What learning paths is this class used in?
Debugging, Reverse Engineering, Exploits
This is it! This is the class that *actually* teaches you how to exploit a race condition vulnerability leading to a use-after-free in the Kernel Transaction Manager (KTM) component of the Windows kernel. This class is meant to show the approach an exploit developer should take in attacking a previously unknown component in the Windows kernel.
The class is primarily focused around labs to teach the students what it takes to exploit a real-world vulnerability.
This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (`tm.sys`), a component that has not yet received much public scrutiny.
Even though students will learn a lot about the KTM component, we focus on our approach for analyzing this component as a new kernel component that we had no prior knowledge about. The methodology can be reused for any other unknown kernel component a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing the mitigations of specific Windows versions, but rather on the thought process behind exploring functionality to find useful unmitigated code paths, and on abusing the bug in ways that allow building powerful primitives that facilitate mitigation bypasses.
After this class, you'll know what it takes to develop an exploit targeting the Windows kernel. You must have taken OST2 Debuggers 3011, since we use that environment as the base for debugging and exploitation.
You must have taken OST2 Architecture 2821, or have equivalent knowledge of Windows internals.
Cedric (@saidelike) specialises in vulnerability research and exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published public research related to Cisco ASA, the Windows kernel, NAS devices, printers, etc.