Hacking the Future: 12 Years at Exodus and the Next Big Leap

Tl;dr – We are hiring engineers, analysts, and researchers.

This May marked our 12th year of producing world-class vulnerability intelligence at Exodus Intelligence. We have had many ups (and downs) and have worked with a variety of talented people over the years whose collective contributions have made us who we are today. Throughout our history we have stayed true to our founding mission of maintaining a hacking culture, made by hackers, for hackers. We challenge and pride ourselves on researching some of the hardest targets, across a diversity of platforms and operating systems. As a team we have analyzed (I’m talking weeks-long, thorough root cause analysis) more than 1,600 Nday and discovered over 400 0day in enterprise products. Whether software, hardware, server side, client side, IoT… our experts have done it all.

It has been a bit of a waiting game for the industry to build an appreciation for vulnerability intelligence, let alone Zeroday vulnerability intelligence. I would argue that the industry is finally there, and with the help of a lot of the big companies, there are products that can effectively detect and defend against this category of risks.

There is still a degree of “wild west” in the industry where it is hard to design and maintain standards for reporting, tracking and cataloging vulnerabilities (CVE, CVSS, CNAs, CPEs, SBOM,…). At Exodus we have always focused on the core research as our wheelhouse and put less effort on the website, front end, and engineering work that drives how people view, search and ingest our data. The market demands it now.

We are at an inflection point and aim to make our data more widely available and develop what tools we can to aggregate, enrich and curate all the public data, marry it with our own discoveries and analysis, and distribute it to our customers. We have developed integrations for Splunk, Demisto (Cortex XSOAR), Slack, and Recorded Future, to name a few examples, but the engineering lift is large, and the research support required is immense. Even as we jump on the GenAI bandwagon with everyone else and invest in LLM, ML and AI, that technology is only as good as its input data, so our researchers will need to spend the requisite time and effort training these models.

Now to the point of this post: we are hiring. We are looking for engineers with a special motivation to understand these challenges and a passion to build solutions that chip away at the problems. We intend to make some of this tooling, code, and data available to the public, so the engineers we bring onboard should have an appreciation for open source code. While we’re always looking for elite researchers to join the team, these engineering efforts will soon unlock the need for an army of analysts who are interested in coverage of public data an inch deep and a mile wide. We will have the incentives and mentorship in place to refine and develop skills towards hacking more difficult targets and research, but for the first time we will be opening our doors to entry-level analysts with the motivation to learn and gain unparalleled experience in the world of vulnerability research.

Current openings include:

  • Full-Stack Software Engineer
  • Web Browser Vulnerability Researcher
  • Mobile Vulnerability Researcher
  • Zero-Day Vulnerability Researcher
  • N-Day Vulnerability Researcher

Please apply at our careers page.

The post Hacking the Future: 12 Years at Exodus and the Next Big Leap appeared first on Exodus Intelligence.

Vulnerability Assessment Course – Summer 2024

This course introduces vulnerability analysis and research with a focus on Ndays. We start with understanding security risks and discuss industry-standard metrics such as CVSS, CWE, and MITRE ATT&CK. Next, we explore what a detailed analysis of a CVE contains, including vulnerability types, attack vectors, source and binary code analysis, exploitation, and detection and mitigation guidance. In particular, we discuss how the efficacy of high-fidelity detection schemes is predicated on gaining a thorough understanding of the vulnerability and its exploitation avenues.

Next, we look at the basics of reversing by introducing tools such as debuggers and disassemblers. We look at various bug classes and talk about determining risk just from the title and metadata of a CVE. We note that predicting the severity and exploitability of a vulnerability requires knowledge of the common bug classes and exploitation techniques. To this end, we perform deep-dive analyses of a few CVEs that cover different bug classes such as command injection, insecure deserialization, SQL injection, stack and heap buffer overflows, and other memory corruption vulnerabilities.

By the end of the training, the attendee can expect to have gained familiarity with several vulnerability types and research tools, and to be aware of the utility and limitations of detection schemes.

