Saturday, 27 June 2015

Stegosploit Was Never An Exploit - My Paper, Toolkit And Thoughts

This blog is generally reserved for updates on The Exploit Laboratory, but I shall borrow it for one "guest post" on my latest exploit delivery technique - Stegosploit.

I have been working on browser exploit delivery using steganographic techniques for the past 5 years. I have spoken about some of these techniques at several conferences around the world. This past year, I had a few breakthroughs combining steganography with file format polyglots. The goal of Stegosploit was to demonstrate my motto: "A good exploit is one that is delivered in style". I demonstrated this technique at Hack In The Box 2015 Amsterdam, on 28th May 2015. I "painted" an exploit on the face of my good friend Kevin McPeake, as a demonstration of browser exploit delivery via images. In my slide deck (slide 7), I made it very clear that Stegosploit was not an exploit (although it has a cute logo associated with it).

I presented private demonstrations to reporters from iDigitalTimes and Vice Motherboard, who did a very thorough job in fact checking and representing the research as accurately as possible in a media article.

And then, something happened. Reddit and Twitter exploded with several scathing commentaries on my work. The backlash was caused by commenters who were not present during my presentation, had not seen any demo, and had not even bothered to research the technical details that I presented. Instead, these were just conjectures and inferences derived from my older presentations at SyScan 2015 and HITB 2013 - techniques that are at best described as precursors to what Stegosploit actually is.

Rather than speculate on the merits or demerits of the technique and competency of my work and research, I leave you to read this detailed paper about Stegosploit in Issue 0x08 of PoC||GTFO, the only befitting journal for publishing research of this kind!

Along with the paper, I have also released the Stegosploit v0.2 toolkit, which is packaged as a PNG image within the issue itself. It is an interesting exercise to extract the tools, and for those of you who do, it gives you a better appreciation of this kind of research. Hint: "unzip pocorgtfo08.pdf".
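The hint above works because the PoC||GTFO issue is a PDF/ZIP polyglot: a valid PDF at the front with a ZIP archive (containing the PNG-packaged toolkit) whose central directory sits at the end. The following is an added example, not code from the original post or from the toolkit, showing how a defender might flag such polyglots at an ingest point; the sample file it builds is constructed inline and is not the real issue.

```python
import io
import zipfile


def build_sample_polyglot() -> bytes:
    """Constructed sample: a minimal PDF-looking prefix followed by a ZIP archive."""
    pdf_part = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
                b"1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder members; names are hypothetical, not the toolkit's layout
        zf.writestr("toolkit/README.txt", "constructed sample, not the real toolkit\n")
        zf.writestr("toolkit/tools.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return pdf_part + buf.getvalue()


def inspect_polyglot(data: bytes) -> dict:
    """Report whether `data` looks like a PDF that is simultaneously a ZIP archive.

    A PDF is recognised by its leading magic; a ZIP by the end-of-central-directory
    signature (PK\\x05\\x06), which must lie within the last 64 KiB + 22 bytes.
    If both are present, the archive is opened (zipfile tolerates prepended data)
    and its member names are listed so an analyst can see what rides along.
    """
    info = {"pdf_header": data.startswith(b"%PDF-"),
            "zip_trailer": False, "members": []}
    tail = data[-(65536 + 22):]
    if b"PK\x05\x06" in tail:
        info["zip_trailer"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass  # trailer present but archive unreadable: still worth flagging
    info["is_pdf_zip_polyglot"] = info["pdf_header"] and info["zip_trailer"]
    return info


if __name__ == "__main__":
    print(inspect_polyglot(build_sample_polyglot()))
```

A file that triggers `is_pdf_zip_polyglot` is not malicious by itself, but it is exactly the kind of object a content filter that only checks the first few bytes will misclassify.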

Oliver Söhlke published a very well written interview in Vulnerability Magazine clarifying my position and purpose of Stegosploit, while documenting the effects of Stegosploit on evading detection.

In the end, I do want to publicly appreciate the fact that the author of the article published in The Medium was honest enough to revise his mistake.

I am looking forward to his new article on the topic.

My parting piece of advice to those interested in analyzing or dissecting an infosec research topic - when in doubt, please ask the researcher, instead of kicking off a troll-fest. We would be happy to help you with your fact checking and correct any mistaken assumptions. We play nice.

Wednesday, 4 February 2015

Exploit Lab Announcements for 2015 - CanSecWest and SyScan

The Exploit Laboratory returns to CanSecWest for 2015 with two courses:

Advanced Browser Exploitation focuses on browser and PDF exploits on modern operating systems where students shall also learn about bypassing exploit mitigation technologies like DEP and ASLR. Special attention shall be given to Return Oriented Programming (ROP chains) and Use-After-Free (UAF) bugs. The class shall feature in-depth heap debugging for analysing and exploiting Use-After-Free bugs.

The Master class is an ideal extension to the Advanced Browser Exploitation class, or for students with previous exploit development training who wish to take their skills to present day competitiveness. Topics covered in the Master class include advanced ROP chains, an in-depth analysis of infoleak bugs, one-byte memory overwrite ownage, heap spraying on modern Javascript engines, server side heap spraying, kernel exploits, using ROP in kernel exploits and an introduction to 64-bit exploitation.

And now for SyScan. Sad, but true, this shall be the last SyScan in Singapore. And for the finale, we shall be featuring our brand new Black Box Bug Hunting and Vulnerability Discovery class as a 4-day training programme. Black Box Bug Hunting complements the Exploit Laboratory training offering by taking students through the art and craft of instrumented fuzzing to find bugs in everyday software.

The class follows a hands-on workshop style where the emphasis is on "learn by doing" with exercises and real world fuzzing scenarios. In addition to fuzzing, we shall spend an equal amount of time in analyzing crash dumps, determining exploitability, and root cause analysis through reverse engineering.

This is a class and conference you don't want to miss!

Thursday, 30 October 2014

Black Box Bug Hunting - Introduction to Vulnerability Discovery and Exploit Development

Our brand new training class "Black Box Bug Hunting - Introduction to Vulnerability Discovery and Exploit Development" debuts at the Blackhat Trainings in Potomac, Maryland. Black Box Bug Hunting complements the Exploit Laboratory training offering by taking students through the art and craft of instrumented fuzzing to find bugs in everyday software.

Blackhat Trainings is the perfect platform to launch this 4-day intense training programme. The class follows a hands-on workshop style where the emphasis is on "learn by doing" and shall be taught to a smaller group of students. The emphasis is more on exercises and real world fuzzing scenarios. In addition to fuzzing, we shall spend an equal amount of time in analyzing crash dumps, determining exploitability, and root cause analysis through reverse engineering. For more details, read the class description.

All essential concepts will be taught in class. However should you wish to come better prepared, we shall be posting new tutorials shortly. If you are curious about bug hunting and vulnerability discovery, this class is not one to be missed!

Oh, and one last thing. Early bird pricing ends on October 31.

Saumil Shah
@therealsaumil

Tuesday, 26 August 2014

Exploit Lab announcements - 44CON, Ruxcon/Breakpoint, Blackhat Europe, Blackhat East Coast Trainings

Presenting our training calendar for the remainder of 2014. The Exploit Laboratory trainings have been confirmed at the following events worldwide:

September 9,10: 44CON, London (Advanced)

October 6,7: RUXCON, Melbourne Australia (Intro/Intermediate)

October 14,15: Blackhat Europe, Amsterdam (Advanced)

And last but not the least, we have an all new class focusing on bug hunting and fuzzing!

"Black Box Bug Hunting - An Introduction to Vulnerability Discovery and Exploit Development" debuts at the Blackhat East Coast Trainings, Maryland, USA from December 8-11. This is a 4-day class focused more on the art and craft of bug hunting, fuzzing, reverse engineering, crash dump analysis and performing root cause analysis of exploitability.

A detailed announcement shall follow shortly.

Saturday, 9 August 2014

The Advanced Exploit Laboratory returns to 44CON

With the dust settling after Blackhat USA 2014, we are getting ready for another round of advanced exploit development training at 44CON next month.

The Advanced Exploit Laboratory at 44CON shall focus on the latest topics in exploit development - with special attention to Use-After-Free bugs, Information Leaks, Return Oriented Programming and dynamic ROP chains. The Advanced Exploit Laboratory is indeed a fast-paced class, intended for participants who already have basic exploit development experience and want to take their skills to today's cutting edge topics.

If you are joining the Advanced Exploit Laboratory at 44CON and your exploit development skills need a little warm-up, we have just the thing for you! TinySPLOIT is a tiny (30MB) VMware virtual machine running a web server vulnerable to a simple stack overflow. You may download TinySPLOIT from here (mirror link). TinySPLOIT can be up and running in a few minutes. You can also read more about TinySPLOIT in our earlier blog post.

In addition to TinySPLOIT, do also check out our tutorials on How Functions Work, and Introduction to Debuggers.

See you next month in London!

Friday, 25 July 2014

TinySPLOIT - Warm-up exercise on Exploit Development

This year's Exploit Laboratory classes at Blackhat USA 2014 feature completely new content. First, we have retired Windows XP based exploits altogether from our RedTeam class. Our advanced class "The Exploit Laboratory: Black Belt" focuses on ROP, Use-After-Free, Infoleaks and 64-bit exploitation.

The Black Belt class is going to be fast paced, and we mean it! We expect all Black Belt participants to be familiar with the workings of stack overflow exploits, at a minimum.

Enter TinySPLOIT - a compact Linux virtual machine running a vulnerable web server that you can sharpen your stack overflow skills with.

TinySPLOIT is a 30MB VMware image and can be downloaded here (mirror). SHA256 checksum: 6bd956c86846a21e713c9f5efa7cf286386d2b4aa654a3734b9ce9b6497fa59a

You can be up and running with TinySPLOIT in a matter of minutes. Boot up the VM, follow the instructions on its web page, write an exploit and get a shell! For debugging purposes, the root password is "exploitlab" :)

This shall be my 16th year in a row at Blackhat USA. This year, I shall be joined by the Exploit Lab co-developer and my dear friend S.K. who shall teach a number of new topics including 64-bit exploitation, and Eric Liu, teaching a brand new module on information leakage via 1-byte memory overwrites.

Blackhat Training prices go up on the 26th of July, so if you are thinking of registering for the courses, now's the time. See you in Las Vegas in a week!

Thursday, 3 July 2014

The Exploit Lab bids farewell to Win XP

Times are changing. Desktops all around the world bid a fond farewell to Windows XP in April 2014, and The Exploit Laboratory is no exception.

Exploits based on Windows XP shall not feature in the Exploit Laboratory any more.

After all, it doesn't make sense to learn exploit writing on a dwindling platform, does it?

The course content overhaul for Blackhat USA 2014 is complete. All exploits and examples have been revised. What was advanced content a couple of years ago has now been re-worked into our intermediate level Exploit Laboratory: Red Team class. The Exploit Laboratory: Black Belt class shall focus on present day advanced topics such as Use-After-Free exploits, Information Leaks, Compound Exploits and Dynamic ROP chains.

Our Blackhat 2014 classes are filling up fast. For those of you who have already registered, do browse through the following concepts refresher tutorials:
  1. Operating Systems: A Primer
  2. Introduction to Debuggers
  3. How Functions Work