Review of the Corelan Live - Win32 Exploit Development Bootcamp

Wed 3rd Oct 12

I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp. A lot of people asked about the course and what it covered so I've put this together.

First off, when Peter says no recording he means it! The first five minutes were taken up by Peter explaining how the course was created and going over why he didn't want any recording of the material. He stressed he would give as much help as needed both during and after the course and you get to take home a copy of the slides and exercises so there should be no need to record anything. Despite all this we came back from lunch on the first day to find a guy being thrown out of the class for using a Dictaphone. He claimed that due to a language barrier he wasn't able to keep up but it later came out he worked for a training company - feel free to put 2 and 2 together.

So, the course itself. In a nutshell, really hard work but in a good way. The first day ran from 9AM through to 10:30PM. We started with a lot of theory about how the OS works and how applications fit together inside it. This was a nice reminder of my university theory lessons which now make a lot more sense. We then moved on to a nice simple buffer overflow, slides then a lab, and then on through different ways to control EIP and to bypass stack protection and finished up the day with heap spraying. The second day was bypassing DEP and ASLR, again with plenty of slides and labs. We had to wrap up the day early because we were being kicked out of the room by the hotel but finished off at 8PM with a quick overview of some of the things we hadn't got around to covering.

I've not checked back yet but I think there were around 20 modules included in the slides and we maybe covered half of them. That may seem like we missed out on a lot but I really don't think I could have taken any more in. For the stuff we didn't cover I'll hopefully get around to reading it in my own time once I've mastered (OK, more like just about got my head around) the stuff we did cover. If the pace of the course had been any faster then I would have definitely missed out on things. Some of the labs maybe could have done with an extra 5 minutes but then we all say that when something looks like it is nearly working.

Some tips on getting the most out of things...

  • Something mentioned in one of the setup emails is to make sure you get plenty of sleep before the course. Unfortunately I took the family to BruCON with me and Pippa (2-year-old) decided I wasn't sleeping the night before. Because of this, by the time we started on heap spraying at about 7:30PM I was starting to drift and so I only really got the headlines of the heap spray attacks. Guess I'll not be looking at browser based exploits for a while.
  • If you stop concentrating for even a short while there is a good chance you'll miss something important. Make sure everything you need is set up, ready and tested beforehand. I'm used to using VirtualBox in Linux and so assumed I could quickly set up the networking as required on the day, but for some reason it works differently in Windows so I had a short panic while trying to get it all together. Luckily I managed to do it fairly quickly so didn't miss too much, but it could have spoilt the whole thing.
  • Brush up on your Python and Ruby skills beforehand. You don't have to be a great programmer but knowing how to concatenate strings and do basic maths with string lengths is essential. If you are fighting the scripting you'll get nowhere on the actual labs.
  • Have a look at how a Metasploit exploit module is put together. You'll be writing one on the course, and while the skeleton is written for you so all you need to do is plug your actual exploit code in, it really helps if you understand how it all fits together.
  • !mona help is your friend.
  • And finally, don't forget your stack adjust (this will make sense on the day!)

So, would I recommend the course? It depends. To make it worthwhile you need to have a good understanding of the basic concepts of how applications work, how programs are put together and how an OS functions. Peter does a good job of explaining all of these at the start of the class but I think if this is the first time you are hearing all of this then you are going to struggle. You also need to have some basic scripting skills; without them you'll not be able to put the actual exploits together. If you are OK with those prerequisites then I'd say definitely go for it. Peter is one of the most enthusiastic instructors I've met, the support offered during the class and what I've been told we will get going forward makes it easily good value for money, and the content is first rate.

Just beware though, I was expecting to come out of the course and be able to start writing exploits for any vulnerable apps I found. The reality is that I'm going to have to put a lot of work in to get to that point. This is nothing to do with the content of the course just the technical level of the subject. Exploit development is hard and from what I can see the initial learning curve is a steep one.

And lastly, I'd suggest you leave your Dictaphone at home; they really aren't appreciated!