AppSecLatam2012/Training/Advanced Vulnerability Research

Revision as of 11:37, 7 November 2012 by Sarah Baso (talk | contribs)

AppSec Latam 2012 Training: Advanced Vulnerability Research and Exploit Development

Course Length: 2 Days
Training Audience: Technical
Required Skill Level: Intermediate

Course Description

The Advanced Vulnerability Research and Exploit Development course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest knowledge and tools to discover vulnerabilities and then develop exploits for a wide range of software including complex Windows applications, interpreted languages, and critical Microsoft services.

In the first half of the course, attendees will use reverse engineering and fuzzing to attack a wide variety of applications (many of which are critical to a successful penetration test) and then use the latest exploitation techniques available today to develop a reliable exploit for Windows 7 / Windows Server 2008.

In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, and how to use precise heap spraying.

By the end of this course, attendees will have a clear idea of what is necessary to find and exploit a vulnerability on a modern Windows machine.

This course is well-suited to penetration testers, exploit developers, malware analysts, and security professionals who wish to dive into vulnerability analysis and exploit writing.

Topics covered in this course include stack-based overflows, SEH-based overflows, integer overflows, information leakages, heap spraying, payload development, Unicode payload development, return oriented programming (ROP), and sandbox escaping.

Instructor Bio

Instructor: Gianni Gnesa, Ptrace Security
Twitter: @ptracesecurity

Gianni Gnesa, BCS, MSCS, CEH, OSCP, OSEE, Network+, Linux+, is a security researcher and professional trainer at Ptrace Security, a Swiss-based company that offers specialized IT security services to customers worldwide. With several years of experience in vulnerability research, exploit development, and penetration testing, Gianni is an expert in exposing the vulnerabilities of complex commercial products and modern network infrastructures. In his spare time, Gianni conducts independent security research on kernel exploitation and rootkit detection.

Course Syllabus

Module 1:

-    Vulnerability discovery – fuzzing / reverse engineering
-    Exploiting stack-based buffer overflows
-    iTunes exploit variant 1
-    Bypassing NX/DEP
-    iTunes exploit variant 2 - with DEP bypass
-    Bypassing ASLR
-    iTunes exploit variant 3 - with ASLR/DEP bypass

Module 2:

-    Vulnerability discovery – fuzzing / reverse engineering
-    Exploiting SEH based overflows
-    Quick Player exploit variant 1
-    Exploiting Unicode-based buffer overflows
-    Quick Player exploit variant 2

Module 3:

-    Vulnerability discovery – fuzzing / reverse engineering
-    Introduction to the Java sandbox architecture
-    Escaping sandboxes
-    Java exploit variant 1
-    Building custom shellcode from scratch
-    Java exploit variant 2 - with sandbox escape

Module 4:

-    Vulnerability discovery – fuzzing / source code review
-    Exploiting integer overflows
-    Firefox exploit variant 1 – with non-ASLR module
-    Circumventing ASLR without info leaks
-    Firefox exploit variant 2 – without non-ASLR module

Module 5:

-    Vulnerability discovery – fuzzing / reverse engineering
-    Introduction to uninitialized memory corruption
-    Heap spraying in modern browsers
-    Microsoft XML Core Services MSXML exploit variant 1 – Internet Explorer 6
-    Microsoft XML Core Services MSXML exploit variant 2 – Internet Explorer 7
-    Microsoft XML Core Services MSXML exploit variant 3 – Internet Explorer 8

Prerequisites

-    Experience with Immunity Debugger
-    Experience with WinDBG
-    Experience with IDA Pro
-    Experience with Metasploit Framework


Students are required to bring a laptop with VMware Workstation or VMware Player and enough processing power and RAM to run up to 2 virtual machines at the same time.

Make sure you have full admin access to each virtual machine and that you can transfer files from your host machine to your virtual machines. Also make sure your virtual machines are on the same virtual network.

Tools, applications, slide deck and virtual machines will be provided during the training.