Friday, April 5, 2024

Auditor++ Course/Certification - preliminary table of contents

Below is my preliminary table of contents for Drudget's Auditor++ course and certification.

I don't think it's complete, and I'm interested in hearing what others think. 

Drop me a line at drudget.com.au's contact form if you're interested in knowing more about the Auditor++ course or have some recommended topics you want to know more about.


Auditor++ Course/Certification

Security

  • smashing the stack (phrack article - reference aleph1)
  • jmp/push opcode obfuscation technique
  • Exploitable Bug classes
    • stack and heap buffer overflows
    • integer overflows
    • off by one
    • double free
    • use after free
  • Deadlocks and race conditions
  • readelf and objcopy tools
  • IFUNC redirection
  • LD_PRELOAD exploits/rootkits
  • Opcode overwriting hooking method
  • Typical shell server (bind-shell)
  • Writing shellcode (execve, bind shell, connect back shellcodes)
  • strncpy (non-null termination) bugs
  • Various other non-safe "standard C" function string bugs (strcpy, strcat, sprintf, etc)
  • rand() random number generation (on non-Linux systems), and non-cryptographically secure PRNGs
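As an added illustration of the strncpy item above (example code written for this post, not part of the Auditor++ course material): strncpy copies at most n bytes and does not append a NUL when the source is at least n bytes long, so any later strlen, printf("%s") or strcpy over that buffer runs past its end into neighbouring stack data. The helper names (strncpy_leaves_unterminated, safe_copy) and the 8-byte buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Fill dst with stale bytes, then strncpy src into it exactly as a careless
 * caller would. Returns 1 if no NUL terminator ended up inside dst, which is
 * the non-termination bug: the buffer is now unsafe for any str* call. */
int strncpy_leaves_unterminated(const char *src, char *dst, size_t dstsz) {
    memset(dst, 'X', dstsz);      /* constructed: stands in for leftover stack data */
    strncpy(dst, src, dstsz);     /* no NUL written when strlen(src) >= dstsz */
    return memchr(dst, '\0', dstsz) == NULL;
}

/* Bounded copy that always NUL-terminates. Returns 1 if src was truncated so
 * the caller can treat over-long input as an error instead of silently
 * continuing with a clipped value. */
int safe_copy(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return 1;
    size_t n = strlen(src);
    int truncated = n >= dstsz;
    size_t to_copy = truncated ? dstsz - 1 : n;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return truncated;
}

int main(void) {
    char buf[8];
    const char *input = "0123456789";   /* constructed: 10 bytes, longer than buf */

    if (strncpy_leaves_unterminated(input, buf, sizeof buf))
        printf("strncpy: no terminator in %zu bytes, strnlen reports %zu\n",
               sizeof buf, strnlen(buf, sizeof buf));

    int trunc = safe_copy(buf, sizeof buf, input);
    printf("safe_copy: \"%s\" (truncated=%d)\n", buf, trunc);
    return 0;
}
```

Compiling with -fsanitize=address (covered under auditing tools below) turns the over-read that follows the unterminated copy into an immediate stack-buffer-overflow report rather than a silent information leak.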


Other coding

  • Memory leaks
  • Non-RAII leaks by exception handlers (C++)
  • File descriptor leaks


Using auditing tools

  • Drudget's C/C++ Flak Jacket and GCC's libasan (-fsanitize=address)
  • Drudget's Garbage collector and Valgrind
  • Boehm-GC
  • Drudget's Deadlock detector and Helgrind
  • GDB - debugging


