I'm teaching SEC760 in London this week while Steven Sims relaxes at RSA Conference and my guys at Rendition Infosec do some pretty cool work on a new product line (and a pretty kick butt pentest). A student in another class asked me this morning what are the most critical things to know about exploit development. I took this and ran with it, producing my 10 commandments of exploit development. I'm going to put together 10 commandments of exploit mitigation later this week as suggested be Ed McCabe.
Here are my 10 commandments (cross posted from Twitter) for your reading pleasure:
Here are my 10 commandments (cross posted from Twitter) for your reading pleasure:
Exploit dev 1st commandment: thou shalt observe the program in it's normal state before wasting time with fuzzing that will NEVER work.— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 2nd commandment: thou shalt covet thy neighbor's addresses (e.g. look for leaking pointers to bypass ASLR)— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 3rd commandment: thou shalt not poo poo printf vulnerabilities for thine information disclosure may be one %x away.— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 4th commandment: Thou shalt remember that ASLR does not protect against local attacks on Windows, only remote attacks— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 5th commandment: thou shalt not forget that PEB "randomization" is hardly random at all— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 6th commandment: thou shalt not f*ck with control flow guard (CFG)— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 7th commandment: thou shalt recall that ROP mitigations primarily focus on memory protections. Use return oriented shellcode— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 8th commandment: if thou are foolish enough to call system(), thou shall specify the FULL F*CKING PATH to the exe launched— Jake Williams (@MalwareJake) February 29, 2016
Exploit dev 9th commandment: thou shalt not attack the program directly when exploiting a vulnerable library is easier— Jake Williams (@MalwareJake) February 29, 2016
Anything you would change here? Let me know. Until the next time, I'll be here rocking London and loving exploit development.Exploit dev 10th commandment: thou shalt not fear EMET, but look for creative ways to bypass using built-in OS functionality.— Jake Williams (@MalwareJake) February 29, 2016
