If you’re lucky enough to be in Vegas these next few days for Defcon 16, you really should drop by Immunity’s booth to pick up another certification to put behind your name (apparently free). The appropriately acronym’d NOP (Network Offense Professional) certification is more than a little tongue-in-cheek, however it’s basic enough to be a good “put up or shut up” for those who claim to have some skills and understanding of basic exploitation.
Here’s the announcement:
Immunity is proud to announce the launch of our new certification, the
Network Offense Professional (NOP) at Defcon. NOP will allow prospective
employers to know that you have the capabilities needed to understand
the complex issues at the heart of information security.
Specifically, to obtain the certification you will need to write a
buffer overflow from scratch within a certain time period. You will
first find the buffer overflow by reverse engineering a target program,
and then obtain a shell from it or execute a command. This is a hands-on
certification, not a paper test. Immunity Debugger, Immunity CANVAS, and
VisualSploit will be available to you during the certification process
to enable you to write the exploit quickly. The target process will be
running on a Windows 2000 SP4 machine.
Successfully completing the challenge will allow you to use the NOP
signifier after your name and will potentially allow you to obtain
discounts of Immunity products.
Taking the NOP certification is on a first come first serve basis. Come
to the Immunity Defcon booth and try your hand.
Any inquiries can be sent to admin_at_immunityinc.com.
VP Media Relations
It’s also meant as a way to show off just how easy Visual Sploit is to use. I haven’t personally used it, but today, Dave posted a really great flash video demonstrating its use in developing a simple buffer overflow exploit:
Really easy stuff there. If you understand the concepts of how buffer overflows work, then that video should show you how easy it is to throw an exploit together. Very clean procedure:
- Demonstrates that the return pointer can be overwritten, by passing a large strings of A’s and seeing 0×41414141 in EIP
- Finds an exact offset for the return pointer by passing a string of AAAABBBBCCCC… and seeing what winds up in EIP
- Since the buffer is sitting at the stack pointer, an exact jump can be made to the shellcode by returning to a “jmp esp” that’s already in memory.
- Drops a “shellcode” of “int 3″ repeated, so the debugger will break and we can see that it worked.
Cool stuff! Wish I was in Vegas to take the test