Based around two real-world IoT targets that we will emulate, this course gets students to learn the process of building and debugging a memory-corruption exploit from scratch, bypassing exploit mitigations such as NX and ASLR along the way.

Our course begins with an introduction into the ARM architecture and assembly language, and how to build shellcode that can be used in exploits against ARM targets. Students then learn about the theory and practice of attacking memory-corruption exploits by finding and exploiting a stack-overflow vulnerability. Students then learn about exploit mitigations, what they are, and how to bypass them, and how to take over the process using both ret2libc, as well as complex ROP-chains to run in-memory only shellcode directly in the target process.

The second day of the course focuses on exploiting two real-world routers, including the process of how to emulate, debug and trigger vulnerabilities on real-world devices, and how to adapt exploits from one target to work on a different target, even when the devices use identical library versions.

The third day of the course provides a deeper study of exploit categories and techniques to make exploits reliable. Students will cover vulnerability discovery and use of “information leaks” to stabilize memory-corruption exploits, and learn about the ASLR and stack canary exploit mitigations, and how to exploit format-string vulnerabilities to bypass these mitigations.

The final day is a deep-dive into the process of heap exploitation, and using heap vulnerabilities to construct exploitation primitives that can be engineered together to build powerful and reliable exploits, bypassing NX, ASLR and GCC’s in-built exploit mitigations. We begin with a review of how the glibc heap works, and begin writing an exploit against a network service containing a heap linear buffer overflow. Students will learn how to turn this buffer overflow into a reliable relative read exploit primitive to bypass ASLR, how to construct arbitrary read primitives to search target memory for useful binaries, and how to exploit and construct malicious vtables to fully take control of the target device.