Emphasis

To prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

Prerequisites

  • Computer with the ability to run virtual machines (recommended 16GB+ memory)
  • Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro or Ghidra experience a plus.

No prior vulnerability discovery experience is necessary.

Course Information

Attendance will be limited to 25 students per course.

Cost: $4000 USD per attendee

Dates: July 9 – 12, 2024

Location: Washington, D.C.

Syllabus

Vulnerability and risk assessment

  • Nday risk and patching timelines
  • Vulnerability terminology: CVE, CVSS, CWE, MITRE ATT&CK, Impact, Category
  • Risk assessment
  • Vulnerability mitigation

Binary and code analysis

  • Reverse engineering tools such as debuggers, disassemblers
  • Deep dive into command injection, SQL injection, and insecure deserialization, with case studies and hands-on practicals.
  • Deep dive into buffer overflows and other memory corruption vulnerabilities, with case studies and hands-on practicals.

Analysis Enrichment

  • Qualitative risk assessment
  • Patch analysis
  • Understanding mitigation techniques
  • Writing detection guidance

The post Vulnerability Assessment Course – Summer 2024 appeared first on Exodus Intelligence.

Public Mobile Exploitation Training – Summer 2024

This 4-day course is designed to provide students with both an overview of the Android attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed mobile platforms.

Taught by senior members of the Exodus Intelligence Mobile Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands-on with privilege escalation techniques within the Android kernel, mitigations, and execution migration issues, with a focus on MediaTek chipsets.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 8GB+ memory)
  • Some familiarity with: IDA Pro, Python, C/C++.
  • ARM assembly fluency strongly recommended.
  • Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python.

Course Information

Attendance will be limited to 12 students per course.

Cost: $5000 USD per attendee

Dates: July 15 – 18, 2024

Location: Washington, D.C.

Syllabus

Android Kernel

  • Process Management
    • Important structures
    • Memory Management
  • Kernel Synchronization
  • Memory Management
    • Virtual memory
    • Memory allocators
  • Debugging Environment
    • Build the kernel
    • Boot and Root the kernel
    • Kernel debugging
  • Samsung Knox/RKP
  • SELinux
  • Type of kernel vulnerabilities
    • Exploitation primitives
    • Kernel vulnerabilities overview
    • Heap overflows, use-after-free, info leakage
  • Double-free vulnerability (radio)
    • Exploitation – convert the double free into a use-after-free of a struct page
  • Double-free vulnerability (untrusted_app)
    • Vulnerability overview
    • Technique 1: type confusion to obtain write access to globally shared memory
    • Technique 2: UaF that can lead to arbitrary RW in kernel memory

Mediatek / Exynos baseband

  • Introduction
    • Exynos baseband overview
    • Mediatek baseband overview
  • Environment
  • Previous research
  • Analysis of the modem
  • Emulation / Fuzzing
  • Rogue base station
  • Secure boot
  • Mediatek boot rom vulnerability
    • Vulnerability overview
    • Exploitation
    • Using brom exploit to patch the tee
  • Baseband debugger
    • Write the modem physical memory from EL1

The post Public Mobile Exploitation Training – Summer 2024 appeared first on Exodus Intelligence.

Public Browser Exploitation Training – Summer 2024

This 4-day course is designed to provide students with both an overview of the current state of the browser attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, and advanced exploitation of widely deployed browsers such as Google Chrome.

Taught by senior members of the Exodus Intelligence Browser Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands-on with privilege escalation techniques within JavaScript implementations, JIT optimizers, and rendering components.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 8GB+ memory)
  • Prior experience in vulnerability research, but not necessarily with browsers.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates: July 15 – 18, 2024

Location: Washington, D.C.

