Exodus Intelligence May 2016 Newsletter

Threat intelligence

Read this newsletter to see what the month of May brought for Exodus Intelligence: a new training course is open for registration, new capabilities, a blog on how waiting for a patch can cost you the business, and new Twitter-handle updates. It’s all here, in the Exodus Intelligence May 2016 newsletter! 

Read moreExodus Intelligence May 2016 Newsletter

Exodus Intelligence 2016 Training Course

threat intelligenceVulnerability Development Master Class

Since our inception, Exodus Intelligence has provided training courses on a variety of advanced subjects which have consistently been filled with students from around the world. Over the last few years, we’ve hosted Master Classes in the USA, Asia, and Europe–both publicly and privately (by request).

Once again, our flagship course–the Vulnerability Development Master Class–returns with new content, taught by recognized experts. Known as some of the best in the industry, Exodus instructors are armed with real-world experience, as well as multiple Pwn2Own victories and PWNIE awards.

Read moreExodus Intelligence 2016 Training Course

Vulnerability Development Master Course: Windows Edition

Throughout 2013 we have given training courses on a variety of advanced subjects which have consistently been filled with students from around the globe. The classes have been hosted both publicly at security events, our headquarters in Texas, and privately at military and government institutions. As the year draws to a close, we’ve had a chance to reflect on the content we’ve taught and how we can raise the bar even higher in 2014. To that end, we’re excited to announce that we have combined material from our Breaking Binary Applications, Bughunting and Analysis 101, Dynamic Reverse Engineering, and Browser Exploitation classes into a single week-long master course that we will deliver publicly at 3 locations in 2014.

The new course, titled the Vulnerability Development Master Class, will be taught by the entire Exodus team over the course of 5 consecutive days.

Dates & Locations

The dates and locations are as follows (venue information will be distributed to registered attendees):

  • March 24th-28th: Boston, MA, USA
  • July 7th-11th: Amsterdam, The Netherlands
  • September 15th-19th: San Francisco, CA, USA

If we receive sufficient interest in hosting additional events the above list may expand. Reach out to us via training@exodusintel.com or on twitter via @ExodusIntel for any inquiries.

Prerequisites

We have compiled a summary of prerequisites, the abstract, dates and locations into a single PDF for reference: Exodus Intelligence Vulnerability Development Master Class

Abstract

This 5 day course is designed to provide students with a comprehensive and progressive approach to understanding advanced vulnerability and exploitation topics on the Windows platform. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed server and client-side applications.

Taught by the entire Exodus Intelligence team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Syllabus

  • Reverse Engineering
    • Static Reverse Engineering
      • Code Representation and Graph Theory
      • Recognizing Non-Determinism
      • Recognizing Data Structures
      • Symbol Mining
      • Harvesting Useful Code
      • C++ Type Recovery
      • Scripting Disassemblers
    • Dynamic Reverse Engineering & Automation
      • Non-Intrusive Target Monitoring
      • Recovering Type Information
      • Code Flow Analysis
      • Symbol Recovery
      • Instrumentation with PIN
      • Isolating Interesting Code & Data
  • Debugging
    • Core Windows Userspace Concepts
      • Memory Management
      • Process Lineage
      • Integrity Levels
      • Windows Services
      • Inter-Process Communication
      • Local Inter-Process Communication
      • Remote Process Communication
      • The Windows Linker & Loader
      • Exception Handling
    • Core Debugger Concepts
      • Attaching (Intrusive vs Non-Intrusive)
      • Breakpoints
      • Global Flags
      • Image File Execution Options
      • Scripting with PyKD
      • Annoyances & Solutions
  • Vulnerabilities Overview & Recognition
    • Recognizing Vulnerability Patterns
    • Automated Discovery
    • Memory Corruption
      • Type Confusion
      • Improper Allocations
      • Arithmetic Issues
      • Format Strings
      • Use-After-Free
      • Buffer Overflows
    • Design Flaws
  • Vulnerability Discovery
    • Manual Auditing Processes
    • Dumb Fuzzing
    • “Intelligent” Fuzzing
    • Ambulance Chasing
    • Binary Diffing
    • Client-Side Discovery Techniques
    • Server-Side Discovery Techniques
  • Exploitation
    • Memory Manipulation & Scope
    • Windows Mitigations & Bypasses
    • Enhanced Mitigation Experience Toolkit (EMET)
      • Bypassing EMET
    • Achieving Reliability
    • Post Exploitation
      • Sandboxes
      • Process Continuation

