SANS SEC760 Review

I wasn't expecting to do yet another SANS course but the opportunity did arise for me to do SEC760 in ondemand format. Previously, I had already done SEC660 as well as OSCE and was conversant with buffer overflows in a multitude of formats (EIP overrides, SEH overrides, ASLR/DEP bypass, return to libc, ROP, egghunters, venetian shellcode, alphanumeric shellcode, limited buffer space...), so it was time to move on to heap overflows and into kernel land.

There are only a few courses at a similar level, Offensive Security AWE, Corelan Advanced exploit development course and of course, SANS SEC760. I believe they are rather similar in content with AWE being heavier on Windows kernel security mitigations, Corelan being heavier on Windows heap exploitation and SEC760 bringing in Linux and browser exploitation.

The exploits in SEC760 are a lot more complicated than SEC660 and cannot be done from scratch. Researchers spend weeks or months fuzzing, reading through source code or reverse engineering binaries to find out how heap chunks are allocated and deallocated in certain OSes. They then find ways to exploit, for example discovering that allocating x chunks of a certain size and deallocating the chunks in a certain order or that creating certain HTML elements nested in a particular manner would cause a vulnerability to exist. SEC760 focuses on explaining the basics and then stepping through these well known exploits, breaking at certain points to demonstrate what is happening and how the exploit works. You would have to spend lots of time doing your own research on a particular area to really have a chance of building your own exploit from scratch.

At times, the exploitation feels more like an art than science. You tweak an address leak payload repeatedly to try to obtain a consistent leak of a function pointer. You spray the heap with the same shellcode x amount of times and hope the EIP lands somewhere in a nop sled. Browser are so complex and there are so many things going on at the same time, you might not know why an exploit failed. Even pausing too long at a breakpoint may affect the exploit as demonstrated in the walkthrough.

I feel that ondemand was a good way to do this course especially because I was totally unfamiliar with the heap and the Windows kernel. I found myself replaying the videos numerous times just to absorb the material since it is so information dense. I previously did SEC660, FOR508 and FOR610 live and had no issues keeping up with the material as I already had rough understanding of the material even before attending. I would have struggled doing SEC760 live. An additional benefit of ondemand is the ability to slowly work through all the CTF challenges. The CTF challenges are a really good way to test your understanding as they require you to find the the offsets and memory addresses specific to the CTF binary as opposed to just walking through and following the instructions on the sample binaries provided in class.

No coin this time, but 100% completion sure feels good.

sec760