• JNDI/LDAP Manipulation
• Frameworks & Services
  • WebServices
  • REST APIs
  • Vulnerabilities in Popular Frameworks
• Crypto
  • Padding Oracle
  • PRNGs (Random & RandomStringUtils)
• Exploitation

DAY 2

• The state of RSA (common mistakes & factorization)
• Solving (EC)DLP (Pollard RHO, Index calculus)
• Elliptic Curves specifics

DAY 3

• Real World Implementation issues
• Symmetric/Asymmetric primitives
• Source / Compilation / Languages / Platform specific issues
• Local timing attacks
• Improvement of an attack using filtering

DAY 4

• Cache attacks
• Padding Oracle
• Remote timing attacks

Immunity Linux Kernel Exploitation - April 28 - May 1, 2019

28 (ISC)2 CPE CREDITS

The Immunity Kernel Exploitation Master Track focuses on modern exploit development and vulnerability discovery techniques. Intermediate to advanced exploit development skills are recommended for students wishing to this class.

Syllabus (subject to change):

DAY 1

* User Land vs Kernel Land

* Introduction to the Kernel Land

* Kernel Debugging Environment

* Kernel Internals

DAY 2

* Memory Models and the Address Space

* Kernel Shellcodes

* Taxonomy of Kernel Vulnerabilities

* Arbitrary Kernel Read/Write

DAY 3

* Kernel Heap Allocators (SLAB/SLUB)

* Kernel Pool Overflows and Use-After-Free

* Race Conditions

DAY 4

* Logical and HW-related Bugs

* Kernel and Hardware Protections

* Bypassing Protections

* The Future of Kernel Vulnerabilities

---

3rd Party Training:

INFILTRATE 2019 now offers 3rd pary training courses in addition to the IMMUNITY training courses. None of the 3rd party classes offer CPE credits. All students of the 3rd party classes are required to bring their own laptop to use during the class. Technical specifications will be provided. All 3rd party classes are eligible for the the Conference Bundle Discount ticket. All 3rd party classes include breakfast and lunch for the registered student on class days.

Azeria's ARM-based IoT Exploit Development - April 29 - May 1, 2019

*Laptops Not Provided, Students Must Bring Own Laptop*

This course starts with a comprehensive overview of the ARM 32-bit architecture. To give the students more context, advanced concepts like TrustZone and privileged modes will also be part of this introduction. The ARM Assembly part of the course includes all relevant concept needed to reverse engineer ARM-based binaries and write elaborate ROP chains. Writing shellcode gives students practice in assembly and teaches them concepts such as leveraging the “literal pool” to reference strings and struct values. The “reverse engineering” part of this course introduces students to the process of RE and debugging ARM binaries, followed by a lab in which they will reverse engineer their first binary and understand how function flow works on ARM. Students will be introduced to memory-corruption vulnerabilities on the first day. After understanding what is needed to corrupt the stack, students will trigger a stack-based vulnerability and write an exploit allowing them to execute their own shellcode from the stack. After this lab, the concept of NX and Return Oriented Programming will be introduced, followed by a more complex challenge that will require the students to build a ROP chain where the ideal ROP gadgets are not available in the target library. The second day of this course will be 80% lab time. After a quick introduction into NX mitigation bypasses and different ways of bypassing ASLR, students will start exploiting their first real-world target. For each new target, we will start with an overview of the hardware-hacking and firmware-emulation process. Students will write exploits to bypass all of the mitigations on two different IoT targets and learn how to overcome common restrictions encountered during the debugging process. After obtaining a shell through a ROP chain that leverages the system() api, students will then learn an alternative way of gaining access to the target system that is far less noisy. The labs will also teach them how to bypass common memory read and write issues when taking control over the Program Counter register, as well as how to debug real-world vulnerabilities, and how to write elaborate ROP chains to bypass all mitigations on the chosen real-world targets. On the third day, students will be introduced to information leak vulnerabilities by exploiting a buffer overflow coupled with a format string vulnerability and write an exploit to bypass NX and ASLR. Students will then be introduced to Heap exploitation and will write an exploit for a heap overflow vulnerability.