Syllabus

  • JavaScript Crash Course
  • Browsers Overview
    • Architecture
    • Renderer
    • Sandbox
  • Deep Dive into JavaScript Engines and JIT Compilation
    • Detailed understanding of JavaScript engines and JIT compilation
    • Differences between major JavaScript engines (V8, SpiderMonkey, JavaScriptCore)
  • Introduction to Browser Exploitation
    • Technical aspects and techniques of browser exploitation
    • Focus on JavaScript engine and JIT vulnerabilities
  • Chrome ArrayShift case study
  • JIT Compilers in depth
    • Chrome/V8 Turbofan
    • Firefox/SpiderMonkey Ion
    • Safari/JavaScriptCore DFG/FTL
  • Types of Arrays
  • v8 case study
    • Object in-memory layout
    • Garbage collection
  • Running shellcode
    • Common avenues
    • Mitigations
  • Browser Fuzzing and Bug Hunting
    • Introduction to fuzzing
    • Pros and cons of fuzzing
    • Fuzzing techniques for browsers
    • “Smarter” fuzzing
  • Current landscape
  • Hands-on exercises throughout the course
    • Understanding the environment and getting up to speed
    • Analysis and exploitation of a vulnerability

The post Public Browser Exploitation Training – Summer 2024 appeared first on Exodus Intelligence.

Public Mobile Exploitation Training – Fall 2023

Mobile Exploitation Training

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available, in-person training on November 14, 2023 in London, England.

This 4-day course is designed to provide students with both an overview of the Android attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed mobile platforms.

Taught by senior members of the Exodus Intelligence Mobile Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands-on with privilege escalation techniques within the Android kernel, mitigations, and execution migration issues, with a focus on MediaTek chipsets.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 1GB+ memory)
  • Some familiarity with: IDA Pro, Python, C/C++.
  • ARM ASM fluency strongly recommended.
  • Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python 2.7+.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates: November 14 – 17, 2023

Location: the London, UK area

Syllabus

Android Kernel

  • Process Management
    • General overview
    • Important structures
  • Kernel synchronization
  • Memory Management
    • General overview
    • Virtual memory
    • Memory allocators
  • Debugging environment
    • Build the kernel
    • Boot and Root the kernel
    • Kernel debugging
    • demo
  • SELinux
  • Samsung Knox/RKP
  • Types of kernel vulnerabilities
    • Exploitation primitives
    • Kernel vulnerabilities overview
    • Heap overflows, UAF
    • Info leakage
  • [CVE-various] Mali GPU bug
    • Mali GPU
    • Vulnerability overview
    • Exploitation
  • [CVE-2020-0466] double-free vulnerability
    • Vulnerability overview
    • Exploitation
      • Type confusion to obtain write access to globally shared memory
      • UAF which can lead to arbitrary read and write of kernel memory
  • [CVE-2021-22600] double-free vulnerability
    • Vulnerability overview
    • Exploitation – convert the double free into a use-after-free of a struct page

Mediatek / Exynos baseband

  • Introduction
    • Exynos baseband overview
    • Mediatek baseband overview
  • Environment
  • Previous research
  • Analysis of the modem
  • Emulation / Fuzzing
  • Rogue base station
  • Secure boot
  • Mediatek boot rom vulnerability
    • Vulnerability overview
    • Exploitation
  • Baseband debugger
    • Use brom exploit to patch the tee
    • Write the modem physical memory from EL1

The post Public Mobile Exploitation Training – Fall 2023 appeared first on Exodus Intelligence.

Public Browser Exploitation Training – Fall 2023

Browser Exploitation Training

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available, in-person training on November 14, 2023 in London, England.

This 4-day course is designed to provide students with both an overview of the current state of the browser attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, and advanced exploitation of widely deployed browsers such as Google Chrome and Apple Safari.

