Session 1 (18/11/90)

 * Introduction to OllyDbg and Process Architecture

 * (from the beginning up to "Where did I come from? Exposing your history")

 * OllyDbg Download:
 * Altap Salamander: (first install it and then try to crack C:\Program Files\Altap Salamander\salamand.exe)

Session 2 (25/11/90)

 * Cracking sample software via patching: Altap Salamander
 * Cracking sample software via recognizing serial number: Crackme1.exe


Homework 1 (02/12/90)
 * Due date: 18/12/1390

Session 3 (2/12/90)

 * Introduction to process monitor tools: procmon
 * Introducing PE file format:
  * DOS Header
  * NT Header
  * Image Base and Relative Addresses
  * Sections and Section Headers
  * Dynamic Libraries and Import Table
  * Resources
 * Examples of Java and .Net Decompilers

 * Using procmon:
 * PE file format tutorial:

 * sysinternals tools pack:
 * procmon download:
 * peview download:
 * peid download:
 * A Java Decompiler:
 * A .Net Decompiler: (Exemplar.exe is guaranteed to work)
 * Examples of .Net applications to decompile (exe files are inside bin dir):

Session 4 (9/12/90)

 * Watching a stack buffer overflow.
  * Where function arguments and local variables are placed.
  * Function prologue and epilogue (compiler-generated instructions at function entry and exit).
  * Viewing the simple stack structure.
  * Overwriting stack data, especially the return address.


 * Sample code and executable:

Session 5 (15/1/91)

 * Exploiting a stack overflow.
  * Finding the return address offset when overflowing the stack.
  * Finding a good place for EIP to go: a fixed-address "JMP ESP" instruction.
  * Guiding EIP to our shellcode location, filled first with CC bytes ("INT 3", the instruction equivalent to a debugger breakpoint).
  * Replacing the CCs with our test shellcode: opening calc.exe.
 * Demonstrating an exploit inside a malformed PDF file that attacks Adobe Reader 7.
 * Demonstrating a privilege escalation exploit on a Windows XP SP2 system that has not been updated.

 * Test the above experiments only on Windows XP (newer versions of Windows, such as Vista or 7, have more advanced security features that may prevent these attacks; we will cover some of these features in the following sessions).


 * The Python script to attack OverflowServer:
 * To run Python scripts on Windows, install ActivePython:
 * Malformed PDF file that attacks Adobe Reader 7.0.0 ~ 7.0.9 (do not hesitate to look inside this file; go to the end of the file, where you will find JavaScript text!): AdobeReader-Attack.pdf
 * Adobe Reader 7.0 download link:
 * Privilege escalation exploit:

Session 6 (22/1/91)

 * Preventing buffer overflows or their exploitation:
  * Another example of a buffer overflow: OverflowCommand.exe
  * Using safe APIs
   * For example, using strcpy_s instead of strcpy.
   * Visual Studio warns on the use of most unsafe APIs.
   * OverflowCommand-Fixed.exe (strcpy_s terminates the program when the buffer size is insufficient).
   * OverflowCommand-Continue.exe (the best situation: strcpy_s does not overrun the buffer and the program continues to run).
  * Stack Cookies (/GS compiler option)
   * Explanation of stack cookies and the compiler-generated code that stores and checks these cookies on the stack.
   * OverflowServer-WithStackCookie.exe
   * Stack cookies can be bypassed by overwriting SEH chains (there are also other techniques to bypass stack cookies).
  * SEH chain and SafeSEH feature
   * Brief description of exception handling implementations and SEH chains.
   * Brief description of the SafeSEH feature, which prevents exploitation of SEH pointers.
    * A SafeSEH module is one in which SEH pointers may only point to registered handler addresses (these addresses are listed by the compiler in a table inside the PE file).
    * If an SEH pointer points to an address inside a SafeSEH module that is not registered, the system terminates the program immediately.
    * Attackers cannot search SafeSEH modules for useful instruction sequences (e.g. POP POP RET) to use as handler addresses.
   * SafeSEH was not a strong prevention technique (at least in Windows XP and below) because:
    * For a program to be safe, all of its modules must be SafeSEH, which is rare.
  * DEP
   * Description of the DEP feature and the NX bit in the CPU architecture.
   * Process Explorer: a Sysinternals application that shows process details (after adding the DEP column, it shows which processes have DEP enabled).
   * Showing how to enable DEP for all processes in Windows.
   * OverflowServer-PermDEP.exe: an application that has DEP enabled on Windows XP SP3 and above, independent of Windows settings (DEP is enabled automatically in Windows Vista and above).
  * ASLR
   * Description of the ASLR feature (introduced in Windows Vista and above).
   * The compiler must generate a relocatable executable module.
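As an added illustration of the stack-cookie mechanism listed above (this is not the course's OverflowServer-WithStackCookie.exe code), the C program below models a /GS-protected frame: the prologue stores a cookie derived from the process-wide cookie and the frame address, an oversized copy runs over it, and the epilogue check catches the corruption. The frame layout, the fixed cookie value and the function names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a /GS-protected x86 frame (constructed for this demo, not the
 * course's sample code): the local buffer sits at the lowest address, the
 * cookie just above it, then the saved frame pointer and return address. */
struct gs_frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_ebp;
    uint32_t return_addr;
};

/* Stand-in for the CRT's per-process random __security_cookie. A fixed
 * value is used here only so the demo is reproducible. */
static const uint32_t security_cookie = 0x9F3A51C7u;

/* Prologue as /GS emits it: cookie = __security_cookie XOR frame address
 * (the real code XORs with EBP), stored between the locals and saved EBP. */
static void gs_prologue(struct gs_frame *f) {
    f->cookie = security_cookie ^ (uint32_t)(uintptr_t)f;
}

/* Epilogue: __security_check_cookie recomputes and compares. Returns 1 if
 * the cookie is intact, 0 if the locals overran into it. */
static int gs_check_cookie(const struct gs_frame *f) {
    return (f->cookie ^ (uint32_t)(uintptr_t)f) == security_cookie;
}

/* Copies `len` input bytes into the frame starting at buf, as an unbounded
 * strcpy would, but clamped to the frame so the demo itself stays
 * memory-safe. Returns the epilogue verdict: 1 = ok, 0 = cookie smashed. */
int copy_into_frame(const char *input, size_t len) {
    struct gs_frame f;
    memset(&f, 0, sizeof f);
    f.return_addr = 0x00401000u;          /* pretend caller address */
    gs_prologue(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);               /* buf is at offset 0 of the frame */
    return gs_check_cookie(&f);
}

int main(void) {
    char big[40];
    memset(big, 'A', sizeof big);         /* constructed oversized input */
    printf("short input: cookie %s\n", copy_into_frame("hello", 6) ? "intact" : "smashed");
    printf("40 x 'A'   : cookie %s\n", copy_into_frame(big, sizeof big) ? "intact" : "smashed");
    return 0;
}
```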

 * Safe APIs:
 * Stack cookies, brief description:
 * Stack cookies, their implementation (compiler-generated code for inserting and checking stack cookies), bypassing stack cookies, SEH chains, abusing SEH chains to bypass stack cookies, and more. This is a very long tutorial; review it up to "Stack cookie bypass demonstration 2 : Virtual Function call". The author uses the WinDbg debugger (instead of OllyDbg). Link:
 * SafeSEH feature:
 * Exploitation tutorial using SEH overwrite. It describes SEH chains, SafeSEH, and many more exploitation details (which are not necessary to know):
 * Description of DEP and how to enable it for all applications:
 * What is ASLR:

* Overflow Command source code and executables:
* Process Explorer (inside sysinternals):

Session 7 (29/1/91)

* How to generate shellcodes (using Metasploit)
* Format String Attacks and their prevention
 * Never pass user-controlled strings as format strings.
* Dangling pointers: dangers and prevention.
* Integer overflows: an introduction.
* Reviewing code for these vulnerabilities, and tools.
* An introduction to fuzz testing and fuzzers

* Format String Attack:
* Format String Attack again (view via proxy):
* Description of dangling pointers and prevention techniques:
* Exploiting dangling pointers (out of course score, just for curious students):
* Firefox 3.6 patched vulnerabilities (look for buffer and integer overflows):
* Recent integer overflow vulnerability in OpenSSL (the encryption library used by most browsers and applications):
* Integer overflows (only the first paragraphs were covered in class):
* Integer overflows again (good exploitable example):
* Chrome patch of libpng integer overflow (view via proxy):
* List of secure versions of C functions:
* Code review hints (view via proxy):
* What is fuzz testing?:

* Metasploit 2.8 for Linux (Run ./msfweb and connect to port 55555 via a browser): metasploit-2.8-linux.tar.gz
* Advanced tools that integrate with the compiler and try to detect and prevent memory management vulnerabilities (such as dangling pointers):
* A list of general fuzzers:

Session 8 (5/2/91)

* Introduction to web applications:
 * HTTP request and response; structure and the headers.
 * Static web site vs. dynamic web application.
 * Methods of sending data: GET and POST parameters.
 * Basic HTML forms.
 * Client-side scripts; e.g. JavaScript.
* Introduction to the SQL injection attack
 * Databases in web application architecture
 * Sample attacks via a GET parameter

* HTTP Protocol:
* HTML Tutorial:
* In particular, see these sections: Intro, Forms, IFrames.
* Javascript Tutorial:
* PHP Tutorial:
* In particular, see these sections: Intro, Forms, GET, POST, Include, Cookies, MySQL Intro.
* Slides of Web Application Security: WebSlides.pptx
* SQLi concept and exploits:

* DVWA, an insecure web application for testing:
* See installation steps in README.txt
* You must install Apache, PHP, MySQL, and php-mysql library first.
* To install these on Ubuntu Linux: aptitude install apache2 php5 mysql-server php5-mysql
* Set security level to low.

Session 9 (12/2/91)

* SQL Injection completed: see slides.
* SQLi prevention.
* SQLi tests on DVWA.

* Slides of Web Application Security: WebSlides.pptx

* Parameterized SQL statements in PHP:

Session 10 (19/2/91)

* XSS Attack: see the slides.

* Slides of Web Application Security: WebSlides.pptx
* Same-Origin Policy:

Session 11 (26/2/91)


* OWASP TOP 10 Presentation: OWASP_Top_10_-_2010 Presentation.pptx
* OWASP TOP 10 Document: OWASP Top 10 - 2010.pdf

* ESAPI for PHP:

Session 12 (9/3/91)

* Brief introduction to web application penetration testing.
* Transport Layer Security: SSL and TLS.

* Public Key Infrastructure:
* SSL/TLS Protocol:

* Acunetix (PenTest tools for web applications)