Thursday, December 13, 2012

Corelan Exploit Development Live Training Review

My team had the opportunity to take Peter Van Eeckhoutte's live exploit development boot camp last week. This is a review of the 2012 version of his course.

A course outline can be found here:

We sat the course over a Saturday and Sunday. My one and only complaint for the course which I'll get out of the way now, is that this should really be AT LEAST a 3 day course. We spent 14 hours each day working with Peter. It was very intense and it melted my brain. By the end of the second day, mental exhaustion parlayed with the complex material began to set in. I really think I would have got more out of the last 5 hours of the course, if it were on a third day. Peter on the other hand, doesn't skip a beat. I bet he would still be talking if we were willing to sit with him that long!

Now that the bitching is out of the way, on to the good stuff. This is a fantastic course and I highly recommend it. The material Peter has put together is high quality and he's clearly put in a huge number of hours perfecting it. The course is a combination of walking through slides and lab exercises. All the students came prepared with VMs specific to Peter's requirements. His labs start easy and eventually get very hard. However, you can tell he has done this so many times because all of the labs work as designed. We literally had one "live demo fail" which he quickly recovered from. If your lab isn't working, he can look at your code (which by the way, he has never seen before and the quality is probably shit) and instantly give you hints on where the problem is. 

Peter is a great instructor because of his teaching style and he's exceptionally good at this stuff. Everyone I talked to after the course said they have never learned so much in a short period of time. As a graduate of the Offensive Security courses, I can appreciate some of the struggle that comes with exploit dev, but at a certain point, if someone tells me to "Try Harder" one more time, I'm going to rage. Peter's approach is different. He certainly makes you suffer, but when he see's you're truly stuck, he throws you a little "nugget" that usually gets you where you need to be. I witnessed this myself as well as with other students. There were numerous "AH HA" moments with this style.

Within the first five hours of the first day, I realized the course was money well spent. He has so many tricks that I had never seen before. The best part is that he is completely transparent and willing to share anything you want to know. You just have to ask him what he's doing and he's more than happy to tell you. There was one specific moment when half the class was blown away when we learned a trick for a problem that had caused some of us trouble before. Money. Well. Spent.

Something he doesn't mention in his description of the course is the use of mona. Mona is the python tool Peter and his team wrote that integrates with Immunity Debugger. I've used it before but now I will probably use it all the time. It's an incredible tool! Mona provides insight into the layout of the stack and registers that you simply cant get with the naked eye. That fucking thing can order you a pizza, put your kid to bed, all the while giving you stack pivot options. It's absolutely brilliant.

Who is this course tailored to? We had guys that had zero experience and some who had decent experience. I think you need to know the basics to get the most out of this course. If you have never opened Immunity, there are going to be diminishing returns after about hour six on the first day. If you're comfortable with basic buffer overflows, know how to read an exploit, and can write scripts, you're going to spend more time learning new stuff than futzing around with your tools. This class moves fast, there is no time to figure out how to fire up mona. You'll be lost if you're at this level.

An important point to note about the course is that you probably will not get to every section in the syllabus. Depending on the expertise in the class, he may skip things, spend more time on others etc. I wasn't sure how this would eventually work out but he knows what he is doing. He's also very flexible so if you ever want to spend more time on X or Y, he'll gladly oblige. 

The learning continues after the course... As a bonus, when you're done with the course you get access to a private IRC and forum that Peter monitors and says he is available for questions. If you have the chance to take this class either at a CON or are able to bring him out to your office, you should certainly do so. Kudos to Corelan, excellent job.

Wednesday, December 5, 2012

Burp proxy error: Received fatal alert: unexpected_message

I kept receiving this error in Burp when I was doing an web app pen test: Burp proxy error: Received fatal alert: unexpected_message

This problem isn't a Burp issue, rather a Java issue. It is because of the the Java TLS renegotiation issue documented here:

But who cares, how do you fix it? The link above mentions using but that never worked for me, nor did any of the other blog posts on this issue. I ended up removing my current version of Java and installing an older version which didn't include the fix for the TLS vulnerability I noted above.

JRE 6u35 worked for me: