SANS Penetration Testing

SEC760 Prep Quiz Answers

[Editor's Note: Steve Sims just released a brand new advanced course offered by SANS on advanced exploit development. It's amazing and intense stuff. To help people determine whether they have the background skill set to prepare them for the course, Steve wrote a pretty cool little quiz. The brief, 10-question quiz will give you an idea of what you need to know to take the course, and it'll also help you measure your own skills. Check out Steve's description of the course below, take the quiz, and then see how you stack up in preparedness for the course! -Ed.]

Below are the answers for the 760 Prep Quiz answers. For more details about the course and the quiz, please click here.

Correct answers are in red bold font.

By Stephen Sims

 

SEC760 10 Question Exam Answers

1) Which of the following functions is most commonly used to disable Data Execution Prevention (DEP) inside of a Windows process?

a) VirtualAlloc()
b) WriteProcessMemory()
c) VirtualProtect()
d) NtSetInformationProcess()

Answer: A and C - VirtualAlloc() and VirtualProtect() | While each of these functions is capable of being used to disable DEP, VirtualAlloc() and VirtualProtect() are the most commonly used. NtSetInformationProcess() is the easiest, but is no longer supported as of Windows 7.

 

2) Windows 10 is a ____ ring processor access mode operating system?

a) 1
b) 2
c) 3
d) 4

Answer: B - 2 | Windows has always been a two-ring model operating system, kernel-land (ring 0) and userland (ring 3). This is the case for the majority of operating systems in existence today.

 

3) Which of the following is the only native Ring 0 debugger?

a) WinDbg
b) GDB
c) OllyDbg
d) Immunity Debugger

Answer: A - WinDbg | WinDbg is the only debugger that natively supports Ring 0 debugging. Immunity Debugger and OllyDbg have no support outside of Ring 3, and GDB requires modification.

 

4) Which of the following Windows 32-bit virtual addresses can a Ring 3 debugger never access?

a) 0x00000000
b) 0xFFFFFFFF
c) 0x7FFD0000
d) 0x13371337

Answer: B - 0xFFFFFFFF | On a default Windows 32-bit OS, even one supporting PAE, 0xFFFFFFFF is the only address listed that cannot be accessed by a Ring 3 debugger. Without PAE, userland virtual memory ends at 0x7FFFFFFF, and with PAE userland virtual memory ends at 0xBFFFFFFF. If you said answer "a," and said it specifically because Windows 8 offers null pointer dereference protection, then you get a point for thinking ahead of the curve!

 

5) True or False: Control Flow Guard (CFG works by mandating that an endbr32/endbr64 be the first instruction executed during an indirect function call.

Answer: False - CFG works by building a bitmap of function entry points at compile-time and is checked during indirect calls. The endbr32/endbr64 is in relation to Control Flow Integrity (CFI) protection.

6) In a 64-bit Windows application, the RBP register is most commonly used for which of the following purpose?

a) General Purpose Register
b) Base Pointer on the Stack
c) Pointer to Driver I/O
d) Extension of the Stack Pointer

Answer: A - General Purpose Register | On 64-bit operating systems running 64-bit applications, the RBP register is not often used as the base pointer on the stack like on 32-bit processes. This is due to the fact that there are eight additional general purpose registers available on 64-bit processors, r8 — r15, which can be used to hold arguments. Compiler settings will influence the usage of RBP.

 

7) Which of the following would properly result in C++ function overloading? (Choose Two)

a) Same function name, different data types
b) Same function name, different number of arguments
c) Same function name, different buffer size
d) Same function name, different number of virtual functions

Answer: A & B - C++ function overloading is used when two functions within the same scope have the same name, but utilize different data types, or a different number of arguments. The function is typically the same otherwise.

 

8) Which of the following stack pivot gadgets would not preserve a pointer to the original stack frame in eax?

a) push eax
mov eax, esp
pop esp
retn

b) xchg esp, eax
pop eax
push esp
retn

c) mov ebp, eax
mov eax, esp
mov esp, ebp
retn

d) xchg esp, eax
retn

Answer: B - Option "b" is the only one that would overwrite EAX by popping a value into it after the exchange. It does successfully pivot at first, but then clobbers EAX. Also, we return and execute what ESP is pointing to (object vptr), which is useful, but not as common as holding a pointer at this location during use-after-free attacks.

 

9) Consider the following code:

int x_value = 99;
int* x = &x_value;

Which of the following lines of code would properly dereference "x" to get the value of "x_value?"

a) cout << &x;
b) cout << *x;
c) cout << **x;
d) cout << *&x;

Answer: B - cout << *x; | Answer "b" successfully dereferences "x" to access the value held at the variable x_value.

 

10) Consider the following ASM:

mov eax, cr3
mov cr3, eax

Which of the following is the result of the above execution?

a) Nothing at all
b) The page directory is simply copied
c) Timing operation
d) Translation Lookaside Buffers are flushed

Answer: D - TLB's are flushed | The TLB's are flushed with the code sequence shown. This is often performed during context switching and requires the page table entries to be walked again. There has been much research performed in ways to preserve the process-specific TLB's between context switches to save resources.

I hope you enjoyed the quiz!

-Stephen Sims
stephen@deadlisting.com

 

SANS Note:

For a listing of upcoming opportunities to take "SANS SEC760: Advanced Exploit Development for Penetration Testers,

 

3 Comments

Posted September 18, 2013 at 6:47 PM | Permalink | Reply

@~

Question 8's text is missing some spaces: "gadgets wouldnotpreserve a"
I didn't pass today, but am taking SEC660 in November. See you soon.

Posted October 5, 2013 at 8:07 AM | Permalink | Reply

Abdul GHaffar Afzal

i like to join please

Posted October 5, 2013 at 10:59 AM | Permalink | Reply

Ed Skoudis

We'd be happy to have you participate! The first offering of the 760 class is in 9 days in Baltimore! Check it out here: http://www.sans.org/event/sec760-advanced-exploit-development-for-penetration-testers/course/advance-exploit-development-pentetration-testers

Post a Comment






Captcha


* Indicates a required field.