Pricing and Registration

The cost for the 5-day course is $6500 USD per student. You may e-mail training@exodusintel.com to register and we will supply a purchase order.

We have also made available this template request form for individuals to help justify attendance to management.

Exodus Intelligence 2013 Training Courses

Thoughts of winning Pwn2Own–or just have the urge to thoroughly bend browsers to your will? Come learn the tricks of the trade firsthand from a former Pwn2Own winner himself! Peter Vreugdenhil and Brandon Edwards will be teaching their brand-new, never before seen Browser Exploitation class in which they will be dropping all sorts of tricks amassed from many virtual years browsing the web in their own special way (including new ways to force memory disclosure to bypass ASLR). In order to deliver the most up-to-date material for such a course, the instructors will walk through the process of (reliably) exploiting an IE vulnerability patched my Microsoft within the last 3 months.

We will also have Aaron Portnoy and Zef Cekaj, who have spent the last year contemplating the art that is reverse engineering and synthesizing what differentiates the successful vulnerability hunters from the bit flippers. They are excited to be giving their new Breaking Binary Applications class, covering browser plugins (and memory disclosure), enterprise server-side software (expect at least one un-patched remote Microsoft Exchange bug), the hilarity that is SCADA (or: how to get Slashdot’ed with only 6 hours of work), and more. Learn their field-tested techniques to discover 0-day and their processes for popping the elusive calculator.

Students will be required to take a blood oath swearing their agreement to be bound by the Exodus FrieNDA and not discuss the (currently) unpatched vulnerabilities we’ll be exploiting during the two courses.

…OK, maybe the blood oath was going a bit far, but seriously: no snitches (show some sympathy at least, these bugs are on death row).

The training classes will be hosted at the Exodus Intelligence office in sunny Austin, Texas during the week of February 18th. The benefit of hosting it at our office is that you’ll be able to interact with the whole Exodus team as well as enjoy a week of training followed by an authentic Texas BBQ party at a popular downtown bar hosted by our resident grillmaster Logan Brown (you may remember his name from the Ekoparty Texas vs Argentinian BBQ competition last year). Drinks and food will be included, of course.


Abstracts

Breaking Binary Applications

Aaron Portnoy and Zef Cekaj

Prerequisites:

  • IDA Pro at least version 6.1 with a working IDAPython and PySide built by Hex-Rays on Windows (virtualized is acceptable)
  • The ability to run VMware virtual machines (player or workstation will work)
  • A working install of the IDA Toolbag plugin for IDA Pro
  • A working knowledge of the Python programming language

This three day training is an extremely hands-on course intended to give the attendees realistic experience auditing closed-source applications for the purposes of vulnerability discovery and exploitation. We will cover the crucial methodologies we’ve used over the years to unearth flaws in server-side, client-side, SCADA products, browser plugins, media players, mail clients, and more.

The first day will be devoted to building the students’ arsenal of tools and techniques to enumerate software’s attack surface, determining where weak points that should be targeted exist, peeking under the hood to gain in-depth knowledge about how the software operates, and ultimately preparing to break it. Day one will also cover specific tools that can greatly improve the efficiency of a bug hunter. Most notably, we will cover our IDA Toolbag plugin and demonstrate how, through the power of IDAPython, a reverse engineer can automate many of the more tedious aspects of the bug hunting process.

The following two days will be entirely devoted to applying the aforementioned techniques against products that the Exodus team has found critical vulnerabilities in. Each target has been specifically chosen to impart upon the student a unique lesson about the bug hunting process.

