Several weeks ago, I had the extraordinary pleasure of being a part of Corelan Live Training, which offers an intense, multi-day Win32 exploit development class. Many of the Metasploit, Metasploit Pro and Nexpose engineers in Austin, TX at Rapid7 underwent the training in Feburary. (On this note, I must give mad props to my office-mates @_sinn3r and @thelightcosine - Corelan members - for setting this up.)
The class was taught by Peter “corelanc0d3r” van Eeckhoutte, a well known metasploit contributor and exploit developer. It was 2 days of intense, 10hrs+ training each day.
We developed exploits for traditional stack buffer overflows, SEH overwrites, and integer arithmetic bugs. We went all the way from simple stack smashing, to full ASLR/DEP bypass with ROP chains, to heap spraying modern browsers (including exclusive coverage of Peter’s DEPS technique for heap spraying Firefox and IE10.) We hacked custom applications, media software, FTP clients, HTTP servers, and wrote our very own Metasploit modules.1
The class was incredible and well thought out. Peter took the time to demonstrate applications that show the key ideas behind pulling off a certain kind exploit, but also offered many real world challenges and applications to test us. It was often a competition in the class to see who could get a shell first.
This class was quite fantastic and I really had a blast developing exploits. Since then, I’ve independently written 2 more exploits against publicly known vulnerabilities (with known exploits already existing.) And I’m working on 2 more for Opera 12.12 and Safari 4.x (with no public exploits, but the vulnerabilities are fixed.) Expect metasploit modules soon!
Peter himself was great too; incredibly enthusiastic and engaged with all of his students. I’d recommend you take his class if you ever get a chance. It’s a lot of fun!