Syllabus (subject to change):

DAY 1

ARM 32-bit Architecture

• Difference between Architecture and Microarchitecture
• ARM processor types
• RISC CPU features
• Privilege Modes
• TrustZone Extension
• Memory model, memory types, memory segments

ARM Assembly Language

• Syntax of Assembly programs
• User mode registers and privileged banked registers
• Exception handling process
• Status registers (CPSR and SPSR)
• Conditional execution
• Thumb mode
• Most common instructions
• Data processing instructions
• Load immediate restrictions
• Literal pool
• Load and store instructions
• Load and store addressing modes and offset modes
• Load and store multiple register processing
• Function calls and subroutines (function prologue and epilogue)
• Preserving runtime environment via stack

Writing ARM Shellcode

• Overview of Shellcode writing process
• Tracing system calls and determining Syscall number
• Mapping out function parameters
• Translation to assembly
• Checking for null-bytes and avoiding them
• Converting assembly into hex string

Lab: Reverse Shell

Students will translate the following function calls into assembly: socket, connect, execve, dup2. This exercise teaches them how system functions are being invoked in assembly and how to make use of the literal pool when trying to reference strings and values like IP addresses.

Reverse Engineering

• Introduction to ELF binaries
• Process of gathering information about the binary
• Static analysis of ARM functions
• Understanding function flow
• Debugging with GDB, useful commands
• Dynamic analysis of function flow

Lab: Debugging with GDB

Debugging an ARM binary with GDB and analyzing the function flow with guidance of a workbook in which students will answer questions about the binary and learn the process of static and dynamic analysis. This exercise will familiarize the students with the debugging process and prepare them for the exercises that follow.

Memory corruption vulnerabilities

• Stack frames
• Examples of vulnerable functions
• Visualization of a vulnerable function call
• Stack corruption
• Executing Shellcode on the stack with a simple gadget
• Introduction to gadget hunting

Lab: Exploiting BoF

In this exercise students will corrupt the stack by exploiting a vulnerable function and create their first exploit in which they identify the offset for the PC crash and leverage a simple gadget to jump to their Shellcode on the stack.

Exploit mitigations

• Introduction to the NX bit which makes the stack non-executable
• Ways around this restriction
• Introduction to Return Oriented Programming
• invoking system() via ROP to execute a command - the traditional way

Lab: Bypassing NX

In this exercise, students can’t use the traditional way of invoking system(“/bin/sh”), which is only possible with old libraries containing the ideal gadget. This challenge uses a newer Libc library, in which the ideal gadget is not present. This lab challenges students to creatively think about a restriction and come up with a workaround.

DAY 2

Return Oriented Programming

• More detailed explanation of ROP
• Gadgets that break your ROP chain
• Workaround through register initialization
• Noisy vs stealth ways of exploitation

Mprotect ROP chains

• Technique of making a stack region executable through ROP
• Building mprotect ROP chains
• How to avoid null-bytes when trying to fill a register with a small value
• How to make stack addresses page aligned

First target: D-Link DIR890

• Process of gaining access to the device via UART and getting shell access to the device
• Process of extracting and emulation the firmware
• The vulnerable service

Lab: Bypassing memory-write issue to take over PC

Taking control over the Program Counter is not always as trivial as supplying a long string of A’s. Our first target crashes before reaching the PC overwrite. Students need to identify the issue, understand why it occurred, and find a way to bypass this issue in order to continue execution until the PC crash.

Lab: invoking system to get a reverse shell connection

After bypassing the restriction in the previous lab and gaining control over PC, students are introduced to the easy but noisy way of exploitation. Students will learn how to craft a quick Proof of Concept exploit and learn how to get a back connect without the possibility to execute reverse Shellcode from the stack.

