Corelan Win32 Advanced Exploit Development class at BruCon 2019 - the story with 6 months of homework

Tags: #<Tag:0x00007fb7d1510af0> #<Tag:0x00007fb7d1510730> #<Tag:0x00007fb7d1510208> #<Tag:0x00007fb7d151bc70> #<Tag:0x00007fb7d151b860> #<Tag:0x00007fb7d151a6e0> #<Tag:0x00007fb7d151a2a8>

This is my personal review / blog diary entry. It’s intended as a potentially useful reflection. My understanding of some of the training content is still minimal and needs to be mature over time. – Working on it…


Peter likes homework.

Corelan Win32 Advanced Exploit Development class (Q4 2019)

From the 7th to the 10th of October '19 I took Peter Van Eeckhoutte’s Win32 Advanced Exploit Development class at BruCon (Gent, Belgium).

– Exploited browsers, dived into the Heaps and got familiar with advanced WinDBG usage. If my motivation lasts I will play around with the new WinDBG Preview extension interfaces using Javascript and / or C++. I always liked to cheat with homework, and during the training we all got a six months workload of Windows Heap exploits to develop.

Just to share impressions from class:

Motivation: informed decisions around modern application security and endpoint protection

Imagine that you understand modern Windows exploit development. – Wouldn’t that add a lot of benefit to all kinds of security-decisions given that most user endpoints run Windows?
Could that add value to evaluations for modern Enterprise Detect & Response or even Endpoint Protection options? Could it even save money (hint: vendor marketing may lie on occasion)? Save some users from trouble related to malicious execution?

And what about an Application Security program that is conscious about how the application attack surface (the buggy entry point) and the Operating System (Windows) create exploitable conditions? Setting informed priorities for security bugs is key when interacting with Dev-teams.

Exploit Development skills add to the mindset. It’s not just out of the box thinking, but a unique blend of technical creativity and skills. Modern exploits take time to develop. Weeks, Months, or more. You need coding skills and tech skills coders generally don’t have. Like being able to use a system debugger.

Last but not least: the motivation to get from code exec to shell. Safe to say if you lack that, you don’t show up at BruCon in the first place.

Target audience

Among the fine folks who took the Corelan Advanced Development class were pentesters, malware analysts and some forensics professionals.

It would be good if more system engineers (like operating system kernel developers) took such classes.

Needful skills as prerequisite

  • Windows internals (Process Environment Block (PEB), mitigations (ASLR, DEP / NX, DLLs and offsets)
  • familiarity with ROP chains
  • common Javascript and DOM (lots of examples at BruCon were focused on IE and Chrome)
  • basic C / C++ and Visual Studio skills (MSVCRT and system calls)
  • basic Metasploit (Shellcode, msfvenom, reverse-shell handling)
  • Python

Training day - incoming

– About two weeks in advance I got an Email from BruCon:

Courses are scheduled to end around 17 o’clock each day, except for the Corelan Advanced. This will go on until approximately 22 o’clock

Ok, so this isn’t a 9 to 5 gig.

It’s a 3-day training, but this makes 10 hours extra (last day finished before 10 p.m.). Mathematically it’s a 4-day training if you calculate with 8h per day. But who does…

Preface: Windows installations and preliminary homework

Peter likes homework. So you get some even before it starts. :slight_smile:

Personal experience: additional preparation steps

If you are about to take the class, you need your VMs ready. Besides that:

  1. make sure your Visual Studio install really has the C++ toolchains. That’s not the default in the Dev VMs Microsoft conveniently offers for download. You can re-target the solutions to VS 2019 without any issues (Windows 10).
  2. do some ROP chains for common Stack Buffer Overflow exploits (real-world Win32 - Windows 7), get to know Windows System Calls to disable DEP. Generate Shellcode. Get shell.
  3. your VMs need internet access so that WinDBG can download the symbols. Make sure to disable Windows Update services.
  4. Use virtualization software with VM-snapshot support. You may want to use the VMs for the next six months or longer. Peter likes homework, you know…
Is this up to date? Corelan's tutorials are 10 years old...

The course and the materials point towards modern 64-bit targets (Windows 10). The course builds an understanding. You will have to develop most of your skills individually (or collaboratively after class). That is something you are not able to do without a methodic approach.

Remember: Peter likes homework. You can only develop yourself. No trainer can do this for you on an advanced level. This class is not leading you from zero to Google Project Zero skills.

Who else has got 10 years (or more) experience with Windows exploit development and teaches classes?

Placing Corelan Win32 Advanced Exploit Development in comparison with others

Some attendees mentioned the course may complement the SANS 760 Advanced Exploit Dev training or Offensive Security’s Advanced Windows Exploitation on a similar level.

Out of personal experience, I can say that basic exploitation skills are a good start (SANS 660 & SANS 610, and some years of experience).

The course will not focus on static reverse engineering: no IDA Pro or Ghidra. I may point you to here or to ReCon.
You will collect debug traces in class, and maybe you decide to use other approaches to reverse engineer the target apps. Why not?

If you ever made a living being an exploit dev, this is not the right class for you. You need to write the exploits yourself, but you don’t need to be a professional exploit developer to do that.
– One thing I did not not find in the class is Windows Patch Diffing for vulnerability discovery and analysis. I know that many other classes cover this, and I recommend that you investigate how to do this in an automated way in order to get the good bugs.
You will also not find a reverse engineering chapter of ntdll.dll for hidden system calls. The class is focused on other aspects.

Further impressions: WinDBG, chained-exploits and memory-leaks

It could be a free or busy chunk… what’s the difference:

After class, you will be able to

  • of course: develop application-specific Heap exploits using ROP chains and Shellcode
  • use exploit-dev focused debugging extensions proficiently
  • explain Use After Free and Double Free bugs (to application developers) from the perspective of an exploit developer with in-depth knowledge of the system internals
  • analyze access violations / crashes with WinDBG to be able to classify bugs
    • collect the indications to pre-determine exploitability under various circumstances (different Heaps, Windows versions, …)
  • understand what chained exploits (cross-platform / multi-version browser exploits) are and the need for memory-leaks in relation to automated ROP chain generation for retargeting…
  • adjust your fuzzing targets so that you find Heap memory-related bugs.

Many of these topics are not understood well in the AppSec and InfoSec community. Do you know the impact ASLR on local exploit development? Can you just ask for the addresses?

Summary: no fairy dust here!

It was a motivating (exploit) development class lead by Peter Van Eeckhoutte in an attentive and very focused way.

The description of the class is concise and not done by a marketing professional. It’s by an engineer for engineers.

Behind the delivery of the class are many years of personal development: we all know Peter’s tutorials and his works on Win32 exploit development. All of it is real. Few people ever documented this.

During all of our courses, we don’t just focus on techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work. In the advanced course, we also provide you with insights on how to do your own research related with [to] heap exploitation in general (not just Windows 7 or Windows 10)

You will find no fairy dust… but time-intensive (that is the advanced part) work with microscopic investigation tools. Hundreds of slides. Months of work… Why? Because Security!