EXP 301 Syllabus

This document outlines the syllabus for the EXP 301 OSED exploit development course. The course covers various topics related to Windows exploit development, such as stack overflows, SEH overflows, IDA Pro, bypassing ASLR and DEP, format string vulnerabilities, and reverse engineering challenges. It lists the learning modules, units within each module, and the overall goal of providing students the skills to perform Windows exploit development.


EXP 301 OSED Syllabus

Windows User Mode Exploit Development OSED Syllabus

Learning Modules and Learning Units

Windows User Mode Exploit Development: General Course Information
    About the EXP 301 Course
    Provided Materials
    Overall Strategies for Approaching the Course
    About the EXP 301 VPN Labs
    About the OSED Exam
    Wrapping Up

WinDbg and x86 Architecture
    Introduction to x86 Architecture
    Introduction to Windows Debugger
    Accessing and Manipulating Memory from WinDbg
    Controlling the Program Execution in WinDbg
    Additional WinDbg Features
    Wrapping Up

EXP 301 OSED - Copyright ©2023 OffSec Ltd. All rights reserved.

Exploiting Stack Overflows
    Stack Overflows Introduction
    Installing the Sync Breeze Application
    Crashing the Sync Breeze Application
    Win32 Buffer Overflow Exploitation
    Wrapping Up

Exploiting SEH Overflows
    Installing the Sync Breeze Application
    Crashing Sync Breeze
    Analyzing the Crash in WinDbg
    Introduction to Structured Exception Handling
    Structured Exception Handler Overflows
    Wrapping Up

Introduction to IDA Pro
    IDA Pro 101
    Working with IDA Pro
    Wrapping Up

Overcoming Space Restrictions: Egghunters
    Crashing the Savant Web Server
    Analyzing the Crash in WinDbg
    Detecting Bad Characters
    Gaining Code Execution
    Finding Alternative Places to Store Large Buffers
    Finding our Buffer - The Egghunter Approach
    Improving the Egghunter Portability Using SEH
    Wrapping Up

Creating Custom Shellcode
    Calling Conventions on x86
    The System Call Problem
    Finding kernel32.dll
    Resolving Symbols
    NULL Free Position-Independent Shellcode (PIC)
    Reverse Shell
    Wrapping Up

Reverse Engineering for Bugs
    Installation and Enumeration
    Interacting with Tivoli Storage Manager
    Reverse Engineering the Protocol
    Digging Deeper to Find More Bugs
    Wrapping Up

Stack Overflows and DEP Bypass
    Data Execution Prevention
    Return Oriented Programming
    Gadget Selection
    Bypassing DEP
    Wrapping Up

Stack Overflows and ASLR Bypass
    ASLR Introduction
    Finding Hidden Gems
    Expanding our Exploit (ASLR Bypass)
    Bypassing DEP with WriteProcessMemory
    Wrapping Up

Format String Specifier Attack Part I
    Format String Attacks
    Attacking IBM Tivoli FastBackServer
    Reading the Event Log
    Bypassing ASLR with Format Strings
    Wrapping Up

Format String Specifier Attack Part II
    Write Primitive with Format Strings
    Overwriting EIP with Format Strings
    Locating Storage Space
    Getting Code Execution
    Wrapping Up

Trying Harder: The Labs
    Challenge 1
    Challenge 2
    Challenge 3
    Wrapping Up
