I attended a workshop provided by MWR InfoSecurity on ‘The Evolution of an Exploit’ recently (Full details in PDF format).

A lot of security presentations can be a bit weak in terms of technical content, essentially just being “SECURITY IS GOOD. CAREFUL, OR THE MONSTERS WILL GET YOUR DATA”. The sort of scaremongering designed to get those who are perhaps not particularly technically aware to open their wallets in fear.

Don’t get me wrong: Security is vital but it must be understood properly.

Anyway, this was an excellent workshop. It followed a particular vulnerable product and the stages taken from analysing the network traffic and producing ‘fuzzy’ packets, through analysing the crash data in a debugger, to crafting an actual exploit. The network-based exploit gave a remote shell with Administrator privileges to the target box. Game over!

I particularly liked the fact that at each stage the software packages used were fully demonstrated to get the desired result. So I’ve got a few more toys to play with when I can find the time! Also, the workshop did not shy away from assembly to demonstrate how overflow exploits actually work.

Things which particularly grabbed my attention:

1. Fuzzing is not just a case of sending random data. To make it more useful, it is always based around the packet format which the target will accept. Best use of your time.
2. The Metasploit platform. Very cool framework. In particular I liked how once you have your exploit packet, you can fill the shellcode section with, well, whatever exploit in their database that fits. Download something, give a remote shell, scan a network… so many possibilities.
3. Just how “Duh” the mistake made by the developers of the vulnerable software was. The client essentially passed the memory address of the function that should be executed next to the server . “Never trust the client” is a classic security mantra, so this one particularly takes the biscuit.

I recommend the workshop, and the Marks and Spencer provided cuisine was not bad either