Hands-on Ethical Hacking: Preventing and Writing Exploits for Buffer Overflows

Presented at AppSec USA 2013, Nov. 19, 2013, 7 p.m. (240 minutes)

** YOU MUST RSVP FOR THIS TRAINING BY EMAILING RALPH.DURKEE@OWASP.ORG. CAPACITY IS LIMITED TO 24 ATTENDEES **

An intense 2.5 hours hands-on course where you will find a buffer overflow vulnerability and then develop an exploit for a stack-based buffer overflow. We'll also discuss and test mitigating techniques such as address randomization, stack protection mechanisms, non-executable stacks and, of course, programming to prevent buffer overflows.

The course will use a virtual Linux system with the required tools running on your own laptop. Students must be comfortable with the Linux command line and be familiar with basic C/C++ programming. We'll be using the GNU development tools such as g++, gcc, gdb, and make. Vim, Emacs and Eclipse will all be installed for your editing and exploit writing pleasure. We'll be looking at assembly code in order to develop the final exploit, so some familiarity with assembler languages is helpful, but not required.

You must bring your own laptop. The laptop can be MS Windows, Mac or Linux; just make sure you have a recent version of VirtualBox installed and working. Having a DVD reader is helpful for transferring the VM, but a flash drive will also be available.

Laptop Requirements:

  • At least 4 Gb RAM
  • 8 Gb of free disk space
  • VirtualBox 4.2.16 or newer installed
  • Administrator or root privileges for the laptop
  • Comfortable with Linux command line and g++ / gcc
  • Some C/C++ programming

Presenters:

  • Ralph Durkee - Principal Security Consultant - Durkee Consulting, Inc.
    Ralph Durkee has been the principal security consultant and president of Durkee Consulting, Inc. since 1996. Ralph founded the OWASP Rochester, NY chapter and has served on the board since 2004. Ralph served on the ISSA chapter board to start the Rochester ISSA chapter as well as starting the annual Rochester Security Summit. He has served as the ISSA chapter president since 2010. He performs a variety of network and application penetration tests, software security assessments and secure software development consultations for clients. His expertise in penetration testing, incident handling, secure software development and secure Internet and web applications is based on over 30 years of both hands-on and technical training experience. He has developed and taught a wide variety of professional security seminars including custom web application security training, and SANS SEC401 & SEC504 - Hacker Techniques and Incident Handling and CISSP bootcamp courses since 2004. Ralph also regularly consults on the development and implementation of a wide variety of security standards such as web application security, database encryption, Windows, and Linux security. Ralph has also done security consulting for compliance with the Payment Card Industry Data Security Standard, and holds the following certifications: CISSP, C|EH, CRISC, GSEC, GCIH, GSNA, GCIA, and GPEN.