Lab: D-Link mprotect ROP chain

The goal of this lab is to write an entire mprotect ROP chain. This type of exploit usually Involves writing around 60-80 lines of code, 80% of which is the mprotect ROP chain itself. Students will get a deep understanding of building ROP chains of any kind. The exploit is then launched against the vulnerable service to get a shell.

Lab: Bypassing memory-read issue to take over PC

The goal of the following two labs is to take control over the Tenda router using similar. This lab is yet another example of real world restrictions when attempting to crash the application and take over PC. Students will debug a Tenda buffer overflow and find a way around a memory read issue that prevents the service from crashing in PC.

Day 3

Lab: Tenda mprotect ROP chain

This lab is for students who managed to finish the previous labs ahead of time. The mprotect ROP chain of this target is similar to the previous one, however there are two problems: one part of the D-Link mprotect ROP chain needs to be modified to fit the new target, and the Shellcode needs to be modified to avoid certain characters that would cut off the payload. These characters are returns which pose a problem when exploiting a buffer overflow in a cookie header. Students learn how to think outside the box and adopt their exploit to the new target.

Address Space Layout Randomization

Techniques for bypassing ASLR:

• Brute-Force
• Partial PC overwrite
• Information leaks via string format vulnerabilities

Lab: Exploit to bypass ASLR with format string vulnerability

Students will exploit a buffer overflow and a format string vulnerability. The goal of this lab is to write an exploit that takes advantage of a buffer overflow to get a shell and calculates the Libc base address from an information leak to bypass ASLR.

Introduction to Heap Exploitation

• Introduction to the heap
• Heap layout
• Vulnerability types affecting the heap
• Categories of heap vulnerabilities
• Concepts and exploitation techniques
• Use-after-free

Lab: Writing an exploit for a heap-based buffer overflow vulnerability

---

Vector 35's Reverse Engineering with Binary Ninja - April 30 - May 1, 2019

*Laptops Not Provided, Students Must Bring Own Laptop*

Ready to be more efficient with the time you spend reverse engineering? Reverse Engineering with Binary Ninja covers everything you need to be faster with your manual RE tasks and also build automation using Binary Ninja's API for both RE and VR. Students will also learn how to extend CPU architectures and create their own binary views for custom file formats. You'll become immersed in the type system, all the layers of Binary Ninja's Intermediate Languages (BNIL), and come out with the ability to write concise powerful scripts to solve a wide variety of RE and VR challenges. A free student license to Binary Ninja is included with each registration -- if you already have a license, feel free to gift it to a friend!

Students should already be familiar with reverse engineering concepts such as memory, stack, registers, calling conventions and at least one low-level assembly language (multiple architectures will be used throughout the course but in-depth knowledge in them is not required). Familiarity with python is strongly recommended as most of the samples will be written in python though very few advanced python features are required.

Students are required to bring their own laptop to use in class. Any laptop capable of running both Binary Ninja and an Ubuntu 18.04 virtual machine (VMWare or VirtualBox) is acceptable. A commercial license for Binary Ninja is recommended for multithreading and headless processing, but students will receive a redemption code for a free personal license in the course. Students may opt to pay the difference for a commercial license separately from course registration. Recent MacOS, Linux, and Windows (x64 versions of Win10) are all supported though please test your Linux build if it is not Ubuntu LTS or most recent stable.

---

*CANCELLATION INFORMATION *

• Conference Briefings and Training Session fees are non-refundable after April 5th, 2019.

• Registrants who must cancel may substitute another person. Substitutions are allowed with the written permission of the original registrant.

• All cancellation and substitution requests shall be made in writing and sent to infiltrate@immunityinc.com from original registrant.

• Paid registrants who do not cancel by April 5th, 2019, fail to send a substitute or do not attend the conference and/or training forfeit their entire registration fee.

For more information on Cancellation/Substitution policy, please click HERE.