Title: The Exploit Laboratory
Trainer: SK Chong (Security Consultant, SCAN Associates Bhd.) & Umesh Nagori (VP, Net-Square)
Capacity: 20 pax
Seats left: REGISTRATION CLOSED
Duration: 2 days
Cost: (per pax) MYR2899 (early bird) / MYR3299 (non early-bird)

Content:

Overview:

This workshop shall introduce how buffer overflow vulnerabilities arise in programs and how they get exploited. The workshop will take you deep inside how programs are loaded and execute within memory, how to spot buffer overflow conditions and how exploits get constructed for these overflow conditions. By exposing the inner mechanisms of such exploits, we will understand how to prevent such vulnerabilities from arising.

The workshop will cover analysis of stack overflows, heap overflows and format string vulnerabilities. Examples of vulnerabilities shall be provided on both the Windows as well as the Unix platform. The class is highly hands-on and very lab intesive. The hands-on lab provides real-life examples of programs containing vulnerabilities, and participants are required to analyse and exploit these vulnerabilities.

Who should attend

Pen-testers, developers, just about anyone who wants to understand how exploits work.

Key learning objectives

Understanding error conditions.
Categories of error conditions - stack overflow, heap overflow, off-
by-one, format string bugs, integer overflows (this class will deal
only with stack, heap and format string)
Unix process memory map
Win32 process memory map
Writing shellcode
Real life exploit construction
Secure coding practices
Kernel level protection mechanisms

Notes:

Attendees will require:

A working knowledge of operating systems, Win32 and Unix
Ability to compile programs using GCC
Ability to use vi/pico/joe editors
Understanding of C programming would be a bonus

This class requires you to sign a code-of-ethics document, which is to ensure appropriate use of such techniques.

---

About the trainers:

SK Chong

S.K. (CISSP) is a security consultant from SCAN Associates. His job allows him to play with all kinds of hacking tools in his penentration testing. Most often, he needs to modify and/or enhance these tools before it can be used for legal penetration testing against banks, ISP and goverment agencies. These experiences help him wrote a few security whitepapers on SQL Injection, Buffer Overflow, Shellcode and Windows Kernel stuff, including one of which published in Phrack E-zine #62. His researches was presented in Blackhat (Singapore) 2003, HITBSecConf2003 - Malaysia, RuxC0n2004 (Australia), XCon2004 (China) and many other security conferences.

Umesh Nagori

Umesh, currently, working as VP Business Development for the IT Security Practices at Net-Square. Umesh also provides information security consulting services and trainings to Net-Square clients, specializing in Web hacking and security. He brings more than 10 years of experience in the Information Technology. Right from the software development, he has played key roles in various other areas of Information Technologies like system administration and network management, system analysis, training, project management. He has over 6 years of experience with web application development, application and system security architecture, network architecture, security consulting, security training.

Prior to joining Net-Square, Umesh worked as Sr. System Analyst (IT Application) at Hughes Network Systems, USA (HNS). In his capacity as Sr. System Analyst, he played key role in overseeing the web development and the application security for the internet facing applications at HNS.

Prior to HNS, Umesh worked as Principal Consultant at iROMYX Inc. His experience at iROMYX provided him with numerous challenging projects at clients like Cisco, Motorola, NEC, Carlson, Sycamore, VIAG Interkom (Germany) and many others. Apart from web application development for public facing applications, he provided significant contribution to many clients in designing the security for their web applications.

Prior to his experience in USA, Umesh worked as Research Assistant at Indian Institute of Management, Ahmedabad (India) where he played a role as system & network Administrator for IIMA networks, web designer/developer for the IIMA Internet & Intranet applications and training instructor. Umesh graduated from Gujarat University with a bachelor�s degree in Commerce. He has also successfully completed BS7799 Lead Auditor Course.