Taught by senior members of the Exodus Intelligence Browser Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands-on with privilege escalation techniques within JavaScript implementations, JIT optimizers, and rendering components.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 1GB+ memory)
  • Some familiarity with: IDA Pro, Python, C/C++.
  • ASM fluency.
  • Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python 2.7+.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates: November 14 – 17, 2023

Location: the London, UK area

Syllabus

  • JavaScript Crash Course
  • Browsers Overview
    • Architecture
    • Renderer
    • Sandbox
  • Deep Dive into JavaScript Engines and JIT Compilation
    • Detailed understanding of JavaScript engines and JIT compilation
    • Differences between major JavaScript engines (V8, SpiderMonkey, JavaScriptCore)
  • Introduction to Browser Exploitation
    • Technical aspects and techniques of browser exploitation
    • Focus on JavaScript engine and JIT vulnerabilities
  • Chrome ArrayShift case study
  • Safari NaN Speculation case study
  • JIT Compilers in depth
    • Chrome/V8 Turbofan
    • Firefox/SpiderMonkey Ion
    • Safari/JavaScriptCore DFG/FTL
  • Chrome ArrayShift case study exploitation
    • Object in-memory layout
  • Types of Arrays
  • Chrome ArrayShift case study exploitation continued
    • Garbage collection
  • Running shellcode
    • Common avenues
    • Mitigations
  • Browser Fuzzing and Bug Hunting
    • Introduction to fuzzing
    • Pros and cons of fuzzing
    • Fuzzing techniques for browsers
    • “Smarter” fuzzing
  • Current landscape
  • Hands-on exercises throughout the course
    • Understanding the environment and getting up to speed
    • Analysis and exploitation of a vulnerability

The post Public Browser Exploitation Training – Fall 2023 appeared first on Exodus Intelligence.

Vulnerability Assessment Course – Spring 2023

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available, in-person training on March 28, 2023 in Austin, TX.

The intermediate course, titled the Vulnerability Assessment Class, covers a wide range of vulnerability and exploitation related topics and is intended for the beginner to intermediate level practitioner. This course is intended to prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

Attendees should plan to travel and arrive prior to Tuesday, March 28th. The course work will conclude on Friday, March 31st, 2023.

Seating is limited: since this training will be in person, only a limited number of seats are available.

**Later this year we will also be offering an updated version of our popular Vulnerability Development Master Class. This course will cover advanced topics such as dynamic reverse engineering, kernel exploitation concepts, browser exploitation, mitigation bypasses, and other topics. Later this year we will also be offering our Mobile Vulnerability Exploitation Class. This class will cover advanced topics concerning mobile platforms.

Vulnerability Assessment Class

This 4-day course is designed to provide students with a comprehensive and progressive approach to understanding vulnerability and exploitation topics on both the Linux and Windows platforms. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into the various types of vulnerabilities exploited today, static and dynamic reverse engineering, vulnerability discovery, and exploitation of widely deployed server and client-side applications. This class will cover a lot of material and move very quickly.

Prerequisites

  • Computer with the ability to run virtual machines (recommended 16GB+ memory)
  • Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro or Ghidra experience a plus.
  • No prior vulnerability discovery experience is necessary

Pricing and Registration

The cost for the 4-day course is $4000 USD per student. You may register and pay below, or you can e-mail [email protected] to register and we will supply a purchase order.

Syllabus

Vulnerability and risk assessment

  • NDay risk and patching timelines
  • Vulnerability terminology: CVE, CVSS, CWE, MITRE ATT&CK, Impact, Category
  • Risk assessment
  • Vulnerability mitigation

Web-based vulnerabilities

  • Basics of HTTP
    • Format of HTTP request and response, URI
    • Command injection and directory traversal attacks
    • Cross-site scripting and cross-site request forgery
  • XML External Entity attacks
  • Request smuggling
  • SQL injection
  • Deserialization

Modules include examples of affected CVEs and practicals.

Binary exploitation

  • Basics of binaries
    • Platforms: Linux and Windows
    • x86 assembly, PE, and ELF formats
    • Stack, heap, dynamic modules
    • PIE, ASLR, DEP
  • Tools
    • Ghidra, WinDbg, and gdb
  • Stack buffer overflow
    • OS/Theme: Linux
    • Return to shellcode, return to libc, stack pivot, etc.
    • Linux-based practical and demo
  • Use after free
    • OS/Theme: Windows
    • Overview of NT Heap, LFH
    • Practical and demo

The post Vulnerability Assessment Course – Spring 2023 appeared first on Exodus Intelligence.