EXP-301: Windows User Mode Exploit Development (OSED)
Invest in a secure future with offensive security training from the developers of Kali Linux. OffSec certifications are the most well-recognized and respected in the industry. Our courses focus on real-world skills and applicability, preparing you for real-life challenges and offensive security expertise!
Training at a glance
Level
Intermediate
Duration
5 Days
Experience
2 years: Debuggers/ Python
Average Salary
$127,000
Labs
Yes
Level
Intermediate
Duration
5 Days
Experience
2 years: Debuggers/ Python
Average Salary
$127,000
Labs
Yes
Training Details
EXP-301 is an intermediate course that teaches the skills necessary to bypass DEP and ASLR security mitigations, create advanced custom ROP chains, reverse-engineer a network protocol and even create read and write primitives by exploiting format string specifiers.
Windows User Mode Exploit Development (EXP-301) is a course that teaches learners the basics of modern exploit development. Despite being a fundamental course, it is at the 300 level because it relies on substantial knowledge of assembly and low level programming. It begins with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises. Learners who complete the course and pass the exam earn the OffSec Exploit Developer (OSED) certification. The OSED is one of three certifications making up the OSCE3 certification along with the OSEP for advanced penetration testing and OSWE for web application security. Course Objectives:
- Learn the fundamentals of reverse engineering
- Create custom exploits
- Develop the skills to bypass security mitigations
- Write handmade Windows shellcode
- Adapt older techniques to more modern versions of Windows
Lesson 1: Windows User Mode Exploit Development: General Course Information
- About the EXP301 Course
- Provided Materials
- Overall Strategies for Approaching the Course
- About the EXP301 VPN Labs
- About the OSED Exam
- Wrapping Up
Lesson 2: WinDbg and x86 Architecture
- Introduction to x86 Architecture
- Introduction to Windows Debugger
- Accessing and Manipulating Memory from WinDbg
Controlling the Program Execution in WinDbg - Additional WinDbg Features
- Wrapping Up
Lesson 3: Exploiting Stack Overflows
- Stack Overflows Introduction
- Installing the Sync Breeze Application
- Crashing the Sync Breeze Application
- Win32 Buffer Overflow Exploitation
- Wrapping Up
Lesson 4: Exploiting SEH Overflows
- Installing the Sync Breeze Application
- Crashing Sync Breeze
- Analyzing the Crash in WinDbg
- Introduction to Structured Exception Handling
- Structured Exception Handler
Overflows - Wrapping Up
Lesson 5: Introduction to IDA Pro
- IDA Pro 101
- Working with IDA Pro
- Wrapping Up
Lesson 6: Overcoming Space Restrictions: Egghunters
- Crashing the Savant Web Server
- Analyzing the Crash in WinDbg
- Detecting Bad Characters
- Gaining Code Execution
- Finding Alternative Places to Store
Large Buffers - Finding our Buffer - The Egghunter
Approach - Improving the Egghunter Portability Using SEH
- Wrapping Up
Lesson 7: Creating Custom Shellcode
- Calling Conventions on x86
- The System Call Problem
- Finding kernel32.dll
- Resolving Symbols
- NULLFree Position-Independent Shellcode PIC
- Reverse Shell
- Wrapping Up
Lesson 8: Reverse Engineering for Bugs
- Installation and Enumeration
- Interacting with Tivoli Storage
Manager - Reverse Engineering the Protocol
- Digging Deeper to Find More Bugs
- Wrapping Up
Lesson 9: Stack Overflows and DEP Bypass
- Data Execution Prevention
- Return Oriented Programming
- Gadget Selection
- Bypassing DEP
- Wrapping Up
Lesson 10: Stack Overflows and ASLR Bypass
- ASLR Introduction
- Finding Hidden Gems
- Expanding our Exploit ASLR Bypass)
- Bypassing DEP with WriteProcessMemory
- Wrapping Up
Lesson 11: Format String Specifier Attack Part I
- Format String Attacks
- Attacking IBM Tivoli FastBackServer
- Reading the Event Log
- Bypassing ASLR with Format Strings
Lesson 12: Format String Specifier Attack Part II
- Write Primitive with Format Strings
- Overwriting EIP with Format Strings
- Locating Storage Space
- Getting Code Execution
- Wrapping Up
Lesson 13: Trying Harder: The Labs
- Challenge 1
- Challenge 2
- Challenge 3
- Wrapping Up
- Windows User Mode Exploit Development is an intermediate course designed for those who want to learn about exploit development skills
- Job roles like penetration testers, exploit developers, security researchers, Malware analysts, and software developers working on security products, could benefit from the course
Job Roles
- Penetration Testers
- Exploit Developers
- Security Researchers
- Malware Analysts
- Software Developers Working On Security Products
All students should have the following prerequisite skills before starting the course:
- Familiarity with debuggers (ImmunityDBG, OllyDBG)
- Familiarity with basic exploitation concepts on 32-bit
- Familiarity with writing Python 3 code
- The following optional skills are recommended:
- Ability to read and understand C code at a basic level
- Ability to read and understand 32-bit Assembly code at a basic level
*The prerequisite skills can be obtained by taking our Penetration Testing with Kali Linux course.
- Course Materials
- Active Student Forums
- Access to Home Lab Setup
Learn One Package – $2,499
- One course
- 365 days of lab access
- Two exam attempts
- Plus exclusive content
OR Learn Unlimited Package – $5,499
- All courses
- 365 days of lab access
- Unlimited exam attempts
- Plus exclusive content
Upcoming Classes
PROUD OFFSEC PARTNERSHIPS
We are proud to be an OffSec Learning, Government, and Channel Partner. We pride ourselves on providing award winning boot camps and direct mentoring in our classrooms, Online Live or at your location. The only immersive Authorized Instructor-Led OffSec training available – join us today!
Black Hat USA Delivery Partner
Learn more about our Authorized OffSec training courses at BLACK HAT USA 2024!
We Offer More Than Just OffSec Training
Our successful training results keep our corporate and military clients returning. That’s because we provide everything you need to succeed. This is true for all of our courses.
Strategic Planning & Project Management
From Lean Six Sigma to Project Management Institute Project Management Professional, Agile and SCRUM, we offer the best-in-class strategic planning and project management training available. Work closely with our seasoned multi-decade project managers.
IT & Cybersecurity
ATA is the leading OffSec and Hack the Box US training provider, and a CompTIA and EC-Council award-winning training partner. We offer the best offensive and defensive cyber training to keep your team ahead of the technology skills curve.
Leadership & Management
Let us teach your team the high-level traits and micro-level tools & strategies of effective 21st-century leadership. Empower your team to play to each others’ strengths, inspire others and build a culture that values communication, authenticity, and community.
