Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


SANS SEC710: Advanced Exploit Development

After spending the week doing the Advanced Web App Penetration Testing class, what could be better than spending a couple of days doing exploit dev! Yeah, nobody said I was smart, but I am a sucker for punishment.

Day 1 – Linux

The class kicked off with a discussion of Linux dynamic memory, followed quickly by a couple of interesting (albeit similar) heap exploit exercises. The class moved quickly (lots of content, little time) into overwriting function pointers (BSS segment exploitation). As usual, the exercises (labs) that follow each section helped reinforce the information from the previous section. Although the exercise programs are simple (and often single-purpose), they do a good job of easing you into the exploit type you're working on without distracting you with huge monolithic programs.

After lunch we started in on format string attacks, which left the class a little confused, I think. So many characters that we're not accustomed to in exploitation. Still, things sorted themselves out, and surprisingly I was even able to get the exploit working using direct parameter access techniques.
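The two Day 1 topics named above, overwriting a function pointer in the BSS segment and using a format string's direct parameter access to pick a specific argument, as an added C example that is not part of the original post or of the SEC710 courseware. The `struct session` record, the `welcome`/`hijacked` handlers, the `set_name` setter and the test values passed to `snprintf` are all constructed for illustration. The record is a global, so both the buffer and the pointer sit in .bss, and the struct fixes the member order, which is what makes the overwrite land deterministically. The payload takes the target address at runtime, so the program also runs under PIE/ASLR; a real attack would need that address from a leak or a non-PIE binary, which is exactly the step the older Linux targets let you skip.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed target (not course code): a zero-initialised global record
 * whose fixed-size buffer sits directly in front of a function pointer.
 * Both members live in .bss, and the struct fixes their order, so an
 * overflow of name[] reaches on_login deterministically. */
struct session {
    char name[16];
    void (*on_login)(void);
};

static struct session g_sess;   /* lives in .bss */
static int g_last_handler;       /* records which handler actually ran */

static void welcome(void)  { g_last_handler = 1;  }   /* intended target */
static void hijacked(void) { g_last_handler = 42; }   /* attacker's choice */

/* Vulnerable setter: copies len bytes starting at the record (offset 0 is
 * name[]) without ever checking len against sizeof g_sess.name. */
static void set_name(const char *src, size_t len)
{
    char *dst = (char *)&g_sess;          /* same address as g_sess.name */
    memcpy(dst, src, len);                /* BUG: len is never bounded */
}

/* Hardened setter: truncates to the buffer and keeps it NUL-terminated. */
static void set_name_safe(const char *src, size_t len)
{
    if (len > sizeof g_sess.name - 1)
        len = sizeof g_sess.name - 1;
    memcpy(g_sess.name, src, len);
    g_sess.name[len] = '\0';
}

/* Payload: pad up to the pointer's offset, then the address of hijacked().
 * Returns the payload length, or 0 if the output buffer is too small. */
static size_t build_payload(unsigned char *out, size_t cap)
{
    void (*target)(void) = hijacked;
    size_t off = offsetof(struct session, on_login);
    if (cap < off + sizeof target)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Simulates one login: install the intended handler, apply the input
 * through the chosen setter, then call whatever on_login now points at.
 * Returns the id written by the handler that ran. */
static int run_login(const char *input, size_t len, int use_safe)
{
    g_sess.on_login = welcome;
    g_last_handler = 0;
    if (use_safe)
        set_name_safe(input, len);
    else
        set_name(input, len);
    g_sess.on_login();
    return g_last_handler;
}

/* Runs the overflow payload through either setter; -1 on payload error. */
static int demo_overflow(int use_safe)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return n ? run_login((const char *)payload, n, use_safe) : -1;
}

/* Format-string side. With direct parameter access, "%3$x" selects the
 * third variadic argument no matter what precedes it, which is why an
 * attacker-controlled format can pick a stack slot without padding with
 * repeated "%x". The three arguments are fixed test values. Returns 1 when
 * formatting fmt yields expected. */
static int format_leak_matches(const char *fmt, const char *expected)
{
    char out[64];
    snprintf(out, sizeof out, fmt, 0x11111111u, 0x22222222u, 0x33333333u);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    printf("benign name, vulnerable setter -> handler %d\n", run_login("alice", 5, 0));
    printf("overflow, vulnerable setter    -> handler %d\n", demo_overflow(0));
    printf("overflow, safe setter          -> handler %d\n", demo_overflow(1));
    printf("%%3$x selects the third argument: %s\n",
           format_leak_matches("%3$x", "33333333") ? "yes" : "no");
    return 0;
}
```

The same payload fed through `set_name_safe` leaves `on_login` untouched, which is the whole of the fix: bound the copy by the destination, not by the input. Note that the `%n`-based write that turns a format string bug into a function pointer overwrite is deliberately left out here, because the stack slot it needs varies by compiler and ABI and would not run the same way on every machine.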

To finish up the day there were 2 exercises: The first was a proftpd exploit (that for some reason didn’t like working on my version of VMware Fusion). The second was the bootcamp portion of the class, and was based on a challenge from the DefCon 18 CTF pre-quals.

Unfortunately we didn’t get too much time on the bootcamp as we spent more time on format strings and fighting with proftpd than planned.

Day 1 was mostly performed using older Linux builds (Gutsy/Edgy), so there was very little (if any) ASLR or other advanced protection in place. That's not to say the information in day 1 isn't worthwhile… it's just like everything else, it's a starting point!

Day 2 – Windows

Monday morning kicked things off with an overview of patch diffing (using BinDiff, PatchDiff2, and turbodiff) with IDA Pro. For people who don't know how IDA works, the class went through some basics on using IDA for diffing. I found this a bit of a shame personally. I have no intention of buying IDA Pro (as I'm not an exploit dev), and the demo version used in class doesn't support diffing (which is the primary use for SEC710). I'd have liked to see the class stick to open-source or free versions to keep the playing field flat for everybody in class. Still, BinDiff and IDA Pro are the de facto standard, so I can see where the class is coming from. Using free or open-source alternatives may have made the examples so complex as to be unusable.

Some background info was a little fluffy for my liking. For example, the section on Microsoft patches started off with a discussion of how Microsoft releases patches and how to get patches from the MS website. Good info, but mostly known and not really something that warrants more than a 60-second refresher.

The real meat of day 2 was working through the old MS07-017 ANI exploit, taking it from patch diffing with IDA (free or Pro) through to a working exploit on a Vista host. The final exploitation used heap spraying to get code execution. Unfortunately the walkthrough of the exploit on a Windows Vista system was trickier than first thought and didn't run as smoothly as it could have. Exploitation isn't easy though, else we'd all be doing it…

Although the appendix talks about ROP gadgets and touches on Windows 7 x64 and Windows 8, these weren't covered in the class itself. There is an exercise at the end of the book, however, that touches on Win7 exploitation.

A lot of the topics the class covered were a bit over my head, as I don't do this stuff on a daily basis, and unfortunately I spent most of day 2 fighting with VMware Fusion issues. SEC710 is not an easy class and tries to cram a LOT of information into the 2 days without going too long, despite the bootcamp section. At the end of the class there is still a lot of content that needs to be reviewed to solidify things, however, as well as the additional appendix content that's not really covered in the normal class. Exploit development isn't for the faint of heart though, and anybody who thinks they can walk out of a 2 day class as a reverse engineer or exploit developer is fooling themselves.

People seem to want to compare SEC710 with Corelan’s Win32 Bootcamp. Although they both cover exploitation, SANS SEC710 covers different topics from the Corelan Live bootcamp (Linux being the biggest example) and the classes with SANS don’t run as long 😉 (Corelan likes to run 12 hour sessions both days… which is exhausting, but fun!).

Realistically there is no comparison between the two classes. SEC710 covers topics that are not covered in the Corelan class, and vice versa. As a result you end up with broader knowledge from SEC710, but a much more detailed view from the Corelan class. Neither is better, they are simply different! Having said that, I found the explanations of the techniques were not as clear in SEC710 as they are in the Corelan Live – Win32 Exploit Development Bootcamp. Then again, having 2 days to focus on Windows means less setup, and more time to really deep dive without the confusion of describing different operating systems and how they differ.

Overall I enjoyed the class (despite not really being an exploit developer myself)… Every time I sit in on one of these classes I learn a little more. Maybe one day I'll actually have time to do the after-class work to actually understand things fully!

Personally I hope they make some changes to SEC710 to make it deeper. To manage that I think they’d need to split the class into a 2 day Linux exploitation and a 2 day Windows exploitation class. Covering all the information in a single 2 day class just isn’t really feasible and leaves the student wanting more!