Review of eLearnSecurity eXploit Development Student (XDS)
Last winter I decided to spend some time working on exploit development basics.
I'm not new to binary exploitation (I'm also an OSCE and I like to play CTFs), but I'm far from calling myself a good exploiter.
I know that a long and winding road still lies ahead, and the best thing a padawan can do is to master the basics before moving on to advanced stuff. And XDS showed up as the perfect opportunity.
The course is well structured: it covers the intro and the basics for both Linux and Windows and includes:
- a crash course on shellcoding
- vanilla buffer overflow
- unicode exploits (Venetian shellcode)
- return oriented programming
- format string exploit
- SEH based exploit
- egghunting on Windows
- the main mitigations and how to bypass them (ASLR, stack canaries and, of course, NX)
- 32/64-bit on Linux, unfortunately just 32-bit on WinXP SP3
- and some theory on what's under the hood
As the name suggests, the course doesn't cover advanced stuff: don't expect blind ROP or heap feng shui. Hopefully, I'll have the chance to blog on something like XDP in the future :)
The course follows the classical eLS style: slides, the remote Hera Lab, and a PDF with the proposed solution.
You should already know that I don't like slides so much: I'm more of a book person, but I knew this in advance.
Also, Hera Lab is a bit impractical for me: I feel the number of actions a student has to perform before working on the lab itself is too high, and sometimes RDP to Windows through the VPN is a bit slow. Once I had downloaded the binaries to my local box (it's not against the SLA, is it?) everything suddenly became smooth.
In my opinion, the topics are well explained and clear. I remember just two big "huh?" moments:
1) in Lab12 - Linux NX And ASLR Bypass you see how to put your shellcode in the GOT and have it executed. I think I tested this on every major Linux distribution of the last 10 years with no luck (I knew that you can't execute from the GOT, but I'm here to learn and I tried to do my homework) before connecting back to Hera Lab and realizing that this specific behaviour works ONLY in the Debian 6 environment. I'd appreciate both a note in the lab description and an explanation of what and why. Note to self: always try exploits on Hera Lab.
2) regarding local exploits on Linux, when they show the stack alignment changing because of environment variables and the debugger, the teacher states: "we have two ways to find our shellcode offset: by calculating it, or by bruteforcing. Let's go with the latter" (pardon me, but I don't remember which video lab it was, so the words are based on what I recall). OK, no. @eLS: when working on XDSv2, please add a slide explaining how to calculate the offset and how to minimize gdb's impact on the stack.
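To show what "calculating the offset" looks like in practice, here is an added example (my own code, not course material): a small helper that predicts where an environment variable holding your shellcode will sit in the target process, so the address can be computed rather than brute-forced with a huge NOP sled. The names `./getenvaddr`, `./vuln` and `SHELLCODE` are placeholders, and the `copies` parameter (how many copies of the program name sit above the environment strings: 2 from an interactive bash, 1 under `env -i`) is an assumption you should confirm against the printed address.

```c
/* getenvaddr.c: predict the stack address of an environment variable
 * (e.g. SHELLCODE) inside another program, instead of brute-forcing it.
 * Added example, not part of the XDS material. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* On Linux, execve() copies the program name (the AT_EXECFN string) to the
 * very top of the new stack before it copies the environment strings, so a
 * target whose name is N bytes shorter than this helper's name gets every
 * environment string N bytes higher. When both programs are started from
 * bash with the same environment, bash also exports "_" with the program
 * path, a second copy of the name above your variable: that is the
 * "times 2" of the classic getenvaddr trick. `copies` is how many such
 * copies sit above the variable (assumed: 2 under bash, 1 under `env -i`).
 * Use the names exactly as typed at the shell (e.g. "./vuln"). */
uintptr_t predict_env_addr(uintptr_t addr_here, const char *helper_name,
                           const char *target_name, int copies)
{
    long delta = (long)strlen(helper_name) - (long)strlen(target_name);
    return (uintptr_t)((intptr_t)addr_here + copies * delta);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s VARNAME ./target\n", argv[0]);
        return 1;
    }
    char *here = getenv(argv[1]);
    if (!here) {
        fprintf(stderr, "%s is not set in the environment\n", argv[1]);
        return 1;
    }
    printf("%s is at %p in %s\n", argv[1], (void *)here, argv[0]);
    printf("predicted in %s: %p (1 copy, env -i) / %p (2 copies, bash)\n",
           argv[2],
           (void *)predict_env_addr((uintptr_t)here, argv[0], argv[2], 1),
           (void *)predict_env_addr((uintptr_t)here, argv[0], argv[2], 2));
    return 0;
}
```

Run it with ASLR off (for example `setarch $(uname -m) -R ./getenvaddr SHELLCODE ./vuln`) and compare the prediction with the address you observe in the target. The environment strings move byte by byte, while the initial stack pointer below them is 16-byte aligned, so local buffers move in 16-byte steps. To keep gdb from skewing the picture: gdb adds `LINES` and `COLUMNS` to the inferior's environment, so `unset env LINES` and `unset env COLUMNS` inside gdb, or run both the debugged and the real target under `env -i` with only the variables you need.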
Everything else matched my expectations: slides are clear, labs are meant to test what you just read but also throw some curve balls to make you do your own research, and solutions are easy to follow.
I think that a course shouldn't be considered a big milestone in itself but more of an introduction to a topic, therefore I always try to go the extra mile to really master the subject and, let me stress this again, practice the topic.
Of course, XDS is no exception.
What I suggest is to try the binaries from the labs starting from a clean environment and introducing the mitigations one at a time: none, then NX, then ASLR. Some of them could be tough, but you can be sure you will have a smoother experience later. You know what I mean ;)
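Before each round it helps to know which mitigations your box actually enforces, which is also what the Lab12 surprise above comes down to: the GOT lives in the writable data segment, and on a kernel that enforces NX a writable page is not executable (with full RELRO the GOT is even read-only after relocation). This added example (my own code, not course material) checks that on the current machine by looking up the permissions of the mapping that holds a writable global, a function's code and a stack buffer in `/proc/self/maps`, and reads the system-wide ASLR setting. It assumes a Linux host with `/proc` mounted.

```c
/* mitcheck.c: report NX and ASLR state for the running process.
 * Added example, not part of the XDS material. Assumes Linux with /proc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Copy the "rwxp"-style permission field of the /proc/self/maps line whose
 * range contains addr into perms (5 bytes). Returns 1 if found, else 0. */
int perms_of(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* 1 if the page holding addr is executable, 0 if not, -1 if unknown. */
int is_executable(const void *addr)
{
    char p[5];
    if (!perms_of(addr, p)) return -1;
    return p[2] == 'x';
}

/* An initialised, writable global lives in .data, the same RW segment that
 * holds .got in a non-RELRO binary: shellcode written there only runs if
 * this page is executable. */
static long g_data = 1;

int data_executable(void)  { return is_executable(&g_data); }
int code_executable(void)  { return is_executable((const void *)(uintptr_t)perms_of); }
int stack_executable(void) { char probe[16]; probe[0] = 0; return is_executable(probe); }

/* /proc/sys/kernel/randomize_va_space: 0 = off, 1 = stack/mmap only,
 * 2 = full (also brk); -1 if the file cannot be read. */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    char p[5];
    if (perms_of(&g_data, p))                             printf(".data page:  %s\n", p);
    if (perms_of((const void *)(uintptr_t)perms_of, p))  printf(".text page:  %s\n", p);
    if (perms_of(p, p))                                   printf("stack page:  %s\n", p);
    printf("randomize_va_space: %d\n", aslr_setting());
    return 0;
}
```

Build the lab binaries with mitigations stripped first (`gcc -fno-stack-protector -z execstack -no-pie`, 32-bit with `-m32` where the lab needs it) and re-enable them one flag at a time; this program, linked the same way, tells you whether the "NX" round is really NX on your kernel, and `randomize_va_space` (0 via `sysctl` or `setarch -R` for one process) whether the "ASLR" round is really randomised.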
Tons of external resources are just a Google search away, but here are my picks for Linux:
- guyinatuxedo's nightmare is a very good intermediate one that also covers some reversing before actually exploiting the vulnerability
- ROP Emporium set a milestone ages ago and is still one of the most valuable resources (google for writeups!)
- Exploit Exercises Protostar, like ROP Emporium, is one of the most valuable resources out there
and for Windows:
- Corelan Exploit Writing Tutorials: Corelan is like Dorian Gray, he must have a picture that ages and fades somewhere. Read starting from part 1, and try not to jump into the rabbit hole too early.
- FuzzySecurity Windows Exploit Development Tutorial Series, from part 1 to part 7, another very neat introduction to Windows exploitation
If you have time, I strongly suggest you open exploit-db and look for exploits that have a downloadable app: I took some and tried to find the bug and write the exploit myself; it was a very good way to feel ready.
Of course, try to do all the exercises yourself before reading the solution: you should start testing yourself with these extra miles.
The exam is pretty standard: 72 hours to pop a number of binaries I can't disclose, and 48 more hours to describe your workflow and submit the report.
You can of course expect to find both Linux and Windows binaries.
As I said, I wasn't new to the topic, but I found the exam really neat: the binaries are not too complicated, some reversing helps but isn't strictly needed, and I don't remember any curve balls here. Just be sure you can do all the labs before submitting, because there is nothing more frustrating than taking an exam without having mastered the topic.
Every single step has already been covered in the labs or the slides.
My advice on this is always the same:
- be ready with your cheat sheet; I personally love to mind map
- force yourself to take breaks
- start with an easy one to get in the mood, if you like
but the most important one is: keep in mind that "the S in XDS stands for Student" and don't overthink!
I feel that XDS can help both novice and intermediate exploiters, because it can be used to learn a new topic but also as a summary to consolidate it.
I can recommend this course to all junior/mid pentesters who want to be more confident running or adapting exploits.