of the conference!


This year, we are back at the Grand Hotel Krasnapolsky, Amsterdam where the Exploit Laboratory was first offered in 2006! I am personally looking forward to being back at the original Amsterdam venue which I have enjoyed since 2002! It has been more than a decade, now that I think of it. The Blackhat Europe 2013 class features new content, and is aimed at an intermediate to advanced student group. We are focussing on use-after-free bugs, defeating DEP and ASLR and other modern exploitation techniques.


With a smashing success in 2012, the Exploit Laboratory returns to SyScan 2013 in Singapore. It is SyScan's 10th anniversary and the host, Mr. Thomas Lim, has promised to pull out all stops in throwing a bash like no other! We will be there in full force teaching new exploitation techniques and hosting our own capture-the-flag in class, with special prizes.

More conferences for 2013 shall be announced over the next couple of months.

UPDATE: Announcing the Exploit Laboratory at REcon, Blackhat USA 2013 and 44CON!

-- Saumil Shah

Tuesday, 6 November 2012

Finishing 2012 with Exploit Lab at DeepSec Vienna!

The last Exploit Laboratory class for 2012 is coming up in three weeks at DeepSec in the beautiful city of Vienna, Austria on November 27 and 28. To celebrate the season and the onset of the Mayan apocalypse, we are offering an action-packed advanced exploitation class at DeepSec.

The focus of this class shall be Pwn2Own style ADVANCED EXPLOITS, bypassing exploit mitigation techniques such as DEP and ASLR, pointer inferencing and last but not the least, Android. Here is what we shall cover at DeepSec:
  • Smashing the stack in 2012
  • Use-after-free bugs and vtable overwrites
  • Browser and PDF Exploits
  • Use-after-free exploit recipes
  • Introduction to Return Oriented Programming (ROP)
  • Defeating DEP using ROP
  • Practical ROP exploits
  • Bypassing ASLR on Windows 7
  • Advanced Heap Spray techniques
  • Leaked memory pointers and Dynamic ROP chains
  • Introduction to Android
  • Practical exploitation of Webkit on Android (yes... that little green robot thingie!)

It is highly recommended that you brush up on some introductory concepts covering Operating Systems, Functions and Debuggers before you arrive in the fair city of Vienna :)

Intended Target Audience:
  • Red Team members, who want to pen-test custom binaries and exploit custom built applications.
  • Members of secret three letter agencies who want to brush up their Cyber Offensive Kung Fu.
  • People frustrated at software to the point they want to break it!

DeepSec registration is a bit confusing. If the registration link doesn't work for you, simply reach out to the wonderful organizers. See you in Vienna!

And if you have any questions, tweet @therealsaumil and use hashtag #deepsec.