Presentation Material

Abstract

This talk shall focus on exploit development from vulnerabilities. We have seen many postings on security forums which vaguely describe a vulnerability, or sometimes provide a “proof-of-concept” exploit.

The Metasploit Framework is a powerful tool to assist in the process of vulnerability testing and exploit development. The framework can also be used as an engine to run exploits, with different payloads and post-exploitation mechanisms.

In this talk, we shall look at how we can construct exploits from published vulnerabilities, using facilities provided by the Metasploit framework. A Unix and a Windows vulnerability example shall be covered. Next we shall demonstrate how to write this exploit as a Metasploit plug-in, so that it can be integrated into the Metasploit Framework.

Participants shall get insights into discovery and verification of vulnerabilities, finding the entry points, gaining control of program flow, choices of shellcode and finally writing a working exploit for the vulnerability. Participants shall also get an overview of Metasploit’s internal modules and how to integrate custom exploits with the Metasploit framework.

Optional “bring-your-own-laptop”: This session can be designed to be quite interactive, if a local area network (wired or wireless) is available during the session. All along, participants can following the steps on their own laptops. I shall be hosting an exploit lab, which participants can connect to and try out their exploits.