Practical Android Exploitation
blackhat 2017 debut sold out!
Overview:
Xipiter co-authored the Android Hacker's Handbook, a leading text on Android security, reverse engineering, and development. The Practical Android Exploitation course from Xipiter is a comprehensive course that teaches Android security end to end. Students get hands-on experience with the Android SDK/NDK and related toolchains and use that knowledge to write and analyze exploits and malware on Android. In this course participants exploit userland and kernel Android vulnerabilities, and discuss jailbreaks and the various attack surfaces of Android applications. This class is intended to be an indispensable training for mobile developers, forensics investigators, software security professionals, pen-testers, and others. In this class participants will:
- Analyze real Jail-breaks and see how they work
- Write exploits against userland AND kernel
- Bypass modern protection mechanisms on Android (ASLR, XN, etc)
- Perform Dalvik reverse engineering and learn about the Android NDK
- Analyze Mobile Malware
- Perform hardware attacks on Mobile devices
Students of "Practical Android Exploitation" will get hands-on experience with the Android SDK/NDK and related toolchains and use that knowledge to write and analyze exploits on Android. This class is intended to be an indispensable training for mobile developers, forensics investigators, software security professionals, and others.
Participants of this course will also receive a complimentary copy of "The Android Hacker's Handbook".
Details:
Length: 4 days
Format: Lecture and Lab
Dates & Location:
To Be Announced
Contact us for a private on-site version of this course. (10 students or more)
Who Should Attend: Android developers, mobile developers, hackers, penetration testers, forensic investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jailbreakers.
What To Bring:
What Will Be Provided:
Participant Skillset: Students taking Practical Android Exploitation should have an intermediate software exploitation background on another architecture (such as x86). They should have hands-on familiarity with the following concepts:
Class Syllabus (Lab Exercises Only, the part you care about ;-):
- Slide Deck: Pre-Introduction (class/instructor intro): Instructor Bios, Course Outline/Schedule, Course Goals
- ** Lecture Presentations **
- Lab: IDA & GDB. Use GDB to debug/modify a faulty ARM app; rudimentary code injection.
- ** Lecture Presentations **
- Lab: Calling Convention and Executable File Formats. Use IDA and GDB in tandem to comprehend application flow and subvert the app.
- ** Lecture Presentations **
- Lab: Shellcoding. Review of dynamic linking in ELFs. Intro to authoring ARM shellcode. Students modify an assembly code stub, assemble it, and extract the shellcode to be loaded into a "loader" app.
- ** Lecture Presentations **
- Lab: Stack Overflow. Basics of stack overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting them with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The ridiculousness of NOP sleds...
- ** Lecture Presentations **
- Lab: Stack Overflow XN. Introduces the non-executable stack (XN) and how to subvert it with Return-to-Text (commonly, and inaccurately, referred to as "Return-to-LibC", or as we call it, "ROP Lite"). Students get stepped through a vulnerability to see how this works step by step. (We come back to the nuances of ROP gadget finding later in the course.)
- ** Lecture Presentations **
- Lab: Advanced Stack. Introduction to XN, ASLR, and stack cookies on ARM. Discuss and see examples of ways to subvert stack cookies (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites).
- ** Lecture Presentations **
- Lab: "ARM/Android: Got Stagefright?" As an homage to "Android Hacker's Handbook" lead author Joshua Drake (who found the Stagefright vulnerability), participants will exploit a vulnerability in MediaServer (Stagefright) when parsing a specific file format (the elusive ".vuln" file format, a fictitious but hand-crafted vulnerability we built into libstagefright).
- ** Lecture Presentations **
- Lab: "First Root: Two CVEs, One Cup". Participants will use two CVEs (CVE-2013-7263 & CVE-2013-6282) to exploit the kernel of Android 4.4.4 and gain privilege escalation to root the Android device.
- ** Lecture Presentations **
- Lab: "Second Root: JNI". Leveraging the NDK and JNI, participants will build an application to deliver a payload to the target Android device.
- ** Lecture Presentations **
- Lab: "Third Root: Exploiting Android 6.0". Participants will leverage the provided payload to deliver a native code application that will root an Android 6.0 device with SELinux.
- ** Slide Deck **
- Lab: "IntroApp: Hack An App". Participants will use static analysis to perform a "local" attack on a target Android application to obtain sensitive information from another Android app installed on the device.
- ** Lecture Presentations **
- Lab: "Intro to BakSmali". Leveraging BakSmali to decompile, and dynamic runtime analysis of native code, we will peer "into" the process space of a running Android app to see what data it is transferring in an otherwise un-man-in-the-middle-able encrypted communication with a server.
- ** Lecture Presentations **
- Lab: "Android Remote Exploitation: Chrome WebView". Participants will gain remote code execution in an application via a Chrome WebView.
- ** Lecture Presentations **
- Lab: "Binder: Spray your way to Success, system_server style!" In this lab participants are going to debug an app and heap-spray into system_server in preparation for an actual exploit.
- ** Lecture Presentations **
- Lab Extras: "UART on Android Devices". Participants will learn how to interface with a myriad of Android phones and devices (set top boxes, conferencing equipment, etc) via UART, as well as reverse engineer the pinouts of UART interfaces using a logic analyzer.
- ** Lecture Presentations **
- Lab Extra: "Android is Everywhere". Participants will download the firmware of a specific piece of VOIP/video conferencing equipment DIRECTLY from the manufacturer's website, unpack it, disassemble it, find the requisite parts (bootloader, filesystem, etc.), decompile the APKs, and go on a guided tour of the native code and Dalvik code that contain many interesting tidbits ;-)
- ** Slide Deck **
- Lab Extras: "How to use JTAG to 0wn Android Devices". Participants will "0wn" an Android device by leveraging the JTAG interface via a device's SD card pins!
See a sample of the Table of Contents of the Lab Manual!