Recon 2012

Bug Hunting and Analysis 0x65

This 3 day course is structured to impart upon the students the skills necessary to effectively utilize debuggers, disassemblers, and other tools to discover vulnerabilities in binary code. The curriculum will begin by introducing students to the tools and generic techniques that will enable them to actively participate in reversing applications during the rest of the course. This includes IDA Pro and WinDBG usage, thorough target application reconnaissance, organization, and tool development.

After gaining a basic understanding of the tools and techniques required, the instructors will spend time walking students through an applied exercise during which they will discover a remotely exploitable client-side 0day vulnerability (and have the knowledge to discover several hundred more in the same target). The instructors will then step through the vulnerability analysis and exploit writing process so that the students will have covered the entire lifecycle from vulnerability discovery to running shellcode in the remote process.

After all students have successfully written an exploit for the 0day, the instructors will switch focus to server-side vulnerabilities with a new target enterprise application. Students will learn how to reverse engineer an unknown network protocol from scratch, developing IDAPython scripts to aid in the process. By the end of the audit, each student will have discovered over 20 remotely exploitable 0day vulnerabilities in the product. The students will then perform a guided crash analysis of the discovered vulnerabilities, gathering enough information to aid in the final task of successfully exploiting one of these bugs.

On the final day, the students will be given a new server-side enterprise application to audit. This section will be more free-form, requiring the students to utilize the tools they have developed and the techniques they have learned to discover several vulnerabilities in the product.

Instructors: Aaron Portnoy and Zef Cekaj
Dates: 11-13 June
Availability: 25 Seats
Price: $3000 CAD before May 1, $3600 CAD after.

Class Requirements

Prerequisite Knowledge:
Prospective students should have basic x86 assembly fluency. Previous debugging experience is also required; our debugger of choice for this class will be WinDBG. Some familiarity with Python is a plus but not required. Our target platform will be Windows 2003; students should be comfortable operating in this environment. There are no host OS requirements besides supporting the prerequisite software identified below. Students should have all prerequisite software installed, licensed as necessary, and configured in their host operating environment prior to Day 1.

Prerequisite Software:
- VMware Workstation (trial is acceptable)
- WinDbg (if you're coming from another debugger: is a great resource)
- IDA Pro & IDAPython
- Python 2.6

Aaron Portnoy

Aaron Portnoy is the Manager of the Security Research Team at TippingPoint Technologies. His group is responsible for reverse engineering vulnerability submissions to the Zero Day Initiative program, discovering new 0day vulnerabilities in enterprise software, developing tools to aid in these processes, and architecting competitions such as Pwn2Own.

Aaron has discovered critical exploitable vulnerabilities affecting a wide range of vendors including, but not limited to: Microsoft, Adobe, RSA, Novell, Symantec, HP, IBM, SAP, and VMware. He has presented original research in the areas of reverse engineering and vulnerability discovery at conferences such as BlackHat, CanSecWest, BlueHat, RSA, and RECon. Additionally, Aaron has been an invited speaker at the National Security Agency, has been referenced in several published books, and guest lectures on reverse engineering at the Polytechnic Institute of NYU each fall.

Zef Cekaj

Zef Cekaj is a security researcher specializing in vulnerability reversing and discovery. He has reversed and documented hundreds of vulnerabilities and has a history of vehemently arguing with vendors over email regarding exploitability of bugs in their products. Consequently, he enjoys winning such arguments by demonstrating exploits on live systems.

His primary interests are in the exploitation of server side vulnerabilities and mitigation circumvention. He is currently researching identified vulnerabilities in popular sandboxing implementations so that he may contribute to The Movement to Liberate Shellcodes, of which he is a founder.