If time permits we will walk the class through exploitation of one or more of the bugs they discovered. This will, of course, cover bypassing any of the exploitation mitigations that are present.


Browser Exploitation

Peter Vreugdenhil and Brandon Edwards

Prerequisites:

  • IDA Pro at least version 6.1 with a working IDAPython and PySide built by Hex-Rays on Windows (virtualized is acceptable)
  • The ability to run VMware virtual machines (player or workstation will work)
  • A working install of the IDA Toolbag plugin for IDA Pro
  • A working knowledge of the Python programming language

This two day class, taught by a former Pwn2Own winner and pioneer in the art of client-side vulnerability development, is a highly interactive, hands-on training delving into the intricacies of browser exploitation. This course starts by introducing the methods used to uncover some of the most impactful recent browser vulnerabilities, and then quickly moves into the processes of in-depth analysis and vulnerability comprehension, revealing the tools and techniques used by the Exodus team to transform crashes into reliable exploits, bypassing modern protections such as DEP and ASLR along the way.

Students will develop a working familiarity with the concepts presented through hands-on exercises, applying the course material to exploit modern vulnerabilities such as MS012-063. This course focuses on Internet Explorer, but students will leave equipped with a foundation of knowledge and insight applicable to exploiting any modern browser.


Schedule and Pricing

A limited number of student and group discounts are available. Please e-mail us at info@exodusintel.com for more information.

Breaking Binary Applications: February 18th-20th (3 days) – $3000 USD
Browser Exploitation: February 21st and 22nd (2 days) – $2000 USD

You may register on the Exodus website at: http://www.exodusintel.com/#2013.


Testimonials

Via E-Mail:

<em>"I just wanted to take a moment to let you know that I thought the training you gave over the past three days was wonderful. I believe I learnt a lot from both of you, and truly appreciate the effort that you guys put in preparing the materials, finding the teaching targets, doing up the exploits beforehand, and everything else. I know for sure that there must have been much, much more that transpired behind the scene that you guys did that we, who simply sat there and enjoyed the fruits of your labour, would definitely be oblivious to :P So, thanks a bunch for that! It's truly appreciated!

I thought the best part of the training was two-fold: First, in just seeing how you do things, both in terms of the little "demo" reversing you gave, as well as in terms of the way you describe your approach and thought processes, not out-rightly but subtly, perhaps even unconsciously, that gave a tremendous insight into what I and my team don't do well, or can improve on. Those little nuggets of information obviously came from loads of experience, and it's something that I really value, and will be taking home :) The second bit is the part about automating reversing. To be honest I never really thought that reversing could be made so much quicker and easier, and most importantly, more precise ("cheating", you called it :P). Your sharing about automation techniques opened up a whole new dimension -- to think about, and to get started on."</em>

<em>"The training was great! This was my first training at any security conference and I think was lucky to attend the best one! I wish this was for 5 days :)"</em>

<em>"I thought the class last week was great. It was my favorite part of the Pwn2Own week and out of all the other trainings I’ve been to, your training was the best and most useful I’ve attended. Some other student’s I talked to were at times overwhelmed by the rapid fire delivery of the course material. Personally, I liked the fast paced nature of the class because it kept me actively interested and engaged. The “real world” nature of the exercises also made them more fun to do."</em>

Via Twitter:

<em>"Great first day of Bug Hunting with @aaronportnoy and Zef. Eyes open farther; hope I can sleep!"</em>
<em>"Just attended "Bug Hunting and Analysis 0x65" by @aaronportnoy and @the_navs. If you want to discover Windows 0days, take this class."</em>
<em>"Epic day one of bug hunting. Great material and instruction. Looking forward to day two. @aaronportnoy"</em>
<em>"@aaronportnoy Today was an intense training day. The concepts and techniques are growing on me as time is passing by. You and Zef are great."</em>
</em>

Contact

You can always e-mail info@exodusintel.com for any inquiries regarding our training classes or vulnerability intelligence feed offerings.